Patrick de Ruiter 22d78bf85c
Add ansible directory with vault_agent role and playbooks
- Remove ansible/ from .gitignore
- Add vault_agent role (copied from terraform-vsphere-infra)
- Add vault_agent-playbook.yml for deployment
- Include ansible collections (cloud.terraform, ansible.posix, etc.)
- Archive consul_template role as consul_template-legacy

The ansible directory contains the vault-agent deployment automation
that replaces the legacy consul-template approach.
2025-11-10 12:33:38 +01:00


---
# Main tasks for vault_agent role
- name: Install unzip (required for vault binary extraction)
  # The Vault release is shipped as a zip archive; unarchive needs unzip on the host.
  become: true
  package:
    state: present
    name: unzip
- name: Create vault-agent directories
  # Config, data and TLS output directories, all owned by the agent's service account.
  # NOTE(review): every directory here is created 0755, including ssl_private_dir;
  # whether a world-traversable private-key directory is acceptable depends on which
  # services must read the rendered key — confirm, and tighten if only the agent
  # (or its group) needs access.
  become: true
  file:
    state: directory
    path: '{{ item }}'
    mode: "0755"
    owner: '{{ vault_agent_user }}'
    group: '{{ vault_agent_group }}'
  loop:
    - '{{ vault_agent_config_dir }}'
    - '{{ vault_agent_data_dir }}'
    - '{{ ssl_certs_dir }}'
    - '{{ ssl_private_dir }}'
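- name: Download Vault Agent release archive
  # Fetched over TLS from the vendor release host. `checksum` lets get_url verify
  # the archive before anything is installed as root: set `vault_agent_checksum`
  # to a pinned `sha256:<hex>` in inventory/vars for a reproducible install. The
  # default falls back to the SHA256SUMS file published next to the archive,
  # which detects a corrupt or mismatched download but adds no trust beyond the
  # release host's TLS. The archive is left in /tmp so re-runs with the same
  # version skip the download (checksum already matches).
  get_url:
    url: "https://releases.hashicorp.com/vault/{{ vault_agent_version }}/vault_{{ vault_agent_version }}_linux_amd64.zip"
    dest: "/tmp/vault_{{ vault_agent_version }}_linux_amd64.zip"
    checksum: "{{ vault_agent_checksum | default('sha256:https://releases.hashicorp.com/vault/' ~ vault_agent_version ~ '/vault_' ~ vault_agent_version ~ '_SHA256SUMS') }}"
    mode: "0644"
  become: true

- name: Install Vault Agent binary
  # Extracts the verified archive into /usr/local/bin; files end up root-owned
  # and executable (0755).
  unarchive:
    src: "/tmp/vault_{{ vault_agent_version }}_linux_amd64.zip"
    dest: /usr/local/bin
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  become: true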
- name: Write AppRole role_id file
  # Skipped entirely when vault_approle_role_id is not supplied.
  become: true
  when: vault_approle_role_id is defined
  copy:
    dest: '{{ vault_agent_config_dir }}/role_id'
    content: '{{ vault_approle_role_id }}'
    owner: '{{ vault_agent_user }}'
    group: '{{ vault_agent_group }}'
    mode: "0644"
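- name: Write AppRole secret_id file
  # secret_id is a credential: owner-only mode, and no_log so the value is not
  # echoed in verbose task output (module arguments) or in --diff output of copy.
  # Skipped entirely when vault_approle_secret_id is not supplied.
  copy:
    content: "{{ vault_approle_secret_id }}"
    dest: "{{ vault_agent_config_dir }}/secret_id"
    mode: "0600"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  no_log: true
  when: vault_approle_secret_id is defined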
- name: Deploy certificate template (fullchain)
  # The agent's template language shares Jinja's {{ }} delimiters, so the braces
  # are emitted via {{ '{{' }} / {{ '}}' }}; only vault_secret_path is expanded by
  # Ansible at deploy time.
  # NOTE(review): certificate and chain_pem are concatenated with no separator —
  # this assumes the stored certificate value ends with a newline; confirm.
  become: true
  copy:
    dest: '{{ vault_agent_config_dir }}/certificate.tpl'
    owner: '{{ vault_agent_user }}'
    group: '{{ vault_agent_group }}'
    mode: "0644"
    content: |
      {{ '{{' }} with secret "{{ vault_secret_path }}" {{ '}}' }}{{ '{{' }} .Data.data.certificate {{ '}}' }}{{ '{{' }} .Data.data.chain_pem {{ '}}' }}{{ '{{' }} end {{ '}}' }}
  notify: restart vault-agent
- name: Deploy chain certificate template
  # Renders only the chain_pem field of the secret; braces are escaped so Ansible
  # leaves the agent template syntax intact.
  become: true
  copy:
    dest: '{{ vault_agent_config_dir }}/chain_pem.tpl'
    owner: '{{ vault_agent_user }}'
    group: '{{ vault_agent_group }}'
    mode: "0644"
    content: |
      {{ '{{' }} with secret "{{ vault_secret_path }}" {{ '}}' }}{{ '{{' }} .Data.data.chain_pem {{ '}}' }}{{ '{{' }} end {{ '}}' }}
  notify: restart vault-agent
- name: Deploy private key template
  # The template file itself contains no secret material (only the lookup), so
  # 0644 is fine here; the rendered key's permissions are set by the agent config.
  become: true
  copy:
    dest: '{{ vault_agent_config_dir }}/private_key.tpl'
    owner: '{{ vault_agent_user }}'
    group: '{{ vault_agent_group }}'
    mode: "0644"
    content: |
      {{ '{{' }} with secret "{{ vault_secret_path }}" {{ '}}' }}{{ '{{' }} .Data.data.private_key {{ '}}' }}{{ '{{' }} end {{ '}}' }}
  notify: restart vault-agent
- name: Deploy Vault Agent configuration
  # Owner-only mode: the agent config references the AppRole credential files.
  become: true
  template:
    dest: '{{ vault_agent_config_dir }}/config.hcl'
    src: vault-agent-config.hcl.j2
    owner: '{{ vault_agent_user }}'
    group: '{{ vault_agent_group }}'
    mode: "0600"
  notify: restart vault-agent
- name: Deploy Vault Agent systemd service
  # Unit files are root-owned and world-readable; a changed unit needs both a
  # daemon reload and a service restart, hence the two handlers.
  become: true
  template:
    dest: /etc/systemd/system/vault-agent.service
    src: vault-agent.service.j2
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload systemd
    - restart vault-agent
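- name: Enable and start vault-agent service
  # daemon_reload here picks up a freshly deployed unit file even though the
  # "reload systemd" handler only fires at the end of the play.
  become: true
  systemd:
    name: vault-agent
    enabled: true
    state: started
    daemon_reload: true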