├── version.txt
├── files
│   └── README.md
├── molecule
│   ├── requirements.yml
│   ├── converge.yml
│   ├── archlinux
│   │   ├── molecule.yml
│   │   └── prepare.yml
│   ├── debian-13
│   │   ├── prepare.yml
│   │   └── molecule.yml
│   ├── rockylinux-9
│   │   ├── prepare.yml
│   │   └── molecule.yml
│   ├── almalinux-9
│   │   ├── prepare.yml
│   │   └── molecule.yml
│   ├── centos-stream-9
│   │   ├── prepare.yml
│   │   └── molecule.yml
│   ├── debian-13-enterprise
│   │   ├── prepare.yml
│   │   └── molecule.yml
│   ├── centos-stream-9-enterprise
│   │   ├── prepare.yml
│   │   └── molecule.yml
│   ├── _tests
│   │   └── test_vault.yml.j2
│   ├── debian-12
│   │   └── molecule.yml
│   ├── debian-11
│   │   └── molecule.yml
│   ├── ubuntu-22.04
│   │   └── molecule.yml
│   ├── ubuntu-24.04
│   │   └── molecule.yml
│   ├── amazonlinux-2022
│   │   └── molecule.yml
│   ├── debian-11-enterprise
│   │   └── molecule.yml
│   ├── prepare.yml
│   └── verify.yml
├── templates
│   ├── vault_entropy_seal.j2
│   ├── vault_backend_file.j2
│   ├── vault_service_registration_kubernetes.hcl.j2
│   ├── vault_logrotate.j2
│   ├── vault_seal_gcpkms.j2
│   ├── vault_backend_gcs.j2
│   ├── vault_seal_ocikms.j2
│   ├── vault_seal_pkcs11.j2
│   ├── vault_seal_azurekeyvault.j2
│   ├── vault_backend_consul.j2
│   ├── vault_seal_awskms.j2
│   ├── vault_backend_s3.j2
│   ├── vault_backend_etcd.j2
│   ├── vault_seal_transit.j2
│   ├── vault_backend_mysql.j2
│   ├── vault_service_bsd_init.j2
│   ├── vault_backend_dynamodb.j2
│   ├── vault_service_registration_consul.hcl.j2
│   ├── vault_service_systemd.j2
│   ├── vault_backend_raft.j2
│   ├── vault_sysvinit.j2
│   ├── vault_service_debian_init.j2
│   └── vault_main_configuration.hcl.j2
├── vars
│   ├── Archlinux.yml
│   ├── FreeBSD.yml
│   ├── Flatcar.yml
│   ├── Debian.yml
│   ├── main.yml
│   └── RedHat.yml
├── .ansible-lint
├── examples
│   ├── roles
│   │   └── requirements.yml
│   ├── site_consul.yml
│   ├── site.yml
│   ├── vagrant_hosts
│   ├── bin
│   │   └── preinstall
│   ├── Vagrantfile
│   └── README_VAGRANT.md
├── commitlint.config.js
├── .gitignore
├── Makefile
├── .github
│   └── workflows
│       ├── commitlint.yml
│       ├── ansible-lint.yml
│       ├── release.yml
│       └── molecule.yml
├── handlers
│   └── main.yml
├── .pre-commit-config.yaml
├── .config
│   └── molecule
│       └── config.yml
├── meta
│   └── main.yml
├── tasks
│   ├── preinstall.yml
│   ├── install_remote.yml
│   ├── install.yml
│   ├── tls.yml
│   ├── backend_tls.yml
│   ├── asserts.yml
│   ├── plugins
│   │   └── acme.yml
│   ├── install_hashi_repo.yml
│   └── main.yml
├── .releaserc.json
├── LICENSE.txt
├── CONTRIBUTORS.md
├── README.md
├── CONTRIBUTING.md
├── vault_releases.md
├── defaults
│   └── main.yml
├── CHANGELOG.md
└── role_variables.md
/version.txt:
--------------------------------------------------------------------------------
v2.5.9
--------------------------------------------------------------------------------
/files/README.md:
--------------------------------------------------------------------------------
# Files
--------------------------------------------------------------------------------
/molecule/requirements.yml:
--------------------------------------------------------------------------------
# Collections installed by molecule's galaxy dependency step
# (referenced from .config/molecule/config.yml and the ansible-lint workflow).
collections:
  - name: community.general
--------------------------------------------------------------------------------
/templates/vault_entropy_seal.j2:
--------------------------------------------------------------------------------
{# Entropy augmentation stanza; rendered only when the role enables it (gating lives outside this template). #}
entropy "seal" {
  mode = "augmentation"
}
--------------------------------------------------------------------------------
/templates/vault_backend_file.j2:
--------------------------------------------------------------------------------
{# Single-node filesystem storage; vault_data_path must be writable by the Vault user only. #}
storage "file" {
  path = "{{ vault_data_path }}"
}
--------------------------------------------------------------------------------
/vars/Archlinux.yml:
--------------------------------------------------------------------------------
---
# File: vars/Archlinux.yml - Archlinux vars for Vault

# Packages installed by tasks/preinstall.yml before the Vault binary is fetched.
vault_os_packages:
  - git
  - unzip
--------------------------------------------------------------------------------
/vars/FreeBSD.yml:
--------------------------------------------------------------------------------
---
# File: FreeBSD.yml - FreeBSD OS variables for Vault

# Packages installed by tasks/preinstall.yml before the Vault binary is fetched.
vault_os_packages:
  - git
  - unzip
--------------------------------------------------------------------------------
/.ansible-lint:
--------------------------------------------------------------------------------
---
# .ansible-lint

# molecule/ and examples/ are scaffolding rather than role code, so they are
# not linted; meta/main.yml is excluded because of the linked upstream issue.
exclude_paths:
  - meta/main.yml  # https://github.com/ansible/ansible-lint/issues/4387
  - molecule/
  - examples/
--------------------------------------------------------------------------------
/examples/roles/requirements.yml:
--------------------------------------------------------------------------------
# NOTE(review): 'master' is a moving target, so every install of this example
# pulls whatever is on that branch; pin a released tag for reproducible,
# reviewable installs. Also confirm the branch name: the CI and pre-commit
# config in this repo refer to 'main'.
- src: https://github.com/ansible-community/ansible-vault.git
  name: ansible-community.ansible-vault
  scm: git
  version: master
--------------------------------------------------------------------------------
/commitlint.config.js:
--------------------------------------------------------------------------------
// commitlint.config.js
module.exports = {
  extends: ['@commitlint/config-conventional'],
  // Skip Dependabot-style "Bumps [pkg](url) from X to Y." messages, which do not
  // follow the conventional-commit format.
  ignores: [(message) => /^Bumps \[.+]\(.+\) from .+ to .+\.$/m.test(message)],
}
--------------------------------------------------------------------------------
/molecule/converge.yml:
--------------------------------------------------------------------------------
---
- name: Converge
  hosts: all
  tasks:
    # The role under test is named after the project directory molecule was
    # started from, so the scenario works regardless of the checkout path.
    - name: "Include molecule"
      include_role:
        name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
--------------------------------------------------------------------------------
/vars/Flatcar.yml:
--------------------------------------------------------------------------------
---
# File: vars/Flatcar.yml - Flatcar Linux vars for Vault

# Flatcar's /usr is read-only, so the unit, binary and plugins go under
# writable locations instead of the role's usual defaults.
vault_systemd_unit_path: /etc/systemd/system

vault_bin_path: /opt/bin

vault_plugin_path: /opt/vault/plugins
--------------------------------------------------------------------------------
/templates/vault_service_registration_kubernetes.hcl.j2:
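--------------------------------------------------------------------------------
# {{ ansible_managed }}

service_registration "kubernetes" {
  namespace = "{{ vault_service_registration_kubernetes_namespace }}"
  pod_name = "{{ vault_service_registration_kubernetes_pod_name }}"
}
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
.vagrant
*.crt
*.key
*.retry
*.zip
cache/
examples/hosts
files/vault
files/vault*_SHA256SUMS
meta/.galaxy_install_info
examples/roles/ansible-community.ansible-vault
.venv/
.idea/
.ansible/
--------------------------------------------------------------------------------
/examples/site_consul.yml:
--------------------------------------------------------------------------------
---
# File: site_consul.yml - Example Vault server playbook (Consul storage)

- name: Install Vault
  hosts: consul_nodes
  any_errors_fatal: true
  become: true
  become_user: root
  roles:
    # Role name now matches examples/roles/requirements.yml and site.yml (the
    # old brianshumate.vault name is not what that requirements file installs).
    # vault_backend selects templates/vault_backend_consul.j2 for storage.
    - {role: ansible-community.ansible-vault, vault_backend: consul}
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
default: help

.PHONY: help
help: ## list makefile targets
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

.PHONY: lint
lint: ## lint
	ansible-lint -c .ansible-lint
--------------------------------------------------------------------------------
/vars/Debian.yml:
--------------------------------------------------------------------------------
---
# File: vars/Debian.yml - Debian vars for Vault

# Packages installed by tasks/preinstall.yml before the Vault binary is fetched.
vault_os_packages:
  - git
  - unzip
  - acl
  - gpg
  - libcap2-bin

# HashiCorp apt repository; the signing key is fetched over HTTPS from the same host.
_vault_repository_url: "https://apt.releases.hashicorp.com"
_vault_repository_key_url: "{{ _vault_repository_url }}/gpg"
--------------------------------------------------------------------------------
/examples/site.yml:
--------------------------------------------------------------------------------
---
# File: site.yml - Example Vault server playbook (Filesystem storage)

- name: Install Vault Vagrant Development Server
  hosts: vault_instances
  any_errors_fatal: true
  become: true
  become_user: root
  roles:
    - {role: ansible-community.ansible-vault, vault_backend: file}
--------------------------------------------------------------------------------
/templates/vault_logrotate.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

{{ vault_log_path }}/vault.log
{
    missingok
    copytruncate
    rotate {{ vault_logrotate_freq }}
    daily
    dateext
    compress
    postrotate
        {# Unit name comes from the same variable handlers/main.yml uses, so a renamed service is still reloaded. #}
        /bin/systemctl reload {{ vault_systemd_service_name }} 2> /dev/null || true
    endscript
}
--------------------------------------------------------------------------------
/molecule/archlinux/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: archlinux
    groups:
      - vault_raft_servers
    image: carlodepieri/docker-archlinux-ansible
    command: /lib/systemd/systemd
    # privileged + cgroup_parent are needed to boot systemd inside the container
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  playbooks:
    prepare: prepare.yml
--------------------------------------------------------------------------------
/.github/workflows/commitlint.yml:
--------------------------------------------------------------------------------
name: Lint Commit Messages
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  commitlint:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          # full history so every commit in the push/PR range can be linted
          fetch-depth: 0
      # NOTE(review): third-party action pinned to a mutable major tag; pin to a
      # commit SHA so the code that runs here cannot change underneath the repo.
      - uses: wagoid/commitlint-github-action@v5
--------------------------------------------------------------------------------
/molecule/debian-13/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Prepare Debian
  hosts: all
  # facts need Python, which the image may not ship yet
  gather_facts: false
  tasks:
    - name: Bootstrap Python
      ansible.builtin.raw: "test -e /usr/bin/python || apt-get install --update python3 -y"
      changed_when: true

- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml
--------------------------------------------------------------------------------
/molecule/rockylinux-9/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml

- name: Prepare Rocky
  hosts: all
  tasks:
    # Test-container fix-up only (lives in molecule/, not in the role).
    - name: Set Permission on /etc/shadow
      ansible.builtin.file:
        path: /etc/shadow
        mode: '0640'
        owner: root
        group: root
--------------------------------------------------------------------------------
/molecule/almalinux-9/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml

- name: Prepare AlmaLinux
  hosts: all
  tasks:
    # Test-container fix-up only (lives in molecule/, not in the role).
    - name: Set Permission on /etc/shadow
      ansible.builtin.file:
        path: /etc/shadow
        mode: '0640'
        owner: root
        group: root
--------------------------------------------------------------------------------
/molecule/centos-stream-9/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml

- name: Prepare CentOS
  hosts: all
  tasks:
    # Test-container fix-up only (lives in molecule/, not in the role).
    - name: Set Permission on /etc/shadow
      ansible.builtin.file:
        path: /etc/shadow
        mode: '0640'
        owner: root
        group: root
--------------------------------------------------------------------------------
/molecule/archlinux/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml

- name: Prepare ArchLinux
  hosts: all

  tasks:
    - name: Install prerequisites
      ansible.builtin.package:
        name:
          - sudo
          - unzip
          - tar
        state: present
--------------------------------------------------------------------------------
/molecule/debian-13-enterprise/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Prepare Debian
  hosts: all
  # facts need Python, which the image may not ship yet
  gather_facts: false
  tasks:
    - name: Bootstrap Python
      ansible.builtin.raw: "test -e /usr/bin/python || apt-get install --update python3 -y"
      changed_when: true

- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml
--------------------------------------------------------------------------------
/molecule/centos-stream-9-enterprise/prepare.yml:
--------------------------------------------------------------------------------
---
- name: Common prepare
  ansible.builtin.import_playbook: ../prepare.yml

- name: Prepare CentOS
  hosts: all
  tasks:
    # Test-container fix-up only (lives in molecule/, not in the role).
    - name: Set Permission on /etc/shadow
      ansible.builtin.file:
        path: /etc/shadow
        mode: '0640'
        owner: root
        group: root
--------------------------------------------------------------------------------
/.github/workflows/ansible-lint.yml:
--------------------------------------------------------------------------------
---
name: Ansible Lint
on:
  push:
    # documented filter key is tags-ignore (hyphen); the underscore spelling is
    # not a recognised key and prevents the workflow from being accepted
    tags-ignore:
      - '*'
  pull_request:
jobs:
  lint:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - name: Run ansible-lint
        # TODO(review): '@main' is a mutable ref, so the linter that runs over
        # this checkout can change without any change here; pin a release tag
        # or commit SHA, e.g. ansible/ansible-lint@<tag-or-sha>.
        uses: ansible/ansible-lint@main
        with:
          args: "-r molecule/requirements.yml"
--------------------------------------------------------------------------------
/molecule/_tests/test_vault.yml.j2:
--------------------------------------------------------------------------------
---
port:
  tcp:8200:
    listening: true
service:
  vault.service:
    enabled: true
    running: true
user:
  vault:
    exists: true
    groups:
      - {{ vault_group | default('bin') }}
group:
  {{ vault_group | default('bin') }}:
    exists: true
process:
  vault:
    running: true
--------------------------------------------------------------------------------
/templates/vault_seal_gcpkms.j2:
--------------------------------------------------------------------------------
{# credentials is only emitted when the role copied a service-account file;
   otherwise Vault relies on the ambient GCP credentials of the host. #}
seal "gcpckms" {
{% if vault_gkms_copy_sa and vault_gkms_credentials_src_file is defined and vault_gkms_credentials|length -%}
credentials = "{{ vault_gkms_credentials }}"
{% endif -%}
project = "{{ vault_gkms_project }}"
region = "{{ vault_gkms_region }}"
key_ring = "{{ vault_gkms_key_ring }}"
crypto_key = "{{ vault_gkms_crypto_key }}"
}
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for vault

# Both handlers are gated by role flags so a config change on a node that must
# not be bounced (e.g. an active HA member) can be applied without a restart.
- name: Restart vault
  become: true
  ansible.builtin.service:
    name: '{{ vault_systemd_service_name }}'
    state: restarted
  when: vault_service_restart | bool

- name: Reload vault
  become: true
  ansible.builtin.service:
    name: '{{ vault_systemd_service_name }}'
    state: reloaded
  when: vault_service_reload | bool
--------------------------------------------------------------------------------
/templates/vault_backend_gcs.j2:
--------------------------------------------------------------------------------
storage "gcs" {
bucket = "{{ vault_gcs_bucket }}"
ha_enabled = "{{ vault_gcs_ha_enabled | bool | lower }}"
{% if vault_gcs_chunk_size is defined and vault_gcs_chunk_size|length -%}
chunk_size = "{{ vault_gcs_chunk_size }}"
{% endif -%}
{% if vault_gcs_max_parallel is defined and vault_gcs_max_parallel|length -%}
max_parallel = {{ vault_gcs_max_parallel }}
{% endif -%}
}
--------------------------------------------------------------------------------
/molecule/debian-12/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: debian-12_repo
    groups:
      - vault_raft_servers
    image: dokken/debian-12
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  inventory:
    host_vars:
      # "_repo" hosts install from the HashiCorp package repository instead of
      # the downloaded zip, hence the distro-packaged paths and group.
      debian-12_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/templates/vault_seal_ocikms.j2:
--------------------------------------------------------------------------------
seal "ocikms" {
key_id = "{{ vault_ocikms_key_id }}"
auth_type_api_key = "{{ vault_ocikms_auth_type_api_key }}"
{% if vault_ocikms_crypto_endpoint is string and vault_ocikms_crypto_endpoint|length %}
crypto_endpoint = "{{ vault_ocikms_crypto_endpoint }}"
{% endif %}
{% if vault_ocikms_management_endpoint is string and vault_ocikms_management_endpoint|length %}
management_endpoint = "{{ vault_ocikms_management_endpoint }}"
{% endif %}
}
--------------------------------------------------------------------------------
/molecule/debian-13/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: debian-13_repo
    groups:
      - vault_raft_servers
    image: dokken/debian-13
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  playbooks:
    prepare: prepare.yml
  inventory:
    host_vars:
      debian-13_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-case-conflict
      - id: check-symlinks
      - id: check-json
      - id: mixed-line-ending
        args: ["--fix=lf"]
      - id: no-commit-to-branch
        args: [--branch, main]
      - id: pretty-format-json
        args: [--autofix, --no-sort-keys]
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# Vault health-check status codes and the node state each one reports;
# used by the role's API health check.
vault_http_status:
  '200': 'initialized, unsealed, and active'
  '429': 'unsealed and standby'
  '472': 'data recovery mode replication secondary and active'
  '473': 'performance standby'
  '501': 'not initialized'
  '503': 'sealed'

# Supported *nix distributions
_vault_nix_distros:
  - 'AlmaLinux'
  - 'Amazon'
  - 'Amazon Linux 2'
  - 'Archlinux'
  - 'CentOS'
  - 'Debian'
  - 'Fedora'
  - 'Flatcar'
  - 'FreeBSD'
  - 'OracleLinux'
  - 'RedHat'
  - 'Rocky'
  - 'Ubuntu'
--------------------------------------------------------------------------------
/templates/vault_seal_pkcs11.j2:
--------------------------------------------------------------------------------
{# NOTE(review): the HSM PIN is rendered in clear text into the config file.
   Vault also accepts it from the VAULT_HSM_PIN environment variable, which
   keeps it out of the on-disk config; either way the file mode must stay
   restricted to the Vault user. #}
seal "pkcs11" {
lib = "{{ vault_seal_lib }}"
{% if vault_softcard_enable %}
token_label = "{{ vault_seal_token_label }}"
{% else %}
slot = "{{ vault_seal_slot }}"
{% endif %}
pin = "{{ vault_seal_pin }}"
key_label = "{{ vault_seal_key_label }}"
{% if vault_seal_hmac_key_label != '' %}
hmac_key_label = "{{ vault_seal_hmac_key_label }}"
{% endif %}
generate_key = "{{ vault_seal_generate_key }}"
{% if vault_seal_key_mechanism != '' %}
mechanism = "{{ vault_seal_key_mechanism }}"
{% endif %}
}
--------------------------------------------------------------------------------
/.config/molecule/config.yml:
--------------------------------------------------------------------------------
---
dependency:
  name: galaxy
  options:
    requirements-file: molecule/requirements.yml
driver:
  name: docker
lint: |
  set -e
  yamllint .
  ansible-lint
provisioner:
  name: ansible
  config_options:
    defaults:
      callbacks_enabled: timer,profile_tasks
      # fact cache lands in ./cache, which .gitignore excludes
      fact_caching: jsonfile
      fact_caching_connection: ./cache
      forks: 100
    connection:
      pipelining: true
  # shared playbooks; scenarios override prepare where they need extra steps
  playbooks:
    prepare: ../prepare.yml
    converge: ../converge.yml
    verify: ../verify.yml
verifier:
  name: ansible
--------------------------------------------------------------------------------
/templates/vault_seal_azurekeyvault.j2:
--------------------------------------------------------------------------------
{# client_secret, when set, is rendered in clear text; Vault also reads it from
   the AZURE_CLIENT_SECRET environment variable, which avoids putting it on disk. #}
seal "azurekeyvault" {
tenant_id = "{{ vault_azurekeyvault_tenant_id }}"
{% if vault_azurekeyvault_client_id is defined -%}
client_id = "{{ vault_azurekeyvault_client_id }}"
{% endif -%}
{% if vault_azurekeyvault_client_secret is defined -%}
client_secret = "{{ vault_azurekeyvault_client_secret }}"
{% endif -%}
{% if vault_azurekeyvault_vault_name is defined -%}
vault_name = "{{ vault_azurekeyvault_vault_name }}"
{% endif -%}
{% if vault_azurekeyvault_key_name is defined -%}
key_name = "{{ vault_azurekeyvault_key_name }}"
{% endif -%}
}
--------------------------------------------------------------------------------
/templates/vault_backend_consul.j2:
--------------------------------------------------------------------------------
{# 'storage' is the current stanza name ('backend' is the legacy alias) and
   matches the other vault_backend_*.j2 templates in this role. #}
storage "consul" {
address = "{{ vault_consul }}"
path = "{{ vault_consul_path }}"
service = "{{ vault_consul_service }}"
{% if vault_consul_token is defined and vault_consul_token %}
{# the Consul ACL token is written in clear text; the rendered file must stay readable by the Vault user only #}
token = "{{ vault_consul_token }}"
{% endif %}
scheme = "{{ vault_consul_scheme }}"
{% if vault_tls_gossip | bool %}
tls_ca_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}"
tls_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}"
tls_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}"
{% endif %}
}
--------------------------------------------------------------------------------
/templates/vault_seal_awskms.j2:
--------------------------------------------------------------------------------
{# access_key/secret_key are optional: when omitted Vault uses the AWS SDK
   credential chain (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, instance profile),
   which keeps static credentials out of the rendered file. #}
seal "awskms" {
kms_key_id = "{{ vault_awskms_key_id }}"
{% if vault_awskms_region is string and vault_awskms_region|length %}
region = "{{ vault_awskms_region }}"
{% endif %}
{% if vault_awskms_access_key is string and vault_awskms_access_key|length %}
access_key = "{{ vault_awskms_access_key }}"
{% endif %}
{% if vault_awskms_secret_key is string and vault_awskms_secret_key|length %}
secret_key = "{{ vault_awskms_secret_key }}"
{% endif %}
{% if vault_awskms_endpoint is string and vault_awskms_endpoint|length %}
endpoint = "{{ vault_awskms_endpoint }}"
{% endif %}
}
--------------------------------------------------------------------------------
/molecule/debian-11/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: debian-11
    groups:
      - vault_raft_servers
    image: dokken/debian-11
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: debian-11_repo
    groups:
      - vault_raft_servers
    image: dokken/debian-11
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  inventory:
    host_vars:
      debian-11_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/molecule/ubuntu-22.04/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: ubuntu-22.04
    groups:
      - vault_raft_servers
    image: dokken/ubuntu-22.04
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: ubuntu-22.04_repo
    groups:
      - vault_raft_servers
    image: dokken/ubuntu-22.04
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  inventory:
    host_vars:
      ubuntu-22.04_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/molecule/ubuntu-24.04/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: ubuntu-24.04
    groups:
      - vault_raft_servers
    image: dokken/ubuntu-24.04
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: ubuntu-24.04_repo
    groups:
      - vault_raft_servers
    image: dokken/ubuntu-24.04
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  inventory:
    host_vars:
      ubuntu-24.04_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  namespace: community
  author: Brian Shumate
  description: HashiCorp Vault server role
  company: Brian Shumate
  license: BSD
  min_ansible_version: '2.7'

  # NOTE(review): this list lags the molecule scenarios, which also exercise
  # Debian 12/13, Ubuntu 24.04 and the EL 9 rebuilds; keep it in step so
  # Galaxy advertises what is actually tested.
  platforms:
    - name: Amazon
    - name: Amazon Linux 2
    - name: ArchLinux
    - name: Debian
      versions:
        - stretch
        - buster
        - bullseye
    - name: EL
      versions:
        - '7'
        - '8'
        - '9'
    - name: Ubuntu
      versions:
        - bionic
        - focal
        - jammy

  galaxy_tags:
    - networking
    - security
    - system

dependencies: []
--------------------------------------------------------------------------------
/molecule/amazonlinux-2022/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: amazonlinux-2022
    groups:
      - vault_raft_servers
    image: dokken/amazonlinux-2022
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: amazonlinux-2022_repo
    groups:
      - vault_raft_servers
    image: dokken/amazonlinux-2022
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  inventory:
    host_vars:
      amazonlinux-2022_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/molecule/almalinux-9/molecule.yml: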
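--------------------------------------------------------------------------------
---
platforms:
  - name: almalinux-9
    groups:
      - vault_raft_servers
    image: dokken/almalinux-9
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: almalinux-9_repo
    groups:
      - vault_raft_servers
    image: dokken/almalinux-9
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  playbooks:
    prepare: prepare.yml
  inventory:
    host_vars:
      almalinux-9_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/molecule/rockylinux-9/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: rockylinux-9
    groups:
      - vault_raft_servers
    image: dokken/rockylinux-9
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: rockylinux-9_repo
    groups:
      - vault_raft_servers
    image: dokken/rockylinux-9
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  playbooks:
    prepare: prepare.yml
  inventory:
    host_vars:
      rockylinux-9_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
name: Semantic Releaser

on:
  push:
    branches:
      # NOTE(review): commitlint.yml and .pre-commit-config.yaml both treat
      # 'main' as the protected branch; confirm 'master' is really the branch
      # releases are cut from, otherwise this workflow never fires.
      - master

# Token scopes for the job. contents and pull-requests are what the changelog
# and git plugins below need to tag, push and comment; packages: write is not
# obviously used by any listed plugin — drop it if nothing publishes a package.
permissions:
  contents: write
  packages: write
  pull-requests: write

jobs:
  semrel:
    # guard so forks never attempt to publish a release
    if: github.repository == 'ansible-community/ansible-vault'
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Semantic Release
        # NOTE(review): third-party action pinned to a mutable major tag; a
        # commit SHA pin would fix the exact code that handles GITHUB_TOKEN.
        uses: cycjimmy/semantic-release-action@v4
        with:
          extra_plugins: |
            @semantic-release/changelog@6.0.0
            @semantic-release/git@10.0.0
            conventional-changelog-conventionalcommits@8.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--------------------------------------------------------------------------------
/molecule/centos-stream-9/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: centos-stream-9
    groups:
      - vault_raft_servers
    image: dokken/centos-stream-9
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: centos-stream-9_repo
    groups:
      - vault_raft_servers
    image: dokken/centos-stream-9
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  playbooks:
    prepare: prepare.yml
  inventory:
    host_vars:
      centos-stream-9_repo:
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/templates/vault_backend_s3.j2:
--------------------------------------------------------------------------------
{# access_key/secret_key are rendered in clear text into the config file.
   Leaving them empty should let Vault fall back to the AWS SDK credential
   chain (AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or an instance profile). #}
storage "s3" {
access_key = "{{ vault_s3_access_key }}"
secret_key = "{{ vault_s3_secret_key }}"
bucket = "{{ vault_s3_bucket }}"
region = "{{ vault_s3_region }}"
disable_ssl = "{{ vault_s3_disable_ssl }}"

{# Vault's S3 storage option is max_parallel; the role variable name was
   previously being emitted as the HCL key, so the setting never took effect. #}
max_parallel = "{{ vault_s3_max_parallel }}"

{% if vault_s3_endpoint is defined and vault_s3_endpoint|length -%}
endpoint = "{{ vault_s3_endpoint }}"
{% endif %}
{% if vault_s3_kms_key_id is defined and vault_s3_kms_key_id|length -%}
kms_key_id = "{{ vault_s3_kms_key_id }}"
{% endif %}
{% if vault_s3_session_token is defined and vault_s3_session_token|length -%}
session_token = "{{ vault_s3_session_token }}"
{% endif %}

s3_force_path_style = "{{ vault_s3_force_path_style }}"
}
--------------------------------------------------------------------------------
/vars/RedHat.yml:
--------------------------------------------------------------------------------
---
# File: vars/RedHat.yml - Red Hat vars for Vault

# Packages installed by tasks/preinstall.yml before the Vault binary is fetched.
vault_os_packages:
  - "{{ 'libselinux-python' if ansible_python_version is version('3', '<') else 'python3-libselinux' }}"
  - git
  - unzip

# Every physical line ends in "\" so YAML does not fold the line break into a
# space: without it the Amazon Linux URL was rendered with a trailing blank.
_vault_repository_url: "{% if (ansible_distribution | lower == 'fedora') %}\
  https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable\
  {% elif (ansible_distribution | lower == 'amazon') %}\
  https://rpm.releases.hashicorp.com/AmazonLinux/{{ '$releasever' if (ansible_distribution_major_version | length <= 1) else 'latest' }}/$basearch/stable\
  {% else %}\
  https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable\
  {% endif %}"
# Signing key is fetched over HTTPS from the same host that serves the packages.
_vault_repository_key_url: "{{ _vault_repository_url | urlsplit('scheme') }}://{{ _vault_repository_url | urlsplit('netloc') }}/gpg"
--------------------------------------------------------------------------------
/tasks/preinstall.yml:
--------------------------------------------------------------------------------
---
# File: tasks/preinstall.yml - pre-installation tasks for vault

- name: Add Vault group
  become: true
  ansible.builtin.group:
    name: "{{ vault_group }}"
    state: present
  when: vault_manage_group | bool

# Dedicated system account; the service is not meant to run as root.
- name: Add Vault user
  become: true
  ansible.builtin.user:
    name: "{{ vault_user }}"
    comment: "Vault user"
    group: "{{ vault_group }}"
    groups: "{{ vault_groups }}"
    system: true
  when: vault_manage_user | bool

# become added for consistency with the sibling tasks: refreshing the package
# index needs root whether or not the play itself escalates.
- name: Update package cache
  become: true
  ansible.builtin.package:
    update_cache: true
  tags: update_cache
  when: vault_os_packages | default([]) | length > 0

- name: OS packages
  become: true
  ansible.builtin.package:
    name: "{{ vault_os_packages }}"
    state: present
  when: vault_os_packages | default([]) | length > 0
--------------------------------------------------------------------------------
/molecule/debian-11-enterprise/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: debian-11
    groups:
      - vault_raft_servers
    image: dokken/debian-11
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: debian-11_repo
    groups:
      - vault_raft_servers
    image: dokken/debian-11
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice

provisioner:
  inventory:
    host_vars:
      # enterprise scenario: the API health check is skipped on both hosts
      debian-11:
        vault_disable_api_health_check: true
        vault_enterprise: true
        vault_install_hashi_repo: false
      debian-11_repo:
        vault_disable_api_health_check: true
        vault_enterprise: true
        vault_install_hashi_repo: true
        vault_bin_path: /usr/bin
        vault_group: vault
--------------------------------------------------------------------------------
/molecule/debian-13-enterprise/molecule.yml:
--------------------------------------------------------------------------------
---
platforms:
  - name: debian-13
    groups:
      - vault_raft_servers
    image: dokken/debian-13
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true
    cgroup_parent: docker.slice
  - name: debian-13_repo
    groups:
      - vault_raft_servers
    image: dokken/debian-13
    pre_build_image: true
    command: /lib/systemd/systemd
    privileged: true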
| privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | playbooks: 22 | prepare: prepare.yml 23 | inventory: 24 | host_vars: 25 | debian-13: 26 | vault_disable_api_health_check: true 27 | vault_enterprise: true 28 | vault_install_hashi_repo: false 29 | debian-13_repo: 30 | vault_disable_api_health_check: true 31 | vault_enterprise: true 32 | vault_install_hashi_repo: true 33 | vault_bin_path: /usr/bin 34 | vault_group: vault 35 | -------------------------------------------------------------------------------- /molecule/centos-stream-9-enterprise/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: centos-stream-9 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/centos-stream-9 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: centos-stream-9_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/centos-stream-9 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | playbooks: 22 | prepare: prepare.yml 23 | inventory: 24 | host_vars: 25 | centos-stream-9: 26 | vault_disable_api_health_check: true 27 | vault_enterprise: true 28 | vault_install_hashi_repo: false 29 | centos-stream-9_repo: 30 | vault_disable_api_health_check: true 31 | vault_enterprise: true 32 | vault_install_hashi_repo: true 33 | vault_bin_path: /usr/bin 34 | vault_group: vault 35 | -------------------------------------------------------------------------------- /templates/vault_backend_etcd.j2: -------------------------------------------------------------------------------- 1 | backend "etcd" { 2 | address = "{{ vault_etcd }}" 3 | path = "{{ vault_etcd_path }}" 4 | api = "{{ vault_etcd_api }}" 5 | request_timeout = "{{ vault_etcd_request_timeout }}" 6 | lock_timeout = "{{ vault_etcd_lock_timeout }}" 7 | sync = "{{ 
vault_etcd_sync }}" 8 | ha_enabled = "{{ vault_etcd_ha_enabled }}" 9 | {% if vault_etcd_discovery_srv is defined and vault_etcd_discovery_srv|length -%} 10 | discovery_srv = "{{ vault_etcd_discovery_srv }}" 11 | discovery_srv_name = "{{ vault_etcd_discovery_srv_name }}" 12 | {% endif -%} 13 | {% if vault_etcd_username is defined and vault_etcd_username|length -%} 14 | username = "{{ vault_etcd_username }}" 15 | password = "{{ vault_etcd_password }}" 16 | {% endif -%} 17 | {% if vault_tls_gossip | bool -%} 18 | tls_ca_file="{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}" 19 | tls_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}" 20 | tls_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}" 21 | {% endif -%} 22 | } 23 | -------------------------------------------------------------------------------- /templates/vault_seal_transit.j2: -------------------------------------------------------------------------------- 1 | seal "transit" { 2 | address = "{{ vault_transit_address }}" 3 | token = "{{ vault_transit_token }}" 4 | disable_renewal = {{ '"true"' if vault_transit_disable_renewal else '"false"' }} 5 | 6 | // Key configuration 7 | key_name = "{{ vault_transit_key_name }}" 8 | mount_path = "{{ vault_transit_mount_path }}" 9 | {% if vault_transit_namespace is defined %} 10 | namespace = "{{ vault_transit_namespace }}" 11 | {% endif %} 12 | 13 | // TLS Configuration 14 | {% if vault_transit_tls_skip_verify | bool %} 15 | tls_skip_verify = "true" 16 | {% else %} 17 | tls_ca_cert = "{{ vault_backend_tls_certs_path }}/{{ vault_transit_tls_ca_cert_file }}" 18 | tls_client_cert = "{{ vault_backend_tls_certs_path }}/{{ vault_transit_tls_client_cert_file }}" 19 | tls_client_key = "{{ vault_backend_tls_private_path }}/{{ vault_transit_tls_client_key_file }}" 20 | {% if vault_transit_tls_server_name is defined %} 21 | tls_server_name = "{{ vault_transit_tls_server_name }}" 22 | {% endif %} 23 | {% 
endif %} 24 | } 25 | -------------------------------------------------------------------------------- /examples/vagrant_hosts: -------------------------------------------------------------------------------- 1 | # File: vagrant_hosts 2 | # Vault node hosts configuration for Vagrant 3 | # 4 | # NB: Replace the hosts below with your preferred node hostnames and continue 5 | # the 'nodeN' pattern for additional nodes past 'vault3' 6 | # Do not modify the labels (text appearing between []), however 7 | 8 | [vault_instances] 9 | vault.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=./.vagrant/machines/vault1/virtualbox/private_key 10 | 11 | [consul_nodes] 12 | 13 | # If you want to install Vault using Consul VMs deployed with the 14 | # brianshumate.consul role, replace all instances of ~/ansible_roles 15 | # below with your actual Ansible role path and uncomment: 16 | 17 | # consul1.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul1/virtualbox/private_key 18 | 19 | # consul2.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul2/virtualbox/private_key 20 | 21 | # consul3.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul3/virtualbox/private_key 22 | -------------------------------------------------------------------------------- /.releaserc.json: -------------------------------------------------------------------------------- 1 | { 2 | "branches": [ 3 | "main", 4 | "master" 5 | ], 6 | "ci": false, 7 | "plugins": [ 8 | [ 9 | "@semantic-release/commit-analyzer", 10 | { 11 | "preset": "conventionalcommits" 12 | } 13 | ], 14 | [ 15 | "@semantic-release/release-notes-generator", 16 | { 17 | "preset": "conventionalcommits" 18 | } 19 | ], 20 | [ 21 | "@semantic-release/github", 22 | { 23 | "successComment": "This ${issue.pull_request 
? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", 24 | "labels": false, 25 | "releasedLabels": false 26 | } 27 | ], 28 | [ 29 | "@semantic-release/changelog", 30 | { 31 | "changelogFile": "CHANGELOG.md", 32 | "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." 33 | } 34 | ], 35 | [ 36 | "@semantic-release/git", 37 | { 38 | "assets": [ 39 | "CHANGELOG.md" 40 | ], 41 | "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" 42 | } 43 | ] 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /templates/vault_backend_mysql.j2: -------------------------------------------------------------------------------- 1 | storage "mysql" { 2 | username = "{{ vault_mysql_username }}" 3 | password = "{{ vault_mysql_password }}" 4 | {% if vault_mysql is defined and vault_mysql|length -%} 5 | address = "{{ vault_mysql }}" 6 | {% endif -%} 7 | {% if vault_mysql_database is defined and vault_mysql_database|length -%} 8 | database = "{{ vault_mysql_database }}" 9 | {% endif -%} 10 | {% if vault_mysql_table is defined and vault_mysql_table|length -%} 11 | table = "{{ vault_mysql_table }}" 12 | {% endif -%} 13 | {% if vault_mysql_tls_ca_file is defined and vault_mysql_tls_ca_file|length -%} 14 | tls_ca_file = "{{ vault_mysql_tls_ca_file }}" 15 | {% endif -%} 16 | {% if vault_mysql_max_parallel is defined and vault_mysql_max_parallel|length -%} 17 | max_parallel = "{{ vault_mysql_max_parallel }}" 18 | {% endif -%} 19 | {% if vault_mysql_max_idle_connections is defined and vault_mysql_max_idle_connections|length -%} 20 | max_idle_connections = "{{ vault_mysql_max_idle_connections }}" 21 | {% endif -%} 22 | {% if vault_mysql_max_connection_lifetime is defined and vault_mysql_max_connection_lifetime|length -%} 23 | max_connection_lifetime = "{{ vault_mysql_max_connection_lifetime }}" 24 | {% endif -%} 25 | } 26 | 
-------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019, Brian Shumate 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 7 | 8 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 9 | 10 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
11 | -------------------------------------------------------------------------------- /.github/workflows/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Ansible Molecule 3 | 4 | on: 5 | push: 6 | tags_ignore: 7 | - '*' 8 | pull_request: 9 | 10 | env: 11 | ANSIBLE_FORCE_COLOR: '1' 12 | PY_COLORS: '1' 13 | 14 | jobs: 15 | discover-scenarios: 16 | runs-on: ubuntu-24.04 17 | outputs: 18 | scenarios: ${{ steps.set-scenarios.outputs.scenarios }} 19 | steps: 20 | - name: Check out codebase 21 | uses: actions/checkout@v3 22 | 23 | - name: Discover scenarios 24 | id: set-scenarios 25 | # Find path to all scenarios 26 | run: | 27 | scenarios="[`for x in $(ls -1 molecule -I _tests -I '*.yml'); do echo "'$x'"; done | tr '\n' ',' | sed '$s/,$//'`]" 28 | echo "scenarios=$scenarios" >> $GITHUB_OUTPUT 29 | 30 | test: 31 | needs: 32 | - discover-scenarios 33 | runs-on: ubuntu-24.04 34 | strategy: 35 | fail-fast: false 36 | matrix: 37 | scenario: ${{ fromJson(needs.discover-scenarios.outputs.scenarios) }} 38 | steps: 39 | - name: checkout 40 | uses: actions/checkout@v3 41 | - name: molecule 42 | uses: gofrolist/molecule-action@v2 43 | with: 44 | molecule_working_dir: . 
45 | molecule_command: test 46 | molecule_args: --scenario-name ${{ matrix.scenario }} 47 | -------------------------------------------------------------------------------- /tasks/install_remote.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/install_remote.yml 3 | # Package installation tasks for vault 4 | 5 | - name: Ensure remote vault dir exists 6 | ansible.builtin.file: 7 | path: /tmp/vault 8 | state: directory 9 | mode: "0750" 10 | 11 | - name: Check Vault package file 12 | ansible.builtin.stat: 13 | path: "/tmp/vault/{{ vault_pkg }}" 14 | register: vault_package 15 | tags: installation 16 | 17 | - name: "Download Vault → {{ vault_zip_url }}" 18 | ansible.builtin.get_url: 19 | url: "{{ vault_zip_url }}" 20 | dest: "/tmp/vault/{{ vault_pkg }}" 21 | checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + vault_pkg + '$') | first).split()[0] }}" 22 | timeout: 42 23 | mode: "0644" 24 | tags: installation 25 | when: not vault_package.stat.exists | bool 26 | 27 | - name: Unarchive Vault and install binary 28 | become: true 29 | ansible.builtin.unarchive: 30 | remote_src: true 31 | src: "/tmp/vault/{{ vault_pkg }}" 32 | dest: "{{ vault_bin_path }}" 33 | owner: "{{ vault_user }}" 34 | group: "{{ vault_group }}" 35 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 36 | notify: Restart vault 37 | tags: installation 38 | 39 | - name: Cleanup 40 | ansible.builtin.file: 41 | path: "/tmp/vault" 42 | state: absent 43 | tags: installation 44 | -------------------------------------------------------------------------------- /molecule/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare host 3 | hosts: localhost 4 | connection: local 5 | 6 | tasks: 7 | - name: Prepare CI environment 8 | when: lookup('env', 'CI') is truthy 9 | block: 10 | - name: Install OS packages on controlling host 
11 | when: ansible_distribution != 'MacOSX' 12 | ansible.builtin.package: 13 | name: unzip 14 | become: true 15 | 16 | - name: Install netaddr dependency on controlling host 17 | ansible.builtin.pip: 18 | name: netaddr 19 | become: false 20 | 21 | - name: Stub out vault enterprise service 22 | hosts: all 23 | tasks: 24 | - name: Prepare CI environment 25 | when: 26 | - "'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY')" 27 | - ansible_service_mgr == "systemd" 28 | block: 29 | - name: Make sure dropin directory exists 30 | ansible.builtin.file: 31 | path: /etc/systemd/system/vault.service.d/ 32 | state: directory 33 | mode: '0755' 34 | 35 | - name: Write dropin file 36 | ansible.builtin.copy: 37 | dest: /etc/systemd/system/vault.service.d/fake-service.conf 38 | mode: '0644' 39 | content: | 40 | [Service] 41 | ExecStart= 42 | ExecStart=/usr/bin/sleep 100000 43 | -------------------------------------------------------------------------------- /templates/vault_service_bsd_init.j2: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # {{ ansible_managed }} 3 | # 4 | # PROVIDE: vault 5 | # REQUIRE: LOGIN 6 | # KEYWORD: shutdown 7 | 8 | # shellcheck disable=SC1091,2034,2154 9 | . /etc/rc.subr 10 | 11 | name="vault" 12 | rcvar=$(set_rcvar) 13 | 14 | 15 | load_rc_config $name 16 | : "${vault_enable="NO"}" 17 | : "${vault_users="vault"}" 18 | 19 | restart_cmd=vault_restart 20 | start_cmd=vault_start 21 | stop_cmd=vault_stop 22 | 23 | vault_start() { 24 | echo "Starting ${name}." 
25 | {% if vault_http_proxy -%} 26 | export HTTP_PROXY={{ vault_http_proxy }} 27 | {% endif -%} 28 | {% if vault_https_proxy -%} 29 | export HTTPS_PROXY={{ vault_https_proxy }} 30 | {% endif -%} 31 | {% if vault_no_proxy -%} 32 | export NO_PROXY={{ vault_no_proxy }} 33 | {% endif -%} 34 | for user in ${vault_users}; do 35 | mkdir /var/run/vault 36 | chown -R "{{ vault_user }}:{{ vault_group }}" /var/run/vault/ 37 | su -m "${user}" -c "{{ vault_bin_path }}/vault server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} {% if vault_log_level is defined %}-log-level={{ vault_log_level | lower }}{% endif %} {{ vault_exec_output }} &" 38 | done 39 | } 40 | 41 | vault_stop() { 42 | echo "Stopping $name." 43 | pids=$(pgrep vault) 44 | pkill vault 45 | wait_for_pids "${pids}" 46 | } 47 | 48 | vault_restart() { 49 | vault_stop 50 | vault_start 51 | } 52 | 53 | run_rc_command "$1" 54 | -------------------------------------------------------------------------------- /examples/bin/preinstall: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # File: examples/bin/preinstall - convenience script to add Vault 4 | # VM node host information to /etc/hosts for Vagrant 5 | 6 | vault="10\.1\.42\.240" 7 | 8 | # Log stuff 9 | function logmsg { 10 | msgtype="$1" 11 | msgtxt="$2" 12 | case "${msgtype}" in 13 | greeting) 14 | printf "🌞 ${txtylw}${msgtxt}\n" 15 | ;; 16 | info) 17 | printf "💬 ${txtwht}${msgtxt}\n" 18 | ;; 19 | success) 20 | printf "✅ ${txtgrn}${msgtxt}\n" 21 | ;; 22 | notice) 23 | printf "🚩 ${txtylw}${msgtxt}\n" 24 | ;; 25 | alert) 26 | printf "⛔️ ${txtred}${msgtxt}\n" >&2 27 | ;; 28 | *) 29 | printf "⁉️ ${txtwht}${msgtxt}\n" >&2 30 | ;; 31 | esac 32 | } 33 | 34 | # Check if sudo will need password 35 | function sudocheck { 36 | logmsg info "Enter your user account password for sudo if prompted" 37 | sudo true 38 | } 39 | 40 | # Add hosts entries if necessary 41 | function add_host { 42 | if 
grep vault /etc/hosts > /dev/null 2>&1; then 43 | logmsg success "Vault VM server information present in /etc/hosts" 44 | else 45 | sudocheck 46 | sudo sh -c "echo '# Vault Vagrant virtual machine host 47 | 10.1.42.240 vault.local vault 48 | ' >> /etc/hosts" 49 | logmsg success "Vault server host information added to /etc/hosts" 50 | fi 51 | } 52 | 53 | add_host 54 | -------------------------------------------------------------------------------- /templates/vault_backend_dynamodb.j2: -------------------------------------------------------------------------------- 1 | backend "dynamodb" { 2 | {% if vault_dynamodb is string and vault_dynamodb|length %} 3 | endpoint = "{{ vault_dynamodb }}" 4 | {% endif %} 5 | {% if vault_dynamodb_table is string and vault_dynamodb_table|length %} 6 | table = "{{ vault_dynamodb_table }}" 7 | {% endif %} 8 | {% if vault_dynamodb_ha_enabled | bool %} 9 | ha_enabled = "{{ vault_dynamodb_ha_enabled }}" 10 | {% endif %} 11 | {% if vault_dynamodb_max_parallel is string and vault_dynamodb_max_parallel|length %} 12 | max_parallel = "{{ vault_dynamodb_max_parallel }}" 13 | {% endif %} 14 | {% if vault_dynamodb_region is string and vault_dynamodb_region|length %} 15 | region = "{{ vault_dynamodb_region }}" 16 | {% endif %} 17 | {% if vault_dynamodb_read_capacity is defined and vault_dynamodb_read_capacity|int %} 18 | read_capacity = {{ vault_dynamodb_read_capacity }} 19 | {% endif %} 20 | {% if vault_dynamodb_write_capacity is defined and vault_dynamodb_write_capacity|int %} 21 | write_capacity = {{ vault_dynamodb_write_capacity }} 22 | {% endif %} 23 | {% if vault_dynamodb_access_key is string and vault_dynamodb_access_key|length %} 24 | access_key = "{{ vault_dynamodb_access_key }}" 25 | {% endif %} 26 | {% if vault_dynamodb_secret_key is string and vault_dynamodb_secret_key|length %} 27 | secret_key = "{{ vault_dynamodb_secret_key }}" 28 | {% endif %} 29 | {% if vault_dynamodb_session_token is string and vault_dynamodb_secret_key|length %} 
30 | session_token = "{{ vault_dynamodb_session_token }}" 31 | {% endif %} 32 | } 33 | -------------------------------------------------------------------------------- /templates/vault_service_registration_consul.hcl.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | service_registration "consul" { 4 | address = "{{ vault_service_registration_consul_address }}" 5 | check_timeout = "{{ vault_service_registration_consul_check_timeout }}" 6 | disable_registration = "{{ vault_service_registration_consul_disable_registration }}" 7 | scheme = "{{ vault_service_registration_consul_scheme }}" 8 | service = "{{ vault_service_registration_consul_service }}" 9 | service_tags = "{{ vault_service_registration_consul_service_tags }}" 10 | {% if vault_service_registration_consul_service_address is defined and vault_service_registration_consul_service_address %} 11 | service_address = "{{ vault_service_registration_consul_service_address }}" 12 | {% endif %} 13 | {% if vault_service_registration_consul_token is defined and vault_service_registration_consul_token %} 14 | token = "{{ vault_service_registration_consul_token }}" 15 | {% endif %} 16 | 17 | {% if vault_service_registration_consul_scheme == "https" %} 18 | tls_ca_file="{{ vault_service_registration_consul_tls_certs_path }}/{{ vault_service_registration_consul_tls_ca_file }}" 19 | tls_cert_file = "{{ vault_service_registration_consul_tls_certs_path }}/{{ vault_service_registration_consul_tls_cert_file }}" 20 | tls_key_file = "{{ vault_service_registration_consul_tls_private_path }}/{{ vault_service_registration_consul_tls_key_file }}" 21 | tls_min_version = "{{ vault_service_registration_consul_tls_min_version }}" 22 | tls_skip_verify = "{{ vault_service_registration_consul_tls_skip_verify }}" 23 | {% endif %} 24 | } 25 | -------------------------------------------------------------------------------- /examples/Vagrantfile: 
-------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | # Vagrantfile for bootstrapping a development Vault cluster with 5 | # VirtualBox provider and Ansible provisioner 6 | 7 | ANSIBLE_PLAYBOOK = ENV['ANSIBLE_PLAYBOOK'] || "site.yml" 8 | BOX_MEM = ENV['BOX_MEM'] || "2048" 9 | BOX_NAME = ENV['BOX_NAME'] || "debian/bookworm64" 10 | VAULT_HOSTS = ENV['VAULT_HOSTS'] || "vagrant_hosts" 11 | LOGLEVEL = ENV['VAULT_LOGLEVEL'] || "info" 12 | VAGRANTFILE_API_VERSION = "2" 13 | 14 | Vagrant.require_version ">= 1.5.0" 15 | 16 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| 17 | 18 | # Configure one Vault server 19 | config.vm.define :vault do |vault_config| 20 | vault_config.vm.box = BOX_NAME 21 | vault_config.vm.network :private_network, ip: "10.1.42.240" 22 | vault_config.vm.hostname = "vault.local" 23 | vault_config.ssh.forward_agent = true 24 | vault_config.vm.provider "virtualbox" do |v| 25 | v.name = "vault-server" 26 | v.customize ["modifyvm", :id, "--memory", BOX_MEM] 27 | v.customize ["modifyvm", :id, "--ioapic", "on"] 28 | v.customize ["modifyvm", :id, "--cpus", "2"] 29 | v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] 30 | v.customize ["modifyvm", :id, "--natdnsproxy1", "on"] 31 | end 32 | vault_config.vm.synced_folder '.', '/vagrant', disabled: true 33 | vault_config.vm.provision :ansible do |ansible| 34 | ansible.inventory_path = VAULT_HOSTS 35 | # Extra Ansible variables can be defined here 36 | ansible.extra_vars = { 37 | vault_log_level: LOGLEVEL 38 | } 39 | ansible.playbook = ANSIBLE_PLAYBOOK 40 | ansible.limit = "all" 41 | end 42 | end 43 | end 44 | -------------------------------------------------------------------------------- /tasks/install.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/install.yml - package installation tasks for vault 3 | 4 | - name: Check Vault package file (local) 5 | 
ansible.builtin.stat: 6 | path: "{{ role_path }}/files/{{ vault_pkg }}" 7 | become: false 8 | run_once: true 9 | register: vault_package 10 | delegate_to: 127.0.0.1 11 | 12 | - name: "Download Vault (local) → {{ vault_zip_url }}" 13 | ansible.builtin.get_url: 14 | url: "{{ vault_zip_url }}" 15 | dest: "{{ role_path }}/files/{{ vault_pkg }}" 16 | checksum: 17 | "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + (vault_pkg | regex_escape()) + '$') | first).split()[0] }}" 18 | timeout: 42 19 | mode: "0644" 20 | become: "{{ vault_privileged_install }}" 21 | run_once: true 22 | tags: installation 23 | when: not vault_package.stat.exists | bool 24 | delegate_to: 127.0.0.1 25 | 26 | - name: Unarchive Vault (local) 27 | ansible.builtin.unarchive: 28 | src: "{{ role_path }}/files/{{ vault_pkg }}" 29 | dest: "{{ role_path }}/files/" 30 | creates: "{{ role_path }}/files/vault" 31 | become: "{{ vault_privileged_install }}" 32 | run_once: true 33 | tags: installation 34 | delegate_to: 127.0.0.1 35 | 36 | - name: Install Vault 37 | become: true 38 | ansible.builtin.copy: 39 | src: "{{ role_path }}/files/vault" 40 | dest: "{{ vault_bin_path }}" 41 | owner: "{{ vault_user }}" 42 | group: "{{ vault_group }}" 43 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 44 | notify: Restart vault 45 | tags: installation 46 | 47 | - name: Cleanup (local) 48 | ansible.builtin.file: 49 | path: "{{ item }}" 50 | state: "absent" 51 | become: "{{ vault_privileged_install }}" 52 | with_fileglob: "{{ role_path }}/files/vault" 53 | run_once: true 54 | tags: installation 55 | delegate_to: 127.0.0.1 56 | -------------------------------------------------------------------------------- /tasks/tls.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/tls.yml - TLS tasks for Vault 3 | 4 | - name: Create TLS directory 5 | become: true 6 | ansible.builtin.file: 7 | path: "{{ vault_tls_certs_path 
}}" 8 | state: directory 9 | owner: "{{ vault_user }}" 10 | group: "{{ vault_group }}" 11 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 12 | when: vault_tls_copy_keys | bool 13 | tags: 14 | - tls 15 | 16 | - name: Create private TLS directory 17 | become: true 18 | ansible.builtin.file: 19 | path: "{{ vault_tls_private_path }}" 20 | state: directory 21 | owner: "{{ vault_user }}" 22 | group: "{{ vault_group }}" 23 | mode: "{{ vault_harden_file_perms | ternary('0500', '0700') }}" 24 | when: 25 | - vault_tls_copy_keys | bool 26 | - vault_tls_certs_path != vault_tls_private_path 27 | tags: 28 | - tls 29 | 30 | - name: Vault SSL Certificate and Key 31 | become: true 32 | ansible.builtin.copy: 33 | remote_src: "{{ vault_tls_files_remote_src }}" 34 | src: "{{ item.src }}" 35 | dest: "{{ item.dest }}" 36 | owner: "{{ vault_user }}" 37 | group: "{{ vault_group }}" 38 | mode: "{{ item.mode }}" 39 | with_items: 40 | - src: "{{ vault_tls_src_files }}/{{ vault_tls_ca_file }}" 41 | dest: "{{ vault_tls_certs_path }}/{{ vault_tls_ca_file }}" 42 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 43 | - src: "{{ vault_tls_src_files }}/{{ vault_tls_cert_file }}" 44 | dest: "{{ vault_tls_certs_path }}/{{ vault_tls_cert_file }}" 45 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 46 | - src: "{{ vault_tls_src_files }}/{{ vault_tls_key_file }}" 47 | dest: "{{ vault_tls_private_path }}/{{ vault_tls_key_file }}" 48 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 49 | when: vault_tls_copy_keys | bool 50 | notify: 51 | - Restart vault 52 | - Reload vault 53 | tags: 54 | - tls 55 | -------------------------------------------------------------------------------- /tasks/backend_tls.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/backend_tls.yml - Backend TLS tasks for Vault 3 | 4 | - name: Create backend TLS directory 5 | become: true 6 | ansible.builtin.file: 
7 | path: "{{ vault_backend_tls_certs_path }}" 8 | state: directory 9 | owner: "{{ vault_user }}" 10 | group: "{{ vault_group }}" 11 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 12 | when: vault_tls_copy_keys | bool 13 | tags: 14 | - tls 15 | 16 | - name: Create private backend TLS directory 17 | become: true 18 | ansible.builtin.file: 19 | path: "{{ vault_backend_tls_private_path }}" 20 | state: directory 21 | owner: "{{ vault_user }}" 22 | group: "{{ vault_group }}" 23 | mode: "{{ vault_harden_file_perms | ternary('0500', '0700') }}" 24 | when: 25 | - vault_tls_copy_keys | bool 26 | - vault_backend_tls_certs_path != vault_backend_tls_private_path 27 | tags: 28 | - tls 29 | 30 | - name: Vault backend SSL Certificate and Key 31 | become: true 32 | ansible.builtin.copy: 33 | remote_src: "{{ vault_tls_files_remote_src }}" 34 | src: "{{ item.src }}" 35 | dest: "{{ item.dest }}" 36 | owner: "{{ vault_user }}" 37 | group: "{{ vault_group }}" 38 | mode: "{{ item.mode }}" 39 | with_items: 40 | - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_ca_file }}" 41 | dest: "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}" 42 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 43 | - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_cert_file }}" 44 | dest: "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}" 45 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 46 | - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_key_file }}" 47 | dest: "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}" 48 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 49 | when: vault_tls_copy_keys | bool 50 | tags: 51 | - tls 52 | -------------------------------------------------------------------------------- /CONTRIBUTORS.md: -------------------------------------------------------------------------------- 1 | # Contributors 2 | 3 | Thank you to 
all these fine folks for helping with ansible-vault! 4 | 5 | - [@aarnaud](https://github.com/aarnaud) 6 | - [@arledesma](https://github.com/arledesma) 7 | - [@bbaassssiiee](https://github.com/bbaassssiiee) 8 | - [@bdossantos](https://github.com/bdossantos) 9 | - [@bilke](https://github.com/bilke) 10 | - [@calebtonn](https://github.com/calebtonn) 11 | - [@chris-dudley](https://github.com/chris-dudley) 12 | - [@cordula-grau](https://github.com/cordula-grau) 13 | - [@cwill747](https://github.com/cwill747) 14 | - [@drewmullen](https://github.com/drewmullen) 15 | - [@dvmonroe](https://github.com/dvmonroe) 16 | - [@ebostijancic](https://github.com/ebostijancic) 17 | - [@enqack](https://github.com/enqack) 18 | - [@ericsysmin](https://github.com/ericsysmin) 19 | - [@eripa](https://github.com/eripa) 20 | - [@fhemberger](https://github.com/fhemberger) 21 | - [@fleu42](https://github.com/fleu42) 22 | - [@Fuochi-YNAP](https://github.com/Fuochi-YNAP) 23 | - [@gardar](https://github.com/gardar) 24 | - [@Gerrrr](https://github.com/Gerrrr) 25 | - [@gfeun](https://github.com/gfeun) 26 | - [@groggemans](https://github.com/groggemans) 27 | - [@ilpianista](https://github.com/ilpianista) 28 | - [@jeffWelling](https://github.com/jeffWelling) 29 | - [@jpiron](https://github.com/jpiron) 30 | - [@karras](https://github.com/karras) 31 | - [@kwevers](https://github.com/kwevers) 32 | - [@Lavoaster](https://github.com/Lavoaster) 33 | - [@legogris](https://github.com/legogris) 34 | - [@marc-sensenich](https://github.com/marc-sensenich) 35 | - [@nathkn](https://github.com/nathkn) 36 | - [@nehrman](https://github.com/nehrman) 37 | - [@NorthFuture](https://github.com/NorthFuture) 38 | - [@pierrefh](https://github.com/pierrefh) 39 | - [@rarguelloF](https://github.com/rarguelloF) 40 | - [@rasta-rocket](https://github.com/rasta-rocket) 41 | - [@rbjorklin](https://github.com/rbjorklin) 42 | - [@rhenwood3995](https://github.com/rhenwood3995) 43 | - [@tbartelmess](https://github.com/tbartelmess) 44 | - 
[@vmwiz](https://github.com/vmwiz) 45 | - [@zeridon](https://github.com/zeridon) 46 | - [@akerouanton](https://github.com/akerouanton) 47 | - [@elcomtik](https://github.com/elcomtik) 48 | -------------------------------------------------------------------------------- /tasks/asserts.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/asserts.yml - Asserts for this role 3 | 4 | - name: Check distribution compatibility 5 | ansible.builtin.fail: 6 | msg: "{{ ansible_distribution }} is not supported by this role" 7 | when: 8 | - ansible_distribution not in _vault_nix_distros 9 | - ansible_os_family != 'Windows' 10 | 11 | - name: Fail if not a new release of Red Hat / CentOS 12 | ansible.builtin.fail: 13 | msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role" 14 | when: 15 | - ansible_distribution in ['RedHat', 'CentOS'] 16 | - ansible_distribution_version is version(7, '<') 17 | 18 | - name: Fail if not a new release of Debian 19 | ansible.builtin.fail: 20 | msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role" 21 | when: 22 | - ansible_distribution == "Debian" 23 | - (ansible_distribution_version != 'buster/sid') and (ansible_distribution_version is version(8.5, '<')) 24 | 25 | - name: Fail if not a new release of FreeBSD 26 | ansible.builtin.fail: 27 | msg: "{{ ansible_distribution_version }} is not a supported version." 
28 | when: 29 | - ansible_distribution == "FreeBSD" 30 | - ansible_distribution_version is version(10, '<') 31 | 32 | - name: Fail if not a new release of Ubuntu 33 | ansible.builtin.fail: 34 | msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role" 35 | when: 36 | - ansible_distribution == "Ubuntu" 37 | - ansible_distribution_version is version(13.04, '<') 38 | 39 | - name: Check for vault_redirect_address usage 40 | ansible.builtin.debug: 41 | msg: "vault_redirect_address is deprecated. Check for vault_api_addr in the README." 42 | when: vault_redirect_address is defined 43 | 44 | - name: Check if vault_transit_address and vault_transit_token has been specified 45 | ansible.builtin.fail: 46 | msg: "need vault_transit_address and vault_transit_token defined for vault transit seal configuration." 47 | when: 48 | - vault_transit | bool 49 | - not (vault_transit_address or vault_transit_token) 50 | -------------------------------------------------------------------------------- /templates/vault_service_systemd.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | [Unit] 4 | Description="HashiCorp Vault - A tool for managing secrets" 5 | Documentation=https://www.vaultproject.io/docs/ 6 | Requires=network-online.target 7 | After=network-online.target 8 | {% if vault_use_config_path %} 9 | ConditionPathExists={{ vault_config_path }} 10 | {% else %} 11 | ConditionPathExists={{ vault_main_config }} 12 | {% endif %} 13 | 14 | [Service] 15 | User={{ vault_user }} 16 | Group={{ vault_group }} 17 | ProtectSystem=full 18 | ProtectHome=read-only 19 | PrivateTmp=yes 20 | PrivateDevices=yes 21 | SecureBits=keep-caps 22 | Capabilities=CAP_IPC_LOCK+ep 23 | {% if systemd_version.stdout is version('230', '>=') %} 24 | AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK {{ "CAP_NET_BIND_SERVICE" if vault_port < 1024 }} 25 | {% endif %} 26 | 
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK {{ "CAP_NET_BIND_SERVICE" if vault_port < 1024 }} 27 | NoNewPrivileges=yes 28 | {% if vault_gcs_copy_sa and vault_gcs_credentials_src_file is defined and vault_gcs_credentials_dst_file|length -%} 29 | Environment=GOOGLE_APPLICATION_CREDENTIALS={{ vault_gcs_credentials_dst_file }} 30 | {% endif -%} 31 | {% if vault_http_proxy -%} 32 | Environment=HTTP_PROXY={{ vault_http_proxy }} 33 | {% endif -%} 34 | {% if vault_https_proxy -%} 35 | Environment=HTTPS_PROXY={{ vault_https_proxy }} 36 | {% endif -%} 37 | {% if vault_no_proxy -%} 38 | Environment=NO_PROXY={{ vault_no_proxy }} 39 | {% endif -%} 40 | {% for _vault_variable_name, _vault_variable_value in vault_additional_environment_variables.items() -%} 41 | Environment={{ _vault_variable_name }}={{ _vault_variable_value }} 42 | {% endfor -%} 43 | ExecStart=/bin/sh -c 'exec {{ vault_bin_path }}/vault server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} -log-level={{ vault_log_level | lower }} {{ vault_exec_output }}' 44 | ExecReload=/bin/kill --signal HUP $MAINPID 45 | KillMode=process 46 | KillSignal=SIGINT 47 | Restart=on-failure 48 | RestartSec=5 49 | TimeoutStopSec=30 50 | StartLimitInterval=60 51 | StartLimitBurst=3 52 | LimitNOFILE=524288 53 | LimitNPROC=524288 54 | LimitMEMLOCK=infinity 55 | LimitCORE=0 56 | 57 | [Install] 58 | WantedBy=multi-user.target 59 | -------------------------------------------------------------------------------- /molecule/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Verify 3 | hosts: all 4 | become: true 5 | vars: 6 | goss_version: v0.3.7 7 | goss_arch: amd64 8 | goss_dst: /usr/local/bin/goss 9 | goss_sha256sum: 357f5c7f2e7949b412bce44349cd32ab19eb3947255a8ac805f884cc2c326059 10 | goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}" 11 | goss_test_directory: /tmp 12 | goss_format: 
tap 13 | enterprise: "{{ 'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}" 14 | tasks: 15 | - name: Check if enterprise 16 | ansible.builtin.debug: 17 | msg: "Verification is skipped because vault enterprise does not start without license" 18 | when: enterprise 19 | - name: Verify tasks 20 | when: not enterprise 21 | block: 22 | - name: Download and install Goss 23 | get_url: 24 | url: "{{ goss_url }}" 25 | dest: "{{ goss_dst }}" 26 | checksum: "sha256:{{ goss_sha256sum }}" 27 | mode: 0755 28 | register: download_goss 29 | until: download_goss is succeeded 30 | retries: 3 31 | 32 | - name: Copy Goss tests to remote 33 | template: 34 | src: "{{ item }}" 35 | dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}" 36 | mode: 0644 37 | with_fileglob: 38 | - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2" 39 | 40 | - name: Register test files 41 | shell: "ls {{ goss_test_directory }}/test_*.yml" 42 | changed_when: false 43 | register: test_files 44 | 45 | - name: Execute Goss tests 46 | environment: 47 | # yamllint disable-line rule:line-length 48 | PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' 49 | command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}" 50 | changed_when: false 51 | register: test_results 52 | with_items: "{{ test_files.stdout_lines }}" 53 | 54 | - name: Display details about the Goss results 55 | debug: 56 | msg: "{{ item.stdout_lines }}" 57 | with_items: "{{ test_results.results }}" 58 | 59 | - name: Fail when tests fail 60 | fail: 61 | msg: "Goss failed to validate" 62 | when: item.rc != 0 63 | with_items: "{{ test_results.results }}" 64 | -------------------------------------------------------------------------------- /templates/vault_backend_raft.j2: -------------------------------------------------------------------------------- 1 | storage "raft" { 2 | path = "{{ vault_raft_data_path }}" 3 | node_id = "{{ 
vault_raft_node_id }}" 4 | {% if vault_raft_performance_multiplier is defined and vault_raft_performance_multiplier %} 5 | performance_multiplier = "{{ vault_raft_performance_multiplier }}" 6 | {% endif %} 7 | {% if vault_raft_trailing_logs is defined and vault_raft_trailing_logs %} 8 | trailing_logs = "{{ vault_raft_trailing_logs }}" 9 | {% endif %} 10 | {% if vault_raft_snapshot_threshold is defined and vault_raft_snapshot_threshold %} 11 | snapshot_threshold = "{{ vault_raft_snapshot_threshold }}" 12 | {% endif %} 13 | {% if vault_raft_max_entry_size is defined and vault_raft_max_entry_size %} 14 | max_entry_size = "{{ vault_raft_max_entry_size }}" 15 | {% endif %} 16 | {% if vault_raft_autopilot_reconcile_interval is defined and vault_raft_autopilot_reconcile_interval %} 17 | autopilot_reconcile_interval = "{{ vault_raft_autopilot_reconcile_interval }}" 18 | {% endif %} 19 | {% if vault_raft_cloud_auto_join is defined and vault_raft_cloud_auto_join %} 20 | retry_join { 21 | auto_join = "{{ vault_raft_cloud_auto_join }}" 22 | {% if vault_raft_cloud_auto_join_scheme is defined and vault_raft_cloud_auto_join_scheme %} 23 | auto_join_scheme = "{{ vault_raft_cloud_auto_join_scheme }}" 24 | {% endif %} 25 | {% if vault_raft_cloud_auto_join_port is defined and vault_raft_cloud_auto_join_port %} 26 | auto_join_port = "{{ vault_raft_cloud_auto_join_port }}" 27 | {% endif %} 28 | } 29 | {% endif %} 30 | {% if not vault_raft_cloud_auto_join_exclusive %} 31 | {% for raft_peer in vault_raft_cluster_members | from_yaml | rejectattr('peer', 'equalto', inventory_hostname) %} 32 | {% if not (vault_tls_disable | bool) and vault_tls_client_ca_file != "" %} 33 | retry_join { 34 | leader_api_addr = "{{ raft_peer.api_addr }}" 35 | {% if vault_raft_leader_tls_servername is defined %} 36 | leader_tls_servername = "{{ vault_raft_leader_tls_servername }}" 37 | {% endif %} 38 | leader_ca_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}" 39 | 
leader_client_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}" 40 | leader_client_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}" 41 | } 42 | {% else %} 43 | retry_join { 44 | leader_api_addr = "{{ raft_peer.api_addr }}" 45 | } 46 | {% endif %} 47 | {% endfor %} 48 | {% endif %} 49 | } 50 | 51 | // HashiCorp recommends disabling mlock when using Raft. 52 | disable_mlock = {{ vault_disable_mlock | default('true') | bool | lower }} 53 | -------------------------------------------------------------------------------- /templates/vault_sysvinit.j2: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # {{ ansible_managed }} 3 | # 4 | # chkconfig: 2345 95 95 5 | # description: Vault secret management tool 6 | # processname: vault 7 | # pidfile: /var/run/vault/pidfile 8 | 9 | {% if ansible_distribution == "Ubuntu" %} 10 | . /lib/lsb/init-functions 11 | {% else %} 12 | . /etc/init.d/functions 13 | {% endif %} 14 | 15 | VAULT="{{ vault_bin_path }}/vault" 16 | CONFIG="{{ vault_config_path }}" 17 | PID_FILE=/var/run/vault/vault.pid 18 | 19 | [ -e /etc/sysconfig/vault ] && . /etc/sysconfig/vault 20 | 21 | export GOMAXPROCS=$(nproc) 22 | 23 | mkrundir() { 24 | [ ! -d /var/run/vault ] && mkdir -p /var/run/vault 25 | chown {{ vault_user }} /var/run/vault 26 | } 27 | 28 | KILLPROC_OPT="-p ${PID_FILE}" 29 | mkpidfile() { 30 | mkrundir 31 | [ ! -f $PID_FILE ] && pidofproc $VAULT > $PID_FILE 32 | chown {{ vault_user }} /var/run/vault 33 | if [ $? 
-ne 0 ] ; then 34 | rm $PID_FILE 35 | KILLPROC_OPT="" 36 | fi 37 | } 38 | 39 | start() { 40 | echo -n "Starting vault: " 41 | {% if vault_http_proxy -%} 42 | export HTTP_PROXY={{ vault_http_proxy }} 43 | {% endif -%} 44 | {% if vault_https_proxy -%} 45 | export HTTPS_PROXY={{ vault_https_proxy }} 46 | {% endif -%} 47 | {% if vault_no_proxy -%} 48 | export NO_PROXY={{ vault_no_proxy }} 49 | {% endif -%} 50 | mkrundir 51 | [ -f $PID_FILE ] && rm $PID_FILE 52 | daemon --user={{ vault_user }} \ 53 | --pidfile="$PID_FILE" \ 54 | "$VAULT" server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} {% if vault_log_level is defined %}-log-level={{ vault_log_level | lower }}{% endif %} {{ vault_exec_output }} & 55 | retcode=$? 56 | touch /var/lock/subsys/vault 57 | return $retcode 58 | } 59 | 60 | stop() { 61 | echo -n "Shutting down vault: " 62 | if ("${VAULT}" info 2>/dev/null | grep -q 'server = false' 2>/dev/null) ; then 63 | "$VAULT" leave 64 | fi 65 | 66 | mkpidfile 67 | killproc $KILLPROC_OPT $VAULT -9 68 | 69 | retcode=$? 70 | rm -f /var/lock/subsys/vault $PID_FILE 71 | return $retcode 72 | } 73 | 74 | case "$1" in 75 | start) 76 | start 77 | ;; 78 | stop) 79 | stop 80 | ;; 81 | status) 82 | "$VAULT" info 83 | ;; 84 | restart) 85 | stop 86 | start 87 | ;; 88 | reload) 89 | mkpidfile 90 | killproc $KILLPROC_OPT $VAULT -HUP 91 | ;; 92 | condrestart) 93 | [ -f /var/lock/subsys/vault ] && restart || : 94 | ;; 95 | *) 96 | echo "Usage: vault {start|stop|status|reload|restart}" 97 | exit 1 98 | ;; 99 | esac 100 | exit $? 
101 | -------------------------------------------------------------------------------- /templates/vault_service_debian_init.j2: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # {{ ansible_managed }} 3 | # 4 | ### BEGIN INIT INFO 5 | # Provides: vault 6 | # Required-Start: $local_fs $remote_fs 7 | # Required-Stop: $local_fs $remote_fs 8 | # Default-Start: 2 3 4 5 9 | # Default-Stop: 0 1 6 10 | # Short-Description: Vault secret management tool 11 | # Description: Vault secret management tool 12 | ### END INIT INFO 13 | 14 | PATH="{{ vault_bin_path }}:/usr/sbin:/usr/bin:/sbin:/bin" 15 | DESC="Vault secret management tool" 16 | NAME=vault 17 | DAEMON="{{ vault_bin_path }}/$NAME" 18 | PIDFILE=/var/run/$NAME/$NAME.pid 19 | DAEMON_ARGS="server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} -log-level={{ vault_log_level | lower }} {{ vault_exec_output }}" 20 | USER={{ vault_user }} 21 | SCRIPTNAME=/etc/init.d/$NAME 22 | 23 | [ -x "$DAEMON" ] || exit 0 24 | 25 | [ -r /etc/default/$NAME ] && . /etc/default/$NAME 26 | 27 | [ -f /etc/default/rcS ] && . /etc/default/rcS 28 | 29 | . /lib/lsb/init-functions 30 | 31 | mkrundir() { 32 | [ ! 
-d /var/run/vault ] && mkdir -p /var/run/vault 33 | chown $USER /var/run/vault 34 | } 35 | 36 | do_start() { 37 | {% if vault_http_proxy -%} 38 | export HTTP_PROXY={{ vault_http_proxy }} 39 | {% endif -%} 40 | {% if vault_https_proxy -%} 41 | export HTTPS_PROXY={{ vault_https_proxy }} 42 | {% endif -%} 43 | {% if vault_no_proxy -%} 44 | export NO_PROXY={{ vault_no_proxy }} 45 | {% endif -%} 46 | mkrundir 47 | start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile --test > /dev/null \ 48 | || return 1 49 | start-stop-daemon --start --quiet --pidfile $PIDFILE --chuid $USER --background --make-pidfile --background \ 50 | --startas /bin/bash -- -c "exec $DAEMON $DAEMON_ARGS" \ 51 | || return 2 52 | 53 | RETVAL=0 54 | for i in `seq 1 30`; do 55 | if ! start-stop-daemon --quiet --stop --test --pidfile $PIDFILE --exec $DAEMON --user $USER; then 56 | RETVAL=2 57 | sleep 1 58 | continue 59 | fi 60 | done 61 | return "$RETVAL" 62 | } 63 | 64 | do_stop() { 65 | if ("${DAEMON}" info 2>/dev/null | grep -q 'server = false' 2>/dev/null) ; then 66 | "$DAEMON" leave 67 | fi 68 | start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME 69 | RETVAL="$?" 70 | [ "$RETVAL" = 2 ] && return 2 71 | start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON 72 | [ "$?" = 2 ] && return 2 73 | rm -f $PIDFILE 74 | return "$RETVAL" 75 | } 76 | 77 | do_reload() { 78 | start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME 79 | return 0 80 | } 81 | 82 | case "$1" in 83 | start) 84 | [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" 85 | do_start 86 | case "$?" in 87 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 88 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; 89 | esac 90 | ;; 91 | stop) 92 | [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" 93 | do_stop 94 | case "$?" 
in 95 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 96 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; 97 | esac 98 | ;; 99 | restart) 100 | log_daemon_msg "Restarting $DESC" "$NAME" 101 | do_stop 102 | case "$?" in 103 | 0|1) 104 | do_start 105 | case "$?" in 106 | 0) log_end_msg 0 107 | ;; 108 | 1) log_end_msg 1 109 | ;; 110 | *) log_end_msg 1 111 | ;; 112 | esac 113 | ;; 114 | *) 115 | log_end_msg 1 116 | ;; 117 | esac 118 | ;; 119 | status) 120 | status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $? 121 | ;; 122 | *) 123 | echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 124 | exit 3 125 | ;; 126 | esac 127 | : 128 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Ansible role to install Hashicorp Vault 2 | [![Ansible Lint](https://github.com/ansible-community/ansible-vault/actions/workflows/ansible-lint.yml/badge.svg?branch=master)](https://github.com/ansible-community/ansible-vault/actions/workflows/ansible-lint.yml?query=branch%3Amaster) 3 | [![Ansible Molecule](https://github.com/ansible-community/ansible-vault/actions/workflows/molecule.yml/badge.svg?branch=master)](https://github.com/ansible-community/ansible-vault/actions/workflows/molecule.yml?query=branch%3Amaster) 4 | [![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/ansible-community/ansible-vault.svg)](http://isitmaintained.com/project/ansible-community/ansible-vault "Average time to resolve an issue") 5 | [![Percentage of issues still open](http://isitmaintained.com/badge/open/ansible-community/ansible-vault.svg)](http://isitmaintained.com/project/ansible-community/ansible-vault "Percentage of issues still open") 6 | 7 | This Ansible role performs a basic [Vault](https://vaultproject.io/) 8 | installation, including filesystem structure and example configuration. 
9 | 10 | It can also bootstrap a minimal development or evaluation server or HA 11 | Consul-backed cluster in a Vagrant-based environment. See 12 | [README_VAGRANT.md](https://github.com/ansible-community/ansible-vault/blob/master/examples/README_VAGRANT.md) and the associated [Vagrantfile](https://github.com/ansible-community/ansible-vault/blob/master/examples/Vagrantfile) for more details about the developer mode setup. 13 | 14 | ## Installation 15 | This role resides on GitHub pending the integration with Ansible Galaxy. To install this role, create a `roles/requirements.yml` file in your Ansible project folder with the following contents: 16 | 17 | ```yaml 18 | - src: https://github.com/ansible-community/ansible-vault.git 19 | name: ansible-community.ansible-vault 20 | scm: git 21 | version: master 22 | ``` 23 | 24 | You can use a git tag in the `version` attribute. The legacy name `name: brianshumate.ansible-vault` is also still honored. 25 | 26 | ## Quick Start Guide 27 | 28 | Basic installation is possible using the included [`site.yml`](examples/site.yml) playbook: 29 | 30 | ``` 31 | ansible-playbook -i hosts site.yml 32 | ``` 33 | 34 | You can also pass variables in using the `--extra-vars` option to the 35 | `ansible-playbook` command: 36 | 37 | ``` 38 | ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui" 39 | ``` 40 | 41 | Specify a template file with a different backend definition 42 | (see `templates/backend_consul.j2`): 43 | 44 | ``` 45 | ansible-playbook -i hosts site.yml --extra-vars "vault_backend_file=backend_file.j2" 46 | ``` 47 | 48 | You need to make sure that the template file `backend_file.j2` is in the 49 | role directory for this to work. 50 | 51 | ## Requirements 52 | 53 | This role requires Archlinux, AmazonLinux, FreeBSD, Debian or a RHEL-based Linux distribution. It 54 | might work with other software versions, but it does work with the specific 55 | software and versions listed below. 
Sorry, there is no planned support at the moment for Windows. 56 | 57 | See the [molecule scenarios](https://github.com/ansible-community/ansible-vault/tree/master/molecule) 58 | for currently tested distributions. 59 | 60 | ## Warning 61 | 62 | By default, this role may restart the `vault` service when played (when there is a 63 | configuration change, or OS packages are installed/updated). 64 | 65 | When your cluster has no auto-unseal configured, the restart may lead to a 66 | situation where all Vault instances will be sealed and your cluster will be 67 | down. 68 | 69 | To avoid this situation, the service restart by the playbook can be disabled 70 | by using the `vault_service_restart` role variable. 71 | 72 | Setting `vault_service_restart` to `false` disables the `vault` 73 | service restart by the playbook. You may then have to restart the service manually 74 | to load any new configuration deployed. 75 | 76 | ## [Role Variables](role_variables.md) 77 | 78 | ## Misc 79 | 80 | ### [Vault Release Scheme](vault_releases.md) 81 | 82 | ## License 83 | 84 | BSD-2-Clause 85 | 86 | ## Author Information 87 | 88 | [Brian Shumate](http://brianshumate.com) 89 | 90 | ## Contributors 91 | 92 | Special thanks to the folks listed in [CONTRIBUTORS.md](https://github.com/brianshumate/ansible-vault/blob/master/CONTRIBUTORS.md) for their 93 | contributions to this project. 94 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | When contributing to this repository, please first discuss the change you wish 4 | to make via issue, email, or any other method with the owners of this repository before making a change. 5 | 6 | Do note that this project has a code of conduct; please be sure to follow it 7 | in all of your project interactions. 8 | 9 | ## Pull Request Process 10 | 11 | 1. 
Ensure any install or build artifacts are removed before the end of 12 | the layer when doing a build 13 | 2. Update the README.md or README_VAGRANT.md with details of changes to the 14 | interface, this includes new environment variables, exposed ports, useful 15 | file locations and container parameters 16 | 3. Increase the version numbers in any examples files and the README.md 17 | to the new version that this Pull Request would represent. The versioning scheme we use is (mostly) [SemVer](http://semver.org/) 18 | 4. You may merge the Pull Request in once you have the sign-off of two other 19 | project contributors, or if you do not have permission to do that, you can 20 | request the second reviewer to merge it for you 21 | 22 | ## Code of Conduct 23 | 24 | ### Our Pledge 25 | 26 | In the interest of fostering an open and welcoming environment, we as 27 | contributors and maintainers pledge to making participation in our project 28 | and our community a harassment-free experience for everyone, regardless of age, 29 | body size, disability, ethnicity, gender identity and expression, level of 30 | experience, nationality, personal appearance, race, religion, or sexual 31 | identity and orientation. 
32 | 33 | ### Our Standards 34 | 35 | Examples of behavior that contributes to creating a positive environment 36 | include: 37 | 38 | * Showing empathy towards other community members 39 | * Using welcoming and inclusive language 40 | * Being respectful of differing viewpoints and experiences 41 | * Gracefully accepting constructive criticism 42 | * Focusing on what is best for the community 43 | 44 | Examples of unacceptable behavior by participants include: 45 | 46 | * Use of sexualized language or imagery and unwelcome sexual attention 47 | or advances 48 | * Insulting/derogatory comments, and personal or political attacks 49 | * Public or private harassment 50 | * Publishing others' private information, such as a physical or electronic 51 | address, without explicit permission 52 | * Other conduct which could reasonably be considered inappropriate in a 53 | professional setting 54 | 55 | ### Our Responsibilities 56 | 57 | Project maintainers are responsible for clarifying the standards of acceptable 58 | behavior and are expected to take appropriate and fair corrective action in 59 | response to any instances of unacceptable behavior. 60 | 61 | Project maintainers have the right and responsibility to remove, edit, or 62 | reject comments, commits, code, wiki edits, issues, and other contributions 63 | that are not aligned to this Code of Conduct, or to ban temporarily or 64 | permanently any contributor for other behaviors that they deem inappropriate, 65 | threatening, offensive, or harmful. 66 | 67 | ### Scope 68 | 69 | This Code of Conduct applies both within project spaces and in public spaces 70 | when an individual is representing the project or its community. Examples of 71 | representing a project or community include using an official project e-mail 72 | address, posting via an official social media account, or acting as an 73 | appointed representative at an online or offline event. 
Representation of a 74 | project may be further defined and clarified by project maintainers. 75 | 76 | ### Enforcement 77 | 78 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 79 | reported by contacting the project leadership: brian brianshumate com. 80 | 81 | All complaints will be reviewed and investigated and will result in a response 82 | that is deemed necessary and appropriate to the circumstances. The project 83 | team is obligated to maintain confidentiality with regard to the reporter of 84 | an incident. Further details of specific enforcement policies may be posted 85 | separately. 86 | 87 | Project maintainers who do not follow or enforce the Code of Conduct in good 88 | faith may face temporary or permanent repercussions as determined by other 89 | members of the project's leadership. 90 | 91 | ### Attribution 92 | 93 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] 94 | 95 | [homepage]: http://contributor-covenant.org 96 | [version]: http://contributor-covenant.org/version/1/4/ 97 | -------------------------------------------------------------------------------- /examples/README_VAGRANT.md: -------------------------------------------------------------------------------- 1 | # Vault with Ansible 2 | 3 | This project provides documentation and a collection of scripts to help you automate deployment of [HashiCorp Vault](https://www.vaultproject.io/) using [Ansible](http://www.ansibleworks.com/) 4 | 5 | These are the instructions for deploying a development or evaluation cluster on Vagrant. 6 | 7 | The documentation and scripts are merely a starting point designed to both help familiarize you with the processes and quickly bootstrap an environment for development or evaluation. You may wish to expand on them and customize them with additional features specific to your needs later. 
8 | 9 | ## Vagrant Development Server 10 | 11 | In some situations deploying a small cluster on your local development machine can be handy. This document describes such a scenario using the following technologies: 12 | 13 | * [Vault](https://vault.io) 14 | * [VirtualBox](https://www.virtualbox.org/) or [Vagrant-libvirt](https://vagrant-libvirt.github.io/vagrant-libvirt) 15 | * [Vagrant](http://www.vagrantup.com/) with Ansible provisioner and 16 | supporting plugin 17 | * [Ansible](http://www.ansibleworks.com/) 18 | 19 | The Vagrant Development Server virtual machine is configured with 2GB RAM, 2 CPU cores, and dual network interfaces. The primary interface uses NAT and has connection via the host to the outside world. The secondary interface is a private network and is used for Vault intra-cluster communication in addition to access from the host machine. 20 | 21 | The Vagrant configuration file, `Vagrantfile` is responsible for configuring the virtual machine and a baseline OS installation. 22 | 23 | The Ansible playbooks then further refine OS configuration, perform Vault software download and installation, and the configuration of a Vault service that is then started. 24 | 25 | The result is a single Vault server using the [Filesystem Storage Backend](https://www.vaultproject.io/docs/configuration/storage/filesystem.html) that is ready to be initialized and unsealed from either the host system or within the virtual machine itself. 26 | 27 | ## Designed for Ansible Galaxy 28 | 29 | This role is designed to be installed via the `ansible-galaxy` command instead of being directly run from the git repository. 30 | 31 | You should install it like this: 32 | 33 | ``` 34 | $ ansible-galaxy role install -r roles/requirements.yml -p roles 35 | ``` 36 | 37 | ## Quick Start 38 | 39 | Begin from the top level directory of this project and use the following 40 | steps to get up and running: 41 | 42 | 1. 
Install the following prerequisites: 43 | - [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [Vagrant-libvirt](https://vagrant-libvirt.github.io/vagrant-libvirt/#installation) 44 | - [Vagrant](http://downloads.vagrantup.com/) 45 | - [vagrant-hosts plugin](https://docs.ansible.com/projects/ansible/latest/installation_guide/index.html). 46 | 2. Edit `/etc/hosts` or use the included `bin/preinstall` script to add 47 | the following entries to your development system's `/etc/hosts` file: 48 | - `10.1.42.240 vault1.local vault1` 49 | 3. `export VAGRANT_DEFAULT_PROVIDER=libvirt` to use libvirt instead of VirtualBox 50 | 4. `vagrant up` 51 | 5. You can use Vault directly from the host system with the `VAULT_ADDR` environment variable as shown in this example: 52 | ``` 53 | VAULT_ADDR=http://10.1.42.240:8200 vault operator init 54 | ``` 55 | 56 | You can also `vagrant ssh` into the VM and export `VAULT_ADDR=http://localhost:8200` to use Vault. 57 | 58 | > NOTE: By default, this project will install a Debian-based Vault server. If you prefer, it can also install a server based on a different Vagrant box by changing the command in step 4 to include the `BOX_NAME` environment variable specifying a different Vagrant box name as the value, as in the following example: 59 | 60 | ``` 61 | BOX_NAME="debian/bullseye64" vagrant up 62 | ``` 63 | 64 | ## Vault Enterprise 65 | 66 | The role can install Vault Enterprise based server instances. 67 | 68 | Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set `vault_enterprise: true` or use the `VAULT_ENTERPRISE="true"` environment variable. 69 | 70 | ## Notes 71 | 72 | If you notice an error like *vm: The '' provisioner could not be found.*, make sure that you have the vagrant-hosts plugin installed. 73 | 74 | ## Resources 75 | 76 | 1. https://www.vaultproject.io/ 77 | 2. https://www.vaultproject.io/docs/ 78 | 3. https://learn.hashicorp.com/vault/ 79 | 4. 
https://www.vaultproject.io/intro/getting-started/deploy.html 80 | 5. https://www.vaultproject.io/docs/index.html 81 | 6. http://www.ansible.com/ 82 | 7. http://www.vagrantup.com/ 83 | 8. https://www.virtualbox.org/ 84 | 9. https://github.com/adrienthebo/vagrant-hosts 85 | 10. https://vagrant-libvirt.github.io/vagrant-libvirt 86 | -------------------------------------------------------------------------------- /vault_releases.md: -------------------------------------------------------------------------------- 1 | # Vault Releases 2 | 3 | From the [official release channels](https://www.hashicorp.com/official-release-channels), 4 | this role supports [Linux Repositories](https://www.hashicorp.com/official-packaging-guide) 5 | and the [Release Site](https://releases.hashicorp.com). 6 | 7 | The enterprise edition comes with optional support for 8 | [HSM](https://developer.hashicorp.com/vault/docs/enterprise/hsm) 9 | and/or [FIPS](https://developer.hashicorp.com/vault/docs/enterprise/fips). 
10 | 11 | ## Release Site 12 | 13 | The file format of the release site is as follows: 14 | ``` 15 | https://releases.hashicorp.com/vault/1.18.2/vault_1.18.2_linux_amd64.zip 16 | https://releases.hashicorp.com/vault/1.18.2+ent/vault_1.18.2+ent_linux_amd64.zip 17 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm/vault_1.18.2+ent.hsm_linux_amd64.zip 18 | https://releases.hashicorp.com/vault/1.18.1+ent.hsm.fips1402/vault_1.18.1+ent.hsm.fips1402_linux_amd64.zip 19 | ``` 20 | 21 | The checksum files follow the same naming scheme: 22 | ``` 23 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS 24 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS.sig 25 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS.72D7468F.sig 26 | ``` 27 | 28 | We see that the directory and filename of the enterprise edition 29 | contains `+ent`, and HSM and FIPS are separated with `.hsm` and 30 | `.fips1402`, respectively. 
31 | 32 | ## Linux Repositories 33 | 34 | ### Debian 35 | 36 | ``` 37 | $ apt-cache show $(apt-cache search vault | awk '{print $1}') | grep -E 'Package|Maintainer' | grep HashiCorp -B1 | grep Package | sort -u 38 | Package: consul-template 39 | Package: envconsul 40 | Package: vault 41 | Package: vault-benchmark 42 | Package: vault-enterprise 43 | Package: vault-enterprise-fips1402 44 | Package: vault-enterprise-hsm 45 | Package: vault-enterprise-hsm-fips1402 46 | Package: vault-radar 47 | Package: vault-secrets-gateway 48 | ``` 49 | 50 | ``` 51 | $ apt-cache madison vault-enterprise 52 | vault-enterprise | 1.18.2+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 53 | vault-enterprise | 1.18.1+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 54 | vault-enterprise | 1.18.0+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 55 | vault-enterprise | 1.17.9+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 56 | ... 57 | ``` 58 | 59 | To install a specific version of a package, the version is added to the package name with a `=`, e.g.: 60 | ``` 61 | $ apt-get install vault-enterprise=1.18.2+ent-1 62 | ``` 63 | The trailing `-1` is mandatory. 
64 | 65 | ### RPM 66 | 67 | The format of the package name and version for RPM is: 68 | ``` 69 | $ dnf list available | grep hashicorp | grep vault 70 | vault.x86_64 1.18.2-1 hashicorp 71 | vault-benchmark.x86_64 0.3.0-1 hashicorp 72 | vault-enterprise.i386 1.9.4+ent-1 hashicorp 73 | vault-enterprise.armv7hl 1.11.2+ent-1 hashicorp 74 | vault-enterprise.x86_64 1.18.2+ent-1 hashicorp 75 | vault-enterprise-fips1402.x86_64 1.18.2+ent-1 hashicorp 76 | vault-enterprise-hsm.x86_64 1.18.2+ent-1 hashicorp 77 | vault-enterprise-hsm-fips1402.x86_64 1.18.2+ent-1 hashicorp 78 | vault-radar.x86_64 0.19.0-1 hashicorp 79 | vault-secrets-gateway.x86_64 0.1.5-1 hashicorp 80 | ``` 81 | 82 | To install a specific version of a package, the version is added to the package name with a `-`, e.g.: 83 | ``` 84 | $ dnf install vault-enterprise-1.18.2+ent 85 | ``` 86 | Notice that, different to the Debian package, the trailing `-1` is not required. 87 | -------------------------------------------------------------------------------- /tasks/plugins/acme.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Looking up latest version of acme plugin 3 | ansible.builtin.set_fact: 4 | vault_plugin_acme_version: "{{ (lookup('url', 'https://api.github.com/repos/remilapeyre/vault-acme/releases', split_lines=false) | 5 | from_json)[0].get('tag_name') | replace('v', '') }}" 6 | when: 'vault_plugin_acme_version == "latest"' 7 | 8 | - name: Vault acme plugin installation 9 | block: 10 | - name: Fetch acme vault plugin 11 | delegate_to: "{{ (vault_plugin_acme_install == 'local') | ternary('localhost', inventory_hostname) }}" 12 | block: 13 | - name: Create temporary directory for acme vault plugin 14 | ansible.builtin.file: 15 | path: "{{ (vault_plugin_acme_install == 'local') | ternary(vault_plugins_src_dir_local, vault_plugins_src_dir_remote) }}/acme" 16 | state: directory 17 | mode: "0755" 18 | owner: "{{ (vault_plugin_acme_install == 'local') | 
ternary(omit, vault_user) }}" 19 | group: "{{ (vault_plugin_acme_install == 'local') | ternary(omit, vault_group) }}" 20 | register: __vault_plugin_acme_zip_dir 21 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 22 | 23 | - name: Download acme vault plugin 24 | ansible.builtin.get_url: 25 | url: "{{ vault_plugin_acme_release_url }}/{{ vault_plugin_acme_zip }}" 26 | dest: "{{ __vault_plugin_acme_zip_dir.path }}" 27 | checksum: "sha256:{{ vault_plugin_acme_zip_sha256sum }}" 28 | mode: "0644" 29 | register: __vault_plugin_acme_zip_file 30 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 31 | 32 | - name: Extract acme vault plugin 33 | ansible.builtin.unarchive: 34 | remote_src: "{{ (vault_plugin_acme_install == 'remote') }}" 35 | src: "{{ __vault_plugin_acme_zip_file.dest }}" 36 | dest: "{{ __vault_plugin_acme_zip_dir.path }}" 37 | mode: "0644" 38 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 39 | 40 | - name: Install acme vault plugin 41 | ansible.builtin.copy: 42 | remote_src: "{{ (vault_plugin_acme_install == 'remote') }}" 43 | src: "{{ __vault_plugin_acme_zip_dir.path }}/{{ item.src }}" 44 | dest: "{{ item.dest }}" 45 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 46 | owner: "{{ vault_user }}" 47 | group: "{{ vault_group }}" 48 | when: (item.when | default(true)) 49 | loop: 50 | - src: "acme-plugin" 51 | dest: "{{ vault_plugin_path }}/acme" 52 | - src: "sidecar" 53 | dest: "/usr/local/bin/vault-acme-sidecar" 54 | when: "{{ vault_plugin_acme_sidecar_install }}" 55 | 56 | always: 57 | - name: "Clean up src directory" 58 | ansible.builtin.file: 59 | path: "{{ __vault_plugin_acme_zip_dir.path }}" 60 | state: absent 61 | delegate_to: "{{ (vault_plugin_acme_install == 'local') | ternary('localhost', inventory_hostname) }}" 62 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 63 | when: (vault_plugins_src_dir_cleanup) 64 | 65 | - name: "Check vault authentication" 66 | ansible.builtin.command: 67 | cmd: vault 
token lookup 68 | changed_when: false 69 | failed_when: false 70 | register: __vault_token_lookup 71 | no_log: true 72 | 73 | - name: Enable acme plugin 74 | when: 75 | - (check_result.status == 200) 76 | - (__vault_token_lookup.rc == 0) 77 | block: 78 | - name: "Look up registered acme plugin sha256" 79 | ansible.builtin.command: 80 | cmd: vault plugin info -field=sha256 secret acme 81 | changed_when: false 82 | failed_when: false 83 | register: __vault_plugin_acme_registered_sha256 84 | 85 | - name: "Get acme plugin sha256sum" 86 | ansible.builtin.stat: 87 | path: "{{ vault_plugin_path }}/acme" 88 | checksum_algorithm: sha256 89 | register: __vault_plugin_acme_sha256sum 90 | 91 | - name: "Register acme plugin in vault catalog" 92 | ansible.builtin.command: 93 | cmd: "vault write sys/plugins/catalog/secret/acme 94 | sha_256={{ __vault_plugin_acme_sha256sum.stat.checksum }} 95 | version={{ vault_plugin_acme_version }} command=acme" 96 | become: true 97 | become_user: "{{ vault_user }}" 98 | register: __vault_write_acme 99 | changed_when: __vault_write_acme.stdout is search('Success!') 100 | when: __vault_plugin_acme_registered_sha256.stdout != __vault_plugin_acme_sha256sum.stat.checksum 101 | 102 | - name: "Enable acme plugin" 103 | ansible.builtin.command: 104 | cmd: vault secrets enable -path acme -plugin-name acme plugin 105 | register: __vault_plugin_acme_enable 106 | changed_when: __vault_plugin_acme_enable.stdout is search('Enabled the acme secrets engine') 107 | failed_when: __vault_plugin_acme_enable.stdout is search('plugin not found in the catalog') 108 | -------------------------------------------------------------------------------- /tasks/install_hashi_repo.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/install_hashi_repo.yml 3 | # Install Vault via HashiCorp Linux repository 4 | 5 | - name: Add Vault/Hashicorp rpm repo 6 | ansible.builtin.yum_repository: 7 | name: hashicorp 8 | 
description: Hashicorp Stable - $basearch 9 | baseurl: "{{ vault_repository_url }}" 10 | gpgkey: "{{ vault_repository_key_url }}" 11 | gpgcheck: true 12 | enabled: true 13 | become: true 14 | when: 15 | - ansible_pkg_mgr in ['yum', 'dnf'] 16 | - vault_rhsm_repo_id is falsy 17 | 18 | - name: Make sure apt keyring directory exists 19 | ansible.builtin.file: 20 | path: /etc/apt/keyrings 21 | state: directory 22 | mode: '0755' 23 | become: true 24 | when: ansible_pkg_mgr == 'apt' 25 | 26 | - name: Add Vault/Hashicorp apt key 27 | ansible.builtin.get_url: 28 | url: "{{ vault_repository_key_url }}" 29 | dest: /etc/apt/keyrings/hashicorp-archive-keyring.asc 30 | mode: '0644' 31 | become: true 32 | when: ansible_pkg_mgr == 'apt' 33 | 34 | - name: Add Vault/Hashicorp apt repo 35 | ansible.builtin.apt_repository: 36 | repo: "deb [signed-by=/etc/apt/keyrings/hashicorp-archive-keyring.asc] {{ vault_repository_url }} {{ ansible_distribution_release }} main" 37 | state: present 38 | become: true 39 | when: ansible_pkg_mgr == 'apt' 40 | 41 | - name: Attach RHSM subscription / repo 42 | when: vault_rhsm_repo_id is truthy 43 | become: true 44 | block: 45 | - name: Check if Hashicorp/Vault RHSM repo subscription is enabled 46 | ansible.builtin.command: 47 | cmd: "subscription-manager list --consumed --matches={{ vault_rhsm_subscription_name | quote }} --pool-only" 48 | register: _subscription_manager_consumed 49 | changed_when: false 50 | when: vault_rhsm_subscription_name is truthy 51 | 52 | - name: Find Hashicorp/Vault RHSM repo subscription pool id 53 | ansible.builtin.command: 54 | cmd: "subscription-manager list --available --matches={{ vault_rhsm_subscription_name | quote }} --pool-only" 55 | register: _subscription_manager_available 56 | changed_when: false 57 | when: 58 | - vault_rhsm_subscription_name is truthy 59 | - _subscription_manager_consumed.stdout | length <= 0 60 | 61 | - name: Attach Hashicorp/Vault RHSM subscription 62 | ansible.builtin.command: 63 | cmd: 
"subscription-manager attach --pool={{ _subscription_manager_available.stdout }}" 64 | register: _subscription_manager_attach 65 | changed_when: _subscription_manager_attach.stdout is search('Successfully attached a subscription') 66 | failed_when: _subscription_manager_attach.stdout is search('could not be found') 67 | when: 68 | - vault_rhsm_subscription_name is truthy 69 | - _subscription_manager_consumed.stdout | default() | length <= 0 70 | - _subscription_manager_available.stdout | default() | length > 0 71 | 72 | - name: Enable RHSM repository 73 | community.general.rhsm_repository: 74 | name: "{{ vault_rhsm_repo_id }}" 75 | state: enabled 76 | 77 | - name: Ensure Enterprise package is not present when OSS is desired and vice versa 78 | ansible.builtin.package: 79 | name: "{{ 'vault' ~ ('-enterprise' if not (vault_enterprise | bool) else '') }}" 80 | state: absent 81 | become: true 82 | 83 | - name: "Install Vault package {{ _vault_repo_pkg }}" 84 | ansible.builtin.package: 85 | name: "{{ _vault_repo_pkg }}" 86 | state: present 87 | become: true 88 | vars: 89 | _vault_repo_pkg: "{% if (ansible_pkg_mgr in ['yum', 'dnf']) %}\ 90 | vault{{ '-enterprise' if vault_enterprise }}-{{ vault_version }}{{ vault_version_repo_suffix }}\ 91 | {% elif (ansible_pkg_mgr == 'apt') %}\ 92 | vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}{{ vault_version_debian_repo_suffix }}\ 93 | {% else %}\ 94 | vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}\ 95 | {% endif %}" 96 | notify: Restart vault 97 | 98 | - name: Mask default Vault config from package 99 | become: true 100 | ansible.builtin.copy: 101 | owner: root 102 | group: root 103 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 104 | dest: /etc/vault.d/vault.hcl 105 | content: | 106 | # Placeholder to mask default RPM/DPKG Vault config file. 
107 | # 108 | # Package-installed config would interfere with Ansible-managed config files 109 | # in this directory. Keeping an empty placeholder prevents package updates 110 | # from re-installing the default config. 111 | when: ansible_pkg_mgr in ['yum', 'dnf', 'apt'] 112 | 113 | - name: Harden binary perms 114 | become: true 115 | ansible.builtin.file: 116 | path: "{{ vault_bin_path }}/vault" 117 | mode: "0755" # Package default is 0775 118 | owner: root # Package default 119 | group: root # Package default 120 | when: vault_harden_file_perms 121 | 122 | - name: Delete vault.env 123 | become: true 124 | ansible.builtin.file: 125 | state: absent 126 | path: /etc/vault.d/vault.env 127 | when: vault_harden_file_perms 128 | 129 | - name: Harden perms of default cert/key 130 | ansible.builtin.file: 131 | path: "/opt/vault/tls/{{ item }}" 132 | mode: "0400" 133 | with_items: 134 | - tls.crt 135 | - tls.key 136 | when: 137 | - vault_harden_file_perms 138 | - not vault_tls_disable 139 | - not vault_tls_copy_keys 140 | 141 | - name: Delete default cert/key 142 | become: true 143 | ansible.builtin.file: 144 | state: absent 145 | path: "/opt/vault/tls/{{ item }}" 146 | with_items: 147 | - tls.crt 148 | - tls.key 149 | when: vault_tls_disable or vault_tls_copy_keys 150 | -------------------------------------------------------------------------------- /templates/vault_main_configuration.hcl.j2: -------------------------------------------------------------------------------- 1 | # {{ ansible_managed }} 2 | 3 | cluster_name = "{{ vault_cluster_name }}" 4 | max_lease_ttl = "{{ vault_max_lease_ttl }}" 5 | default_lease_ttl = "{{ vault_default_lease_ttl }}" 6 | 7 | disable_clustering = "{{ vault_cluster_disable }}" 8 | cluster_addr = "{{ vault_cluster_addr }}" 9 | api_addr = "{{ vault_api_addr }}" 10 | 11 | plugin_directory = "{{ vault_plugin_path }}" 12 | 13 | {% for l in vault_tcp_listeners %} 14 | listener "tcp" { 15 | address = "{{ l.vault_address }}:{{ l.vault_port }}" 16 | 
cluster_address = "{{ l.vault_cluster_address }}" 17 | {% if (l.vault_proxy_protocol_behavior is defined and l.vault_proxy_protocol_behavior) -%} 18 | proxy_protocol_behavior = "{{ l.vault_proxy_protocol_behavior }}" 19 | {% if (l.vault_proxy_protocol_authorized_addrs is defined) -%} 20 | proxy_protocol_authorized_addrs = "{{ l.vault_proxy_protocol_authorized_addrs }}" 21 | {% endif -%} 22 | {% endif -%} 23 | {% if not (l.vault_tls_disable | bool) -%} 24 | {% if (l.vault_tls_client_ca_file is defined) -%} 25 | tls_client_ca_file="{{ l.vault_tls_certs_path }}/{{ l.vault_tls_client_ca_file }}" 26 | {% endif -%} 27 | tls_cert_file = "{{ l.vault_tls_certs_path }}/{{ l.vault_tls_cert_file }}" 28 | tls_key_file = "{{ l.vault_tls_private_path }}/{{ l.vault_tls_key_file }}" 29 | tls_min_version = "{{ l.vault_tls_min_version }}" 30 | {% if vault_tls_cipher_suites is defined and vault_tls_cipher_suites -%} 31 | tls_cipher_suites = "{{ l.vault_tls_cipher_suites}}" 32 | {% endif -%} 33 | {% if (l.vault_tls_require_and_verify_client_cert | bool) -%} 34 | tls_require_and_verify_client_cert = "{{ l.vault_tls_require_and_verify_client_cert | bool | lower}}" 35 | {% endif -%} 36 | {% if (l.vault_tls_disable_client_certs | bool) -%} 37 | tls_disable_client_certs = "{{ l.vault_tls_disable_client_certs | bool | lower}}" 38 | {% endif -%} 39 | {% endif -%} 40 | tls_disable = "{{ l.vault_tls_disable | bool | lower }}" 41 | {% if (l.vault_x_forwarded_for_authorized_addrs is defined and l.vault_x_forwarded_for_authorized_addrs) -%} 42 | x_forwarded_for_authorized_addrs = "{{ l.vault_x_forwarded_for_authorized_addrs }}" 43 | {% if (l.vault_x_forwarded_for_hop_skips is defined) -%} 44 | x_forwarded_for_hop_skips = "{{ l.vault_x_forwarded_for_hop_skips }}" 45 | {% endif -%} 46 | {% if (l.vault_x_forwarded_for_reject_not_authorized is defined) -%} 47 | x_forwarded_for_reject_not_authorized = "{{ l.vault_x_forwarded_for_reject_not_authorized | bool | lower }}" 48 | {% endif -%} 49 | {% if 
(l.vault_x_forwarded_for_reject_not_present is defined) -%} 50 | x_forwarded_for_reject_not_present = "{{ l.vault_x_forwarded_for_reject_not_present | bool | lower }}" 51 | {% endif -%} 52 | {% endif -%} 53 | {% if (vault_unauthenticated_metrics_access | bool) -%} 54 | telemetry { 55 | unauthenticated_metrics_access = "true" 56 | } 57 | {% endif %} 58 | } 59 | {% endfor %} 60 | 61 | {% if (vault_listener_localhost_enable | bool) -%} 62 | listener "tcp" { 63 | address = "127.0.0.1:{{ vault_port }}" 64 | cluster_address = "127.0.0.1:8201" 65 | tls_disable = "true" 66 | } 67 | {% endif -%} 68 | 69 | {# 70 | Select which storage backend you want generated and placed 71 | in the vault configuration file. 72 | #} 73 | {% if vault_backend == 'consul' -%} 74 | {% include vault_backend_consul with context -%} 75 | {% elif vault_backend == 'etcd' -%} 76 | {% include vault_backend_etcd with context -%} 77 | {% elif vault_backend == 'file' -%} 78 | {% include vault_backend_file with context -%} 79 | {% elif vault_backend == 's3' -%} 80 | {% include vault_backend_s3 with context -%} 81 | {% elif vault_backend == 'dynamodb' -%} 82 | {% include vault_backend_dynamodb with context -%} 83 | {% elif vault_backend == 'mysql' -%} 84 | {% include vault_backend_mysql with context -%} 85 | {% elif vault_backend == 'gcs' -%} 86 | {% include vault_backend_gcs with context -%} 87 | {% elif vault_backend == 'raft' -%} 88 | {% include vault_backend_raft with context -%} 89 | {% endif %} 90 | 91 | {% if vault_service_registration_consul_enable -%} 92 | {% include vault_service_registration_consul_template with context -%} 93 | {% endif %} 94 | {% if vault_service_registration_kubernetes_enable -%} 95 | {% include vault_service_registration_kubernetes_template with context -%} 96 | {% endif %} 97 | 98 | {% if vault_ui -%} 99 | ui = {{ vault_ui | bool | lower }} 100 | {% endif %} 101 | 102 | {% if vault_entropy_seal | bool -%} 103 | {% include 'vault_entropy_seal.j2' with context %} 104 | {% 
endif %} 105 | 106 | {% if vault_enterprise_hsm | bool -%} 107 | {% include vault_backend_seal with context %} 108 | {% endif %} 109 | 110 | {% if vault_gkms | bool -%} 111 | {% include vault_backend_gkms with context %} 112 | {% endif %} 113 | 114 | {% if vault_ocikms | bool -%} 115 | {% include vault_ocikms_backend with context %} 116 | {% endif %} 117 | 118 | {% if vault_telemetry_enabled | bool -%} 119 | telemetry { 120 | {% if vault_statsite_address is defined %} 121 | statsite_address = "{{vault_statsite_address}}" 122 | {% endif -%} 123 | {% if vault_statsd_address is defined %} 124 | statsd_address = "{{vault_statsd_address}}" 125 | {% endif -%} 126 | {% if vault_prometheus_retention_time is defined %} 127 | prometheus_retention_time = "{{ vault_prometheus_retention_time }}" 128 | {% endif -%} 129 | {% if vault_telemetry_disable_hostname is defined %} 130 | disable_hostname = {{vault_telemetry_disable_hostname | bool | lower }} 131 | {% endif -%} 132 | {% if vault_telemetry_usage_gauge_period is defined %} 133 | usage_gauge_period = "{{ vault_telemetry_usage_gauge_period }}" 134 | {% endif -%} 135 | } 136 | {% endif -%} 137 | 138 | {% if vault_configure_enterprise_license | bool -%} 139 | license_path = "{{ vault_license_path }}" 140 | {% endif -%} 141 | 142 | {% if vault_custom_configuration is defined -%} 143 | {{ vault_custom_configuration }} 144 | {% endif -%} 145 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Include asserts 3 | ansible.builtin.include_tasks: asserts.yml 4 | 5 | - name: Include OS-specific variables 6 | ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" 7 | vars: 8 | params: 9 | files: 10 | - "{{ ansible_os_family }}{{ ansible_distribution_major_version }}.yml" 11 | - "{{ ansible_os_family }}.yml" 12 | paths: 13 | - vars 14 | 15 | - name: Run preinstall tasks 16 | 
ansible.builtin.include_tasks: preinstall.yml 17 | tags: preinstall 18 | 19 | - name: Check Vault installation 20 | ansible.builtin.shell: 21 | cmd: command -v vault # noqa command-instead-of-shell # command is a shell builtin 22 | environment: 23 | PATH: "{{ vault_bin_path }}:{{ ansible_env.PATH }}" 24 | register: vault_installation 25 | changed_when: false 26 | ignore_errors: true 27 | check_mode: false 28 | 29 | - name: Get installed Vault version 30 | ansible.builtin.shell: 31 | cmd: | 32 | set -o pipefail 33 | {{ vault_installation.stdout }} -version | cut -d' ' -f2 | tr -d 'v' 34 | args: 35 | executable: /bin/bash 36 | when: not vault_installation is failed 37 | changed_when: false 38 | check_mode: false 39 | register: installed_vault_version 40 | 41 | - name: Compute if installation is required 42 | ansible.builtin.set_fact: 43 | installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version~('+ent' if vault_enterprise) }}" 44 | 45 | - name: Install OS packages and Vault via control host 46 | ansible.builtin.include_tasks: install.yml 47 | when: 48 | - not vault_install_remotely | bool 49 | - not vault_install_hashi_repo | bool 50 | - installation_required | bool 51 | 52 | - name: Install Vault via HashiCorp repository 53 | ansible.builtin.include_tasks: install_hashi_repo.yml 54 | when: 55 | - not vault_install_remotely | bool 56 | - vault_install_hashi_repo | bool 57 | - installation_required | bool 58 | 59 | - name: Install OS packages and Vault via remote hosts 60 | ansible.builtin.include_tasks: install_remote.yml 61 | when: 62 | - not vault_enterprise | bool 63 | - vault_install_remotely | bool 64 | - not vault_install_hashi_repo | bool 65 | - installation_required | bool 66 | 67 | - name: Check Vault mlock capability 68 | become: true 69 | ansible.builtin.command: 70 | cmd: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault" 71 | changed_when: false # reported as unchanged, although setcap +ep does set file capabilities on the binary 72 | ignore_errors: true 73 | register: 
vault_mlock_capability 74 | 75 | - name: Enable non root mlock capability 76 | become: true 77 | ansible.builtin.command: 78 | cmd: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault" 79 | register: output 80 | changed_when: output.rc != 0 81 | when: vault_mlock_capability is failed 82 | 83 | - name: Create directories 84 | become: true 85 | ansible.builtin.file: 86 | path: "{{ item.path }}" 87 | state: directory 88 | owner: "{{ vault_user }}" 89 | group: "{{ vault_group }}" 90 | mode: "{{ item.mode }}" 91 | with_items: 92 | - path: "{{ vault_config_path }}" 93 | mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}" 94 | - path: "{{ vault_plugin_path }}" 95 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 96 | - path: "{{ vault_data_path }}" 97 | mode: "0750" 98 | - path: "{{ vault_log_path }}" 99 | mode: "0750" 100 | - path: "{{ vault_run_path }}" 101 | mode: "0750" 102 | 103 | - name: Enable logrotate for vault 104 | become: true 105 | ansible.builtin.template: 106 | src: "{{ vault_logrotate_template }}" 107 | dest: /etc/logrotate.d/vault 108 | owner: root 109 | group: root 110 | mode: "0644" 111 | when: vault_enable_logrotate | bool 112 | 113 | - name: TLS configuration 114 | ansible.builtin.include_tasks: tls.yml 115 | when: not vault_tls_disable | bool 116 | 117 | - name: Backend storage TLS configuration 118 | ansible.builtin.include_tasks: backend_tls.yml 119 | when: vault_tls_gossip | bool 120 | 121 | - name: "Get content of GCP Credentials from file" 122 | ansible.builtin.set_fact: 123 | vault_gkms_credentials_content: "{{ lookup('file', vault_gkms_credentials_src_file) }}" 124 | when: 125 | - vault_gkms | bool 126 | - vault_gkms_credentials_src_file | length > 0 127 | 128 | - name: "Copy over GCP Credentials for Auto Unseal" # noqa template-instead-of-copy # https://github.com/ansible/ansible-lint/issues/2501 129 | ansible.builtin.copy: 130 | content: "{{ vault_gkms_credentials_content }}" 131 | dest: "{{ vault_gkms_credentials 
}}" 132 | owner: "{{ vault_user }}" 133 | group: "{{ vault_group }}" 134 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 135 | when: 136 | - vault_gkms | bool 137 | - vault_gkms_credentials_content | length > 0 or 138 | vault_gkms_copy_sa | bool 139 | 140 | - name: "Copy GCP Credentials for gcs backend" 141 | ansible.builtin.copy: 142 | src: "{{ vault_gcs_credentials_src_file }}" 143 | dest: "{{ vault_gcs_credentials_dst_file }}" 144 | owner: "{{ vault_user }}" 145 | group: "{{ vault_group }}" 146 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 147 | when: 148 | - vault_backend == "gcs" 149 | - vault_gcs_copy_sa | bool 150 | 151 | - name: Vault main configuration 152 | become: true 153 | ansible.builtin.template: 154 | src: "{{ vault_main_configuration_template }}" 155 | dest: "{{ vault_main_config }}" 156 | owner: "{{ vault_user }}" 157 | group: "{{ vault_group }}" 158 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 159 | backup: "{{ vault_backup_config | default('false') | bool | lower }}" 160 | notify: 161 | - Restart vault 162 | - Reload vault 163 | 164 | - name: Vault transit seal configuration 165 | become: true 166 | ansible.builtin.template: 167 | src: "{{ vault_transit_backend }}" 168 | dest: "{{ vault_transit_config }}" 169 | owner: "{{ vault_user }}" 170 | group: "{{ vault_group }}" 171 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 172 | backup: "{{ vault_backup_config | default('false') | bool | lower }}" 173 | when: vault_transit | bool 174 | notify: Restart vault 175 | 176 | - name: Vault awskms seal configuration 177 | become: true 178 | ansible.builtin.template: 179 | src: "{{ vault_awskms_backend }}" 180 | dest: "{{ vault_awskms_config }}" 181 | owner: "{{ vault_user }}" 182 | group: "{{ vault_group }}" 183 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 184 | backup: "{{ vault_backup_config | default('false') | bool | lower }}" 185 | when: vault_awskms | 
bool 186 | notify: Restart vault 187 | 188 | - name: Vault azurekeyvault seal configuration 189 | become: true 190 | ansible.builtin.template: 191 | src: "{{ vault_azurekeyvault_backend }}" 192 | dest: "{{ vault_azurekeyvault_config }}" 193 | owner: "{{ vault_user }}" 194 | group: "{{ vault_group }}" 195 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 196 | backup: "{{ vault_backup_config | default('false') | bool | lower }}" 197 | when: vault_azurekeyvault | bool 198 | notify: Restart vault 199 | 200 | - name: Upload Vault license file to vault_license_path 201 | become: true 202 | ansible.builtin.copy: 203 | src: "{{ vault_license_file }}" 204 | dest: "{{ vault_license_path }}" 205 | owner: "{{ vault_user }}" 206 | group: "{{ vault_group }}" 207 | mode: "{{ vault_harden_file_perms | ternary('0400', '0644') }}" 208 | when: 209 | - vault_configure_enterprise_license | bool 210 | - vault_license_file | length > 0 211 | 212 | - name: Upload Vault license content to vault_license_path 213 | become: true 214 | copy: 215 | content: "{{ vault_license_content }}" 216 | dest: "{{ vault_license_path }}" 217 | owner: "{{ vault_user }}" 218 | group: "{{ vault_group }}" 219 | mode: "{{ vault_harden_file_perms | ternary('0400', '0644') }}" 220 | when: 221 | - vault_configure_enterprise_license | bool 222 | - vault_license_content | length > 0 223 | 224 | - name: "Set Exec output to log path when enabled log" 225 | ansible.builtin.set_fact: 226 | vault_exec_output: ">> {{ vault_log_path }}/vault.log 2>&1" 227 | when: vault_enable_log 228 | 229 | - name: BSD init script 230 | ansible.builtin.template: 231 | src: "{{ vault_bsdinit_template }}" 232 | dest: /etc/rc.d/vault 233 | owner: root 234 | group: wheel 235 | mode: "0755" 236 | when: ansible_os_family == "FreeBSD" 237 | 238 | - name: SYSV init script 239 | ansible.builtin.template: 240 | src: "{{ vault_sysvinit_template }}" 241 | dest: /etc/init.d/vault 242 | owner: root 243 | group: root 244 | mode: "0755" 
245 | when: 246 | - not ansible_service_mgr == "systemd" 247 | - not ansible_os_family == "Debian" 248 | - not ansible_os_family == "FreeBSD" 249 | - not ansible_os_family == "Solaris" 250 | 251 | - name: Debian init script 252 | ansible.builtin.template: 253 | src: "{{ vault_debian_init_template }}" 254 | dest: /etc/init.d/vault 255 | owner: root 256 | group: root 257 | mode: "0755" 258 | when: 259 | - not ansible_service_mgr == "systemd" 260 | - ansible_os_family == "Debian" 261 | - not ansible_os_family == "FreeBSD" 262 | - not ansible_os_family == "Solaris" 263 | 264 | - name: Extract systemd version 265 | ansible.builtin.shell: 266 | cmd: | 267 | set -o pipefail 268 | systemctl --version systemd | head -n 1 | cut -d' ' -f2 269 | args: 270 | executable: /bin/bash 271 | changed_when: false 272 | check_mode: false 273 | register: systemd_version 274 | when: 275 | - ansible_service_mgr == "systemd" 276 | - not ansible_os_family == "FreeBSD" 277 | - not ansible_os_family == "Solaris" 278 | tags: skip_ansible_lint 279 | 280 | - name: Systemd unit 281 | become: true 282 | ansible.builtin.template: 283 | src: "{{ vault_systemd_template }}" 284 | dest: "{{ vault_systemd_unit_path }}/{{ vault_systemd_service_name }}.service" 285 | force: true 286 | owner: root 287 | group: root 288 | mode: "0644" 289 | register: systemd_unit 290 | when: 291 | - ansible_service_mgr == "systemd" 292 | - not ansible_os_family == "FreeBSD" 293 | - not ansible_os_family == "Solaris" 294 | - systemd_version is defined 295 | 296 | - name: Reload systemd 297 | become: true 298 | ansible.builtin.systemd: 299 | daemon_reload: true 300 | notify: Restart Vault 301 | when: 302 | - ansible_service_mgr == "systemd" 303 | - not ansible_os_family == "FreeBSD" 304 | - not ansible_os_family == "Solaris" 305 | - systemd_version is defined 306 | - systemd_unit is changed 307 | 308 | - name: Start Vault 309 | become: true 310 | ansible.builtin.service: 311 | name: '{{ vault_systemd_service_name }}' 312 | 
state: started 313 | enabled: true 314 | register: start_vault 315 | 316 | - name: Pause to let Vault startup correctly 317 | ansible.builtin.pause: 318 | seconds: "{{ vault_start_pause_seconds }}" 319 | when: 320 | - start_vault is changed # noqa no-handler 321 | - vault_start_pause_seconds | int > 0 322 | 323 | - name: Restart Vault if needed 324 | ansible.builtin.meta: flush_handlers 325 | 326 | - name: Compute TLS friendly vault_addr 327 | ansible.builtin.set_fact: 328 | vault_addr: "{{ (vault_address == '0.0.0.0') | ternary('127.0.0.1', vault_address) }}" 329 | 330 | - name: Insert http(s) export in dotfile 331 | become: true 332 | ansible.builtin.lineinfile: 333 | path: "{{ vault_home }}/{{ vault_dotfile }}" 334 | regexp: "^export VAULT_ADDR=" 335 | line: "export VAULT_ADDR='{{ vault_tls_disable | ternary('http', 'https') }}://{{ vault_addr }}:{{ vault_port }}'" 336 | owner: "{{ vault_user }}" 337 | group: "{{ vault_group }}" 338 | create: true 339 | mode: "0600" 340 | when: 341 | - not vault_dotfile_disable 342 | - ansible_os_family != 'Windows' 343 | 344 | - name: Insert CA cert export in dotfile 345 | become: true 346 | ansible.builtin.lineinfile: 347 | path: "{{ vault_home }}/{{ vault_dotfile }}" 348 | regexp: "^export VAULT_CACERT=" 349 | line: "export VAULT_CACERT={{ vault_tls_certs_path }}/{{ vault_tls_ca_file }}" 350 | owner: "{{ vault_user }}" 351 | group: "{{ vault_group }}" 352 | create: true 353 | mode: "0600" 354 | when: 355 | - not vault_dotfile_disable 356 | - not vault_tls_disable | bool 357 | - ansible_os_family != 'Windows' 358 | 359 | # This should succeed regardless of seal state 360 | - name: Vault API reachable? 
# Attempt to help with long lines > 160 issues
  # NOTE(review): vault_addr_protocol is not referenced by any key visible
  # below (the url is built from vault_api_addr); the task header sits above
  # this excerpt, so confirm it is still used before removing it.
  vars:
    vault_addr_protocol: "{{ vault_tls_disable | ternary('http', 'https') }}"
  environment:
    no_proxy: "{{ vault_api_addr | urlsplit('hostname') }}"
  ansible.builtin.uri:
    # Certificate validation of the health endpoint is controlled by
    # validate_certs_during_api_reachable_check (defaults/main.yml).
    validate_certs: "{{ validate_certs_during_api_reachable_check | bool }}"
    url: "{{ vault_api_addr }}/v1/sys/health"
    method: GET
    # 200 if initialized, unsealed, and active
    # 429 if unsealed and standby
    # 472 if data recovery mode replication secondary and active
    # 473 if performance standby
    # 501 if not initialized
    # 503 if sealed
    # See: https://www.vaultproject.io/api/system/health.html
    status_code: 200, 429, 472, 473, 501, 503
    body_format: json
  register: check_result
  retries: 6
  until: check_result is succeeded
  delay: 10
  changed_when: false
  tags:
    - check_vault
  when:
    - not vault_disable_api_health_check | bool

# Runs one tasks/plugins/<name>.yml per enabled plugin. Outside molecule the
# list comes from vault_plugins_enable; under molecule every plugin task file
# found on the controller is run.
- name: Install/configure vault plugins
  ansible.builtin.include_tasks: "plugins/{{ _index_plugin }}.yml"
  loop: "{{ ('molecule-notest' not in ansible_skip_tags) | ternary(vault_plugins_enable,
            lookup('fileglob', 'tasks/plugins/*.yml', wantlist=true) | map('basename') | map('splitext') | map('first')) }}"
  loop_control:
    loop_var: _index_plugin
  args:
    apply:
      # Client settings for the vault CLI/API calls made by the plugin tasks.
      # lookup('env') and lookup('file') are evaluated on the Ansible
      # controller, so these fall back to the operator's local environment.
      environment:
        # NOTE(review): vault_addr and vault_tls_config_path are not defined in
        # defaults/main.yml (which has vault_address / vault_tls_certs_path);
        # presumably they come from vars/main.yml — confirm, as the fallback
        # expression is evaluated even when the env variable is set.
        VAULT_ADDR: "{{ lookup('env', 'VAULT_ADDR') |
                     default(vault_tls_disable | ternary('http', 'https') ~ '://' ~ vault_addr ~ ':' ~ vault_port, true) }}"
        VAULT_CACERT: "{{ lookup('env', 'VAULT_CACERT') |
                       default(vault_tls_config_path ~ '/' ~ vault_tls_ca_file if not (vault_tls_disable) else '', true) }}"
        # Falls back to the controller's ~/.vault-token, i.e. the plugin tasks
        # act with whatever token the operator is currently logged in with;
        # errors='ignore' leaves VAULT_TOKEN empty when that file is absent.
        VAULT_TOKEN: "{{ lookup('env', 'VAULT_TOKEN') | default(lookup('file', '~/.vault-token', errors='ignore'), true) }}"
  when: vault_plugin_install | bool

# Translates the health-check status code into a readable state. Guarded by
# the same condition as the check itself, so check_result is always registered
# when this runs. vault_http_status is defined outside this file.
- name: Vault status
  ansible.builtin.debug:
    msg: "Vault is {{ vault_http_status[check_result.status | string] }}"
  tags:
    - check_vault
  when:
    - not vault_disable_api_health_check | bool

-------------------------------------------------------------------------------- /defaults/main.yml: --------------------------------------------------------------------------------
---
# File: defaults/main.yml - default variables for Vault

# ---------------------------------------------------------------------------
# Core variables
# ---------------------------------------------------------------------------

# Package variables
# Every lookup('env', ...) in this file reads the Ansible controller's
# environment, not the target host's.
vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.21.1', true) }}"

vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise }}{{ '.hsm' if vault_enterprise_hsm }}"
vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}"
vault_version_debian_repo_suffix: "-1"

vault_architecture_map:
  # this first entry seems... redundant (but it's required for reasons)
  amd64: amd64
  x86_64: amd64
  armv7l: arm
  aarch64: arm64
vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
vault_os: "{{ ansible_system | lower }}"

vault_pkg_stub: "vault_{{ vault_version }}{{ vault_version_release_site_suffix }}"
vault_pkg: "{{ vault_pkg_stub }}_{{ vault_os }}_{{ vault_architecture }}.zip"
vault_shasums: "{{ vault_pkg_stub }}_SHA256SUMS"
vault_url_stub: "https://releases.hashicorp.com/vault/{{ vault_version }}{{ vault_version_release_site_suffix }}"
vault_zip_url: "{{ vault_url_stub }}/{{ vault_pkg }}"
# The SHA256SUMS file is served from the same release site as the zip: it
# detects a corrupted or truncated download, not a compromised origin.
vault_checksum_file_url: "{{ vault_url_stub }}/{{ vault_shasums }}"
vault_repository_url: "{{ _vault_repository_url | default() }}"
vault_repository_key_url: "{{ _vault_repository_key_url | default() }}"
vault_rhsm_subscription_name:
vault_rhsm_repo_id:

# Installation
vault_start_pause_seconds: 0

# Install method variables
vault_install_hashi_repo: false
vault_install_remotely: false
vault_privileged_install: false

# Paths
vault_bin_path: "{{ '/usr/bin' if (vault_install_hashi_repo) else '/usr/local/bin' }}"
vault_config_path: /etc/vault.d
vault_plugin_path: /usr/local/lib/vault/plugins
vault_data_path: "{{ '/opt/vault/data' if (vault_install_hashi_repo) else '/var/vault' }}"
vault_log_path: /var/log/vault
vault_run_path: /var/run/vault
vault_home: "/home/{{ vault_user }}"
# When true (and keys are copied), private keys go to a separate
# '/private' sub-directory (see vault_tls_private_path below).
vault_harden_file_perms: true

# System user and group
vault_manage_user: "{{ false if (vault_install_hashi_repo) else true }}"
vault_user: vault
vault_manage_group: false
vault_group: "{{ 'vault' if (vault_install_hashi_repo) else 'bin' }}"
vault_groups: null

vault_dotfile: ".bashrc"
vault_dotfile_disable: "{{ true if (vault_install_hashi_repo) else false }}"

# Logging
vault_enable_log: false
vault_enable_logrotate: false
vault_logrotate_freq: 7
vault_logrotate_template: vault_logrotate.j2
vault_exec_output: ''

# Handlers
vault_service_restart: true
vault_service_reload: false

# ---------------------------------------------------------------------------
# Vault variables
# ---------------------------------------------------------------------------

vault_cluster_name: dc1
vault_datacenter: dc1
vault_log_level: "{{ lookup('env', 'VAULT_LOG_LEVEL') | default('info', true) }}"
vault_iface: "{{ lookup('env', 'VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
vault_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}"
vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
vault_port: 8200

# seal configs are written in separate files in vault_config_path, if any of those is enabled, we need to use
# vault_config_path in the systemd unit file
# NOTE(review): Jinja filters bind tighter than 'or', so '| default(false)'
# only covers vault_gkms here; the other three are evaluated as-is. The
# ocikms and pkcs11 seals below are not part of this condition — confirm
# that is intended.
vault_use_config_path: "{{ vault_transit or vault_awskms or vault_azurekeyvault or vault_gkms | default(false) }}"

vault_main_config: "{{ vault_config_path }}/vault_main.hcl"
vault_main_configuration_template: vault_main_configuration.hcl.j2
vault_listener_localhost_enable: false
vault_http_proxy: ""
vault_https_proxy: ""
vault_no_proxy: ""
vault_additional_environment_variables: {}
  # FOO: bar
  # FOO2: bar2

# ---------------------------------------------------------------------------
# TCP listeners
# ---------------------------------------------------------------------------

# One entry per listener; each defaults to the role-wide TLS settings from
# the "TLS variables" section below.
vault_tcp_listeners:
  - vault_address: '{{ vault_address }}'
    vault_port: '{{ vault_port }}'
    vault_cluster_address: '{{ vault_cluster_address }}'
    # vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}'
    # vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}'
    vault_tls_disable: '{{ vault_tls_disable }}'
    vault_tls_certs_path: '{{ vault_tls_certs_path }}'
    vault_tls_private_path: '{{ vault_tls_private_path }}'
    vault_tls_cert_file: '{{ vault_tls_cert_file }}'
    vault_tls_key_file: '{{ vault_tls_key_file }}'
    vault_tls_ca_file: '{{ vault_tls_ca_file }}'
    vault_tls_min_version: '{{ vault_tls_min_version }}'
    vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}'
    vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}'
    vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}'
    # vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}'
    # vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}'
    # vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}'
    # vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}'

# ---------------------------------------------------------------------------
# Storage backend
# ---------------------------------------------------------------------------

vault_backend_consul: vault_backend_consul.j2
vault_backend_file: vault_backend_file.j2
vault_backend_raft: vault_backend_raft.j2
vault_backend_etcd: vault_backend_etcd.j2
vault_backend_s3: vault_backend_s3.j2
vault_backend_dynamodb: vault_backend_dynamodb.j2
vault_backend_mysql: vault_backend_mysql.j2
vault_backend_gcs: vault_backend_gcs.j2

vault_cluster_disable: false
# Cluster (server-to-server) port is the API port + 1.
vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1 }}"
# Scheme of both addresses follows vault_tls_disable via vault_protocol.
vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address |
                default(hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
# Set to true to skip the /v1/sys/health reachability check at the end of the role.
vault_disable_api_health_check: false

vault_max_lease_ttl: "768h"
vault_default_lease_ttl: "768h"

# Storage tls settings
vault_backend_tls_src_files: "{{ vault_tls_src_files }}"
vault_backend_tls_certs_path: "{{ vault_tls_certs_path }}"
vault_backend_tls_private_path: "{{ vault_tls_private_path }}"
vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_backend_tls_key_file: "{{ vault_tls_key_file }}"
vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}"

# Consul storage settings
vault_consul: 127.0.0.1:8500
vault_consul_path: vault
vault_consul_service: vault
# Plain http to the local Consul agent by default.
vault_consul_scheme: http
# vault_consul_token:

# etcd storage settings
vault_etcd: 127.0.0.1:2379
vault_etcd_api: v3
vault_etcd_path: /vault/
vault_etcd_discovery_srv: ""
vault_etcd_discovery_srv_name: ""
vault_etcd_ha_enabled: false
vault_etcd_sync: true
vault_etcd_username: ""
# Backend credentials (here and in the s3/dynamodb/mysql sections) are
# rendered into the storage configuration on the host; supply non-empty
# values from an encrypted variable source rather than plaintext inventory.
vault_etcd_password: ""
vault_etcd_request_timeout: "5s"
vault_etcd_lock_timeout: "15s"

# s3 storage settings
vault_s3_access_key: ""
vault_s3_secret_key: ""
vault_s3_bucket: "vault_backend"
vault_s3_region: "us-east-1"
vault_s3_endpoint: ""
vault_s3_disable_ssl: false
vault_s3_force_path_style: false
vault_s3_kms_key_id: ""
vault_s3_session_token: ""
vault_s3_max_parallel: "128"

# dynamodb storage settings
# Defaults are taken from the controller's AWS_* environment when present.
vault_dynamodb: "{{ lookup('env', 'AWS_DYNAMODB_ENDPOINT') | default('', false) }}"
vault_dynamodb_table: "{{ lookup('env', 'AWS_DYNAMODB_TABLE') | default('vault-dynamodb-backend', false) }}"
vault_dynamodb_ha_enabled: "{{ lookup('env', 'DYNAMODB_HA_ENABLED') | default('false', false) }}"
vault_dynamodb_max_parallel: "128"
vault_dynamodb_region: "{{ lookup('env', 'AWS_DEFAULT_REGION') | default('us-east-1', false) }}"
vault_dynamodb_read_capacity: "{{ lookup('env', 'AWS_DYNAMODB_READ_CAPACITY') | default('5', false) }}"
vault_dynamodb_write_capacity: "{{ lookup('env', 'AWS_DYNAMODB_WRITE_CAPACITY') | default('5', false) }}"
vault_dynamodb_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') | default('', false) }}"
vault_dynamodb_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') | default('', false) }}"
vault_dynamodb_session_token: "{{ lookup('env', 'AWS_SESSION_TOKEN') | default('', false) }}"

# mysql storage settings
vault_mysql: ""
vault_mysql_username: ""
vault_mysql_password: ""
vault_mysql_database: ""
vault_mysql_table: ""
vault_mysql_tls_ca_file: ""
vault_mysql_max_parallel: ""
vault_mysql_max_idle_connections: ""
vault_mysql_max_connection_lifetime: ""

# gcs storage settings
vault_gcs_bucket: ""
vault_gcs_ha_enabled: false
vault_gcs_chunk_size: "8192"
vault_gcs_max_parallel: "128"
vault_gcs_copy_sa: false
vault_gcs_credentials_src_file: ""
vault_gcs_credentials_dst_file: "{{ vault_home }}/{{ vault_gcs_credentials_src_file | basename }}"

# raft storage settings
vault_backend: raft
vault_raft_group_name: "vault_raft_servers"
# JSON list of peers. A peer without its own vault_api_addr gets an address
# built from *its* ansible_default_ipv4 facts and *this* host's
# vault_protocol, so facts must be gathered for every member of the group.
vault_raft_cluster_members: |
  [
  {% for server in groups[vault_raft_group_name] %}
    {
      "peer": "{{ server }}",
      "api_addr": "{{ hostvars[server]['vault_api_addr'] |
                  default(vault_protocol + '://' +
                  hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}"
    },
  {% endfor %}
  ]

vault_raft_data_path: "{{ lookup('env', 'VAULT_RAFT_DATA_PATH') | default(vault_data_path, true) }}"
vault_raft_node_id: "{{ lookup('env', 'VAULT_RAFT_NODE_ID') | default(inventory_hostname_short, true) }}"
# vault_raft_leader_tls_servername
# vault_raft_performance_multiplier:
# vault_raft_trailing_logs:
# vault_raft_snapshot_threshold:
# vault_raft_max_entry_size:
# vault_raft_autopilot_reconcile_interval:
# vault_raft_cloud_auto_join:
# vault_raft_cloud_auto_join_scheme:
# vault_raft_cloud_auto_join_port:
vault_raft_cloud_auto_join_exclusive: false

# ---------------------------------------------------------------------------
# Service registration variables
# ---------------------------------------------------------------------------

# Consul service registration settings
vault_service_registration_consul_enable: false
vault_service_registration_consul_template: vault_service_registration_consul.hcl.j2
vault_service_registration_consul_check_timeout: 5s
vault_service_registration_consul_address: 127.0.0.1:8500
vault_service_registration_consul_service: vault
vault_service_registration_consul_service_tags: ""
vault_service_registration_consul_service_address:
vault_service_registration_consul_disable_registration: false
vault_service_registration_consul_scheme: http
# vault_service_registration_consul_token:

# Consul service registration tls settings
vault_service_registration_consul_tls_certs_path: "{{ vault_tls_certs_path }}"
vault_service_registration_consul_tls_private_path: "{{ vault_tls_private_path }}"
vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}"
vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}"
vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}"
vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}"
vault_service_registration_consul_tls_skip_verify: false

# Kubernetes service registration settings
vault_service_registration_kubernetes_enable: false
vault_service_registration_kubernetes_template: vault_service_registration_kubernetes.hcl.j2
vault_service_registration_kubernetes_namespace: vault
vault_service_registration_kubernetes_pod_name: vault

# ---------------------------------------------------------------------------
# Initialization and startup script templates
# ---------------------------------------------------------------------------

vault_bsdinit_template: vault_service_bsd_init.j2
vault_sysvinit_template: vault_sysvinit.j2
vault_debian_init_template: vault_service_debian_init.j2
vault_systemd_template: vault_service_systemd.j2
vault_systemd_service_name: vault
vault_systemd_unit_path: /lib/systemd/system

# ---------------------------------------------------------------------------
# TLS variables
# ---------------------------------------------------------------------------

# NB: at the end of the role there's an API Reachability check; if you rely on
# self-signed certificates you might need to change the following to false
validate_certs_during_api_reachable_check: true

vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
_vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
# Private keys land in a '/private' sub-directory only when
# vault_harden_file_perms and vault_tls_copy_keys are both true.
vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"
vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"

# Defaults to true, i.e. the listener, vault_protocol, vault_api_addr,
# vault_cluster_addr and the final health check all use plaintext http.
# Set VAULT_TLS_DISABLE (controller env) or this variable to false for TLS.
vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}"
vault_tls_gossip: "{{ lookup('env', 'VAULT_TLS_GOSSIP') | default(false, true) }}"

vault_tls_copy_keys: "{{ false if (vault_install_hashi_repo) else true }}"
vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}"
vault_tls_cert_file: "{{ lookup('env', 'VAULT_TLS_CERT_FILE') | default(('tls.crt' if (vault_install_hashi_repo) else 'server.crt'), true) }}"
vault_tls_key_file: "{{ lookup('env', 'VAULT_TLS_KEY_FILE') | default(('tls.key' if (vault_install_hashi_repo) else 'server.key'), true) }}"
vault_tls_ca_file: "{{ lookup('env', 'VAULT_TLS_CA_CRT') | default('ca.crt', true) }}"
vault_tls_client_ca_file: ""

vault_tls_min_version: "{{ lookup('env', 'VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
vault_tls_cipher_suites: ""
vault_tls_files_remote_src: false
vault_tls_require_and_verify_client_cert: false
vault_tls_disable_client_certs: false

# ---------------------------------------------------------------------------
# Seal variables
# ---------------------------------------------------------------------------

# transit auto unseal, see https://www.vaultproject.io/docs/configuration/seal/transit
vault_transit: false
vault_transit_backend: vault_seal_transit.j2
vault_transit_config: "{{ vault_config_path }}/vault_transit.hcl"
vault_transit_address: ''
# Token for the unsealing Vault; keep it out of plaintext inventory.
vault_transit_token: ''
vault_transit_disable_renewal: false
vault_transit_key_name: 'autounseal'
vault_transit_mount_path: "transit/"
# vault_transit_namespace: ''
# NOTE(review): this default refers to itself; unlike the two entries below,
# which fall back from differently-named variables, templating this value
# without an override looks like it would be reported as a recursive loop.
vault_transit_tls_ca_cert_file: "{{ vault_transit_tls_ca_cert_file | default(vault_tls_ca_file) }}"
vault_transit_tls_client_cert_file: "{{ vault_transit_tls_client_cert | default('autounseal_client_cert.pem', true) }}"
vault_transit_tls_client_key_file: "{{ vault_transit_tls_client_key | default('autounseal_client_key.pem', true) }}"
# vault_transit_tls_server_name: ''
# Taken from VAULT_SKIP_VERIFY on the controller; a truthy value disables
# certificate verification toward the transit seal endpoint (presumably via
# vault_seal_transit.j2 — confirm).
vault_transit_tls_skip_verify: "{{ lookup('env', 'VAULT_SKIP_VERIFY') | default('', false) }}"

# awskms seal
vault_awskms: false
vault_awskms_config: "{{ vault_config_path }}/vault_awskms.hcl"
vault_awskms_backend: vault_seal_awskms.j2
vault_awskms_region: "{{ lookup('env', 'AWS_DEFAULT_REGION') | default('us-east-1', false) }}"
vault_awskms_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') | default('', false) }}"
vault_awskms_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') | default('', false) }}"
vault_awskms_key_id: "{{ lookup('env', 'VAULT_AWSKMS_SEAL_KEY_ID') | default('', false) }}"
vault_awskms_endpoint: "{{ lookup('env', 'AWS_KMS_ENDPOINT') | default('', false) }}"

# azurekeyvault seal
vault_azurekeyvault: false
vault_azurekeyvault_config: "{{ vault_config_path }}/vault_azurekeyvault.hcl"
vault_azurekeyvault_backend: vault_seal_azurekeyvault.j2

# gcpkms seal
vault_gkms: false
vault_backend_gkms: vault_seal_gcpkms.j2
vault_gkms_project: ''
vault_gkms_credentials_src_file: ''
vault_gkms_credentials_content: ''
# NOTE(review): hard-codes /home/vault instead of "{{ vault_home }}" (as
# vault_gcs_credentials_dst_file does); diverges when vault_user or
# vault_home is overridden.
vault_gkms_credentials: '/home/vault/vault-kms.json'
vault_gkms_region: 'global'
vault_gkms_key_ring: 'vault'
vault_gkms_crypto_key: 'vault_key'
vault_gkms_copy_sa: true

# ocikms seal
vault_ocikms: false
vault_ocikms_backend: vault_seal_ocikms.j2
vault_ocikms_auth_type_api_key: false
vault_ocikms_key_id: "{{ lookup('env', 'VAULT_OCIKMS_SEAL_KEY_ID') | default('', false) }}"
vault_ocikms_crypto_endpoint: "{{ lookup('env', 'VAULT_OCIKMS_CRYPTO_ENDPOINT') | default('', false) }}"
vault_ocikms_management_endpoint: "{{ lookup('env', 'VAULT_OCIKMS_MANAGEMENT_ENDPOINT') | default('', false) }}"

# pkcs11 seal
vault_enterprise_hsm: false
# WARNING: the following variable is deprecated as this section will become
# _only_ a pkcs11 seal soon. Please take note that vault_hsm_app will
# soon be removed!
vault_hsm_app: pkcs11
vault_backend_seal: vault_seal_pkcs11.j2
vault_seal_lib: /lib64/hsmlibrary.so
# Placeholder only: the real HSM PIN must be supplied from an encrypted
# variable source (e.g. ansible-vault), never left at this role default.
vault_seal_pin: 12345
vault_seal_key_label: vault-hsm-key
vault_seal_hmac_key_label: ''
vault_seal_generate_key: false
vault_seal_key_mechanism: ''
vault_seal_token_label: ''
vault_seal_slot: 0
vault_softcard_enable: false
vault_telemetry_enabled: false
# When true the listener serves metrics without a token; leave false unless
# the metrics endpoint is protected by other means.
vault_unauthenticated_metrics_access: false
vault_entropy_seal: false

# ---------------------------------------------------------------------------
# Enterprise related variables
# ---------------------------------------------------------------------------

vault_enterprise: "{{ lookup('env', 'VAULT_ENTERPRISE') | default(false, true) }}"

# Manage enterprise license file with this role
vault_configure_enterprise_license: false
# Path to enterprise license on the remote host (destination path)
# https://www.vaultproject.io/docs/configuration#license_path
vault_license_path: "{{ vault_config_path }}/license.hclic"
# Path to enterprise license on the Ansible controller (source file for upload)
# Upload skipped when empty or undefined, if `vault_license_file` is also empty or undefined
# Only used if `vault_configure_enterprise_license: true`
vault_license_file: ""
# Value of the enterprise license to use
# Upload skipped when empty or undefined, if `vault_license_file` is also empty or undefined
# Only used if `vault_configure_enterprise_license: true`
vault_license_content: ""

# -----------------
# Vault plugins
# -----------------
vault_plugins_enable: []
vault_plugins_src_dir_remote: /usr/local/src/vault/plugins # Directory for storing vault plugin src/zip files on target hosts
vault_plugins_src_dir_local: "{{ role_path }}/files/plugins" # Directory for storing vault plugin src/zip files locally
vault_plugins_src_dir_cleanup: false # Cleanup vault plugin src/zip dir after plugin install. WARNING: could cause plugins to be downloaded each time.

# vault acme plugin
vault_plugin_install: false
vault_plugin_acme_install: remote # remote / local
vault_plugin_acme_sidecar_install: false
vault_plugin_acme_version: "latest"
vault_plugin_acme_zip: "{{ vault_os }}_{{ vault_architecture }}.zip"
vault_plugin_acme_release_url: "https://github.com/remilapeyre/vault-acme/releases/download/v{{ vault_plugin_acme_version }}"
# Resolved lazily: referencing this variable performs an HTTP fetch from the
# controller. The expected checksum comes from the same release as the zip,
# so it verifies download integrity only, not the publisher.
vault_plugin_acme_zip_sha256sum: "{{ (lookup('url', vault_plugin_acme_release_url ~ '/vault-acme_SHA256SUMS',
                                  wantlist=true) | select('match', '.*' + vault_plugin_acme_zip + '$') | first).split()[0] }}"
-------------------------------------------------------------------------------- /CHANGELOG.md: --------------------------------------------------------------------------------
# Changelog

All notable changes to this project will be documented in this file. 
4 | 5 | ## [3.3.0](https://github.com/ansible-community/ansible-vault/compare/v3.2.4...v3.3.0) (2025-12-11) 6 | 7 | ### Features 8 | 9 | * add a way to upload license from variable (not file) ([#378](https://github.com/ansible-community/ansible-vault/issues/378)) ([b8fffb3](https://github.com/ansible-community/ansible-vault/commit/b8fffb330aebd777e72ff54a818bc2bbff3e2c0d)) 10 | 11 | ### Bug Fixes 12 | 13 | * only run cache update if we have packages to install ([#400](https://github.com/ansible-community/ansible-vault/issues/400)) ([2619857](https://github.com/ansible-community/ansible-vault/commit/261985731887d9ebe05841b0163937f3e1903cd9)) 14 | 15 | ## [3.2.4](https://github.com/ansible-community/ansible-vault/compare/v3.2.3...v3.2.4) (2025-12-01) 16 | 17 | ### Bug Fixes 18 | 19 | * allow user defined tls variables to be set instead of hardcoded default values ([#385](https://github.com/ansible-community/ansible-vault/issues/385)) ([db36693](https://github.com/ansible-community/ansible-vault/commit/db36693ead780df7c69aefdf757bf538a4800f65)) 20 | 21 | ## [3.2.3](https://github.com/ansible-community/ansible-vault/compare/v3.2.2...v3.2.3) (2025-11-28) 22 | 23 | ### Bug Fixes 24 | 25 | * convert vault_raft_cluster_members and rhsm_repo_id to work with ansible 12 ([#397](https://github.com/ansible-community/ansible-vault/issues/397)) ([192d6ea](https://github.com/ansible-community/ansible-vault/commit/192d6eabc23e7b6cc2333ffb5cd29b25792bc1a8)) 26 | 27 | ## [3.2.2](https://github.com/ansible-community/ansible-vault/compare/v3.2.1...v3.2.2) (2025-11-27) 28 | 29 | ### Bug Fixes 30 | 31 | * add become to create private tls directory ([#396](https://github.com/ansible-community/ansible-vault/issues/396)) ([a11b8a4](https://github.com/ansible-community/ansible-vault/commit/a11b8a48bdac04e55bd8747e47ef6f8eed843002)) 32 | 33 | ## [3.2.1](https://github.com/ansible-community/ansible-vault/compare/v3.2.0...v3.2.1) (2025-11-27) 34 | 35 | ### Bug Fixes 36 | 37 | * solve crash if 
vault_port is set below 1024 by adding CAP_NET_ADMIN ([#376](https://github.com/ansible-community/ansible-vault/issues/376)) ([858a6f0](https://github.com/ansible-community/ansible-vault/commit/858a6f04c6f4731f25d5dd28097d7f2ee5ac2231)) 38 | 39 | ## [3.2.0](https://github.com/ansible-community/ansible-vault/compare/v3.1.2...v3.2.0) (2025-11-27) 40 | 41 | ### Features 42 | 43 | * consolidated preinstall tasks ([#392](https://github.com/ansible-community/ansible-vault/issues/392)) ([8909f88](https://github.com/ansible-community/ansible-vault/commit/8909f88bcdc0e8ec0825343786b96b7ad9e0fd46)) 44 | 45 | ## [3.1.2](https://github.com/ansible-community/ansible-vault/compare/v3.1.1...v3.1.2) (2025-11-27) 46 | 47 | ### Bug Fixes 48 | 49 | * added gpg Debian derivates ([#391](https://github.com/ansible-community/ansible-vault/issues/391)) ([a6c797c](https://github.com/ansible-community/ansible-vault/commit/a6c797c90ec78900cf76fc6e04c577800f6da1fd)) 50 | 51 | ## [3.1.1](https://github.com/ansible-community/ansible-vault/compare/v3.1.0...v3.1.1) (2025-11-27) 52 | 53 | ### Bug Fixes 54 | 55 | * replace usage of deprecated apt-key usage (fixes [#386](https://github.com/ansible-community/ansible-vault/issues/386)) ([#390](https://github.com/ansible-community/ansible-vault/issues/390)) ([f3eae77](https://github.com/ansible-community/ansible-vault/commit/f3eae778ab0e47a29b7e1bd61d566c8326bd7179)) 56 | 57 | ## [3.1.0](https://github.com/ansible-community/ansible-vault/compare/v3.0.0...v3.1.0) (2025-11-26) 58 | 59 | ### Features 60 | 61 | * allow additional environment variables ([#366](https://github.com/ansible-community/ansible-vault/issues/366)) ([da957e0](https://github.com/ansible-community/ansible-vault/commit/da957e0d3880f3ba87d0f62751c59b5e98ae10fa)) 62 | * **GHA:** add commitlint and semrel ([#362](https://github.com/ansible-community/ansible-vault/issues/362)) ([d5bae97](https://github.com/ansible-community/ansible-vault/commit/d5bae97c79a783b2b7044d3b166dd2f0495666e9)) 63 
| 64 | ### Bug Fixes 65 | 66 | * Avoid triggering semantic release on forks ([#388](https://github.com/ansible-community/ansible-vault/issues/388)) ([188f145](https://github.com/ansible-community/ansible-vault/commit/188f1456bab4a52ccc2df75fbaa852a0c6a64eb2)) 67 | * **semrel:** fix branch ([#363](https://github.com/ansible-community/ansible-vault/issues/363)) ([ec91b6c](https://github.com/ansible-community/ansible-vault/commit/ec91b6ca1bc61444be0cf8b916ba4ebce6608962)) 68 | * **semrel:** fix branch ([#364](https://github.com/ansible-community/ansible-vault/issues/364)) ([2c87dd4](https://github.com/ansible-community/ansible-vault/commit/2c87dd4a372defffa77670dab6ce00cbd3ae219d)) 69 | * **smerel:** bump changelog to 8.0.0 ([#365](https://github.com/ansible-community/ansible-vault/issues/365)) ([7e2fded](https://github.com/ansible-community/ansible-vault/commit/7e2fdeddec3405756aae10f1dedcace4ba94779b)) 70 | 71 | ## NEXT 72 | 73 | - Add support for proxy configuration 74 | - Add support for system certificates with `vault_tls_certs_path` and `vault_tls_private_path` 75 | 76 | ## v2.5.9 77 | - Add ability to install Vault Enterprise via HashiCorp Repo 78 | - Removed check of non-existent variable "vault_install_remote_repo" in tasks/main.yml 79 | - Bumped Vault version to v1.18.2 80 | - Revamped Readme 81 | 82 | ## v2.5.8 83 | - Add vault_unauthenticated_metrics_access to listener 84 | 85 | ## v2.5.7 86 | - Added support for useful options when running Vault behind a load balancer 87 | 88 | ## v2.5.6 89 | - Fix systemd forking process bug that prevented vault from being stopped/restarted properly 90 | - Use exec to replace the calling process, which effectively nullifies the forking problem 91 | 92 | ## v2.5.5 93 | - become_user vault_user when modifying files in vault_home 94 | 95 | ## v2.5.4 96 | - New installation instructions 97 | 98 | ## v2.5.3 99 | - Add Prometheus telemetry support (thanks @bbayszczak) 100 | - Add tag check_vault to Vault status debug task (thanks 
@NorthFuture) 101 | - Fixed indentation of vault config file (thanks @rasta-rocket) 102 | - Add RHEL 8 support (thanks @kwevers) 103 | 104 | ## v2.5.2 105 | 106 | - Vault v1.3.2 107 | - Update documentation 108 | 109 | ## v2.5.1 110 | 111 | - Vault v1.3.1 112 | - Add MySQL storage (thanks @ericsysmin) 113 | - Update status task (thanks @ericsysmin) 114 | - Add group creation task (thanks @karras) 115 | - Update documentation (thanks @ilpianista) 116 | - Update documentation 117 | 118 | ## v2.5.0 119 | 120 | - Vault v1.3.1 121 | - Update documentation 122 | 123 | ## v2.4.0 124 | 125 | - Vault v1.2.4 126 | - Restart after binary change (thanks @bbaassssiiee) 127 | - Use command for vault version in main tasks (thanks @bbaassssiiee) 128 | - Update API status check (thanks @bbaassssiiee) 129 | - Support Fedora (thanks @rbjorklin) 130 | - Update CONTRIBUTORS 131 | - Update documentation 132 | 133 | ## v2.3.4 134 | 135 | - Vault v1.2.3 136 | - Fix s3 backend configuration and template (thanks @ebostijancic) 137 | - Update documentation 138 | 139 | ## v2.3.3 140 | 141 | - Vault v1.2.2 142 | - Update documentation 143 | 144 | ## v2.3.2 145 | 146 | - Fix Vault installation check (thanks @jpiron) 147 | - Update documentation 148 | 149 | ## v2.3.0 150 | 151 | - Vault v1.2.0 152 | - Update documentation 153 | 154 | ## v2.2.3 155 | 156 | - Vault v1.1.5 157 | - Add DynamoDB storage backend (thanks @chris-dudley) 158 | - Update CONTRIBUTORS 159 | - Update documentation 160 | 161 | ## v2.2.2 162 | 163 | - Vault v1.1.4 164 | - Add support for backend tls configuration (thanks @rhenwood3995) 165 | - Fix template line break (thanks @fhemberger) 166 | - ansible_default_ipv4 interface used as default (thanks @fhemberger) 167 | - Update vault_home (thanks @zeridon) 168 | - Add s3 storage backend template (thanks @dvmonroe) 169 | - Update documentation (thanks @dvmonroe) 170 | - Update CONTRIBUTORS 171 | 172 | ## v2.2.1 173 | 174 | - Resolve some task argument issues 175 | - Clean up 
line length a bit 176 | - Use Filesystem Storage Backend in Vagrant example playbook 177 | - Update Vagrantfile 178 | - Update documentation 179 | 180 | ## v2.2.0 181 | 182 | - Clean up task items 183 | - Fixup Get installed Vault version for multiline/quotes 184 | - Update vault_home value (thanks @xeivieni) 185 | - Add plugin_dir configuration (thanks @vmwiz) 186 | - Fix: Force `/bin/bash` on Get Vault package checksum (local) (thanks @fleu42) 187 | 188 | ## v2.1.9 189 | 190 | - Vault version 1.1.2 191 | - Feature: add etcd storage (thanks @cordula-grau) 192 | - Fix: Resolve deprecation warnings (thanks @cordula-grau) 193 | - Fix: Move become flag to required resources (thanks @cordula-grau) 194 | - Reposition some main variables 195 | - Remove `vault_tls_cipher_suites` values/fall back to Vault defaults 196 | - Remove unimplemented `vault_syslog_enable` 197 | - Rename `vault_listener_template` to `vault_main_configuration_template` 198 | - Rename corresponding template file to `vault_main_configuration.hcl.j2` 199 | - Update documentation 200 | 201 | ## v2.1.8 202 | 203 | - Vault version 1.1.1 204 | - Allow sealed state for standalone instance (thanks @kwevers) 205 | - Revert long line syntax change in main tasks (thanks @kwevers) 206 | - Ensure systemd is reloaded on unit changes (thanks @kwevers) 207 | - Add vault_bin_path to the PATH (thanks @kwevers) 208 | - Update documentation 209 | 210 | ## v2.1.7 211 | 212 | - Minimum Ansible version to 2.7 213 | - Support install on Debian Testing (thanks @gfeun) 214 | - Update for E206 [lint] 215 | - tasks/tls 216 | - Update for E201 [lint] 217 | - tasks/main 218 | - Update for E504 [lint] 219 | - tasks/install 220 | - tasks/install_enterprise 221 | - Use bool filter in template conditionals 222 | - Consistent seal template filenames 223 | - awskms seal (now named vault_seal_awskms.j2) 224 | - azurekeyvault seal (now named `vault_seal_azurekeyvault.j2`) 225 | - gcpkms seal template (now named `vault_seal_gcpkms.j2`) 
226 | - pkcs11 seal template (now named `vault_seal_pkcs11.j2`) 227 | - Consistent service template names 228 | - BSD style init script (now named `vault_service_bsd_init.j2`) 229 | - Debian style init script (now named `vault_service_debian_init.j2`) 230 | - systemd unit (now named `vault_service_systemd.j2`) 231 | 232 | ## v2.1.6 233 | 234 | - Resolve environment additions/create .bashrc (thanks @gfeun) 235 | - Update documentation 236 | - Update license 237 | - Update variables 238 | 239 | ## v2.1.5 240 | 241 | - Vault v1.1.0 242 | - Add additional health responses to API reachability check (thanks @enqack) 243 | - VAULT_ADDR and VAULT_CACERT export in ~/.bashrc (thanks @planetrobbie) 244 | - Update documentation 245 | 246 | ## v2.1.4 247 | 248 | - Replace Azure Key Vault variables to resolve #85 249 | - Tidy and reorganize main variables 250 | 251 | ## v2.1.3 252 | 253 | - Vault v1.0.3 254 | - Skip certificate copy if desired (thanks @Fuochi-YNAP) 255 | - Skip health check if desired (thanks @Fuochi-YNAP) 256 | - Add Azure Key Auto Unseal configuration (thanks @nehrman) 257 | 258 | ## v2.1.2 259 | 260 | - Vault v1.0.2 261 | - Update documentation 262 | 263 | ## v2.1.1 264 | 265 | - Vault v1.0.1 266 | - AWS KMS seal support (thanks @jeffWelling) 267 | - Enable web UI by default 268 | - Update documentation 269 | 270 | ## v2.1.0 271 | 272 | - Vault v1.0.0 273 | - GCPKMS seal support (thanks @planetrobbie) 274 | - Update documentation 275 | 276 | ## v2.0.9 277 | 278 | - Correct systemd unit (thanks @jpiron) 279 | - Add initial telemetry support (thanks @jeffWelling) 280 | - Vagrant box memory increased to 2048MB 281 | - Update documentation 282 | 283 | ## v2.0.8 284 | 285 | - Vault v0.11.5 286 | - Conditional capabilites based on systemd version (thanks @bdossantos) 287 | - Update documentation 288 | 289 | ## v2.0.7 290 | 291 | - Vault v0.11.3 292 | - Templates in main tasks as variables (thanks @nathkn) 293 | - systemd unit updates (thanks @bdossantos) 294 | - 
Update documentation 295 | 296 | ## v2.0.5 297 | 298 | - Vault v0.11.2 299 | - Update systemd unit 300 | - Update Consul storage backend template (thanks @jpiron) 301 | - Configuration updates (thanks @jpiron) 302 | - Add client cert validation options to listener configuration (thanks @nathkn) 303 | 304 | ## v2.0.4 305 | 306 | - Vault v0.11.1 307 | - Update tasks/normalize conditionals 308 | - Update TLS variable names to match documentation 309 | - Conditional mlock capability (thanks @jpiron) 310 | - Streamline installation tasks (thanks @jpiron) 311 | - Update documentation 312 | 313 | ## v2.0.3 314 | 315 | - Vault version 0.10.4 316 | - Debian 9 support 317 | - Update support for enterprise versions (thanks @drewmullen) 318 | - Log rotation updates (thanks @drewmullen) 319 | - Update systemd unit file 320 | - Update documentation 321 | 322 | ## v2.0.2 323 | 324 | - Option to disable cert validation during API reachability (thanks @eripa) 325 | - Update systemd unit to address #41 326 | 327 | ## v2.0.1 328 | 329 | - Vault v0.10.1 330 | - Simplify cleanup task in remote install 331 | - enable_ui option (thanks @aarnaud) 332 | - Enhance API reachable check (thanks @aarnaud) 333 | - Add support for HTTPS in Consul backend (thanks @eripa) 334 | - Add support for HTTP 429 when vault_cluster_disable false (thanks @eripa) 335 | - Update CONTRIBUTORS 336 | - Update documentation 337 | 338 | ## v2.0.0 339 | 340 | - Vault version 0.10.0 341 | - Update documentation 342 | - Update Vagrant documentation 343 | 344 | ## v1.8.0 345 | 346 | - Vault version 0.9.6 347 | - Update is Vault API reachable task (thanks @rarguelloF) 348 | - File storage backend (thanks @aarnaud) 349 | - Update example versions 350 | - Update license date 351 | - Update CONTRIBUTORS 352 | - Update documentation 353 | 354 | ## v1.7.9 355 | 356 | - Vault version 0.9.5 357 | - Remove abs check on cluster_address in Consul backend to fix #33 358 | - Update documentation 359 | 360 | ## v1.7.8 361 | 362 | - 
Vault version 0.9.4 363 | - TLS already on remote source option (thanks @calebtonn) 364 | - Update documentation 365 | 366 | ## v1.7.7 367 | 368 | - Vault version 0.9.3 369 | - Update documentation 370 | 371 | ## v1.7.6 372 | 373 | - Vault version 0.9.2 374 | - Update documentation 375 | 376 | ## v1.7.5 377 | 378 | - Vault version 0.9.1 379 | - Update documentation 380 | 381 | ## v1.7.4 382 | 383 | - Vault version 0.9.0 384 | - Use HTTPS when TLS is enabled (thanks @tbartelmess) 385 | - Add Consul ACL token option to configuration (thanks @Lavoaster) 386 | - Update CONTRIBUTORS.md 387 | 388 | ## v1.7.3 389 | 390 | - Vault v0.8.3 391 | - Updated supporting software versions 392 | - Add vault_max_lease_ttl and vault_default_lease_ttl (thanks @bilke) 393 | 394 | ## v1.7.2 395 | 396 | - Vault v0.8.2 397 | - Update README (thanks @Gerrrr) 398 | - Update init scripts (thanks @Gerrrr) 399 | - Add vault_consul_service in consul storage template (thanks @Gerrrr) 400 | - Update CONTRIBUTORS.md (thanks @groggemans) 401 | 402 | ## v1.7.1 403 | 404 | - Vault v0.8.1 405 | 406 | ## v1.7.0 407 | 408 | - Vault v0.8.0 409 | - Fix Missing Defaults for TLS (thanks @marc-sensenich) 410 | - Add missing redirect_addr in HA consul config (thanks @groggemans) 411 | - Update CONTRIBUTORS 412 | 413 | ## v1.6.8 414 | 415 | - Enterprise task changes 416 | - Add `vault_install_remotely` docs 417 | - Add `vault_remote_tmp` variable and use it 418 | - Rename `cluster_nodes` label to `vault_instances` 419 | 420 | ## v1.6.7 421 | 422 | - Vault version 0.7.3 423 | - Update documentation 424 | 425 | ## v1.6.6 426 | 427 | - Explicit Vault address (0.0.0.0 is not good for HA mode) 428 | - Update listener template (thanks @groggemans) 429 | - Add vault_consul_path in consul storage template (thanks @groggemans) 430 | - Fix BSD init task and remove unused grouping (thanks @groggemans) 431 | - Update defaults order (thanks @groggemans) 432 | - Make vault user management configurable (thanks @groggemans) 
433 | - Add UI switch (enterprise) and fix tls_disable (thanks @groggemans) 434 | - Remove no longer used 'primary_node' variable (thanks @groggemans) 435 | - Add missing README entries (thanks @groggemans) 436 | 437 | ## v1.6.5 438 | 439 | - Correct main tasks 440 | 441 | ## v1.6.4 442 | 443 | - Enable Vault Enterprise tasks 444 | - Remove `redirect_addr` in favor of request forwarding 445 | - Make `vault_log_level` environment variable override 446 | - Update documentation 447 | 448 | ## v1.6.3 449 | 450 | - Correct Vault Enterprise variables to address #18 451 | 452 | ## v1.6.2 453 | 454 | - Vault version 0.7.2 455 | - Minor play updates 456 | - Move asserts to asserts.yml file (thanks @groggemans) 457 | 458 | ## v1.6.1 459 | 460 | - Vault version 0.7.1 461 | - Further task cleanup 462 | 463 | ## v1.6.0 464 | 465 | - Add initial Vault Enterprise variables 466 | - Add initial Vault Enterprise installation tasks 467 | - Update when statements to avoid warnings about template delimiters 468 | - Update documentation 469 | 470 | ## v1.5.7 471 | 472 | - Add TLS directory task to TLS tasks (thanks @cwill747) 473 | - Update CONTRIBUTORS 474 | - Update CONTRIBUTING 475 | - Update documentation 476 | 477 | ## v1.5.6 478 | 479 | - Update remote tasks 480 | 481 | ## v1.5.5 482 | 483 | - Back to local_action for the download and unzip tasks 484 | - Already using grep, so let's just awk for the SHA and then register it 485 | - Add remote install capability (thanks @bilke) 486 | 487 | ## v1.5.4 488 | 489 | - Update documentation on new netaddr dependency _sweat_ 490 | 491 | ## v1.5.3 492 | 493 | - Revert local_action tasks 494 | - They are broken in every case I tested, and connection local is perfectly 495 | valid for running things on the local host :| 496 | 497 | ## v1.5.2 498 | 499 | - Switch to local actions (addresses #13) 500 | 501 | ## v1.5.1 502 | 503 | - Fixed vault_tls_cert_file and vault_tls_key_file vars 504 | 505 | ## v1.5.0 506 | 507 | - Add initial 
multi-architecture and OS support 508 | - Add FreeBSD support 509 | - Update documentation 510 | 511 | ## v1.4.2 512 | 513 | - All quoting issues sorted 514 | 515 | ## v1.4.1 516 | 517 | - Fix finicky var quoting issue 518 | 519 | ## v1.4.0 520 | 521 | - Updated many variables with environment variable overrides 522 | - Add `vault_tls_config_path` variable with reasonable default value 523 | - Set currently/reasonably secure `vault_tls_cipher_suites` defaults 524 | - Update listener template to finally close #3 525 | - Improve cleanup task 526 | - Update versions 527 | - Update documentation 528 | - Update ignores 529 | 530 | ## v1.3.12 531 | 532 | - Made VAULT_IFACE environment variable override 533 | 534 | ## v1.3.11 535 | 536 | - Update init scripts 537 | 538 | ## v1.3.10 539 | 540 | - Fix other modes / types ノ( ゜-゜ノ) 541 | 542 | ## v1.3.9 543 | 544 | - Fix quote removal/type finagling YAML sadness (thanks @arledesma) 545 | 546 | ## v1.3.8 547 | 548 | - Move TLS bits to separate task 549 | - Short circuit TLS bits as bad things™ were happening due to the empty 550 | cert and key values during the Vault SSL Certificate and Key copy ops 551 | (probably an Ansible bug, copying entire contents of files to vault etc dir) 552 | No bueno 553 | 554 | ## v1.3.7 555 | 556 | - Replace lost double quote (thanks @arledesma) 557 | - Add explicit vault user permissions to config (thanks @arledesma) 558 | - Remove duplicate cluster_address var 559 | - Update README / consistent variable style / more links to docs 560 | 561 | ## v1.3.6 562 | 563 | - Handle cluster_addre differently 564 | - Cleanup tasks 565 | - Consistent variable style 566 | - Cleanup meta 567 | 568 | ## v1.3.5 569 | 570 | - Remove explicit cluster_addr and let Vault default the value for now 571 | 572 | ## v1.3.4 573 | 574 | - Use vault_port+1 in cluster_addr for HA vault (thanks @arledesma) 575 | - Update CHANGELOG 576 | - Update Vagrant README 577 | 578 | ## v1.3.3 579 | 580 | - Update systemd unit file 581 
| 582 | ## v1.3.2 583 | 584 | - Make vault user a system account 585 | 586 | ## v1.3.1 587 | 588 | - Vault 0.7.0 589 | - Initial TLS bits (thanks @arledesma) 590 | - Fix logging options (thanks @arledesma) 591 | - Update documentation 592 | 593 | ## v1.3.1 594 | 595 | - Add support for version specification via VAULT_VERSION environment variable 596 | - Renamed backend configuration template 597 | - Renamed main template to be inline with configuration section naming 598 | - Fix broken unit file 599 | 600 | ## v1.2.10 601 | 602 | - Use all defined variables (thanks @arledesma) 603 | - Make redirect_address more specific by adding redirect address variable 604 | - Update CONTRIBUTORS 605 | - Fix merge conflict (thanks @arledesma) 606 | - Fix missed variable (thanks @arledesma) 607 | 608 | ## v1.2.9 609 | 610 | - Fix backend template inclusion 611 | - Correct backend filename 612 | 613 | ## v1.2.8 614 | 615 | - Fix issue in wait_for (thanks @pierrefh) 616 | - Add contributing guidelines in CONTRIBUTING.md 617 | - Fix checksum var 618 | 619 | ## v1.2.7 620 | 621 | - Update main tasks 622 | - Update install tasks 623 | - Prefer compact YAML format across all tasks files 624 | 625 | ## v1.2.6 626 | 627 | - Check for local packages and summary files 628 | 629 | ## v1.2.5 630 | 631 | - Updated configuration templates 632 | - Updated documentation 633 | 634 | ## v1.2.4 635 | 636 | - Vaule 0.6.5 637 | 638 | ## v1.2.3 639 | 640 | - Vault 0.6.4 641 | 642 | ## v1.2.2 643 | 644 | - Fix variable name 645 | 646 | ## v1.2.1 647 | 648 | - Include installation tasks 649 | 650 | ## v1.2.0 651 | 652 | - Vault 0.6.3 653 | - Dynamic SHA 654 | - Streamline tasks 655 | - Streamline and consolidate variables 656 | - Move OS variables to vars 657 | - Separate install tasks 658 | - Remove OS specific tasks 659 | - Update documentation 660 | 661 | ## v1.0.21 662 | 663 | - Update/validate CentOS 7 box 664 | - Update documentation 665 | - Update failure cases for CentOS 666 | - Fix SysV init 
script 667 | 668 | ## v1.0.20 669 | 670 | - Fix binary name 671 | 672 | 673 | ## v1.0.9 674 | 675 | - Add files dir 676 | 677 | ## v1.0.8 678 | 679 | - Add files dir 680 | 681 | ## v1.0.7 682 | 683 | - Fix var names 684 | 685 | ## v1.0.6 686 | 687 | - Add fail on old distro versions 688 | - Remove all distro specific includes 689 | 690 | ## v1.0.5 691 | 692 | - Remove unnecessary include 693 | 694 | ## v1.0.4 695 | 696 | - Correct URL in docs 697 | - Remove vars dir 698 | - Enable download once / copy many install 699 | 700 | ## v1.1.2 701 | 702 | - Move all vars to defaults 703 | - Documentation updates 704 | 705 | ## v1.0.2 706 | 707 | - Set correct RAM amount in Vagrantfile 708 | - Rename Vagrant inventory back to cluster_nodes 709 | 710 | ## v1.0.2 711 | 712 | - Update documentation 713 | 714 | ## v1.0.0 715 | 716 | - Installs Vault 717 | - Installs Vault with Consul backend onto Consul VMs from brianshumate.consul 718 | -------------------------------------------------------------------------------- /role_variables.md: -------------------------------------------------------------------------------- 1 | # Role Variables 2 | 3 | The role defines variables in `defaults/main.yml`: 4 | 5 | ## `vault_listener_localhost_enable` 6 | 7 | - Set this to true if you enable listen vault on localhost 8 | - Default value: *false* 9 | 10 | ## `vault_privileged_install` 11 | 12 | - Set this to true if you see permission errors when the vault files are 13 | downloaded and unpacked locally. This issue can show up if the role has 14 | been downloaded by one user (like root), and the installation is done 15 | with a different user. 
16 | - Default value: *false* 17 | 18 | ## `vault_version` 19 | 20 | - Version to install 21 | - Can be overridden with `VAULT_VERSION` environment variable 22 | - Will include ".hsm" if vault_enterprise_hsm=True 23 | 24 | - Default value: 1.5.5 25 | 26 | ## `vault_enterprise` 27 | 28 | - Set this to true when installing Vault Enterprise; this is not currently 29 | possible as a "remote only" install method 30 | - Can be overridden with `VAULT_ENTERPRISE` environment variable 31 | - Default value: *false* 32 | 33 | ## `vault_pkg` 34 | 35 | - Package filename 36 | - Default value: `"vault_{{ vault_version }}_linux_amd64.zip"` 37 | 38 | ## `vault_enterprise_pkg` 39 | 40 | - Package filename 41 | - Default value: `"vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"` 42 | 43 | ## `vault_zip_url` 44 | 45 | - Package download URL 46 | - Default value: `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"` 47 | - Override this var if you have your zip hosted internally 48 | - Works for enterprise installs also 49 | 50 | ## `vault_checksum_file_url` 51 | 52 | - SHA summaries URL 53 | - Override this var if your SHA file is hosted internally; the SHA256SUMS file is what the downloaded package is checked against, so it must come from a source at least as trusted as the package itself 54 | - Default value: `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"` 55 | 56 | ## `vault_install_hashi_repo` 57 | 58 | - Set this to `true` when installing Vault via the HashiCorp Linux repository. 59 | When set, you can also define `vault_repository_key_url` and `vault_repository_url` 60 | to override the default URL of the GPG key for the repository and the default URL of the 61 | repository used. 62 | - Default value: *false* 63 | 64 | ## `vault_rhsm_repo_id` 65 | 66 | - Name of rhsm repo 67 | - Set this to the name of your rhsm repo when installing Vault via a RHSM repository (RedHat Satellite/Foreman/etc.).
68 | When set, you need to make sure `vault_install_hashi_repo` is set to `true` to enable repo install. Optionally, also set 69 | the rhsm subscription name with `vault_rhsm_subscription_name`. 70 | - Default value: null 71 | 72 | ## `vault_rhsm_subscription_name` 73 | 74 | - Name of rhsm subscription 75 | - Set the rhsm subscription name to attach the rhsm subscription via subscription-manager. 76 | When set, you need to make sure `vault_install_hashi_repo` is set to `true` to enable repo install, and also that 77 | `vault_rhsm_repo_id` is set. 78 | - Default value: null 79 | 80 | ## `vault_install_remotely` 81 | 82 | - Setting this to `true` downloads the Vault binary on each target host instead of on localhost 83 | - Default value: *false* 84 | 85 | ## `vault_shasums` 86 | 87 | - SHA summaries filename (included for convenience, not for modification) 88 | - Default value: `"vault_{{ vault_version }}_SHA256SUMS"` 89 | 90 | ## `vault_enterprise_shasums` 91 | 92 | - SHA summaries filename (included for convenience, not for modification) 93 | - Will attempt to download from `vault_checksum_file_url` if not present in files/ 94 | - Default value: `"vault-enterprise_{{ vault_version }}_SHA256SUMS"` 95 | 96 | ## `vault_bin_path` 97 | 98 | - Binary installation path 99 | - Default value: `/usr/local/bin` 100 | 101 | ## `vault_config_path` 102 | 103 | - Configuration file path 104 | - Default value: `/etc/vault.d` 105 | 106 | ## `vault_use_config_path` 107 | 108 | - Use `"{{ vault_config_path }}"` to configure vault instead of `"{{ vault_main_config }}"` 109 | - Default value: *false* 110 | 111 | ## `vault_plugin_path` 112 | 113 | - Path from where plugins can be loaded 114 | - Default value: `/usr/local/lib/vault/plugins` 115 | 116 | ## `vault_plugins_enable` 117 | 118 | - List of plugins to enable (check under `tasks/plugins` to see supported plugins.)
119 | - For example: `vault_plugins_enable: [ 'acme', 'example' ]` 120 | - Default value: `[]` 121 | 122 | ## `vault_plugins_src_dir_remote` 123 | 124 | - Directory where temporary plugin zip/installation files are placed. 125 | When installation is processed remotely. 126 | - Default value: `/usr/local/src/vault/plugins` 127 | 128 | ## `vault_plugins_src_dir_local` 129 | 130 | - Directory where temporary plugin zip/installation files are placed. 131 | When installation is processed locally. 132 | - Default value: `{{ role_path }}/files/plugins` 133 | 134 | ## `vault_plugins_src_dir_cleanup` 135 | 136 | - Whether to clean up the temporary plugin zip/installation file directory after plugin install. 137 | Warning: When plugins don't provide a version number this could cause the plugins to be downloaded every time and thus breaking idempotence. 138 | - Default value: `false` 139 | 140 | ## `vault_data_path` 141 | 142 | - Data path 143 | - Default value: `/var/vault` 144 | 145 | ## `vault_log_path` 146 | 147 | - Log path 148 | - Default value: `/var/log/vault` 149 | 150 | ## `vault_run_path` 151 | 152 | - PID file location 153 | - Default value: `/var/run/vault` 154 | 155 | ## `vault_harden_file_perms` 156 | 157 | - Whether this role should disallow Vault from writing into config and plugin 158 | path. This should be enabled to follow [Production Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening). 159 | - Default value: false 160 | 161 | ## `vault_manage_user` 162 | 163 | - Should this role manage the vault user? 164 | - Default value: true 165 | 166 | ## `vault_user` 167 | 168 | - OS user name 169 | - Default value: vault 170 | 171 | ## `vault_group` 172 | 173 | - OS group name 174 | - Default value: bin 175 | 176 | ## `vault_groups` 177 | 178 | - OS additional groups as in ansibles user module 179 | - Default value: null 180 | 181 | ## `vault_manage_group` 182 | 183 | - Should this role manage the vault group? 
184 | - Default value: false 185 | 186 | ## `vault_cluster_name` 187 | 188 | - Cluster name label 189 | - Default value: dc1 190 | 191 | ## `vault_datacenter` 192 | 193 | - Datacenter label 194 | - Default value: dc1 195 | 196 | ## `vault_ui` 197 | 198 | - Enable vault web UI 199 | - Default value: true 200 | 201 | ## `vault_service_restart` 202 | 203 | - Should the playbook restart Vault service when needed 204 | - Default value: true 205 | 206 | ## `vault_service_reload` 207 | 208 | - Should the playbook reload Vault service when the main config changes. 209 | - Default value: false 210 | 211 | ## `vault_start_pause_seconds` 212 | 213 | - Some installations may need some time between the first Vault start 214 | and the first restart. Setting this to a value `>0` will add a pause 215 | time after the first Vault start. 216 | - Default value: 0 217 | 218 | # TCP Listener Variables 219 | 220 | ## `vault_tcp_listeners` 221 | 222 | - A list of tcp listeners. Each listener can define any of the listener specific variables described in further detail below. 
223 | - Default value: 224 | ```yaml 225 | vault_tcp_listeners: 226 | - vault_address: '{{ vault_address }}' 227 | vault_port: '{{ vault_port }}' 228 | vault_cluster_address: '{{ vault_cluster_address }}' 229 | # vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}' 230 | # vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}' 231 | vault_tls_disable: '{{ vault_tls_disable }}' 232 | vault_tls_certs_path: '{{ vault_tls_certs_path }}' 233 | vault_tls_private_path: '{{ vault_tls_private_path }}' 234 | vault_tls_cert_file: '{{ vault_tls_cert_file }}' 235 | vault_tls_key_file: '{{ vault_tls_key_file }}' 236 | vault_tls_ca_file: '{{ vault_tls_ca_file }}' 237 | vault_tls_min_version: '{{ vault_tls_min_version }}' 238 | vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}' 239 | vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}' 240 | vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}' 241 | # vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}' 242 | # vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}' 243 | # vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}' 244 | # vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}' 245 | ``` 246 | 247 | # Storage Backend Variables 248 | 249 | ## `vault_backend` 250 | 251 | - Which storage backend should be selected, choices are: raft, consul, etcd, file, s3, and dynamodb 252 | - Default value: raft 253 | 254 | 255 | ## `vault_backend_tls_src_files` 256 | 257 | - User-specified source directory for TLS files for storage communication 258 | - `{{ vault_tls_src_files }}` 259 | 260 | ## `vault_backend_tls_certs_path` 261 | 262 | - Path to directory containing backend tls certificate files 263 | - `{{ vault_tls_certs_path }}` 264 | 265 | ## `vault_backend_tls_private_path` 266 | 267 | - Path to 
directory containing backend tls key files 268 | - `{{ vault_tls_private_path }}` 269 | 270 | ## `vault_backend_tls_cert_file` 271 | 272 | - Specifies the path to the certificate for backend communication (if supported). 273 | - `{{ vault_tls_cert_file }}` 274 | 275 | ## `vault_backend_tls_key_file` 276 | 277 | - Specifies the path to the private key for backend communication (if supported). 278 | - `{{ vault_tls_key_file }}` 279 | 280 | ## `vault_backend_tls_ca_file` 281 | 282 | - CA certificate used for backend communication (if supported). This defaults to the system bundle if not specified. 283 | - `{{ vault_tls_ca_file }}` 284 | 285 | ## Raft Integrated Storage Backend 286 | 287 | ## `vault_backend_raft` 288 | 289 | - Backend raft integrated storage template filename 290 | - Default value: `vault_backend_raft.j2` 291 | 292 | ## `vault_raft_leader_tls_servername` 293 | 294 | - TLS servername to use when connecting with HTTPS 295 | - Default value: none 296 | 297 | ## `vault_raft_group_name` 298 | 299 | - Inventory group name of servers hosting the raft backend 300 | - Default value: vault_raft_servers 301 | 302 | ## `vault_raft_cluster_members` 303 | 304 | - Members of the raft cluster 305 | - Default value: hosts in `vault_raft_group_name` group 306 | - Can be used to override the behaviour of dynamically selecting all hosts in `vault_raft_group_name` 307 | - Example: 308 | ``` 309 | vault_raft_cluster_members: 310 | - peer: vault-host-1 311 | api_addr: https://vault-host-1:8200 312 | - peer: vault-host-2 313 | api_addr: https://vault-host-2:8200 314 | - peer: vault-host-3 315 | api_addr: https://vault-host-3:8200 316 | ``` 317 | - Setting `vault_raft_cluster_members` statically enables you to run the role against a single host (instead of the entire host group) 318 | 319 | ## `vault_raft_data_path` 320 | 321 | - Data path for Raft 322 | - Default value: vault_data_path 323 | 324 | ## `vault_raft_node_id` 325 | 326 | - Node_id for Raft 327 | - Default value:
inventory_hostname_short 328 | 329 | ## `vault_raft_performance_multiplier` 330 | 331 | - Performance multiplier for Raft 332 | - Default value: none 333 | 334 | ## `vault_raft_trailing_logs` 335 | 336 | - Number of log entries left on the log store after a snapshot 337 | - Default value: none 338 | 339 | ## `vault_raft_snapshot_threshold` 340 | 341 | - Minimum Raft commit entries between snapshots 342 | - Default value: none 343 | 344 | ## `vault_raft_max_entry_size` 345 | 346 | - Maximum number of bytes for a Raft entry 347 | - Default value: none 348 | 349 | ## `vault_raft_autopilot_reconcile_interval` 350 | 351 | - Interval after which autopilot will pick up any state changes 352 | - Default value: none 353 | 354 | ## `vault_raft_cloud_auto_join` 355 | 356 | - Defines any cloud auto-join metadata. If supplied, Vault will 357 | attempt to automatically discover peers in addition to what can 358 | be provided via `leader_api_addr` 359 | - Default value: none 360 | 361 | ## `vault_raft_cloud_auto_join_exclusive` 362 | 363 | - If set to `true`, any `leader_api_addr` occurrences will be removed 364 | from the configuration.
365 | Keeping this to `false` will allow `auto_join` and `leader_api_addr` 366 | to coexist 367 | - Default value: false 368 | 369 | ## `vault_raft_cloud_auto_join_scheme` 370 | 371 | - URI scheme to be used for `auto_join` 372 | - Default value: none (`https` is the default value set by 373 | Vault if not specified) 374 | 375 | ## `vault_raft_cloud_auto_join_port` 376 | 377 | - Port to be used for `auto_join` 378 | - Default value: none (`8200` is the default value set by 379 | Vault if not specified) 380 | 381 | ## Consul Storage Backend 382 | 383 | ## `vault_backend_consul` 384 | 385 | - Backend consul template filename 386 | - Default value: `backend_consul.j2` 387 | 388 | ## `vault_consul` 389 | 390 | - host:port value for connecting to Consul HA backend 391 | - Default value: 127.0.0.1:8500 392 | 393 | ## `vault_consul_scheme` 394 | 395 | - Scheme for Consul backend 396 | - Supported values: http, https 397 | - Default value: http 398 | 399 | ## `vault_consul_path` 400 | 401 | - Name of Vault's Consul K/V root path 402 | - Default value: vault 403 | 404 | ## `vault_consul_service` 405 | 406 | - Name of the Vault service to register in Consul 407 | - Default value: vault 408 | 409 | ## `vault_consul_token` 410 | 411 | - ACL token for accessing Consul 412 | - Default value: none 413 | 414 | ## etcd Storage Backend 415 | 416 | ## `vault_etcd` 417 | 418 | - Address of etcd storage 419 | - Default value: 127.0.0.1:2379 420 | 421 | ## `vault_etcd_api` 422 | 423 | - API version 424 | - Default value: v3 425 | 426 | ## `vault_etcd_path` 427 | 428 | - Path for Vault storage 429 | - Default value: /vault/ 430 | 431 | ## `vault_etcd_discovery_srv` 432 | 433 | - Discovery server 434 | - Default value: none 435 | 436 | ## `vault_etcd_discovery_srv_name` 437 | 438 | - Discovery server name 439 | - Default value: none 440 | 441 | ## `vault_etcd_ha_enabled` 442 | 443 | - Use storage for High Availability mode 444 | - Default value: false 445 | 446 | ## `vault_etcd_sync` 447 
| 448 | - Use etcdsync 449 | - Default value: true 450 | 451 | ## `vault_etcd_username` 452 | 453 | - Username 454 | - Default value: none 455 | 456 | ## `vault_etcd_password` 457 | 458 | - Password 459 | - Default value: none 460 | 461 | ## `vault_etcd_request_timeout` 462 | 463 | - Request timeout 464 | - Default value: "5s" 465 | 466 | ## `vault_etcd_lock_timeout` 467 | 468 | - Lock timeout 469 | - Default value: "15s" 470 | 471 | ## File Storage Backend 472 | 473 | ## `vault_backend_file` 474 | 475 | - Backend file template filename 476 | - Default value: `backend_file.j2` 477 | 478 | ## DynamoDB Storage Backend 479 | 480 | For additional documentation for the various options available, see the 481 | [Vault documentation](https://www.vaultproject.io/docs/configuration/storage/dynamodb.html) 482 | for the DynamoDB storage backend. 483 | 484 | ## `vault_dynamodb` 485 | 486 | - Specifies an alternative DynamoDB endpoint. 487 | - Default value: none 488 | - Can be overridden with the environment variable `AWS_DYNAMODB_ENDPOINT`. 489 | 490 | ## `vault_dynamodb_table` 491 | 492 | - Name of the DynamoDB table used to store Vault data. 493 | - If the table does not already exist, it will be created during 494 | initialization. 495 | - Default value: `"vault-dynamodb-backend"` 496 | - Can be overridden with the environment variable `AWS_DYNAMODB_TABLE`. 497 | 498 | ## `vault_dynamodb_ha_enabled` 499 | 500 | - Whether High Availability is enabled for this storage backend. 501 | - Default value: `"false"` 502 | - Can be overridden with the environment variable `DYNAMODB_HA_ENABLED`. 503 | - The missing `AWS_` prefix is not a typo, this particular variable is not 504 | prefixed in both the Vault documentation and source code. 505 | 506 | ## `vault_dynamodb_max_parallel` 507 | 508 | - The maximum number of concurrent requests. 509 | - Default value: `"128"` 510 | 511 | ## `vault_dynamodb_region` 512 | 513 | - The AWS region. 
514 | - Default value: `us-east-1` 515 | - Can be overridden with the environment variable `AWS_DEFAULT_REGION` 516 | 517 | ## `vault_dynamodb_read_capacity` 518 | 519 | - Number of reads per second to provision for the table. 520 | - Only used during table creation, has no effect if the table already exists. 521 | - Default value: `5` 522 | - Can be overridden with the environment variable `AWS_DYNAMODB_READ_CAPACITY`. 523 | 524 | ## `vault_dynamodb_write_capacity` 525 | 526 | - Number of writes per second to provision for the table. 527 | - Only used during table creation, has no effect if the table already exists. 528 | - Default value: `5` 529 | - Can be overridden with the environment variable `AWS_DYNAMODB_WRITE_CAPACITY`. 530 | 531 | ## `vault_dynamodb_access_key` 532 | 533 | - AWS access key to use for authentication. 534 | - Default value: none 535 | - Can be overridden with the environment variable `AWS_ACCESS_KEY_ID` 536 | - Leaving both this and `vault_dynamodb_secret_key` blank will cause Vault to 537 | attempt to retrieve the credentials from the AWS metadata service. 538 | 539 | ## `vault_dynamodb_secret_key` 540 | 541 | - AWS secret key used for authentication. 542 | - Default value: none 543 | - Can be overridden with the environment variable `AWS_SECRET_ACCESS_KEY` 544 | - Leaving both this and `vault_dynamodb_access_key` blank will cause Vault to 545 | attempt to retrieve the credentials from the AWS metadata service. 546 | 547 | ## `vault_dynamodb_session_token` 548 | 549 | - AWS session token. 550 | - Default value: none 551 | - Can be overridden with the environment variable `AWS_SESSION_TOKEN` 552 | 553 | ## Google Cloud Storage Storage Backend 554 | 555 | ## `vault_gcs_bucket` 556 | 557 | - Specifies the name of the bucket to use for storage. 558 | - Default value: none 559 | 560 | ## `vault_gcs_ha_enabled` 561 | 562 | - Specifies if high availability mode is enabled. 
563 | - Default value: `"false"` 564 | 565 | 566 | ## `vault_gcs_chunk_size` 567 | 568 | - Specifies the maximum size (in kilobytes) to send in a single request. If set to 0, it will attempt to send the whole object at once, but will not retry any failures. 569 | - Default value: `"8192"` 570 | 571 | ## `vault_gcs_max_parallel` 572 | 573 | - Specifies the maximum number of parallel operations to take place. 574 | - Default value: `"128"` 575 | 576 | ## `vault_gcs_copy_sa` 577 | 578 | - Copy the GCP SA credentials file from the Ansible control node to the Vault server. When not `true` and no value is specified for `vault_gcs_credentials_src_file`, the default instance service account credentials are used. 579 | - Default value: `"false"` 580 | 581 | ## `vault_gcs_credentials_src_file` 582 | 583 | - Path to the GCP SA credential file on the Ansible control node. 584 | - Default value: none 585 | 586 | ## `vault_gcs_credentials_dst_file` 587 | 588 | - Path to the GCP SA credential file on the Vault server. 589 | - Default value: `"{{ vault_home }}/{{ vault_gcs_credentials_src_file | basename }}"` 590 | 591 | ## Consul Service Registration 592 | 593 | For additional information on the various options, see the 594 | [Vault documentation](https://www.vaultproject.io/docs/configuration/service-registration/consul) 595 | for Consul service registration. Note that this is only available 596 | starting at Vault version 1.4.
597 | 598 | ## `vault_service_registration_consul_enable` 599 | 600 | - Enable Consul service registration 601 | - Default value: false 602 | 603 | ## `vault_service_registration_consul_template` 604 | 605 | - Consul service registration template filename 606 | - Default value: `service_registration_consul.hcl.j2` 607 | 608 | ## `vault_service_registration_consul_address` 609 | 610 | - host:port value for connecting to Consul service registration 611 | - Default value: 127.0.0.1:8500 612 | 613 | ## `vault_service_registration_check_timeout` 614 | 615 | - Specifies the check interval used to send health check information back to Consul. 616 | - Default value: 5s 617 | 618 | ## `vault_service_registration_disable_registration` 619 | 620 | - Specifies whether Vault should register itself with Consul. 621 | - Default value: false 622 | 623 | ## `vault_service_registration_consul_scheme` 624 | 625 | - Scheme for Consul service registration 626 | - Supported values: http, https 627 | - Default value: http 628 | 629 | ## `vault_service_registration_consul_service` 630 | 631 | - Name of the Vault service to register in Consul 632 | - Default value: vault 633 | 634 | ## `vault_service_registration_consul_service_tags` 635 | 636 | - Specifies a comma-separated list of tags to attach to the service registration in Consul. 637 | - Default value: "" 638 | 639 | ## `vault_service_registration_consul_service_address` 640 | 641 | - Specifies a service-specific address to set on the service registration in Consul. 
642 | - Default value: nil 643 | 644 | ## `vault_service_registration_consul_token` 645 | 646 | - ACL token for registering with Consul service registration 647 | - Default value: none 648 | 649 | ## `vault_service_registration_consul_tls_certs_path` 650 | 651 | - path to tls certificate 652 | - default value `{{ vault_tls_certs_path }}` 653 | 654 | ## `vault_service_registration_consul_tls_private_path` 655 | 656 | - path to tls key 657 | - default value `{{ vault_tls_private_path }}` 658 | 659 | ## `vault_service_registration_consul_tls_ca_file` 660 | 661 | - CA certificate filename 662 | - Default value: `{{ vault_tls_ca_file }}` 663 | 664 | ## `vault_service_registration_consul_tls_cert_file` 665 | 666 | - Server certificate 667 | - Default value: `{{ vault_tls_cert_file }}` 668 | 669 | ## `vault_service_registration_consul_tls_key_file` 670 | 671 | - Server key 672 | - Default value: `{{ vault_tls_key_file }}` 673 | 674 | ## `vault_service_registration_consul_tls_min_version` 675 | 676 | - [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) 677 | - Default value: `{{ vault_tls_min_version }}` 678 | 679 | ## `vault_service_registration_consul_tls_skip_verify` 680 | 681 | - Disable verification of TLS certificates. Using this option is highly discouraged. 682 | - Default value: false 683 | 684 | ## Kubernetes Service Registration 685 | 686 | For additional information on the various options, see the 687 | [Vault documentation](https://www.vaultproject.io/docs/configuration/service-registration/kubernetes) 688 | for Kubernetes service registration. Note that this is only 689 | available starting at Vault version 1.4. 
690 | 691 | ## `vault_service_registration_kubernetes_consul_enable` 692 | 693 | - Enable Kubernetes service registration 694 | - Default value: false 695 | 696 | ## `vault_service_registration_kubernetes_template` 697 | 698 | - Kubernetes service registration template filename 699 | - Default value: `service_registration_kubernetes.hcl.j2` 700 | 701 | ## `vault_service_registration_kubernetes_namespace` 702 | 703 | - Kubernetes namespace to register 704 | - Default value: vault 705 | 706 | ## `vault_service_registration_pod_name` 707 | 708 | - Kubernetes pod name to register 709 | - Default value: vault 710 | 711 | ## `vault_log_level` 712 | 713 | - [Log level](https://www.consul.io/docs/agent/options.html#_log_level) 714 | - Supported values: trace, debug, info, warn, err 715 | - Default value: info 716 | - Requires Vault version 0.11.1 or higher 717 | 718 | ## `vault_iface` 719 | 720 | - Network interface 721 | - Can be overridden with the `VAULT_IFACE` environment variable 722 | - Default value: eth1 723 | 724 | ## `vault_address` 725 | 726 | - Primary network interface address to use 727 | - Default value: `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"` 728 | 729 | ## `vault_port` 730 | 731 | - TCP port number on which to listen 732 | - Setting `vault_port` below 1024 will add the `CAP_NET_BIND_SERVICE` capability to the systemd service 733 | - This capability allows an unprivileged user to start a service on a privileged port 734 | - Default value: 8200 735 | 736 | ## `vault_max_lease_ttl` 737 | 738 | - Configures the [maximum possible lease duration](https://www.vaultproject.io/docs/config/#max_lease_ttl) for tokens and secrets. 739 | - Default value: 768h (32 days) 740 | 741 | ## `vault_default_lease_ttl` 742 | 743 | - Configures the [default lease duration](https://www.vaultproject.io/docs/config/#default_lease_ttl) for tokens and secrets.
744 | - Default value: 768h (32 days) 745 | 746 | ## `vault_main_config` 747 | - Main configuration file name (full path) 748 | - Default value: `"{{ vault_config_path }}/vault_main.hcl"` 749 | 750 | ## `vault_main_configuration_template` 751 | 752 | - Vault main configuration template file 753 | - Default value: *vault_main_configuration.hcl.j2* 754 | 755 | ## `vault_custom_configuration` 756 | 757 | - Vault custom configuration 758 | - Default value: none 759 | 760 | ## `vault_http_proxy` 761 | 762 | - Address to be used as the proxy for HTTP and HTTPS requests unless overridden by `vault_https_proxy` or `vault_no_proxy` 763 | - Default value: `""` 764 | 765 | ## `vault_https_proxy` 766 | 767 | - Address to be used as the proxy for HTTPS requests unless overridden by `vault_no_proxy` 768 | - Default value: `""` 769 | 770 | ## `vault_no_proxy` 771 | 772 | - Comma-separated values specifying hosts that should be excluded from proxying. Follows [golang conventions](https://godoc.org/golang.org/x/net/http/httpproxy) 773 | - Default value: `""` 774 | 775 | ## `vault_additional_environment_variables` 776 | 777 | - Dict of items of type `Dict[str, str]` used to add additional environment variables to the systemd service 778 | - Default value: `{}` 779 | 780 | Example: 781 | 782 | ```yaml 783 | vault_additional_environment_variables: 784 | FOO: bar 785 | ``` 786 | 787 | ## `vault_cluster_address` 788 | 789 | - Address to bind to for cluster server-to-server requests 790 | - Default value: `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"` 791 | 792 | ## `vault_cluster_addr` 793 | 794 | - Address to advertise to other Vault servers in the cluster for request forwarding 795 | - Default value: `"{{ vault_protocol }}://{{ vault_cluster_address }}"` 796 | 797 | ## `vault_api_addr` 798 | 799 | - [HA Client Redirect address](https://www.vaultproject.io/docs/concepts/ha.html#client-redirection) 800 | - Default value: `"{{ 
vault_protocol }}://{{ vault_redirect_address or hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ vault_port }}"` 801 | - `vault_redirect_address` is kept for backward compatibility but is deprecated. 802 | 803 | ## `vault_disable_api_health_check` 804 | 805 | - Flag for disabling the health check on Vault's API address 806 | - Default value: `false` 807 | 808 | ## `vault_cluster_disable` 809 | 810 | - Disable HA clustering 811 | - Default value: false 812 | 813 | ## `validate_certs_during_api_reachable_check` 814 | 815 | - Whether to validate TLS certificates during the API reachability check (set to `false` to disable validation) 816 | - Default value: true 817 | 818 | ## `vault_proxy_protocol_behavior` 819 | 820 | - May be one of `use_always`, `allow_authorized`, or `deny_unauthorized` 821 | - Enables the [PROXY protocol](https://www.vaultproject.io/docs/configuration/listener/tcp#proxy_protocol_behavior) for the listener. 822 | - If enabled and set to something other than `use_always`, you must also set 823 | - [*vault_proxy_protocol_authorized_addrs*](https://www.vaultproject.io/docs/configuration/listener/tcp#proxy_protocol_authorized_addrs) 824 | - Comma-separated list of source IPs for which PROXY protocol information will be used.
825 | - Default value: "" 826 | 827 | ## `vault_tls_certs_path` 828 | 829 | - Path to TLS certificates 830 | - Default value `/etc/vault/tls` 831 | 832 | ## `vault_tls_private_path` 833 | 834 | - Path to TLS keys 835 | - Default value `/etc/vault/tls` 836 | 837 | ## `vault_tls_disable` 838 | 839 | - [Disable TLS](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable) 840 | - Can be overridden with `VAULT_TLS_DISABLE` environment variable 841 | - Default value: 1 842 | 843 | ## `vault_tls_gossip` 844 | 845 | - Enable TLS Gossip to storage (if supported) 846 | - Default value: 0 847 | 848 | ## `vault_tls_src_files` 849 | 850 | - User-specified source directory for TLS files 851 | - Override with `VAULT_TLS_SRC_FILES` environment variable 852 | - Default value: `{{ role_path }}/files` 853 | 854 | ## `vault_tls_ca_file` 855 | 856 | - CA certificate filename 857 | - Override with `VAULT_TLS_CA_CRT` environment variable 858 | - Default value: `ca.crt` 859 | 860 | ## `vault_tls_client_ca_file` 861 | 862 | - Client CA certificate filename 863 | - Default value: `` 864 | 865 | ## `vault_tls_cert_file` 866 | 867 | - Server certificate 868 | - Override with `VAULT_TLS_CERT_FILE` environment variable 869 | - Default value: `server.crt` 870 | 871 | ## `vault_tls_key_file` 872 | 873 | - Server key 874 | - Override with `VAULT_TLS_KEY_FILE` environment variable 875 | - Default value: `server.key` 876 | 877 | ## `vault_tls_min_version` 878 | 879 | - [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) 880 | - Can be overridden with `VAULT_TLS_MIN_VERSION` environment variable 881 | - Default value: tls12 882 | 883 | ## `vault_tls_cipher_suites` 884 | 885 | - [Comma-separated list of supported ciphersuites](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites) 886 | - Default value: "" 887 | 888 | ## `vault_tls_require_and_verify_client_cert` 889 | 890 | - [Require 
clients to present a valid client certificate](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_require_and_verify_client_cert) 891 | - Default value: false 892 | 893 | ## `vault_tls_disable_client_certs` 894 | 895 | - [Disable requesting for client certificates](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable_client_certs) 896 | - Default value: false 897 | 898 | ## `vault_tls_copy_keys` 899 | 900 | - Copy TLS files from src to dest 901 | - Default value: true 902 | 903 | ## `vault_tls_files_remote_src` 904 | 905 | - Copy from remote source if TLS files are already on host 906 | - Default value: false 907 | 908 | ## `vault_x_forwarded_for_authorized_addrs` 909 | 910 | - Comma-separated list of source IP CIDRs for which an X-Forwarded-For header will be trusted. 911 | - Enables [X-Forwarded-For support.](https://www.vaultproject.io/docs/configuration/listener/tcp#x_forwarded_for_authorized_addrs) 912 | - If enabled, you may also set any of the following parameters: 913 | - *vault_x_forwarded_for_hop_skips* with a format of "N" for the number of hops to skip 914 | - *vault_x_forwarded_for_reject_not_authorized* with true/false 915 | - *vault_x_forwarded_for_reject_not_present* with true/false 916 | - Default value: "" 917 | 918 | ## `vault_bsdinit_template` 919 | - BSD init template file 920 | - Default value: `vault_service_bsd_init.j2` 921 | 922 | ## `vault_sysvinit_template` 923 | - SysV init template file 924 | - Default value: `vault_sysvinit.j2` 925 | 926 | ## `vault_debian_init_template` 927 | - Debian init template file 928 | - Default value: `vault_service_debian_init.j2` 929 | 930 | ## `vault_systemd_template` 931 | - Systemd service template file 932 | - Default value: `vault_service_systemd.j2` 933 | 934 | ## `vault_systemd_service_name` 935 | - Systemd service unit name 936 | - Default value: "vault" 937 | 938 | ## `vault_telemetry_enabled` 939 | - Enable [Vault 
telemetry](https://www.vaultproject.io/docs/configuration/telemetry.html) 940 | - If enabled, you must set at least one of the following parameters according to your telemetry provider: 941 | - *vault_statsite_address* with a format of "FQDN:PORT" 942 | - *vault_statsd_address* with a format of "FQDN:PORT" 943 | - *vault_prometheus_retention_time* e.g: "30s" or "24h" 944 | - If enabled, optionally set *vault_telemetry_disable_hostname* to strip the hostname prefix from telemetry data 945 | - Default value: *false* 946 | 947 | ## `vault_unauthenticated_metrics_access` 948 | 949 | - Configure [unauthenticated metrics access](https://www.vaultproject.io/docs/configuration/listener/tcp#configuring-unauthenticated-metrics-access) 950 | - Default value: false 951 | 952 | ## `vault_telemetry_usage_gauge_period` 953 | 954 | - Specifies the interval at which high-cardinality usage data is collected, 955 | such as token counts, entity counts, and secret counts. 956 | - Default value: *undefined* 957 | 958 | # OS Distribution Variables 959 | 960 | The `vault` binary works on most Linux platforms and is not distribution 961 | specific. 
However, some distributions require installation of specific OS 962 | packages with different naming, so this role was built with support for 963 | popular Linux distributions and defines these variables to deal with the 964 | differences across distributions: 965 | 966 | ## `vault_pkg` 967 | 968 | - Vault package filename 969 | - Default value: `{{ vault_version }}_linux_amd64.zip` 970 | 971 | ## `vault_centos_url` 972 | 973 | - Vault package download URL 974 | - Default value: `{{ vault_zip_url }}` 975 | 976 | ## `vault_centos_os_packages` 977 | 978 | - List of OS packages to install 979 | - Default value: list 980 | 981 | ## `vault_debian_url` 982 | 983 | - Vault package download URL 984 | - Default value: `"{{ vault_zip_url }}"` 985 | 986 | ## `vault_sha256` 987 | 988 | - Vault download SHA256 summary 989 | - Default value: SHA256 summary 990 | 991 | ## `vault_debian_os_packages` 992 | 993 | - List of OS packages to install 994 | - Default value: list 995 | 996 | ## `vault_pkg` 997 | 998 | - Vault package filename 999 | - Default value: `"{{ vault_version }}_linux_amd64.zip"` 1000 | 1001 | ## `vault_redhat_url` 1002 | 1003 | - Vault package download URL 1004 | - Default value: `"{{ vault_zip_url }}"` 1005 | 1006 | ## `vault_sha256` 1007 | 1008 | - Vault package SHA256 summary 1009 | - Default value: SHA256 summary 1010 | 1011 | ## `vault_redhat_os_packages` 1012 | 1013 | - List of OS packages to install 1014 | - Default value: list 1015 | 1016 | ## `vault_pkg` 1017 | 1018 | - Vault package filename 1019 | - Default value: `"{{ vault_version }}_linux_amd64.zip"` 1020 | 1021 | ## `vault_ubuntu_url` 1022 | 1023 | - Vault package download URL 1024 | - Default value: `"{{ vault_zip_url }}"` 1025 | 1026 | ## `vault_sha256` 1027 | 1028 | - Vault package SHA256 summary 1029 | - Default value: SHA256 summary 1030 | 1031 | ## `vault_enable_log` 1032 | 1033 | - Enable log to `vault_log_path` 1034 | - Default value: false 1035 | 1036 | ## `vault_enable_logrotate` 1037 | 
1038 | - Enable log rotation for systemd-based systems 1039 | - Default value: false 1040 | 1041 | ## `vault_logrotate_freq` 1042 | 1043 | - Determines how frequently to rotate Vault logs 1044 | - Default value: 7 1045 | 1046 | ## `vault_logrotate_template` 1047 | 1048 | - Logrotate template file 1049 | - Default value: `vault_logrotate.j2` 1050 | 1051 | ## `vault_ubuntu_os_packages` 1052 | 1053 | - List of OS packages to install 1054 | - Default value: list 1055 | 1056 | # Dependencies 1057 | 1058 | > **NOTE**: Read these before executing the role to avoid certain frequently 1059 | encountered issues which are resolved by installing the correct dependencies. 1060 | 1061 | ## `gtar` 1062 | 1063 | Ansible requires GNU tar and this role performs some local use of the 1064 | unarchive module, so ensure that your system has `gtar` installed. 1065 | 1066 | ## Python netaddr 1067 | 1068 | The role depends on `python-netaddr`, so run: 1069 | 1070 | ``` 1071 | pip install netaddr 1072 | ``` 1073 | 1074 | on the Ansible control host prior to executing the role. 1075 | 1076 | # Vault Enterprise 1077 | 1078 | The role can install Vault Enterprise based instances. 1079 | 1080 | Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set 1081 | `vault_enterprise: true` or use the `VAULT_ENTERPRISE="true"` environment 1082 | variable. If the zip is not found in `files/`, the role attempts to download the package from `vault_zip_url`. 1083 | 1084 | Since v2.5.9 of this role you can also install Vault Enterprise via the HashiCorp repository. To do so, set `vault_install_hashi_repo: true` as well as `vault_enterprise: true`. 1085 | 1086 | **Warning:** The non-Enterprise package will be removed if it is already installed and `vault_enterprise` is set to *true*, and vice versa. 1087 | 1088 | # Vault Enterprise with HSM 1089 | 1090 | The role can configure HSM based instances. 
Make sure to reference the [HSM support page](https://www.vaultproject.io/docs/configuration/seal/index.html) and take notice of the [behavior changes](https://www.vaultproject.io/docs/enterprise/hsm/behavior.html#initialization) after HSM is installed. 1091 | 1092 | ## `vault_enterprise_hsm` 1093 | 1094 | - Set to `true` when using the HSM binary. This causes `.hsm` to be included in the `vault_version` variable. 1095 | - Default value: false 1096 | 1097 | ## `vault_configure_enterprise_license` 1098 | 1099 | - Manage the enterprise license file with this role. Set to `true` to use `vault_license_path`, and `vault_license_file` or `vault_license_content`. 1100 | - Default value: false 1101 | 1102 | ## `vault_license_path` 1103 | 1104 | - Path to the enterprise license on the remote host (destination path). [`license_path`](https://www.vaultproject.io/docs/configuration#license_path) in the main configuration file. Only used if `vault_configure_enterprise_license: true`. 1105 | - Default value: `{{ vault_config_path }}/license.hclic` 1106 | 1107 | ## `vault_license_file` 1108 | 1109 | - Path to the enterprise license on the Ansible controller (source file for upload). The upload is skipped when this is empty or undefined and `vault_license_content` is also empty or undefined. Only used if `vault_configure_enterprise_license: true`. 1110 | - Default value: "" 1111 | 1112 | ## `vault_license_content` 1113 | 1114 | - Value of the enterprise license to use. The upload is skipped when this is empty or undefined and `vault_license_file` is also empty or undefined. Only used if `vault_configure_enterprise_license: true`. 1115 | - Default value: "" 1116 | 1117 | ## `vault_hsm_app` 1118 | 1119 | - Set which cryptography app to use. 1120 | - Default value: pkcs11 1121 | 1122 | ## `vault_backend_seal` 1123 | 1124 | > NOTE: This seal will be migrated to the `pkcs11` seal and made consistent with the other seal types with respect to breaking naming changes soon. 
1125 | 1126 | - Backend seal template filename 1127 | - Default value: `vault_backend_seal.j2` 1128 | 1129 | ## `vault_seal_lib` 1130 | 1131 | - Set to the absolute path of the HSM library Vault will call 1132 | - Default value: `/lib64/hsmlibrary.so` 1133 | 1134 | ## `vault_seal_pin` 1135 | 1136 | - The PIN for login. May also be specified by the VAULT_HSM_PIN environment variable. If set via the environment variable, Vault will obfuscate the environment variable after reading it, and it will need to be re-set if Vault is restarted. 1137 | - Default value: 12345 1138 | 1139 | ## `vault_seal_key_label` 1140 | 1141 | - The label of the key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated key. May also be specified by the VAULT_HSM_KEY_LABEL environment variable. 1142 | - Default value: '' 1143 | 1144 | ## `vault_seal_hmac_key_label` 1145 | 1146 | - The label of the HMAC key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated HMAC key. May also be specified by the VAULT_HSM_HMAC_KEY_LABEL environment variable. 1147 | - Default value: '' 1148 | 1149 | ## `vault_seal_generate_key` 1150 | 1151 | - If no existing key with the label specified by key_label can be found at Vault initialization time, instructs Vault to generate a key. This is a boolean expressed as a string (e.g. "true"). May also be specified by the VAULT_HSM_GENERATE_KEY environment variable. Vault may not be able to successfully generate keys in all circumstances, such as if proprietary vendor extensions are required to create keys of a suitable type. 1152 | - Default value: false 1153 | 1154 | ## `vault_seal_key_mechanism` 1155 | 1156 | - Do not change this unless you know you need to. The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string. May also be specified by the VAULT_HSM_MECHANISM environment variable. 
1157 | - Default value: '' 1158 | - Example for RSA: 0x0009 1159 | 1160 | ## `vault_seal_token_label` 1161 | 1162 | - The slot token label to use. May also be specified by the VAULT_HSM_TOKEN_LABEL environment variable. This label will only be applied when `vault_softcard_enable` is true. 1163 | - Default value: '' 1164 | 1165 | ## `vault_softcard_enable` 1166 | 1167 | - Enable if you plan to use a softcard on your HSM. 1168 | - Default value: false 1169 | 1170 | ## `vault_seal_slot` 1171 | 1172 | - The slot number to use, specified as a string (e.g. "0"). May also be specified by the VAULT_HSM_SLOT environment variable. This label will only be applied when `vault_softcard_enable` is false (default). 1173 | - Default value: 0 1174 | 1175 | ## `vault_entropy_seal` 1176 | 1177 | - Set to True to [include `entropy` stanza](https://learn.hashicorp.com/tutorials/vault/hsm-entropy) which enables [entropy augmentation for supported seals](https://www.vaultproject.io/docs/configuration/entropy-augmentation). Supported Seal types include PKCS11, AWS KMS, and Vault Transit. 1178 | - Default value: false 1179 | 1180 | The following stanza will be included in the hcl main configuration file if `vault_entropy_seal=true`: 1181 | ``` 1182 | entropy "seal" { 1183 | mode = "augmentation" 1184 | } 1185 | ``` 1186 | 1187 | # Vault GCP Cloud KMS Auto-unseal 1188 | 1189 | This feature enables operators to delegate the unsealing process to Google Key Management System Cloud to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters. 1190 | 1191 | This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterprise binaries for any earlier version. 1192 | 1193 | ## `vault_gkms` 1194 | 1195 | - Set to True to enable Google Cloud KMS Auto-Unseal. 
1196 | - Default value: false 1197 | 1198 | ## `vault_backend_gkms` 1199 | 1200 | - Backend seal template filename 1201 | - Default value: `vault_seal_gcpkms.j2` 1202 | 1203 | ## `vault_gkms_project` 1204 | 1205 | - GCP project where the key resides. 1206 | - Default value: '' 1207 | 1208 | ## `vault_gkms_copy_sa` 1209 | 1210 | - Copy the GCP SA credentials file from the Ansible control node to the Vault server. When not `true` and no value is specified for `vault_gkms_credentials_src_file`, the default instance service account credentials are used. 1211 | - Default value: `"true"` 1212 | 1213 | ## `vault_gkms_credentials_src_file` 1214 | 1215 | - User-specified source directory for the GCP credential on the Ansible control node. 1216 | - Either this or `vault_gkms_credentials_content` must be set if `vault_gkms` is enabled. 1217 | - Default value: '' 1218 | 1219 | ## `vault_gkms_credentials_content` 1220 | 1221 | - User-specified GCP credential file content. 1222 | - Either this or `vault_gkms_credentials_src_file` must be set if `vault_gkms` is enabled. 1223 | - Default value: '' 1224 | 1225 | ## `vault_gkms_credentials` 1226 | 1227 | - Path to the GCP credential on the Vault server. 1228 | - Default value: `/home/vault/vault-kms.json` 1229 | 1230 | ## `vault_gkms_region` 1231 | 1232 | - GCP region where the key resides. 1233 | - Default value: global 1234 | 1235 | ## `vault_gkms_key_ring` 1236 | 1237 | - The id of the Google Cloud Platform KeyRing to which the key shall belong. 1238 | - Default value: vault 1239 | 1240 | ## `vault_gkms_crypto_key` 1241 | 1242 | - The CryptoKey's name. A CryptoKey's name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63} 1243 | - Default value: vault_key 1244 | 1245 | # Vault OCI KMS Auto-unseal 1246 | 1247 | This feature enables operators to delegate the unsealing process to OCI KMS to ease operations in the event of a partial failure and to 1248 | aid in the creation of new or ephemeral clusters. 
1249 | 1250 | ## `vault_ocikms` 1251 | 1252 | - Set to true to enable OCI KMS Auto-unseal. 1253 | - Default value: false 1254 | 1255 | ## `vault_ocikms_backend` 1256 | 1257 | - Backend seal template filename. 1258 | - Default value: `vault_seal_ocikms.j2` 1259 | 1260 | ## `vault_ocikms_auth_type_api_key` 1261 | 1262 | - Specifies if using API key to authenticate to OCI KMS service. 1263 | - Default value: false 1264 | 1265 | ## `vault_ocikms_key_id` 1266 | 1267 | - The OCI KMS key ID to use. 1268 | - Default value: VAULT_OCIKMS_SEAL_KEY_ID 1269 | 1270 | ## `vault_ocikms_crypto_endpoint` 1271 | 1272 | - The OCI KMS cryptographic endpoint (or data plane endpoint) to be used to make OCI KMS encryption/decryption requests. 1273 | - Default value: VAULT_OCIKMS_CRYPTO_ENDPOINT 1274 | 1275 | ## `vault_ocikms_management_endpoint` 1276 | 1277 | - The OCI KMS management endpoint (or control plane endpoint) to be used to make OCI KMS key management requests. 1278 | - Default value: VAULT_OCIKMS_MANAGEMENT_ENDPOINT 1279 | 1280 | # Vault Transit Auto-unseal 1281 | This enables Vault to use another Vault instance for the unseal process using its transit secret engine 1282 | 1283 | ## `vault_transit` 1284 | 1285 | - Set to true to enable Vault Transit Auto-unseal 1286 | - Default value: `false` 1287 | 1288 | ## `vault_transit_backend` 1289 | 1290 | - Backend seal template filename 1291 | - Default value: `vault_seal_transit.j2` 1292 | 1293 | ## `vault_transit_config`: 1294 | 1295 | - Destination configuration file 1296 | - Default value: `vault_transit.hcl` 1297 | 1298 | ## `vault_transit_address`: 1299 | 1300 | - Vault Address of the instance used for auto unseal 1301 | - Default value: ``, this variable is mandatory if `vault_transit: true` 1302 | 1303 | ## `vault_transit_token`: 1304 | 1305 | - Token used to authenticate to the external vault instance 1306 | - Default value: ``, this variable is mandatory if `vault_transit: true` 1307 | 1308 | ## 
`vault_transit_disable_renewal`: 1309 | 1310 | - Whether to disable automatic token renewal 1311 | - Default value: `false` 1312 | 1313 | ## `vault_transit_key_name` 1314 | 1315 | - Name of the key used for auto unseal 1316 | - Default value: `autounseal` 1317 | 1318 | ## `vault_transit_mount_path`: 1319 | 1320 | - Path where the transit engine is mounted 1321 | - Default value: `transit/` 1322 | 1323 | ## `vault_transit_namespace`: 1324 | 1325 | - Namespace of the mounted transit engine 1326 | - Default value: ``, omitted by default 1327 | 1328 | ## `vault_transit_tls_ca_cert`: 1329 | 1330 | - CA certificate of the external Vault instance 1331 | - Default value: `ca_cert.pem`, omitted if `vault_transit_tls_skip_verify: true` 1332 | 1333 | ## `vault_transit_tls_client_cert`: 1334 | 1335 | - Client certificate for the external Vault instance 1336 | - Default value: `client_cert.pem`, omitted if `vault_transit_tls_skip_verify: true` 1337 | 1338 | ## `vault_transit_tls_client_key`: 1339 | 1340 | - Client key for the external Vault instance 1341 | - Default value: `ca_cert.pem`, omitted if `vault_transit_tls_skip_verify: true` 1342 | 1343 | ## `vault_transit_tls_server_name` 1344 | 1345 | - TLS server name of the external Vault instance 1346 | - Default value: ``, omitted by default 1347 | 1348 | ## `vault_transit_tls_skip_verify`: 1349 | 1350 | - Whether to disable TLS certificate verification 1351 | - Default: `false`, can also be set via `VAULT_SKIP_VERIFY` 1352 | 1353 | # Vault AWS KMS Auto-unseal 1354 | 1355 | This feature enables operators to delegate the unsealing process to AWS KMS to ease operations in the event of a partial failure and to 1356 | aid in the creation of new or ephemeral clusters. 
1357 | 1358 | ## `vault_awskms` 1359 | 1360 | - Set to true to enable AWS KMS Auto-unseal 1361 | - Default value: false 1362 | 1363 | ## `vault_awskms_backend` 1364 | 1365 | - Backend seal template filename 1366 | - Default value: `vault_seal_awskms.j2` 1367 | 1368 | ## `vault_awskms_region` 1369 | 1370 | - Which AWS KMS region to use 1371 | - Default value: us-east-1 1372 | 1373 | ## `vault_awskms_access_key` 1374 | 1375 | - The AWS Access Key ID to use for talking to AWS KMS. Prefer an IAM instance profile or role over static credentials where possible; if static keys are used, keep them encrypted (e.g. with Ansible Vault) and scope the IAM policy to the unseal key only. 1376 | - Default value: AWS_ACCESS_KEY_ID 1377 | 1378 | ## `vault_awskms_secret_key` 1379 | 1380 | - The AWS Secret Access Key to use for talking to AWS KMS. Treat this value as a secret and never commit it in plaintext. 1381 | - Default value: AWS_SECRET_ACCESS_KEY 1382 | 1383 | ## `vault_awskms_key_id` 1384 | 1385 | - The KMS Key ID to use for AWS KMS 1386 | - Default value: VAULT_AWSKMS_SEAL_KEY_ID 1387 | 1388 | ## `vault_awskms_endpoint` 1389 | 1390 | - The endpoint to use for KMS 1391 | - Default value: AWS_KMS_ENDPOINT 1392 | 1393 | # Vault Azure Key Vault Auto-unseal 1394 | 1395 | This feature enables operators to delegate the unsealing process to Azure Key Vault to ease operations in the event of a partial failure and to aid in the creation of new or ephemeral clusters. 
1396 | 1397 | ## `vault_azurekeyvault` 1398 | 1399 | - Set to true to enable Azure Key Vault Auto-unseal 1400 | - Default value: false 1401 | 1402 | ## `vault_backend_azurekeyvault` 1403 | 1404 | - Backend seal template filename 1405 | - Default value: `vault_seal_azurekeyvault.j2` 1406 | 1407 | ## `vault_azurekeyvault_client_id` 1408 | 1409 | - Application ID related to the Service Principal Name for the application used to connect to Azure 1410 | - Default value: EXAMPLE_CLIENT_ID (placeholder; must be overridden) 1411 | 1412 | ## `vault_azurekeyvault_client_secret` 1413 | 1414 | - Client Secret is the secret key attached to your application. Treat this value as a secret: keep it encrypted (e.g. with Ansible Vault) rather than in plaintext inventory. 1415 | - Default value: EXAMPLE_CLIENT_SECRET (placeholder; must be overridden) 1416 | 1417 | ## `vault_azurekeyvault_tenant_id` 1418 | 1419 | - Tenant ID is your Directory ID in Azure 1420 | - Default value: EXAMPLE_TENANT_ID (placeholder; must be overridden) 1421 | 1422 | ## `vault_azurekeyvault_vault_name` 1423 | 1424 | - The name of the Key Vault which hosts the key 1425 | - Default value: vault 1426 | 1427 | ## `vault_azurekeyvault_key_name` 1428 | 1429 | - The name of the key hosted in Azure Key Vault 1430 | - Default value: vault_key 1431 | 1432 | # Vault plugins 1433 | 1434 | ## acme plugin 1435 | 1436 | Installs the vault-acme plugin and, if the play is authenticated against Vault (`VAULT_ADDR`, `VAULT_TOKEN` env), also enables the plugin. 1437 | 1438 | ## `vault_plugin_acme_install` 1439 | - Setting this to `remote` will download the acme plugin on each target instead of copying it from localhost. 1440 | - Choices: remote / local 1441 | - Default value: `remote` 1442 | 1443 | ## `vault_plugin_acme_sidecar_install` 1444 | - Whether to install the vault-acme sidecar for `HTTP-01`/`TLS-ALPN-01` challenges in addition to `DNS-01`. 1445 | - Default value: `false` 1446 | 1447 | ## `vault_plugin_acme_version` 1448 | - Version of the acme plugin to install; can be set to `latest` to obtain the latest available version. For production deployments, pin an explicit version so installs are reproducible and the downloaded plugin binary can be checked against a known checksum before it is registered with Vault. 1449 | - Default value: `latest` 1450 | --------------------------------------------------------------------------------
