├── .ansible-lint ├── .config └── molecule │ └── config.yml ├── .github └── workflows │ ├── ansible-lint.yml │ ├── commitlint.yml │ ├── molecule.yml │ └── release.yml ├── .gitignore ├── .pre-commit-config.yaml ├── .releaserc.json ├── CHANGELOG.md ├── CONTRIBUTING.md ├── CONTRIBUTORS.md ├── LICENSE.txt ├── Makefile ├── README.md ├── commitlint.config.js ├── defaults └── main.yml ├── examples ├── README_VAGRANT.md ├── Vagrantfile ├── bin │ └── preinstall ├── roles │ └── requirements.yml ├── site.yml ├── site_consul.yml └── vagrant_hosts ├── files └── README.md ├── handlers └── main.yml ├── meta └── main.yml ├── molecule ├── _tests │ └── test_vault.yml.j2 ├── almalinux-9 │ └── molecule.yml ├── amazonlinux-2022 │ └── molecule.yml ├── archlinux │ ├── molecule.yml │ └── prepare.yml ├── centos-stream-9-enterprise │ └── molecule.yml ├── centos-stream-9 │ └── molecule.yml ├── converge.yml ├── debian-11-enterprise │ └── molecule.yml ├── debian-11 │ └── molecule.yml ├── prepare.yml ├── requirements.yml ├── rockylinux-9 │ └── molecule.yml ├── ubuntu-20.04 │ └── molecule.yml ├── ubuntu-22.04 │ └── molecule.yml ├── ubuntu-24.04 │ └── molecule.yml └── verify.yml ├── role_variables.md ├── tasks ├── asserts.yml ├── backend_tls.yml ├── install.yml ├── install_hashi_repo.yml ├── install_remote.yml ├── main.yml ├── plugins │ └── acme.yml └── tls.yml ├── templates ├── vault_backend_consul.j2 ├── vault_backend_dynamodb.j2 ├── vault_backend_etcd.j2 ├── vault_backend_file.j2 ├── vault_backend_gcs.j2 ├── vault_backend_mysql.j2 ├── vault_backend_raft.j2 ├── vault_backend_s3.j2 ├── vault_entropy_seal.j2 ├── vault_logrotate.j2 ├── vault_main_configuration.hcl.j2 ├── vault_seal_awskms.j2 ├── vault_seal_azurekeyvault.j2 ├── vault_seal_gcpkms.j2 ├── vault_seal_ocikms.j2 ├── vault_seal_pkcs11.j2 ├── vault_seal_transit.j2 ├── vault_service_bsd_init.j2 ├── vault_service_debian_init.j2 ├── vault_service_registration_consul.hcl.j2 ├── vault_service_registration_kubernetes.hcl.j2 ├── 
vault_service_systemd.j2 └── vault_sysvinit.j2 ├── vars ├── Archlinux.yml ├── Debian.yml ├── Flatcar.yml ├── FreeBSD.yml ├── RedHat.yml └── main.yml ├── vault_releases.md └── version.txt /.ansible-lint: -------------------------------------------------------------------------------- 1 | --- 2 | # .ansible-lint 3 | skip_list: 4 | - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern` 5 | - 'fqcn-builtins' # For ansible 2.7 - 2.9 compatibility 6 | - 'fqcn' # For ansible 2.7 - 2.9 compatibility 7 | - jinja 8 | 9 | exclude_paths: 10 | - meta/main.yml # https://github.com/ansible/ansible-lint/issues/4387 11 | - molecule 12 | - molecule/_tests/ 13 | - examples/ 14 | - tests/ 15 | -------------------------------------------------------------------------------- /.config/molecule/config.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependency: 3 | name: galaxy 4 | options: 5 | role-file: molecule/requirements.yml 6 | driver: 7 | name: docker 8 | lint: | 9 | set -e 10 | yamllint . 
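# (tail of the `lint:` script block; the head of .config/molecule/config.yml is on the previous page line)
  ansible-lint
provisioner:
  name: ansible
  config_options:
    defaults:
      callbacks_enabled: timer,profile_tasks
      fact_caching: jsonfile
      # Cached facts describe the target hosts; they go to ./cache, which
      # .gitignore already excludes (cache/) — keep it that way.
      fact_caching_connection: ./cache
      forks: 100
    connection:
      pipelining: true
  playbooks:
    prepare: ../prepare.yml
    converge: ../converge.yml
    verify: ../verify.yml
verifier:
  name: ansible

-------------------------------------------------------------------------------- /.github/workflows/ansible-lint.yml: --------------------------------------------------------------------------------
---
name: Ansible Lint
on:
  push:
    # GitHub's filter key is `tags-ignore`; the underscore spelling is not part
    # of the workflow schema, so the intended "skip tag pushes" filter was not
    # being applied.
    tags-ignore:
      - '*'
  pull_request:
# The job only checks out the tree and runs a linter; an explicit read-only
# token keeps a lint run from holding write scopes it never uses.
permissions:
  contents: read
jobs:
  run:
    # NOTE(review): the ubuntu-20.04 hosted image has reached end of life at
    # GitHub — verify and move to a supported image (e.g. ubuntu-22.04).
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4

      - name: Run ansible-lint
        # `@main` is a moving branch reference: each run pulls whatever the
        # upstream default branch currently contains, so the lint toolchain is
        # neither reproducible nor tamper-evident. Pin to a release tag or,
        # preferably, a full commit SHA (`ansible/ansible-lint@<commit-sha>`).
        uses: ansible/ansible-lint@main
        with:
          requirements_file: molecule/requirements.yml

-------------------------------------------------------------------------------- /.github/workflows/commitlint.yml: --------------------------------------------------------------------------------
name: Lint Commit Messages
on:
  push:
    branches:
      - main
  pull_request:

jobs:
  commitlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # full history so the action can lint every commit of a PR, not just HEAD
          fetch-depth: 0
      - uses: wagoid/commitlint-github-action@v5

-------------------------------------------------------------------------------- /.github/workflows/molecule.yml: --------------------------------------------------------------------------------
---
name: Ansible Molecule

on:
  push:
    # Hyphenated key, as in ansible-lint.yml: `tags_ignore` is not a schema key.
    tags-ignore:
      - '*'
  pull_request:

# Neither job talks to the GitHub API; checkout only needs read access.
permissions:
  contents: read

env:
  ANSIBLE_FORCE_COLOR: '1'
  PY_COLORS: '1'

jobs:
  discover-scenarios:
    runs-on: ubuntu-20.04
    outputs:
      scenarios: ${{ steps.set-scenarios.outputs.scenarios }}
    steps:
      - name: Check out codebase
        # v4, consistent with the other workflows (v3 runs on an end-of-life Node runtime).
        uses: actions/checkout@v4

      - name: Discover scenarios
        id: set-scenarios
        # Find path to all scenarios
        # Builds a JSON array of scenario directory names (everything under
        # molecule/ except _tests and the shared *.yml files) for the matrix
        # below. Names are taken verbatim from the checked-out tree and end up,
        # unmodified, in the `molecule_args` input of the test job.
        run: |
          scenarios="[`for x in $(ls -1 molecule -I _tests -I '*.yml'); do echo "'$x'"; done | tr '\n' ',' | sed '$s/,$//'`]"
          echo "scenarios=$scenarios" >> $GITHUB_OUTPUT

  test:
    needs:
      - discover-scenarios
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        scenario: ${{ fromJson(needs.discover-scenarios.outputs.scenarios) }}
    steps:
      - name: checkout
        uses: actions/checkout@v4
      - name: molecule
        # Third-party action referenced by a floating major tag; pin to a full
        # commit SHA so the test toolchain cannot change underneath CI.
        uses: gofrolist/molecule-action@v2
        with:
          molecule_working_dir: .
          molecule_command: test
          molecule_args: --scenario-name ${{ matrix.scenario }}

-------------------------------------------------------------------------------- /.github/workflows/release.yml: --------------------------------------------------------------------------------
name: Semantic Releaser

on:
  push:
    branches:
      - master

# Token scopes for semantic-release. The plugin set configured in
# .releaserc.json is commit-analyzer, release-notes-generator, github,
# changelog and git:
#   contents: write       - GitHub release + the CHANGELOG.md commit (@semantic-release/git)
#   pull-requests: write  - successComment on released pull requests
# NOTE(review): none of those plugins publish packages, so `packages: write`
# looks unused — confirm against a release run and drop it. Conversely
# successComment also targets issues, which would need `issues: write`.
permissions:
  contents: write
  packages: write
  pull-requests: write

jobs:
  semrel:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@v4
        with:
          extra_plugins: |
            @semantic-release/changelog@6.0.0
            @semantic-release/git@10.0.0
            conventional-changelog-conventionalcommits@8.0.0
        env:
          # The CHANGELOG commit is pushed with this token; its message carries
          # [skip ci] so the push does not re-trigger this workflow.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
.DS_Store
.vagrant
# TLS material — certificates and private keys must never be committed
*.crt
*.key
*.retry
*.zip
# molecule fact cache (see .config/molecule/config.yml)
cache/
examples/hosts
# local Vault package and checksum files
files/vault
files/vault*_SHA256SUMS
meta/.galaxy_install_info
examples/roles/ansible-community.ansible-vault
--------------------------------------------------------------------------------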
/.pre-commit-config.yaml: --------------------------------------------------------------------------------
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      # check-yaml validates syntax only; it does not know the GitHub workflow
      # schema, so a misnamed workflow key still passes this hook.
      - id: check-yaml
      - id: check-case-conflict
      - id: check-symlinks
      - id: check-json
      - id: mixed-line-ending
        args: ["--fix=lf"]
      # NOTE(review): this guards `main`, but release.yml triggers on `master`
      # and .releaserc.json lists both branches — confirm which one is the
      # release branch and guard that one (or both).
      - id: no-commit-to-branch
        args: [--branch, main]
      - id: pretty-format-json
        args: [--autofix, --no-sort-keys]

-------------------------------------------------------------------------------- /.releaserc.json: --------------------------------------------------------------------------------
{
  "branches": [
    "main",
    "master"
  ],
  "ci": false,
  "plugins": [
    [
      "@semantic-release/commit-analyzer",
      {
        "preset": "conventionalcommits"
      }
    ],
    [
      "@semantic-release/release-notes-generator",
      {
        "preset": "conventionalcommits"
      }
    ],
    [
      "@semantic-release/github",
      {
        "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
        "labels": false,
        "releasedLabels": false
      }
    ],
    [
      "@semantic-release/changelog",
      {
        "changelogFile": "CHANGELOG.md",
        "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
33 | } 34 | ], 35 | [ 36 | "@semantic-release/git", 37 | { 38 | "assets": [ 39 | "CHANGELOG.md" 40 | ], 41 | "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" 42 | } 43 | ] 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## NEXT 2 | 3 | - Add support for proxy configuration 4 | - Add support for system certificates with `vault_tls_certs_path` and `vault_tls_private_path` 5 | 6 | ## v2.5.9 7 | - Add ability to install Vault Enterprise via HashiCorp Repo 8 | - Removed check of non-existent variable "vault_install_remote_repo" in tasks/main.yml 9 | - Bumped Vault version to v1.18.2 10 | - Revamped Readme 11 | 12 | ## v2.5.8 13 | - Add vault_unauthenticated_metrics_access to listener 14 | 15 | ## v2.5.7 16 | - Added support for useful options when running Vault behind a load balancer 17 | 18 | ## v2.5.6 19 | - Fix systemd forking process bug that prevents vault from being stopped/restarted properly 20 | - Use exec to replace the calling process, which effectively nullifies the forking problem 21 | 22 | ## v2.5.5 23 | - become_user vault_user when modifying files in vault_home 24 | 25 | ## v2.5.4 26 | - New installation instructions 27 | 28 | ## v2.5.3 29 | - Add Prometheus telemetry support (thanks @bbayszczak) 30 | - Add tag check_vault to Vault status debug task (thanks @NorthFuture) 31 | - Fixed indentation of vault config file (thanks @rasta-rocket) 32 | - Add RHEL 8 support (thanks @kwevers) 33 | 34 | ## v2.5.2 35 | 36 | - Vault v1.3.2 37 | - Update documentation 38 | 39 | ## v2.5.1 40 | 41 | - Vault v1.3.1 42 | - Add MySQL storage (thanks @ericsysmin) 43 | - Update status task (thanks @ericsysmin) 44 | - Add group creation task (thanks @karras) 45 | - Update documentation (thanks @ilpianista) 46 | - Update documentation 47 | 48 | ## v2.5.0 49 | 50 | - Vault v1.3.1 51 | - Update 
documentation 52 | 53 | ## v2.4.0 54 | 55 | - Vault v1.2.4 56 | - Restart after binary change (thanks @bbaassssiiee) 57 | - Use command for vault version in main tasks (thanks @bbaassssiiee) 58 | - Update API status check (thanks @bbaassssiiee) 59 | - Support Fedora (thanks @rbjorklin) 60 | - Update CONTRIBUTORS 61 | - Update documentation 62 | 63 | ## v2.3.4 64 | 65 | - Vault v1.2.3 66 | - Fix s3 backend configuration and template (thanks @ebostijancic) 67 | - Update documentation 68 | 69 | ## v2.3.3 70 | 71 | - Vault v1.2.2 72 | - Update documentation 73 | 74 | ## v2.3.2 75 | 76 | - Fix Vault installation check (thanks @jpiron) 77 | - Update documentation 78 | 79 | ## v2.3.0 80 | 81 | - Vault v1.2.0 82 | - Update documentation 83 | 84 | ## v2.2.3 85 | 86 | - Vault v1.1.5 87 | - Add DynamoDB storage backend (thanks @chris-dudley) 88 | - Update CONTRIBUTORS 89 | - Update documentation 90 | 91 | ## v2.2.2 92 | 93 | - Vault v1.1.4 94 | - Add support for backend tls configuration (thanks @rhenwood3995) 95 | - Fix template line break (thanks @fhemberger) 96 | - ansible_default_ipv4 interface used as default (thanks @fhemberger) 97 | - Update vault_home (thanks @zeridon) 98 | - Add s3 storage backend template (thanks @dvmonroe) 99 | - Update documentation (thanks @dvmonroe) 100 | - Update CONTRIBUTORS 101 | 102 | ## v2.2.1 103 | 104 | - Resolve some task argument issues 105 | - Clean up line length a bit 106 | - Use Filesystem Storage Backend in Vagrant example playbook 107 | - Update Vagrantfile 108 | - Update documentation 109 | 110 | ## v2.2.0 111 | 112 | - Clean up task items 113 | - Fixup Get installed Vault version for multiline/quotes 114 | - Update vault_home value (thanks @xeivieni) 115 | - Add plugin_dir configuration (thanks @vmwiz) 116 | - Fix: Force `/bin/bash` on Get Vault package checksum (local) (thanks @fleu42) 117 | 118 | ## v2.1.9 119 | 120 | - Vault version 1.1.2 121 | - Feature: add etcd storage (thanks @cordula-grau) 122 | - Fix: Resolve 
deprecation warnings (thanks @cordula-grau) 123 | - Fix: Move become flag to required resources (thanks @cordula-grau) 124 | - Reposition some main variables 125 | - Remove `vault_tls_cipher_suites` values/fall back to Vault defaults 126 | - Remove unimplemented `vault_syslog_enable` 127 | - Rename `vault_listener_template` to `vault_main_configuration_template` 128 | - Rename corresponding template file to `vault_main_configuration.hcl.j2` 129 | - Update documentation 130 | 131 | ## v2.1.8 132 | 133 | - Vault version 1.1.1 134 | - Allow sealed state for standalone instance (thanks @kwevers) 135 | - Revert long line syntax change in main tasks (thanks @kwevers) 136 | - Ensure systemd is reloaded on unit changes (thanks @kwevers) 137 | - Add vault_bin_path to the PATH (thanks @kwevers) 138 | - Update documentation 139 | 140 | ## v2.1.7 141 | 142 | - Minimum Ansible version to 2.7 143 | - Support install on Debian Testing (thanks @gfeun) 144 | - Update for E206 [lint] 145 | - tasks/tls 146 | - Update for E201 [lint] 147 | - tasks/main 148 | - Update for E504 [lint] 149 | - tasks/install 150 | - tasks/install_enterprise 151 | - Use bool filter in template conditionals 152 | - Consistent seal template filenames 153 | - awskms seal (now named vault_seal_awskms.j2) 154 | - azurekeyvault seal (now named `vault_seal_azurekeyvault.j2`) 155 | - gcpkms seal template (now named `vault_seal_gcpkms.j2`) 156 | - pkcs11 seal template (now named `vault_seal_pkcs11.j2`) 157 | - Consistent service template names 158 | - BSD style init script (now named `vault_service_bsd_init.j2`) 159 | - Debian style init script (now named `vault_service_debian_init.j2`) 160 | - systemd unit (now named `vault_service_systemd.j2`) 161 | 162 | ## v2.1.6 163 | 164 | - Resolve environment additions/create .bashrc (thanks @gfeun) 165 | - Update documentation 166 | - Update license 167 | - Update variables 168 | 169 | ## v2.1.5 170 | 171 | - Vault v1.1.0 172 | - Add additional health responses to API 
reachability check (thanks @enqack) 173 | - VAULT_ADDR and VAULT_CACERT export in ~/.bashrc (thanks @planetrobbie) 174 | - Update documentation 175 | 176 | ## v2.1.4 177 | 178 | - Replace Azure Key Vault variables to resolve #85 179 | - Tidy and reorganize main variables 180 | 181 | ## v2.1.3 182 | 183 | - Vault v1.0.3 184 | - Skip certificate copy if desired (thanks @Fuochi-YNAP) 185 | - Skip health check if desired (thanks @Fuochi-YNAP) 186 | - Add Azure Key Auto Unseal configuration (thanks @nehrman) 187 | 188 | ## v2.1.2 189 | 190 | - Vault v1.0.2 191 | - Update documentation 192 | 193 | ## v2.1.1 194 | 195 | - Vault v1.0.1 196 | - AWS KMS seal support (thanks @jeffWelling) 197 | - Enable web UI by default 198 | - Update documentation 199 | 200 | ## v2.1.0 201 | 202 | - Vault v1.0.0 203 | - GCPKMS seal support (thanks @planetrobbie) 204 | - Update documentation 205 | 206 | ## v2.0.9 207 | 208 | - Correct systemd unit (thanks @jpiron) 209 | - Add initial telemetry support (thanks @jeffWelling) 210 | - Vagrant box memory increased to 2048MB 211 | - Update documentation 212 | 213 | ## v2.0.8 214 | 215 | - Vault v0.11.5 216 | - Conditional capabilities based on systemd version (thanks @bdossantos) 217 | - Update documentation 218 | 219 | ## v2.0.7 220 | 221 | - Vault v0.11.3 222 | - Templates in main tasks as variables (thanks @nathkn) 223 | - systemd unit updates (thanks @bdossantos) 224 | - Update documentation 225 | 226 | ## v2.0.5 227 | 228 | - Vault v0.11.2 229 | - Update systemd unit 230 | - Update Consul storage backend template (thanks @jpiron) 231 | - Configuration updates (thanks @jpiron) 232 | - Add client cert validation options to listener configuration (thanks @nathkn) 233 | 234 | ## v2.0.4 235 | 236 | - Vault v0.11.1 237 | - Update tasks/normalize conditionals 238 | - Update TLS variable names to match documentation 239 | - Conditional mlock capability (thanks @jpiron) 240 | - Streamline installation tasks (thanks @jpiron) 241 | - Update documentation 
242 | 243 | ## v2.0.3 244 | 245 | - Vault version 0.10.4 246 | - Debian 9 support 247 | - Update support for enterprise versions (thanks @drewmullen) 248 | - Log rotation updates (thanks @drewmullen) 249 | - Update systemd unit file 250 | - Update documentation 251 | 252 | ## v2.0.2 253 | 254 | - Option to disable cert validation during API reachability (thanks @eripa) 255 | - Update systemd unit to address #41 256 | 257 | ## v2.0.1 258 | 259 | - Vault v0.10.1 260 | - Simplify cleanup task in remote install 261 | - enable_ui option (thanks @aarnaud) 262 | - Enhance API reachable check (thanks @aarnaud) 263 | - Add support for HTTPS in Consul backend (thanks @eripa) 264 | - Add support for HTTP 429 when vault_cluster_disable false (thanks @eripa) 265 | - Update CONTRIBUTORS 266 | - Update documentation 267 | 268 | ## v2.0.0 269 | 270 | - Vault version 0.10.0 271 | - Update documentation 272 | - Update Vagrant documentation 273 | 274 | ## v1.8.0 275 | 276 | - Vault version 0.9.6 277 | - Update is Vault API reachable task (thanks @rarguelloF) 278 | - File storage backend (thanks @aarnaud) 279 | - Update example versions 280 | - Update license date 281 | - Update CONTRIBUTORS 282 | - Update documentation 283 | 284 | ## v1.7.9 285 | 286 | - Vault version 0.9.5 287 | - Remove abs check on cluster_address in Consul backend to fix #33 288 | - Update documentation 289 | 290 | ## v1.7.8 291 | 292 | - Vault version 0.9.4 293 | - TLS already on remote source option (thanks @calebtonn) 294 | - Update documentation 295 | 296 | ## v1.7.7 297 | 298 | - Vault version 0.9.3 299 | - Update documentation 300 | 301 | ## v1.7.6 302 | 303 | - Vault version 0.9.2 304 | - Update documentation 305 | 306 | ## v1.7.5 307 | 308 | - Vault version 0.9.1 309 | - Update documentation 310 | 311 | ## v1.7.4 312 | 313 | - Vault version 0.9.0 314 | - Use HTTPS when TLS is enabled (thanks @tbartelmess) 315 | - Add Consul ACL token option to configuration (thanks @Lavoaster) 316 | - Update 
CONTRIBUTORS.md 317 | 318 | ## v1.7.3 319 | 320 | - Vault v0.8.3 321 | - Updated supporting software versions 322 | - Add vault_max_lease_ttl and vault_default_lease_ttl (thanks @bilke) 323 | 324 | ## v1.7.2 325 | 326 | - Vault v0.8.2 327 | - Update README (thanks @Gerrrr) 328 | - Update init scripts (thanks @Gerrrr) 329 | - Add vault_consul_service in consul storage template (thanks @Gerrrr) 330 | - Update CONTRIBUTORS.md (thanks @groggemans) 331 | 332 | ## v1.7.1 333 | 334 | - Vault v0.8.1 335 | 336 | ## v1.7.0 337 | 338 | - Vault v0.8.0 339 | - Fix Missing Defaults for TLS (thanks @marc-sensenich) 340 | - Add missing redirect_addr in HA consul config (thanks @groggemans) 341 | - Update CONTRIBUTORS 342 | 343 | ## v1.6.8 344 | 345 | - Enterprise task changes 346 | - Add `vault_install_remotely` docs 347 | - Add `vault_remote_tmp` variable and use it 348 | - Rename `cluster_nodes` label to `vault_instances` 349 | 350 | ## v1.6.7 351 | 352 | - Vault version 0.7.3 353 | - Update documentation 354 | 355 | ## v1.6.6 356 | 357 | - Explicit Vault address (0.0.0.0 is not good for HA mode) 358 | - Update listener template (thanks @groggemans) 359 | - Add vault_consul_path in consul storage template (thanks @groggemans) 360 | - Fix BSD init task and remove unused grouping (thanks @groggemans) 361 | - Update defaults order (thanks @groggemans) 362 | - Make vault user management configurable (thanks @groggemans) 363 | - Add UI switch (enterprise) and fix tls_disable (thanks @groggemans) 364 | - Remove no longer used 'primary_node' variable (thanks @groggemans) 365 | - Add missing README entries (thanks @groggemans) 366 | 367 | ## v1.6.5 368 | 369 | - Correct main tasks 370 | 371 | ## v1.6.4 372 | 373 | - Enable Vault Enterprise tasks 374 | - Remove `redirect_addr` in favor of request forwarding 375 | - Make `vault_log_level` environment variable override 376 | - Update documentation 377 | 378 | ## v1.6.3 379 | 380 | - Correct Vault Enterprise variables to address #18 381 | 
382 | ## v1.6.2 383 | 384 | - Vault version 0.7.2 385 | - Minor play updates 386 | - Move asserts to asserts.yml file (thanks @groggemans) 387 | 388 | ## v1.6.1 389 | 390 | - Vault version 0.7.1 391 | - Further task cleanup 392 | 393 | ## v1.6.0 394 | 395 | - Add initial Vault Enterprise variables 396 | - Add initial Vault Enterprise installation tasks 397 | - Update when statements to avoid warnings about template delimiters 398 | - Update documentation 399 | 400 | ## v1.5.7 401 | 402 | - Add TLS directory task to TLS tasks (thanks @cwill747) 403 | - Update CONTRIBUTORS 404 | - Update CONTRIBUTING 405 | - Update documentation 406 | 407 | ## v1.5.6 408 | 409 | - Update remote tasks 410 | 411 | ## v1.5.5 412 | 413 | - Back to local_action for the download and unzip tasks 414 | - Already using grep, so let's just awk for the SHA and then register it 415 | - Add remote install capability (thanks @bilke) 416 | 417 | ## v1.5.4 418 | 419 | - Update documentation on new netaddr dependency _sweat_ 420 | 421 | ## v1.5.3 422 | 423 | - Revert local_action tasks 424 | - They are broken in every case I tested, and connection local is perfectly 425 | valid for running things on the local host :| 426 | 427 | ## v1.5.2 428 | 429 | - Switch to local actions (addresses #13) 430 | 431 | ## v1.5.1 432 | 433 | - Fixed vault_tls_cert_file and vault_tls_key_file vars 434 | 435 | ## v1.5.0 436 | 437 | - Add initial multi-architecture and OS support 438 | - Add FreeBSD support 439 | - Update documentation 440 | 441 | ## v1.4.2 442 | 443 | - All quoting issues sorted 444 | 445 | ## v1.4.1 446 | 447 | - Fix finicky var quoting issue 448 | 449 | ## v1.4.0 450 | 451 | - Updated many variables with environment variable overrides 452 | - Add `vault_tls_config_path` variable with reasonable default value 453 | - Set currently/reasonably secure `vault_tls_cipher_suites` defaults 454 | - Update listener template to finally close #3 455 | - Improve cleanup task 456 | - Update versions 457 | - Update 
documentation 458 | - Update ignores 459 | 460 | ## v1.3.12 461 | 462 | - Made VAULT_IFACE environment variable override 463 | 464 | ## v1.3.11 465 | 466 | - Update init scripts 467 | 468 | ## v1.3.10 469 | 470 | - Fix other modes / types ノ( ゜-゜ノ) 471 | 472 | ## v1.3.9 473 | 474 | - Fix quote removal/type finagling YAML sadness (thanks @arledesma) 475 | 476 | ## v1.3.8 477 | 478 | - Move TLS bits to separate task 479 | - Short circuit TLS bits as bad things™ were happening due to the empty 480 | cert and key values during the Vault SSL Certificate and Key copy ops 481 | (probably an Ansible bug, copying entire contents of files to vault etc dir) 482 | No bueno 483 | 484 | ## v1.3.7 485 | 486 | - Replace lost double quote (thanks @arledesma) 487 | - Add explicit vault user permissions to config (thanks @arledesma) 488 | - Remove duplicate cluster_address var 489 | - Update README / consistent variable style / more links to docs 490 | 491 | ## v1.3.6 492 | 493 | - Handle cluster_addre differently 494 | - Cleanup tasks 495 | - Consistent variable style 496 | - Cleanup meta 497 | 498 | ## v1.3.5 499 | 500 | - Remove explicit cluster_addr and let Vault default the value for now 501 | 502 | ## v1.3.4 503 | 504 | - Use vault_port+1 in cluster_addr for HA vault (thanks @arledesma) 505 | - Update CHANGELOG 506 | - Update Vagrant README 507 | 508 | ## v1.3.3 509 | 510 | - Update systemd unit file 511 | 512 | ## v1.3.2 513 | 514 | - Make vault user a system account 515 | 516 | ## v1.3.1 517 | 518 | - Vault 0.7.0 519 | - Initial TLS bits (thanks @arledesma) 520 | - Fix logging options (thanks @arledesma) 521 | - Update documentation 522 | 523 | ## v1.3.1 524 | 525 | - Add support for version specification via VAULT_VERSION environment variable 526 | - Renamed backend configuration template 527 | - Renamed main template to be inline with configuration section naming 528 | - Fix broken unit file 529 | 530 | ## v1.2.10 531 | 532 | - Use all defined variables (thanks @arledesma) 
533 | - Make redirect_address more specific by adding redirect address variable 534 | - Update CONTRIBUTORS 535 | - Fix merge conflict (thanks @arledesma) 536 | - Fix missed variable (thanks @arledesma) 537 | 538 | ## v1.2.9 539 | 540 | - Fix backend template inclusion 541 | - Correct backend filename 542 | 543 | ## v1.2.8 544 | 545 | - Fix issue in wait_for (thanks @pierrefh) 546 | - Add contributing guidelines in CONTRIBUTING.md 547 | - Fix checksum var 548 | 549 | ## v1.2.7 550 | 551 | - Update main tasks 552 | - Update install tasks 553 | - Prefer compact YAML format across all tasks files 554 | 555 | ## v1.2.6 556 | 557 | - Check for local packages and summary files 558 | 559 | ## v1.2.5 560 | 561 | - Updated configuration templates 562 | - Updated documentation 563 | 564 | ## v1.2.4 565 | 566 | - Vault 0.6.5 567 | 568 | ## v1.2.3 569 | 570 | - Vault 0.6.4 571 | 572 | ## v1.2.2 573 | 574 | - Fix variable name 575 | 576 | ## v1.2.1 577 | 578 | - Include installation tasks 579 | 580 | ## v1.2.0 581 | 582 | - Vault 0.6.3 583 | - Dynamic SHA 584 | - Streamline tasks 585 | - Streamline and consolidate variables 586 | - Move OS variables to vars 587 | - Separate install tasks 588 | - Remove OS specific tasks 589 | - Update documentation 590 | 591 | ## v1.0.21 592 | 593 | - Update/validate CentOS 7 box 594 | - Update documentation 595 | - Update failure cases for CentOS 596 | - Fix SysV init script 597 | 598 | ## v1.0.20 599 | 600 | - Fix binary name 601 | 602 | 603 | ## v1.0.9 604 | 605 | - Add files dir 606 | 607 | ## v1.0.8 608 | 609 | - Add files dir 610 | 611 | ## v1.0.7 612 | 613 | - Fix var names 614 | 615 | ## v1.0.6 616 | 617 | - Add fail on old distro versions 618 | - Remove all distro specific includes 619 | 620 | ## v1.0.5 621 | 622 | - Remove unnecessary include 623 | 624 | ## v1.0.4 625 | 626 | - Correct URL in docs 627 | - Remove vars dir 628 | - Enable download once / copy many install 629 | 630 | ## v1.1.2 631 | 632 | - Move all vars to defaults 633 
| - Documentation updates 634 | 635 | ## v1.0.2 636 | 637 | - Set correct RAM amount in Vagrantfile 638 | - Rename Vagrant inventory back to cluster_nodes 639 | 640 | ## v1.0.2 641 | 642 | - Update documentation 643 | 644 | ## v1.0.0 645 | 646 | - Installs Vault 647 | - Installs Vault with Consul backend onto Consul VMs from brianshumate.consul 648 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | When contributing to this repository, please first discuss the change you wish 4 | to make via issue, email, or any other method with the owners of this repository before making a change. 5 | 6 | Do note that this project has a code of conduct; please be sure to follow it 7 | in all of your project interactions. 8 | 9 | ## Pull Request Process 10 | 11 | 1. Ensure any install or build artifacts are removed before the end of 12 | the layer when doing a build 13 | 2. Update the README.md or README_VAGRANT.md with details of changes to the 14 | interface, this includes new environment variables, exposed ports, useful 15 | file locations and container parameters 16 | 3. Increase the version numbers in any examples files and the README.md 17 | to the new version that this Pull Request would represent. The versioning scheme we use is (mostly) [SemVer](http://semver.org/) 18 | 4. 
You may merge the Pull Request in once you have the sign-off of two other 19 | project contributors, or if you do not have permission to do that, you can 20 | request the second reviewer to merge it for you 21 | 22 | ## Code of Conduct 23 | 24 | ### Our Pledge 25 | 26 | In the interest of fostering an open and welcoming environment, we as 27 | contributors and maintainers pledge to making participation in our project 28 | and our community a harassment-free experience for everyone, regardless of age, 29 | body size, disability, ethnicity, gender identity and expression, level of 30 | experience, nationality, personal appearance, race, religion, or sexual 31 | identity and orientation. 32 | 33 | ### Our Standards 34 | 35 | Examples of behavior that contributes to creating a positive environment 36 | include: 37 | 38 | * Showing empathy towards other community members 39 | * Using welcoming and inclusive language 40 | * Being respectful of differing viewpoints and experiences 41 | * Gracefully accepting constructive criticism 42 | * Focusing on what is best for the community 43 | 44 | Examples of unacceptable behavior by participants include: 45 | 46 | * Use of sexualized language or imagery and unwelcome sexual attention 47 | or advances 48 | * Insulting/derogatory comments, and personal or political attacks 49 | * Public or private harassment 50 | * Publishing others' private information, such as a physical or electronic 51 | address, without explicit permission 52 | * Other conduct which could reasonably be considered inappropriate in a 53 | professional setting 54 | 55 | ### Our Responsibilities 56 | 57 | Project maintainers are responsible for clarifying the standards of acceptable 58 | behavior and are expected to take appropriate and fair corrective action in 59 | response to any instances of unacceptable behavior. 
60 | 61 | Project maintainers have the right and responsibility to remove, edit, or 62 | reject comments, commits, code, wiki edits, issues, and other contributions 63 | that are not aligned to this Code of Conduct, or to ban temporarily or 64 | permanently any contributor for other behaviors that they deem inappropriate, 65 | threatening, offensive, or harmful. 66 | 67 | ### Scope 68 | 69 | This Code of Conduct applies both within project spaces and in public spaces 70 | when an individual is representing the project or its community. Examples of 71 | representing a project or community include using an official project e-mail 72 | address, posting via an official social media account, or acting as an 73 | appointed representative at an online or offline event. Representation of a 74 | project may be further defined and clarified by project maintainers. 75 | 76 | ### Enforcement 77 | 78 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 79 | reported by contacting the project leadership: brian brianshumate com. 80 | 81 | All complaints will be reviewed and investigated and will result in a response 82 | that is deemed necessary and appropriate to the circumstances. The project 83 | team is obligated to maintain confidentiality with regard to the reporter of 84 | an incident. Further details of specific enforcement policies may be posted 85 | separately. 86 | 87 | Project maintainers who do not follow or enforce the Code of Conduct in good 88 | faith may face temporary or permanent repercussions as determined by other 89 | members of the project's leadership. 
90 | 91 | ### Attribution 92 | 93 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] 94 | 95 | [homepage]: http://contributor-covenant.org 96 | [version]: http://contributor-covenant.org/version/1/4/ 97 | -------------------------------------------------------------------------------- /CONTRIBUTORS.md: -------------------------------------------------------------------------------- 1 | # Contributors 2 | 3 | Thank you to all these fine folks for helping with ansible-vault! 4 | 5 | - [@aarnaud](https://github.com/aarnaud) 6 | - [@arledesma](https://github.com/arledesma) 7 | - [@bbaassssiiee](https://github.com/bbaassssiiee) 8 | - [@bdossantos](https://github.com/bdossantos) 9 | - [@bilke](https://github.com/bilke) 10 | - [@calebtonn](https://github.com/calebtonn) 11 | - [@chris-dudley](https://github.com/chris-dudley) 12 | - [@cordula-grau](https://github.com/cordula-grau) 13 | - [@cwill747](https://github.com/cwill747) 14 | - [@drewmullen](https://github.com/drewmullen) 15 | - [@dvmonroe](https://github.com/dvmonroe) 16 | - [@ebostijancic](https://github.com/ebostijancic) 17 | - [@enqack](https://github.com/enqack) 18 | - [@ericsysmin](https://github.com/ericsysmin) 19 | - [@eripa](https://github.com/eripa) 20 | - [@fhemberger](https://github.com/fhemberger) 21 | - [@fleu42](https://github.com/fleu42) 22 | - [@Fuochi-YNAP](https://github.com/Fuochi-YNAP) 23 | - [@gardar](https://github.com/gardar) 24 | - [@Gerrrr](https://github.com/Gerrrr) 25 | - [@gfeun](https://github.com/gfeun) 26 | - [@groggemans](https://github.com/groggemans) 27 | - [@ilpianista](https://github.com/ilpianista) 28 | - [@jeffWelling](https://github.com/jeffWelling) 29 | - [@jpiron](https://github.com/jpiron) 30 | - [@karras](https://github.com/karras) 31 | - [@kwevers](https://github.com/kwevers) 32 | - [@Lavoaster](https://github.com/Lavoaster) 33 | - 
[@legogris](https://github.com/legogris) 34 | - [@marc-sensenich](https://github.com/marc-sensenich) 35 | - [@nathkn](https://github.com/nathkn) 36 | - [@nehrman](https://github.com/nehrman) 37 | - [@NorthFuture](https://github.com/NorthFuture) 38 | - [@pierrefh](https://github.com/pierrefh) 39 | - [@rarguelloF](https://github.com/rarguelloF) 40 | - [@rasta-rocket](https://github.com/rasta-rocket) 41 | - [@rbjorklin](https://github.com/rbjorklin) 42 | - [@rhenwood3995](https://github.com/rhenwood3995) 43 | - [@tbartelmess](https://github.com/tbartelmess) 44 | - [@vmwiz](https://github.com/vmwiz) 45 | - [@zeridon](https://github.com/zeridon) 46 | - [@akerouanton](https://github.com/akerouanton) 47 | - [@elcomtik](https://github.com/elcomtik) 48 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) 2019, Brian Shumate 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 7 | 8 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 9 | 10 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 11 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | default: help 2 | 3 | .PHONY: help 4 | help: ## list makefile targets 5 | @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' 6 | 7 | .PHONY: lint 8 | lint: ## lint 9 | ansible-lint -c .ansible-lint 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Ansible role to install Hashicorp Vault 2 | [![Ansible Lint](https://github.com/ansible-community/ansible-vault/actions/workflows/ansible-lint.yml/badge.svg?branch=master)](https://github.com/ansible-community/ansible-vault/actions/workflows/ansible-lint.yml?query=branch%3Amaster) 3 | [![Ansible Molecule](https://github.com/ansible-community/ansible-vault/actions/workflows/molecule.yml/badge.svg?branch=master)](https://github.com/ansible-community/ansible-vault/actions/workflows/molecule.yml?query=branch%3Amaster) 4 | [![Average time to resolve an issue](http://isitmaintained.com/badge/resolution/ansible-community/ansible-vault.svg)](http://isitmaintained.com/project/ansible-community/ansible-vault "Average time to resolve an issue") 5 | [![Percentage of issues still 
open](http://isitmaintained.com/badge/open/ansible-community/ansible-vault.svg)](http://isitmaintained.com/project/ansible-community/ansible-vault "Percentage of issues still open") 6 | 7 | This Ansible role performs a basic [Vault](https://vaultproject.io/) 8 | installation, including filesystem structure and example configuration. 9 | 10 | It can also bootstrap a minimal development or evaluation server or an HA 11 | Consul-backed cluster in a Vagrant-based environment. See 12 | [README_VAGRANT.md](https://github.com/ansible-community/ansible-vault/blob/master/examples/README_VAGRANT.md) and the associated [Vagrantfile](https://github.com/ansible-community/ansible-vault/blob/master/examples/Vagrantfile) for more details about the developer mode setup. 13 | 14 | ## Installation 15 | This role resides on GitHub pending integration with Ansible Galaxy. To install it, create a `roles/requirements.yml` file in your Ansible project folder with the following contents: 16 | 17 | ```yaml 18 | - src: https://github.com/ansible-community/ansible-vault.git 19 | name: ansible-community.ansible-vault 20 | scm: git 21 | version: master 22 | ``` 23 | 24 | You can use a git tag in the `version` attribute to pin the role to a known release instead of tracking `master`. The legacy `name: brianshumate.ansible-vault` is also honored. 
25 | 26 | ## Quick Start Guide 27 | 28 | Basic installation is possible using the included [`site.yml`](examples/site.yml) playbook: 29 | 30 | ``` 31 | ansible-playbook -i hosts site.yml 32 | ``` 33 | 34 | You can also pass variables in using the `--extra-vars` option to the 35 | `ansible-playbook` command: 36 | 37 | ``` 38 | ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui" 39 | ``` 40 | 41 | Specify a template file with a different backend definition 42 | (see `templates/vault_backend_consul.j2`): 43 | 44 | ``` 45 | ansible-playbook -i hosts site.yml --extra-vars "vault_backend_file=backend_file.j2" 46 | ``` 47 | 48 | You need to make sure that the template file `backend_file.j2` is in the 49 | role directory for this to work. 50 | 51 | ## Requirements 52 | 53 | This role requires Archlinux, AmazonLinux, FreeBSD, Debian or a RHEL-based Linux distribution. It 54 | might work with other software versions, but it is only tested with the 55 | distributions listed below. Sorry, there is no planned support at the moment for Windows. 56 | 57 | See the [molecule scenarios](https://github.com/ansible-community/ansible-vault/tree/master/molecule) 58 | for currently tested distributions. 59 | 60 | ## Warning 61 | 62 | By default, this role may restart the `vault` service when played (when there is a 63 | configuration change or OS packages are installed/updated). 64 | 65 | When there is no auto-unseal setup on your cluster, the restart may lead to a 66 | situation where all Vault instances are sealed and your cluster is 67 | down. 68 | 69 | To avoid this situation, the service restart by the playbook can be disabled 70 | by using the `vault_service_restart` role variable. 71 | 72 | Setting `vault_service_restart` to `false` will disable the `vault` 73 | service restart by the playbook. You may have to restart the service manually 74 | to load any new configuration deployed. 
75 | 76 | ## [Role Variables](role_variables.md) 77 | 78 | ## Misc 79 | 80 | ### [Vault Release Scheme](vault_releases.md) 81 | 82 | ## License 83 | 84 | BSD-2-Clause 85 | 86 | ## Author Information 87 | 88 | [Brian Shumate](http://brianshumate.com) 89 | 90 | ## Contributors 91 | 92 | Special thanks to the folks listed in [CONTRIBUTORS.md](https://github.com/brianshumate/ansible-vault/blob/master/CONTRIBUTORS.md) for their 93 | contributions to this project. 94 | -------------------------------------------------------------------------------- /commitlint.config.js: -------------------------------------------------------------------------------- 1 | // commitlint.config.js 2 | module.exports = { 3 | extends: ['@commitlint/config-conventional'], 4 | ignores: [(message) => /^Bumps \[.+]\(.+\) from .+ to .+\.$/m.test(message)], 5 | } 6 | -------------------------------------------------------------------------------- /defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: defaults/main.yml - default variables for Vault 3 | 4 | # --------------------------------------------------------------------------- 5 | # Core variables 6 | # --------------------------------------------------------------------------- 7 | 8 | # Package variables 9 | vault_version: "{{ lookup('env', 'VAULT_VERSION') | default('1.18.2', true) }}" 10 | 11 | vault_version_release_site_suffix: "{{ '+ent' if vault_enterprise }}{{ '.hsm' if vault_enterprise_hsm }}" 12 | vault_version_repo_suffix: "{{ '+ent' if vault_enterprise }}" 13 | vault_version_debian_repo_suffix: "-1" 14 | 15 | vault_architecture_map: 16 | # this first entry seems... 
redundant (but it's required for reasons) 17 | amd64: amd64 18 | x86_64: amd64 19 | armv7l: arm 20 | aarch64: arm64 21 | vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}" 22 | vault_os: "{{ ansible_system | lower }}" 23 | 24 | vault_pkg_stub: "vault_{{ vault_version }}{{ vault_version_release_site_suffix }}" 25 | vault_pkg: "{{ vault_pkg_stub }}_{{ vault_os }}_{{ vault_architecture }}.zip" 26 | vault_shasums: "{{ vault_pkg_stub }}_SHA256SUMS" 27 | vault_url_stub: "https://releases.hashicorp.com/vault/{{ vault_version }}{{ vault_version_release_site_suffix }}" 28 | vault_zip_url: "{{ vault_url_stub }}/{{ vault_pkg }}" 29 | vault_checksum_file_url: "{{ vault_url_stub }}/{{ vault_shasums }}" 30 | vault_repository_url: "{{ _vault_repository_url | default() }}" 31 | vault_repository_key_url: "{{ _vault_repository_key_url | default() }}" 32 | vault_rhsm_subscription_name: 33 | vault_rhsm_repo_id: 34 | 35 | # Installation 36 | vault_start_pause_seconds: 0 37 | 38 | # Install method variables 39 | vault_install_hashi_repo: false 40 | vault_install_remotely: false 41 | vault_privileged_install: false 42 | 43 | # Paths 44 | vault_bin_path: "{{ '/usr/bin' if (vault_install_hashi_repo) else '/usr/local/bin' }}" 45 | vault_config_path: /etc/vault.d 46 | vault_plugin_path: /usr/local/lib/vault/plugins 47 | vault_data_path: "{{ '/opt/vault/data' if (vault_install_hashi_repo) else '/var/vault' }}" 48 | vault_log_path: /var/log/vault 49 | vault_run_path: /var/run/vault 50 | vault_home: "/home/{{ vault_user }}" 51 | vault_harden_file_perms: true 52 | 53 | # System user and group 54 | vault_manage_user: "{{ false if (vault_install_hashi_repo) else true }}" 55 | vault_user: vault 56 | vault_manage_group: false 57 | vault_group: "{{ 'vault' if (vault_install_hashi_repo) else 'bin' }}" 58 | vault_groups: null 59 | 60 | vault_dotfile: ".bashrc" 61 | vault_dotfile_disable: "{{ true if (vault_install_hashi_repo) else false }}" 62 | 63 | # Logging 64 | 
vault_enable_log: false
65 | vault_enable_logrotate: false
66 | vault_logrotate_freq: 7
67 | vault_logrotate_template: vault_logrotate.j2
68 | vault_exec_output: ''
69 | 
70 | # Handlers
71 | vault_service_restart: true  # NB: restarting a node that has no auto-unseal leaves it sealed (see the README warning); set to false to manage restarts yourself
72 | vault_service_reload: false
73 | 
74 | # ---------------------------------------------------------------------------
75 | # Vault variables
76 | # ---------------------------------------------------------------------------
77 | 
78 | vault_cluster_name: dc1
79 | vault_datacenter: dc1
80 | vault_log_level: "{{ lookup('env', 'VAULT_LOG_LEVEL') | default('info', true) }}"
81 | vault_iface: "{{ lookup('env', 'VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"  # default-route interface unless VAULT_IFACE is set
82 | vault_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}"  # IPv4 address of vault_iface, so the TCP listener below is reachable from the network rather than bound to loopback
83 | vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
84 | vault_port: 8200
85 | 
86 | # seal configs are written in separate files in vault_config_path; if any of those is enabled, we need to use vault_config_path in the systemd unit file
# NOTE(review): the '| default(false)' binds only to vault_gkms, and vault_ocikms is not in this list -- confirm whether the ocikms seal is also written to its own file and, if so, add it here
87 | vault_use_config_path: "{{ vault_transit or vault_awskms or vault_azurekeyvault or vault_gkms | default(false) }}"
88 | 
89 | vault_main_config: "{{ vault_config_path }}/vault_main.hcl"
90 | vault_main_configuration_template: vault_main_configuration.hcl.j2
91 | vault_listener_localhost_enable: false
92 | vault_http_proxy: ""
93 | vault_https_proxy: ""
94 | vault_no_proxy: ""
95 | 
96 | # ---------------------------------------------------------------------------
97 | # TCP listeners
98 | # ---------------------------------------------------------------------------
99 | 
# Each entry renders one listener; the per-listener values default to the
# role-wide vault_* variables of the same name.
100 | vault_tcp_listeners:
101 | - vault_address: '{{ vault_address }}'
102 | vault_port: '{{ vault_port }}'
103 | vault_cluster_address: '{{ vault_cluster_address }}'
104 | # vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}'
105 | # vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}'
106 | vault_tls_disable: 
'{{ vault_tls_disable }}' 107 | vault_tls_certs_path: '{{ vault_tls_certs_path }}' 108 | vault_tls_private_path: '{{ vault_tls_private_path }}' 109 | vault_tls_cert_file: '{{ vault_tls_cert_file }}' 110 | vault_tls_key_file: '{{ vault_tls_key_file }}' 111 | vault_tls_ca_file: '{{ vault_tls_ca_file }}' 112 | vault_tls_min_version: '{{ vault_tls_min_version }}' 113 | vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}' 114 | vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}' 115 | vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}' 116 | # vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}' 117 | # vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}' 118 | # vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}' 119 | # vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}' 120 | 121 | # --------------------------------------------------------------------------- 122 | # Storage backend 123 | # --------------------------------------------------------------------------- 124 | 125 | vault_backend_consul: vault_backend_consul.j2 126 | vault_backend_file: vault_backend_file.j2 127 | vault_backend_raft: vault_backend_raft.j2 128 | vault_backend_etcd: vault_backend_etcd.j2 129 | vault_backend_s3: vault_backend_s3.j2 130 | vault_backend_dynamodb: vault_backend_dynamodb.j2 131 | vault_backend_mysql: vault_backend_mysql.j2 132 | vault_backend_gcs: vault_backend_gcs.j2 133 | 134 | vault_cluster_disable: false 135 | vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1 }}" 136 | vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}" 137 | vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | 138 | default(hostvars[inventory_hostname]['ansible_' + vault_iface]['ipv4']['address']) 
}}:{{ vault_port }}" 139 | vault_disable_api_health_check: false 140 | 141 | vault_max_lease_ttl: "768h" 142 | vault_default_lease_ttl: "768h" 143 | 144 | # Storage tls settings 145 | vault_backend_tls_src_files: "{{ vault_tls_src_files }}" 146 | vault_backend_tls_certs_path: "{{ vault_tls_certs_path }}" 147 | vault_backend_tls_private_path: "{{ vault_tls_private_path }}" 148 | vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}" 149 | vault_backend_tls_key_file: "{{ vault_tls_key_file }}" 150 | vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}" 151 | 152 | # Consul storage settings 153 | vault_consul: 127.0.0.1:8500 154 | vault_consul_path: vault 155 | vault_consul_service: vault 156 | vault_consul_scheme: http 157 | # vault_consul_token: 158 | 159 | # etcd storage settings 160 | vault_etcd: 127.0.0.1:2379 161 | vault_etcd_api: v3 162 | vault_etcd_path: /vault/ 163 | vault_etcd_discovery_srv: "" 164 | vault_etcd_discovery_srv_name: "" 165 | vault_etcd_ha_enabled: false 166 | vault_etcd_sync: true 167 | vault_etcd_username: "" 168 | vault_etcd_password: "" 169 | vault_etcd_request_timeout: "5s" 170 | vault_etcd_lock_timeout: "15s" 171 | 172 | # s3 storage settings 173 | vault_s3_access_key: "" 174 | vault_s3_secret_key: "" 175 | vault_s3_bucket: "vault_backend" 176 | vault_s3_region: "us-east-1" 177 | vault_s3_endpoint: "" 178 | vault_s3_disable_ssl: false 179 | vault_s3_force_path_style: false 180 | vault_s3_kms_key_id: "" 181 | vault_s3_session_token: "" 182 | vault_s3_max_parallel: "128" 183 | 184 | # dynamodb storage settings 185 | vault_dynamodb: "{{ lookup('env', 'AWS_DYNAMODB_ENDPOINT') | default('', false) }}" 186 | vault_dynamodb_table: "{{ lookup('env', 'AWS_DYNAMODB_TABLE') | default('vault-dynamodb-backend', false) }}" 187 | vault_dynamodb_ha_enabled: "{{ lookup('env', 'DYNAMODB_HA_ENABLED') | default('false', false) }}" 188 | vault_dynamodb_max_parallel: "128" 189 | vault_dynamodb_region: "{{ lookup('env', 'AWS_DEFAULT_REGION') | 
default('us-east-1', false) }}" 190 | vault_dynamodb_read_capacity: "{{ lookup('env', 'AWS_DYNAMODB_READ_CAPACITY') | default('5', false) }}" 191 | vault_dynamodb_write_capacity: "{{ lookup('env', 'AWS_DYNAMODB_WRITE_CAPACITY') | default('5', false) }}" 192 | vault_dynamodb_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') | default('', false) }}" 193 | vault_dynamodb_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') | default('', false) }}" 194 | vault_dynamodb_session_token: "{{ lookup('env', 'AWS_SESSION_TOKEN') | default('', false) }}" 195 | 196 | # mysql storage settings 197 | vault_mysql: "" 198 | vault_mysql_username: "" 199 | vault_mysql_password: "" 200 | vault_mysql_database: "" 201 | vault_mysql_table: "" 202 | vault_mysql_tls_ca_file: "" 203 | vault_mysql_max_parallel: "" 204 | vault_mysql_max_idle_connections: "" 205 | vault_mysql_max_connection_lifetime: "" 206 | 207 | # gcs storage settings 208 | vault_gcs_bucket: "" 209 | vault_gcs_ha_enabled: false 210 | vault_gcs_chunk_size: "8192" 211 | vault_gcs_max_parallel: "128" 212 | vault_gcs_copy_sa: false 213 | vault_gcs_credentials_src_file: "" 214 | vault_gcs_credentials_dst_file: "{{ vault_home }}/{{ vault_gcs_credentials_src_file | basename }}" 215 | 216 | # raft storage settings 217 | vault_backend: raft 218 | vault_raft_group_name: "vault_raft_servers" 219 | vault_raft_cluster_members: | 220 | [ 221 | {% for server in groups[vault_raft_group_name] %} 222 | { 223 | "peer": "{{ server }}", 224 | "api_addr": "{{ hostvars[server]['vault_api_addr'] | 225 | default(vault_protocol + '://' + 226 | hostvars[server]['ansible_' + hostvars[server]['ansible_default_ipv4']['interface']]['ipv4']['address'] + ':' + (vault_port|string)) }}" 227 | }, 228 | {% endfor %} 229 | ] 230 | 231 | vault_raft_data_path: "{{ lookup('env', 'VAULT_RAFT_DATA_PATH') | default(vault_data_path, true) }}" 232 | vault_raft_node_id: "{{ lookup('env', 'VAULT_RAFT_NODE_ID') | default(inventory_hostname_short, true) }}" 233 | # 
vault_raft_leader_tls_servername 234 | # vault_raft_performance_multiplier: 235 | # vault_raft_trailing_logs: 236 | # vault_raft_snapshot_threshold: 237 | # vault_raft_max_entry_size: 238 | # vault_raft_autopilot_reconcile_interval: 239 | # vault_raft_cloud_auto_join: 240 | # vault_raft_cloud_auto_join_scheme: 241 | # vault_raft_cloud_auto_join_port: 242 | vault_raft_cloud_auto_join_exclusive: false 243 | 244 | # --------------------------------------------------------------------------- 245 | # Service registration variables 246 | # --------------------------------------------------------------------------- 247 | 248 | # Consul service registration settings 249 | vault_service_registration_consul_enable: false 250 | vault_service_registration_consul_template: vault_service_registration_consul.hcl.j2 251 | vault_service_registration_consul_check_timeout: 5s 252 | vault_service_registration_consul_address: 127.0.0.1:8500 253 | vault_service_registration_consul_service: vault 254 | vault_service_registration_consul_service_tags: "" 255 | vault_service_registration_consul_service_address: 256 | vault_service_registration_consul_disable_registration: false 257 | vault_service_registration_consul_scheme: http 258 | # vault_service_registration_consul_token: 259 | 260 | # Consul service registration tls settings 261 | vault_service_registration_consul_tls_certs_path: "{{ vault_tls_certs_path }}" 262 | vault_service_registration_consul_tls_private_path: "{{ vault_tls_private_path }}" 263 | vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}" 264 | vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}" 265 | vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}" 266 | vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}" 267 | vault_service_registration_consul_tls_skip_verify: false 268 | 269 | # Kubernetes service registration settings 270 | 
vault_service_registration_kubernetes_enable: false
271 | vault_service_registration_kubernetes_template: vault_service_registration_kubernetes.hcl.j2
272 | vault_service_registration_kubernetes_namespace: vault
273 | vault_service_registration_kubernetes_pod_name: vault
274 | 
275 | # ---------------------------------------------------------------------------
276 | # Initialization and startup script templates
277 | # ---------------------------------------------------------------------------
278 | 
279 | vault_bsdinit_template: vault_service_bsd_init.j2
280 | vault_sysvinit_template: vault_sysvinit.j2
281 | vault_debian_init_template: vault_service_debian_init.j2
282 | vault_systemd_template: vault_service_systemd.j2
283 | vault_systemd_service_name: vault
284 | vault_systemd_unit_path: /lib/systemd/system
285 | 
286 | # ---------------------------------------------------------------------------
287 | # TLS variables
288 | # ---------------------------------------------------------------------------
289 | 
290 | # NB: the role ends with an API reachability check; if you rely on
291 | # self-signed certificates you might need to change the following to false
292 | validate_certs_during_api_reachable_check: true
293 | 
294 | vault_tls_certs_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
295 | _vault_tls_private_path: "{{ lookup('env', 'VAULT_TLS_DIR') | default(('/opt/vault/tls' if (vault_install_hashi_repo) else '/etc/vault/tls'), true) }}"
296 | vault_tls_private_path: "{{ _vault_tls_private_path ~ ('/private' if vault_harden_file_perms and vault_tls_copy_keys) }}"  # keys go to a '/private' subdirectory only when both hardening and key copying are enabled
297 | vault_tls_src_files: "{{ lookup('env', 'VAULT_TLS_SRC_FILES') | default(role_path ~ '/files', true) }}"  # controller-side directory the TLS files are copied from; defaults to the role's files/ directory
298 | 
299 | vault_tls_disable: "{{ lookup('env', 'VAULT_TLS_DISABLE') | default(true, true) }}"  # NB: true by default, so the listener is served over plain HTTP; set this to false before exposing the API beyond local evaluation
300 | vault_tls_gossip: "{{ lookup('env', 'VAULT_TLS_GOSSIP') | default(false, true) }}"
301 | 
302 | 
vault_tls_copy_keys: "{{ false if (vault_install_hashi_repo) else true }}" 303 | vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}" 304 | vault_tls_cert_file: "{{ lookup('env', 'VAULT_TLS_CERT_FILE') | default(('tls.crt' if (vault_install_hashi_repo) else 'server.crt'), true) }}" 305 | vault_tls_key_file: "{{ lookup('env', 'VAULT_TLS_KEY_FILE') | default(('tls.key' if (vault_install_hashi_repo) else 'server.key'), true) }}" 306 | vault_tls_ca_file: "{{ lookup('env', 'VAULT_TLS_CA_CRT') | default('ca.crt', true) }}" 307 | vault_tls_client_ca_file: "" 308 | 309 | vault_tls_min_version: "{{ lookup('env', 'VAULT_TLS_MIN_VERSION') | default('tls12', true) }}" 310 | vault_tls_cipher_suites: "" 311 | vault_tls_files_remote_src: false 312 | vault_tls_require_and_verify_client_cert: false 313 | vault_tls_disable_client_certs: false 314 | 315 | # --------------------------------------------------------------------------- 316 | # Seal variables 317 | # --------------------------------------------------------------------------- 318 | 319 | # transit auto unseal, see https://www.vaultproject.io/docs/configuration/seal/transit 320 | vault_transit: false 321 | vault_transit_backend: vault_seal_transit.j2 322 | vault_transit_config: "{{ vault_config_path }}/vault_transit.hcl" 323 | vault_transit_address: '' 324 | vault_transit_token: '' 325 | vault_transit_disable_renewal: false 326 | vault_transit_key_name: 'autounseal' 327 | vault_transit_mount_path: "transit/" 328 | # vault_transit_namespace: '' 329 | vault_transit_tls_ca_cert_file: "{{ vault_tls_ca_file }}" 330 | vault_transit_tls_client_cert_file: "autounseal_client_cert.pem" 331 | vault_transit_tls_client_key_file: "autounseal_client_key.pem" 332 | # vault_transit_tls_server_name: '' 333 | vault_transit_tls_skip_verify: "{{ lookup('env', 'VAULT_SKIP_VERIFY') | default('', false) }}" 334 | 335 | # awskms seal 336 | vault_awskms: false 337 | vault_awskms_config: "{{ vault_config_path 
}}/vault_awskms.hcl" 338 | vault_awskms_backend: vault_seal_awskms.j2 339 | vault_awskms_region: "{{ lookup('env', 'AWS_DEFAULT_REGION') | default('us-east-1', false) }}" 340 | vault_awskms_access_key: "{{ lookup('env', 'AWS_ACCESS_KEY_ID') | default('', false) }}" 341 | vault_awskms_secret_key: "{{ lookup('env', 'AWS_SECRET_ACCESS_KEY') | default('', false) }}" 342 | vault_awskms_key_id: "{{ lookup('env', 'VAULT_AWSKMS_SEAL_KEY_ID') | default('', false) }}" 343 | vault_awskms_endpoint: "{{ lookup('env', 'AWS_KMS_ENDPOINT') | default('', false) }}" 344 | 345 | # azurekeyvault seal 346 | vault_azurekeyvault: false 347 | vault_azurekeyvault_config: "{{ vault_config_path }}/vault_azurekeyvault.hcl" 348 | vault_azurekeyvault_backend: vault_seal_azurekeyvault.j2 349 | 350 | # gcpkms seal 351 | vault_gkms: false 352 | vault_backend_gkms: vault_seal_gcpkms.j2 353 | vault_gkms_project: '' 354 | vault_gkms_credentials_src_file: '' 355 | vault_gkms_credentials_content: '' 356 | vault_gkms_credentials: '/home/vault/vault-kms.json' 357 | vault_gkms_region: 'global' 358 | vault_gkms_key_ring: 'vault' 359 | vault_gkms_crypto_key: 'vault_key' 360 | vault_gkms_copy_sa: true 361 | 362 | # ocikms seal 363 | vault_ocikms: false 364 | vault_ocikms_backend: vault_seal_ocikms.j2 365 | vault_ocikms_auth_type_api_key: false 366 | vault_ocikms_key_id: "{{ lookup('env','VAULT_OCIKMS_SEAL_KEY_ID') | default('', false) }}" 367 | vault_ocikms_crypto_endpoint: "{{ lookup('env','VAULT_OCIKMS_CRYPTO_ENDPOINT') | default('', false) }}" 368 | vault_ocikms_management_endpoint: "{{ lookup('env','VAULT_OCIKMS_MANAGEMENT_ENDPOINT') | default('', false) }}" 369 | 370 | # pkcs11 seal 371 | vault_enterprise_hsm: false 372 | # WARNING: the following variable is deprecated as this section will become 373 | # _only_ a pkcs11 seal soon. Please take note that vault_hsm_app will 374 | # soon be removed! 
375 | vault_hsm_app: pkcs11
376 | vault_backend_seal: vault_seal_pkcs11.j2
377 | vault_seal_lib: /lib64/hsmlibrary.so  # example path; point this at your PKCS#11 provider library
378 | vault_seal_pin: 12345  # placeholder only; override with the real HSM PIN per deployment and keep it out of plaintext var files
379 | vault_seal_key_label: vault-hsm-key
380 | vault_seal_hmac_key_label: ''
381 | vault_seal_generate_key: false
382 | vault_seal_key_mechanism: ''
383 | vault_seal_token_label: ''
384 | vault_seal_slot: 0
385 | vault_softcard_enable: false
386 | vault_telemetry_enabled: false
387 | vault_unauthenticated_metrics_access: false  # keep false unless the metrics endpoint is protected some other way
388 | vault_entropy_seal: false
389 | 
390 | # ---------------------------------------------------------------------------
391 | # Enterprise related variables
392 | # ---------------------------------------------------------------------------
393 | 
394 | vault_enterprise: "{{ lookup('env', 'VAULT_ENTERPRISE') | default(false, true) }}"  # also selects the '+ent' release artifacts (see vault_version_release_site_suffix)
395 | 
396 | # Manage enterprise license file with this role
397 | vault_configure_enterprise_license: false
398 | # Path to enterprise license on the remote host (destination path)
399 | # https://www.vaultproject.io/docs/configuration#license_path
400 | vault_license_path: "{{ vault_config_path }}/license.hclic"
401 | # Path to enterprise license on the Ansible controller (source file for upload)
402 | # Upload skipped when empty or undefined
403 | vault_license_file: ""
404 | 
405 | # -----------------
406 | # Vault plugins
407 | # -----------------
408 | vault_plugins_enable: []
409 | vault_plugins_src_dir_remote: /usr/local/src/vault/plugins # Directory for storing vault plugin src/zip files on target hosts
410 | vault_plugins_src_dir_local: "{{ role_path }}/files/plugins" # Directory for storing vault plugin src/zip files locally
411 | vault_plugins_src_dir_cleanup: false # Cleanup vault plugin src/zip dir after plugin install. WARNING: could cause plugins to be downloaded each time. 
412 | 413 | # vault acme plugin 414 | vault_plugin_install: false 415 | vault_plugin_acme_install: remote # remote / local 416 | vault_plugin_acme_sidecar_install: false 417 | vault_plugin_acme_version: "latest" 418 | vault_plugin_acme_zip: "{{ vault_os }}_{{ vault_architecture }}.zip" 419 | vault_plugin_acme_release_url: "https://github.com/remilapeyre/vault-acme/releases/download/v{{ vault_plugin_acme_version }}" 420 | vault_plugin_acme_zip_sha256sum: "{{ (lookup('url', vault_plugin_acme_release_url ~ '/vault-acme_SHA256SUMS', 421 | wantlist=true) | select('match', '.*' + vault_plugin_acme_zip + '$') | first).split()[0] }}" 422 | -------------------------------------------------------------------------------- /examples/README_VAGRANT.md: -------------------------------------------------------------------------------- 1 | # Vault with Ansible 2 | 3 | This project provides documentation and a collection of scripts to help you automate deployment of [HashiCorp Vault](https://www.vaultproject.io/) using [Ansible](http://www.ansibleworks.com/) 4 | 5 | These are the instructions for deploying a development or evaluation cluster on Vagrant. 6 | 7 | The documentation and scripts are merely a starting point designed to both help familiarize you with the processes and quickly bootstrap an environment for development or evaluation. You may wish to expand on them and customize them with additional features specific to your needs later. 8 | 9 | ## Vagrant Development Server 10 | 11 | In some situations deploying a small cluster on your local development machine can be handy. 
This document describes such a scenario using the following technologies: 12 | 13 | * [Vault](https://vault.io) 14 | * [VirtualBox](https://www.virtualbox.org/) or [Vagrant-libvirt](https://vagrant-libvirt.github.io/vagrant-libvirt) 15 | * [Vagrant](http://www.vagrantup.com/) with Ansible provisioner and 16 | supporting plugin 17 | * [Ansible](http://www.ansibleworks.com/) 18 | 19 | The Vagrant Development Server virtual machine is configured with 2GB RAM, 2 CPU cores, and dual network interfaces. The primary interface uses NAT and has connection via the host to the outside world. The secondary interface is a private network and is used for Vault intra-cluster communication in addition to access from the host machine. 20 | 21 | The Vagrant configuration file, `Vagrantfile` is responsible for configuring the virtual machine and a baseline OS installation. 22 | 23 | The Ansible playbooks then further refine OS configuration, perform Vault software download and installation, and the configuration of a Vault service that is then started. 24 | 25 | The result is a single Vault server using the [Filesystem Storage Backend](https://www.vaultproject.io/docs/configuration/storage/filesystem.html) that is ready to be initialized and unsealed from either the host system or within the virtual machine itself. 26 | 27 | ## Designed for Ansible Galaxy 28 | 29 | This role is designed to be installed via the `ansible-galaxy` command instead of being directly run from the git repository. 30 | 31 | You should install it like this: 32 | 33 | ``` 34 | $ ansible-galaxy role install -r roles/requirements.yml -p roles 35 | ``` 36 | 37 | ## Quick Start 38 | 39 | Begin from the top level directory of this project and use the following 40 | steps to get up and running: 41 | 42 | 1. 
Install the following prerequisites: 43 | - [VirtualBox](https://www.virtualbox.org/wiki/Downloads) or [Vagrant-libvirt](https://vagrant-libvirt.github.io/vagrant-libvirt/#installation) 44 | - [Vagrant](http://downloads.vagrantup.com/) 45 | - [vagrant-hosts plugin](https://github.com/adrienthebo/vagrant-hosts). 46 | 2. Edit `/etc/hosts` or use the included `bin/preinstall` script to add 47 | the following entry to your development system's `/etc/hosts` file: 48 | - `10.1.42.240 vault.local vault` 49 | 3. `export VAGRANT_DEFAULT_PROVIDER=libvirt` to use libvirt instead of VirtualBox 50 | 4. `vagrant up` 51 | 5. You can use Vault directly from the host system with the `VAULT_ADDR` environment variable as shown in this example: 52 | ``` 53 | VAULT_ADDR=http://10.1.42.240:8200 vault operator init 54 | ``` 55 | 56 | You can also `vagrant ssh` into the VM and export `VAULT_ADDR=http://localhost:8200` to use Vault. 57 | 58 | > NOTE: By default, this project will install a Debian based Vault server. If you prefer, it can also install a server based on a different Vagrant box by changing the command in step 4 to include the `BOX_NAME` environment variable specifying a different Vagrant box name as the value such as in the following example: 59 | 60 | ``` 61 | BOX_NAME="debian/bullseye64" vagrant up 62 | ``` 63 | 64 | ## Vault Enterprise 65 | 66 | The role can install Vault Enterprise based server instances. 67 | 68 | Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set `vault_enterprise: true` or use the `VAULT_ENTERPRISE="true"` environment variable. 69 | 70 | ## Notes 71 | 72 | If you notice an error like *vm: The '' provisioner could not be found.* make sure that you have the vagrant-hosts plugin installed. 73 | 74 | ## Resources 75 | 76 | 1. https://www.vaultproject.io/ 77 | 2. https://www.vaultproject.io/docs/ 78 | 3. https://learn.hashicorp.com/vault/ 79 | 4. 
https://www.vaultproject.io/intro/getting-started/deploy.html 80 | 5. https://www.vaultproject.io/docs/index.html 81 | 6. http://www.ansible.com/ 82 | 7. http://www.vagrantup.com/ 83 | 8. https://www.virtualbox.org/ 84 | 9. https://github.com/adrienthebo/vagrant-hosts 85 | 10. https://vagrant-libvirt.github.io/vagrant-libvirt 86 | -------------------------------------------------------------------------------- /examples/Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | # Vagrantfile for bootstrapping a development Vault cluster with 5 | # VirtualBox provider and Ansible provisioner 6 | 7 | ANSIBLE_PLAYBOOK = ENV['ANSIBLE_PLAYBOOK'] || "site.yml" 8 | BOX_MEM = ENV['BOX_MEM'] || "2048" 9 | BOX_NAME = ENV['BOX_NAME'] || "debian/bookworm64" 10 | VAULT_HOSTS = ENV['VAULT_HOSTS'] || "vagrant_hosts" 11 | LOGLEVEL = ENV['VAULT_LOGLEVEL'] || "info" 12 | VAGRANTFILE_API_VERSION = "2" 13 | 14 | Vagrant.require_version ">= 1.5.0" 15 | 16 | Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| 17 | 18 | # Configure one Vault server 19 | config.vm.define :vault do |vault_config| 20 | vault_config.vm.box = BOX_NAME 21 | vault_config.vm.network :private_network, ip: "10.1.42.240" 22 | vault_config.vm.hostname = "vault.local" 23 | vault_config.ssh.forward_agent = true 24 | vault_config.vm.provider "virtualbox" do |v| 25 | v.name = "vault-server" 26 | v.customize ["modifyvm", :id, "--memory", BOX_MEM] 27 | v.customize ["modifyvm", :id, "--ioapic", "on"] 28 | v.customize ["modifyvm", :id, "--cpus", "2"] 29 | v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] 30 | v.customize ["modifyvm", :id, "--natdnsproxy1", "on"] 31 | end 32 | vault_config.vm.synced_folder '.', '/vagrant', disabled: true 33 | vault_config.vm.provision :ansible do |ansible| 34 | ansible.inventory_path = VAULT_HOSTS 35 | # Extra Ansible variables can be defined here 36 | ansible.extra_vars = { 37 | 
vault_log_level: LOGLEVEL 38 | } 39 | ansible.playbook = ANSIBLE_PLAYBOOK 40 | ansible.limit = "all" 41 | end 42 | end 43 | end 44 | -------------------------------------------------------------------------------- /examples/bin/preinstall: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # File: examples/bin/preinstall - convenience script to add Vault 4 | # VM node host information to /etc/hosts for Vagrant 5 | 6 | vault="10\.1\.42\.240" 7 | 8 | # Log stuff 9 | function logmsg { 10 | msgtype="$1" 11 | msgtxt="$2" 12 | case "${msgtype}" in 13 | greeting) 14 | printf "🌞 ${txtylw}${msgtxt}\n" 15 | ;; 16 | info) 17 | printf "💬 ${txtwht}${msgtxt}\n" 18 | ;; 19 | success) 20 | printf "✅ ${txtgrn}${msgtxt}\n" 21 | ;; 22 | notice) 23 | printf "🚩 ${txtylw}${msgtxt}\n" 24 | ;; 25 | alert) 26 | printf "⛔️ ${txtred}${msgtxt}\n" >&2 27 | ;; 28 | *) 29 | printf "⁉️ ${txtwht}${msgtxt}\n" >&2 30 | ;; 31 | esac 32 | } 33 | 34 | # Check if sudo will need password 35 | function sudocheck { 36 | logmsg info "Enter your user account password for sudo if prompted" 37 | sudo true 38 | } 39 | 40 | # Add hosts entries if necessary 41 | function add_host { 42 | if grep vault /etc/hosts > /dev/null 2>&1; then 43 | logmsg success "Vault VM server information present in /etc/hosts" 44 | else 45 | sudocheck 46 | sudo sh -c "echo '# Vault Vagrant virtual machine host 47 | 10.1.42.240 vault.local vault 48 | ' >> /etc/hosts" 49 | logmsg success "Vault server host information added to /etc/hosts" 50 | fi 51 | } 52 | 53 | add_host 54 | -------------------------------------------------------------------------------- /examples/roles/requirements.yml: -------------------------------------------------------------------------------- 1 | - src: https://github.com/ansible-community/ansible-vault.git 2 | name: ansible-community.ansible-vault 3 | scm: git 4 | version: master 5 | 
-------------------------------------------------------------------------------- /examples/site.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: site.yml - Example Vault server playbook (Filesystem storage) 3 | 4 | - name: Install Vault Vagrant Development Server 5 | hosts: vault_instances 6 | any_errors_fatal: true 7 | become: true 8 | become_user: root 9 | roles: 10 | - {role: ansible-community.ansible-vault, vault_backend: file} 11 | -------------------------------------------------------------------------------- /examples/site_consul.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: site_consul.yml - Example Vault server playbook (Consul storage) 3 | 4 | - name: Install Vault 5 | hosts: consul_nodes 6 | any_errors_fatal: true 7 | become: true 8 | become_user: root 9 | roles: 10 | - {role: brianshumate.vault} 11 | -------------------------------------------------------------------------------- /examples/vagrant_hosts: -------------------------------------------------------------------------------- 1 | # File: vagrant_hosts 2 | # Vault node hosts configuration for Vagrant 3 | # 4 | # NB: Replace the hosts below with your preferred node hostnames and continue 5 | # the 'nodeN' pattern for additional nodes past 'vault3' 6 | # Do not modify the labels (text appearing between []), however 7 | 8 | [vault_instances] 9 | vault.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=./.vagrant/machines/vault1/virtualbox/private_key 10 | 11 | [consul_nodes] 12 | 13 | # If you want to install Vault using Consul VMs deployed with the 14 | # brianshumate.consul role, replace all instances of ~/ansible_roles 15 | # below with your actual Ansible role path and uncomment: 16 | 17 | # consul1.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul1/virtualbox/private_key 18 | 19 | # 
consul2.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul2/virtualbox/private_key 20 | 21 | # consul3.local ansible_ssh_user=vagrant ansible_ssh_private_key_file=~/ansible_roles/brianshumate.consul/examples/.vagrant/machines/consul3/virtualbox/private_key 22 | -------------------------------------------------------------------------------- /files/README.md: -------------------------------------------------------------------------------- 1 | # Files 2 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # handlers file for vault 3 | 4 | - name: Restart vault 5 | become: true 6 | service: 7 | name: '{{ vault_systemd_service_name }}' 8 | state: restarted 9 | when: vault_service_restart | bool 10 | 11 | - name: Reload vault 12 | become: true 13 | service: 14 | name: '{{ vault_systemd_service_name }}' 15 | state: reloaded 16 | when: vault_service_reload | bool 17 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | galaxy_info: 3 | namespace: community 4 | author: Brian Shumate 5 | description: HashiCorp Vault server role 6 | company: Brian Shumate 7 | license: BSD 8 | min_ansible_version: '2.7' 9 | 10 | platforms: 11 | - name: Amazon 12 | - name: Amazon Linux 2 13 | - name: ArchLinux 14 | - name: Debian 15 | versions: 16 | - stretch 17 | - buster 18 | - bullseye 19 | - name: EL 20 | versions: 21 | - '7' 22 | - '8' 23 | - '9' 24 | - name: Ubuntu 25 | versions: 26 | - bionic 27 | - focal 28 | - jammy 29 | 30 | galaxy_tags: 31 | - networking 32 | - security 33 | - system 34 | 35 | dependencies: [] 36 | -------------------------------------------------------------------------------- /molecule/_tests/test_vault.yml.j2: 
-------------------------------------------------------------------------------- 1 | --- 2 | port: 3 | tcp:8200: 4 | listening: true 5 | service: 6 | vault.service: 7 | enabled: true 8 | running: true 9 | user: 10 | vault: 11 | exists: true 12 | groups: 13 | - {{ vault_group | default('bin') }} 14 | group: 15 | {{ vault_group | default('bin') }}: 16 | exists: true 17 | process: 18 | vault: 19 | running: true 20 | -------------------------------------------------------------------------------- /molecule/almalinux-9/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: almalinux-9 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/almalinux-9 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: almalinux-9_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/almalinux-9 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | almalinux-9_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/amazonlinux-2022/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: amazonlinux-2022 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/amazonlinux-2022 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: amazonlinux-2022_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/amazonlinux-2022 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | amazonlinux-2022_repo: 24 | 
vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/archlinux/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: archlinux 4 | groups: 5 | - vault_raft_servers 6 | image: carlodepieri/docker-archlinux-ansible 7 | command: /lib/systemd/systemd 8 | privileged: true 9 | cgroup_parent: docker.slice 10 | 11 | provisioner: 12 | playbooks: 13 | prepare: prepare.yml 14 | -------------------------------------------------------------------------------- /molecule/archlinux/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare controlling host 3 | hosts: localhost 4 | connection: local 5 | 6 | tasks: 7 | - name: Prepare CI environment 8 | when: (lookup('env', 'CI')) 9 | block: 10 | - name: Install OS packages on controlling host 11 | when: ansible_distribution != 'MacOSX' 12 | package: 13 | name: unzip 14 | become: true 15 | 16 | - name: Install netaddr dependency on controlling host 17 | pip: 18 | name: netaddr 19 | become: false 20 | 21 | - name: Prepare ArchLinux 22 | hosts: all 23 | 24 | tasks: 25 | - name: Install prerequisites 26 | package: 27 | name: 28 | - sudo 29 | - unzip 30 | - tar 31 | state: present 32 | -------------------------------------------------------------------------------- /molecule/centos-stream-9-enterprise/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: centos-stream-9 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/centos-stream-9 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: centos-stream-9_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/centos-stream-9 15 | pre_build_image: true 16 | command: 
/lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | centos-stream-9: 24 | vault_disable_api_health_check: true 25 | vault_enterprise: true 26 | vault_install_hashi_repo: false 27 | centos-stream-9_repo: 28 | vault_disable_api_health_check: true 29 | vault_enterprise: true 30 | vault_install_hashi_repo: true 31 | vault_bin_path: /usr/bin 32 | vault_group: vault 33 | -------------------------------------------------------------------------------- /molecule/centos-stream-9/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: centos-stream-9 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/centos-stream-9 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: centos-stream-9_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/centos-stream-9 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | centos-stream-9_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | tasks: 5 | - name: "Include molecule" 6 | include_role: 7 | name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}" 8 | -------------------------------------------------------------------------------- /molecule/debian-11-enterprise/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: debian-11 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/debian-11 7 | pre_build_image: 
true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: debian-11_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/debian-11 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | debian-11: 24 | vault_disable_api_health_check: true 25 | vault_enterprise: true 26 | vault_install_hashi_repo: false 27 | debian-11_repo: 28 | vault_disable_api_health_check: true 29 | vault_enterprise: true 30 | vault_install_hashi_repo: true 31 | vault_bin_path: /usr/bin 32 | vault_group: vault 33 | -------------------------------------------------------------------------------- /molecule/debian-11/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: debian-11 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/debian-11 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: debian-11_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/debian-11 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | debian-11_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/prepare.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Prepare 3 | hosts: localhost 4 | connection: local 5 | 6 | tasks: 7 | - name: Prepare CI environment 8 | when: (lookup('env', 'CI')) 9 | block: 10 | - name: Install OS packages on controlling host 11 | when: ansible_distribution != 'MacOSX' 12 | package: 13 | name: unzip 14 | become: true 15 | 16 | - name: Install 
netaddr dependency on controlling host 17 | pip: 18 | name: netaddr 19 | become: false 20 | -------------------------------------------------------------------------------- /molecule/requirements.yml: -------------------------------------------------------------------------------- 1 | collections: 2 | - name: community.general 3 | source: https://galaxy.ansible.com 4 | -------------------------------------------------------------------------------- /molecule/rockylinux-9/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: rockylinux-9 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/rockylinux-9 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: rockylinux-9_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/rockylinux-9 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | rockylinux-9_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/ubuntu-20.04/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: ubuntu-20.04 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/ubuntu-20.04 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: ubuntu-20.04_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/ubuntu-20.04 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | ubuntu-20.04_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | 
vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/ubuntu-22.04/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: ubuntu-22.04 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/ubuntu-22.04 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: ubuntu-22.04_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/ubuntu-22.04 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | ubuntu-22.04_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/ubuntu-24.04/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platforms: 3 | - name: ubuntu-24.04 4 | groups: 5 | - vault_raft_servers 6 | image: dokken/ubuntu-24.04 7 | pre_build_image: true 8 | command: /lib/systemd/systemd 9 | privileged: true 10 | cgroup_parent: docker.slice 11 | - name: ubuntu-24.04_repo 12 | groups: 13 | - vault_raft_servers 14 | image: dokken/ubuntu-24.04 15 | pre_build_image: true 16 | command: /lib/systemd/systemd 17 | privileged: true 18 | cgroup_parent: docker.slice 19 | 20 | provisioner: 21 | inventory: 22 | host_vars: 23 | ubuntu-24.04_repo: 24 | vault_install_hashi_repo: true 25 | vault_bin_path: /usr/bin 26 | vault_group: vault 27 | -------------------------------------------------------------------------------- /molecule/verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Verify 3 | hosts: all 4 | become: true 5 | vars: 6 | goss_version: v0.3.7 7 | goss_arch: amd64 8 | goss_dst: 
/usr/local/bin/goss 9 | goss_sha256sum: 357f5c7f2e7949b412bce44349cd32ab19eb3947255a8ac805f884cc2c326059 10 | goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version }}/goss-linux-{{ goss_arch }}" 11 | goss_test_directory: /tmp 12 | goss_format: tap 13 | enterprise: "{{ 'enterprise' in lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}" 14 | tasks: 15 | - name: Check if enterprise 16 | ansible.builtin.debug: 17 | msg: "Verification is skipped because vault enterprise does not start without license" 18 | when: enterprise 19 | - name: Verify tasks 20 | when: not enterprise 21 | block: 22 | - name: Download and install Goss 23 | get_url: 24 | url: "{{ goss_url }}" 25 | dest: "{{ goss_dst }}" 26 | checksum: "sha256:{{ goss_sha256sum }}" 27 | mode: 0755 28 | register: download_goss 29 | until: download_goss is succeeded 30 | retries: 3 31 | 32 | - name: Copy Goss tests to remote 33 | template: 34 | src: "{{ item }}" 35 | dest: "{{ goss_test_directory }}/{{ item | basename | splitext | first }}" 36 | mode: 0644 37 | with_fileglob: 38 | - "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') }}/molecule/_tests/test_*.j2" 39 | 40 | - name: Register test files 41 | shell: "ls {{ goss_test_directory }}/test_*.yml" 42 | changed_when: false 43 | register: test_files 44 | 45 | - name: Execute Goss tests 46 | environment: 47 | # yamllint disable-line rule:line-length 48 | PATH: '/opt/rh/rh-git218/root/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' 49 | command: "{{ goss_dst }} -g {{ item }} validate -f {{ goss_format }}" 50 | changed_when: false 51 | register: test_results 52 | with_items: "{{ test_files.stdout_lines }}" 53 | 54 | - name: Display details about the Goss results 55 | debug: 56 | msg: "{{ item.stdout_lines }}" 57 | with_items: "{{ test_results.results }}" 58 | 59 | - name: Fail when tests fail 60 | fail: 61 | msg: "Goss failed to validate" 62 | when: item.rc != 0 63 | with_items: "{{ test_results.results }}" 64 | 
-------------------------------------------------------------------------------- /role_variables.md: -------------------------------------------------------------------------------- 1 | # Role Variables 2 | 3 | The role defines variables in `defaults/main.yml`: 4 | 5 | ## `vault_listener_localhost_enable` 6 | 7 | - Set this to true if you enable listen vault on localhost 8 | - Default value: *false* 9 | 10 | ## `vault_privileged_install` 11 | 12 | - Set this to true if you see permission errors when the vault files are 13 | downloaded and unpacked locally. This issue can show up if the role has 14 | been downloaded by one user (like root), and the installation is done 15 | with a different user. 16 | - Default value: *false* 17 | 18 | ## `vault_version` 19 | 20 | - Version to install 21 | - Can be overridden with `VAULT_VERSION` environment variable 22 | - Will include ".hsm" if vault_enterprise_hsm=True 23 | 24 | - Default value: 1.5.5 25 | 26 | ## `vault_enterprise` 27 | 28 | - Set this to true when installing Vault Enterprise; this is not currently 29 | possible as a "remote only" install method 30 | - Can be overridden with `VAULT_ENTERPRISE` environment variable 31 | - Default value: *false* 32 | 33 | ## `vault_pkg` 34 | 35 | - package filename 36 | - Default value: `"vault_{{ vault_version }}_linux_amd64.zip"` 37 | 38 | ## `vault_enterprise_pkg` 39 | 40 | - package filename 41 | - Default value: `"vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"` 42 | 43 | ## `vault_zip_url` 44 | 45 | - Package download URL 46 | - Default value: `"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"` 47 | - Override this var if you have your zip hosted internally 48 | - Works for enterprise installs also 49 | 50 | ## `vault_checksum_file_url` 51 | 52 | - SHA summaries URL 53 | - Override this var if you have your sha file is hosted internally 54 | - Default value: 
`"https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"` 55 | 56 | ## `vault_install_hashi_repo` 57 | 58 | - Set this to `true` when installing Vault via HashiCorp Linux repository. 59 | When set, you can also define `vault_repository_key_url` and `vault_repository_url` 60 | to override the default URL of the GPG key for the repository and the default URL of the 61 | repository used. 62 | - Default value: *false* 63 | 64 | ## `vault_rhsm_repo_id` 65 | 66 | - Name of rhsm repo 67 | - Set this to the name of your rhsm repo when installing Vault via a RHSM repository (RedHat Satellite/Foreman/etc.). 68 | When set, you need make sure `vault_install_hashi_repo` is set to `true` to enable repo install. And optionally also 69 | the rhsm subscription name with `vault_rhsm_subscription_name`. 70 | - Default value: null 71 | 72 | ## `vault_rhsm_subscription_name` 73 | 74 | - Name of rhsm subscription 75 | - Set the rhsm subscription name to attach the rhsm subscription via subscription-manager. 76 | When set, you need make sure `vault_install_hashi_repo` is set to `true` to enable repo install. And also that 77 | `vault_rhsm_repo_id` is set. 
78 | - Default value: null 79 | 80 | ## `vault_install_remotely` 81 | 82 | - Setting this to `true` downloads the Vault binary on each target instead of on localhost 83 | - Default value: *false* 84 | 85 | ## `vault_shasums` 86 | 87 | - SHA summaries filename (included for convenience, not for modification) 88 | - Default value: `"vault_{{ vault_version }}_SHA256SUMS"` 89 | 90 | ## `vault_enterprise_shasums` 91 | 92 | - SHA summaries filename (included for convenience, not for modification) 93 | - Will attempt to download from `vault_checksum_file_url` if not present in files/ 94 | - Default value: `"vault-enterprise_{{ vault_version }}_SHA256SUMS"` 95 | 96 | ## `vault_bin_path` 97 | 98 | - Binary installation path 99 | - Default value: `/usr/local/bin` 100 | 101 | ## `vault_config_path` 102 | 103 | - Configuration file path 104 | - Default value: `/etc/vault.d` 105 | 106 | ## `vault_use_config_path` 107 | 108 | - Use `"{{ vault_config_path }}"` to configure vault instead of `"{{ vault_main_config }}"` 109 | - Default value: *false* 110 | 111 | ## `vault_plugin_path` 112 | 113 | - Path from which plugins can be loaded 114 | - Default value: `/usr/local/lib/vault/plugins` 115 | 116 | ## `vault_plugins_enable` 117 | 118 | - List of plugins to enable (check under `tasks/plugins` to see supported plugins) 119 | - For example: `vault_plugins_enable: [ 'acme', 'example' ]` 120 | - Default value: `[]` 121 | 122 | ## `vault_plugins_src_dir_remote` 123 | 124 | - Directory where temporary plugin zip/installation files are placed 125 | when installation is processed remotely. 126 | - Default value: `/usr/local/src/vault/plugins` 127 | 128 | ## `vault_plugins_src_dir_local` 129 | 130 | - Directory where temporary plugin zip/installation files are placed 131 | when installation is processed locally. 
132 | - Default value: `{{ role_path }}/files/plugins` 133 | 134 | ## `vault_plugins_src_dir_cleanup` 135 | 136 | - Whether to clean up the temporary plugin zip/installation file directory after plugin install. 137 | Warning: When plugins don't provide a version number this could cause the plugins to be downloaded every time and thus breaking idempotence. 138 | - Default value: `false` 139 | 140 | ## `vault_data_path` 141 | 142 | - Data path 143 | - Default value: `/var/vault` 144 | 145 | ## `vault_log_path` 146 | 147 | - Log path 148 | - Default value: `/var/log/vault` 149 | 150 | ## `vault_run_path` 151 | 152 | - PID file location 153 | - Default value: `/var/run/vault` 154 | 155 | ## `vault_harden_file_perms` 156 | 157 | - Whether this role should disallow Vault from writing into config and plugin 158 | path. This should be enabled to follow [Production Hardening](https://learn.hashicorp.com/tutorials/vault/production-hardening). 159 | - Default value: false 160 | 161 | ## `vault_manage_user` 162 | 163 | - Should this role manage the vault user? 164 | - Default value: true 165 | 166 | ## `vault_user` 167 | 168 | - OS user name 169 | - Default value: vault 170 | 171 | ## `vault_group` 172 | 173 | - OS group name 174 | - Default value: bin 175 | 176 | ## `vault_groups` 177 | 178 | - OS additional groups as in ansibles user module 179 | - Default value: null 180 | 181 | ## `vault_manage_group` 182 | 183 | - Should this role manage the vault group? 
184 | - Default value: false 185 | 186 | ## `vault_cluster_name` 187 | 188 | - Cluster name label 189 | - Default value: dc1 190 | 191 | ## `vault_datacenter` 192 | 193 | - Datacenter label 194 | - Default value: dc1 195 | 196 | ## `vault_ui` 197 | 198 | - Enable vault web UI 199 | - Default value: true 200 | 201 | ## `vault_service_restart` 202 | 203 | - Should the playbook restart Vault service when needed 204 | - Default value: true 205 | 206 | ## `vault_service_reload` 207 | 208 | - Should the playbook reload Vault service when the main config changes. 209 | - Default value: false 210 | 211 | ## `vault_start_pause_seconds` 212 | 213 | - Some installations may need some time between the first Vault start 214 | and the first restart. Setting this to a value `>0` will add a pause 215 | time after the first Vault start. 216 | - Default value: 0 217 | 218 | # TCP Listener Variables 219 | 220 | ## `vault_tcp_listeners` 221 | 222 | - A list of tcp listeners. Each listener can define any of the listener specific variables described in further detail below. 
223 | - Default value: 224 | ```yaml 225 | vault_tcp_listeners: 226 | - vault_address: '{{ vault_address }}' 227 | vault_port: '{{ vault_port }}' 228 | vault_cluster_address: '{{ vault_cluster_address }}' 229 | # vault_proxy_protocol_behavior: '{{ vault_proxy_protocol_behavior }}' 230 | # vault_proxy_protocol_authorized_addrs: '{{ vault_proxy_protocol_authorized_addrs }}' 231 | vault_tls_disable: '{{ vault_tls_disable }}' 232 | vault_tls_certs_path: '{{ vault_tls_certs_path }}' 233 | vault_tls_private_path: '{{ vault_tls_private_path }}' 234 | vault_tls_cert_file: '{{ vault_tls_cert_file }}' 235 | vault_tls_key_file: '{{ vault_tls_key_file }}' 236 | vault_tls_ca_file: '{{ vault_tls_ca_file }}' 237 | vault_tls_min_version: '{{ vault_tls_min_version }}' 238 | vault_tls_cipher_suites: '{{ vault_tls_cipher_suites }}' 239 | vault_tls_require_and_verify_client_cert: '{{ vault_tls_require_and_verify_client_cert }}' 240 | vault_tls_disable_client_certs: '{{ vault_tls_disable_client_certs }}' 241 | # vault_x_forwarded_for_authorized_addrs: '{{ vault_x_forwarded_for_authorized_addrs }}' 242 | # vault_x_forwarded_for_hop_skips: '{{ vault_x_forwarded_for_hop_skips }}' 243 | # vault_x_forwarded_for_reject_not_authorized: '{{ vault_x_forwarded_for_reject_not_authorized }}' 244 | # vault_x_forwarded_for_reject_not_present: '{{ vault_x_forwarded_for_reject_not_present }}' 245 | ``` 246 | 247 | # Storage Backend Variables 248 | 249 | ## `vault_backend` 250 | 251 | - Which storage backend should be selected, choices are: raft, consul, etcd, file, s3, and dynamodb 252 | - Default value: raft 253 | 254 | 255 | ## `vault_backend_tls_src_files` 256 | 257 | - User-specified source directory for TLS files for storage communication 258 | - `{{ vault_tls_src_files }}` 259 | 260 | ## `vault_backend_tls_certs_path` 261 | 262 | - Path to directory containing backend tls certificate files 263 | - `{{ vault_tls_certs_path }}` 264 | 265 | ## `vault_backend_tls_private_path` 266 | 267 | - Path to 
directory containing backend tls key files 268 | - `{{ vault_tls_private_path }}` 269 | 270 | ## `vault_backend_tls_cert_file` 271 | 272 | - Specifies the path to the certificate for backend communication (if supported). 273 | - `{{ vault_tls_cert_file }}` 274 | 275 | ## `vault_backend_tls_key_file` 276 | 277 | - Specifies the path to the private key for backend communication (if supported). 278 | - `{{ vault_tls_key_file }}` 279 | 280 | ## `vault_backend_tls_ca_file` 281 | 282 | - CA certificate used for backend communication (if supported). This defaults to system bundle if not specified. 283 | - `{{ vault_tls_ca_file }}` 284 | 285 | ## Raft Storage Backend 286 | ## `vault_raft_leader_tls_servername` 287 | 288 | - TLS servername to use when connecting with HTTPS 289 | - Default value: none 290 | 291 | ## `vault_raft_group_name` 292 | 293 | - Inventory group name of servers hosting the raft backend 294 | - Default value: vault_raft_servers 295 | 296 | ## `vault_raft_cluster_members` 297 | 298 | - Members of the raft cluster 299 | - Default value: hosts in `vault_raft_group_name` group 300 | - Can be used to override the behaviour of dynamically selecting all hosts in `vault_raft_group_name` 301 | - Example: 302 | ``` 303 | vault_raft_cluster_members: 304 | - peer: vault-host-1 305 | api_addr: https://vault-host-1:8200 306 | - peer: vault-host-2 307 | api_addr: https://vault-host-2:8200 308 | - peer: vault-host-3 309 | api_addr: https://vault-host-2:8200 310 | ``` 311 | - Setting the `vault_raft_cluster_members` statically enables you to run the role against a single host (instead of the entire host group) 312 | 313 | ## `vault_raft_data_path` 314 | 315 | - Data path for Raft 316 | - Default value: vault_data_path 317 | 318 | ## `vault_raft_node_id` 319 | 320 | - Node_id for Raft 321 | - Default value: inventory_hostname_short 322 | 323 | ## `vault_raft_performance_multiplier` 324 | 325 | - Performance multiplier for Raft 326 | - Default value: none 327 | 328 | ## 
`vault_raft_trailing_logs` 329 | 330 | - Logs entries count left on log store after snapshot 331 | - Default value: none 332 | 333 | ## `vault_raft_snapshot_threshold` 334 | 335 | - Minimum Raft commit entries between snapshots 336 | - Default value: none 337 | 338 | ## `vault_raft_max_entry_size` 339 | 340 | - Maximum number of bytes for a Raft entry 341 | - Default value: none 342 | 343 | ## `vault_raft_autopilot_reconcile_interval` 344 | 345 | - Interval after which autopilot will pick up any state changes 346 | - Default value: none 347 | 348 | ## `vault_raft_cloud_auto_join` 349 | 350 | - Defines any cloud auto-join metadata. If supplied, Vault will 351 | attempt to automatically discover peers in addition to what can 352 | be provided via `leader_api_addr` 353 | - Default value: none 354 | 355 | ## `vault_raft_cloud_auto_join_exclusive` 356 | 357 | - If set to `true`, any `leader_api_addr` occurences will be removed 358 | from the configuration. 359 | Keeping this to `false` will allow `auto_join` and `leader_api_addr` 360 | to coexist 361 | - Default value: false 362 | 363 | ## `vault_raft_cloud_auto_join_scheme` 364 | 365 | - URI scheme to be used for `auto_join` 366 | - Default value: none (`https` is the default value set by 367 | Vault if not specified) 368 | 369 | ## `vault_raft_cloud_auto_join_port` 370 | 371 | - Port to be used for `auto_join` 372 | - Default value: none (`8200` is the default value set by 373 | Vault if not specified) 374 | 375 | ## Consul Storage Backend 376 | 377 | ## `vault_backend_consul` 378 | 379 | - Backend consul template filename 380 | - Default value: `backend_consul.j2` 381 | 382 | ## `vault_consul` 383 | 384 | - host:port value for connecting to Consul HA backend 385 | - Default value: 127.0.0.1:8500 386 | 387 | ## `vault_consul_scheme` 388 | 389 | - Scheme for Consul backend 390 | - Supported values: http, https 391 | - Default value: http 392 | 393 | ## `vault_consul_path` 394 | 395 | - Name of Vault's Consul K/V root 
path 396 | - Default value: vault 397 | 398 | ## `vault_consul_service` 399 | 400 | - Name of the Vault service to register in Consul 401 | - Default value: vault 402 | 403 | ## `vault_consul_token` 404 | 405 | - ACL token for accessing Consul 406 | - Default value: none 407 | 408 | ## etcd Storage Backend 409 | 410 | ## `vault_etcd` 411 | 412 | - Address of etcd storage 413 | - Default value: 127.0.0.1:2379 414 | 415 | ## `vault_etcd_api` 416 | 417 | - API version 418 | - Default value: v3 419 | 420 | ## `vault_etcd_path` 421 | 422 | - Path for Vault storage 423 | - Default value: /vault/ 424 | 425 | ## `vault_etcd_discovery_srv` 426 | 427 | - Discovery server 428 | - Default value: none 429 | 430 | ## `vault_etcd_discovery_srv_name` 431 | 432 | - Discovery server name 433 | - Default value: none 434 | 435 | ## `vault_etcd_ha_enabled` 436 | 437 | - Use storage for High Availability mode 438 | - Default value: false 439 | 440 | ## `vault_etcd_sync` 441 | 442 | - Use etcdsync 443 | - Default value: true 444 | 445 | ## `vault_etcd_username` 446 | 447 | - Username 448 | - Default value: none 449 | 450 | ## `vault_etcd_password` 451 | 452 | - Password 453 | - Default value: none 454 | 455 | ## `vault_etcd_request_timeout` 456 | 457 | - Request timeout 458 | - Default value: "5s" 459 | 460 | ## `vault_etcd_lock_timeout` 461 | 462 | - Lock timeout 463 | - Default value: "15s" 464 | 465 | ## File Storage Backend 466 | 467 | ## `vault_backend_file` 468 | 469 | - Backend file template filename 470 | - Default value: `backend_file.j2` 471 | 472 | ## Raft Integrated Storage Backend 473 | 474 | ## `vault_backend_raft` 475 | 476 | - Backend raft integrated storage template filename 477 | - Default value: `vault_backend_raft.j2` 478 | 479 | ## `vault_raft_node_id` 480 | 481 | - Identifier for the node in the integrated storage Raft cluster 482 | - Default value: "raft_node_1" 483 | 484 | ## `vault_raft_retry_join` 485 | 486 | - Details of all the nodes are known beforehand 487 | 
- Default value: "[]" 488 | 489 | ### `leader_api_addr` 490 | 491 | - Address of a possible leader node. 492 | - Default value: "" 493 | 494 | ### `leader_ca_cert_file` 495 | 496 | - File path to the CA cert of the possible leader node. 497 | - Default value: "" 498 | 499 | ### `leader_client_cert_file` 500 | 501 | - File path to the client certificate for the follower node to establish client authentication with the possible leader node. 502 | - Default value: "" 503 | 504 | ### `leader_client_key_file` 505 | 506 | - File path to the client key for the follower node to establish client authentication with the possible leader node. 507 | - Default value: "" 508 | 509 | ### `leader_ca_cert` 510 | 511 | - CA cert of the possible leader node. 512 | - Default value: "" 513 | 514 | ### `leader_client_cert` 515 | 516 | - Client certificate for the follower node to establish client authentication with the possible leader node. 517 | - Default value: "" 518 | 519 | ### `leader_client_key` 520 | 521 | - Client key for the follower node to establish client authentication with the possible leader node. 522 | - Default value: "" 523 | 524 | ## DynamoDB Storage Backend 525 | 526 | For additional documentation for the various options available, see the 527 | [Vault documentation](https://www.vaultproject.io/docs/configuration/storage/dynamodb.html) 528 | for the DynamoDB storage backend. 529 | 530 | ## `vault_dynamodb` 531 | 532 | - Specifies an alternative DynamoDB endpoint. 533 | - Default value: none 534 | - Can be overridden with the environment variable `AWS_DYNAMODB_ENDPOINT`. 535 | 536 | ## `vault_dynamodb_table` 537 | 538 | - Name of the DynamoDB table used to store Vault data. 539 | - If the table does not already exist, it will be created during 540 | initialization. 541 | - Default value: `"vault-dynamodb-backend"` 542 | - Can be overridden with the environment variable `AWS_DYNAMODB_TABLE`. 
543 | 544 | ## `vault_dynamodb_ha_enabled` 545 | 546 | - Whether High Availability is enabled for this storage backend. 547 | - Default value: `"false"` 548 | - Can be overridden with the environment variable `DYNAMODB_HA_ENABLED`. 549 | - The missing `AWS_` prefix is not a typo, this particular variable is not 550 | prefixed in both the Vault documentation and source code. 551 | 552 | ## `vault_dynamodb_max_parallel` 553 | 554 | - The maximum number of concurrent requests. 555 | - Default value: `"128"` 556 | 557 | ## `vault_dynamodb_region` 558 | 559 | - The AWS region. 560 | - Default value: `us-east-1` 561 | - Can be overridden with the environment variable `AWS_DEFAULT_REGION` 562 | 563 | ## `vault_dynamodb_read_capacity` 564 | 565 | - Number of reads per second to provision for the table. 566 | - Only used during table creation, has no effect if the table already exists. 567 | - Default value: `5` 568 | - Can be overridden with the environment variable `AWS_DYNAMODB_READ_CAPACITY`. 569 | 570 | ## `vault_dynamodb_write_capacity` 571 | 572 | - Number of writes per second to provision for the table. 573 | - Only used during table creation, has no effect if the table already exists. 574 | - Default value: `5` 575 | - Can be overridden with the environment variable `AWS_DYNAMODB_WRITE_CAPACITY`. 576 | 577 | ## `vault_dynamodb_access_key` 578 | 579 | - AWS access key to use for authentication. 580 | - Default value: none 581 | - Can be overridden with the environment variable `AWS_ACCESS_KEY_ID` 582 | - Leaving both this and `vault_dynamodb_secret_key` blank will cause Vault to 583 | attempt to retrieve the credentials from the AWS metadata service. 584 | 585 | ## `vault_dynamodb_secret_key` 586 | 587 | - AWS secret key used for authentication. 
588 | - Default value: none 589 | - Can be overridden with the environment variable `AWS_SECRET_ACCESS_KEY` 590 | - Leaving both this and `vault_dynamodb_access_key` blank will cause Vault to 591 | attempt to retrieve the credentials from the AWS metadata service. 592 | 593 | ## `vault_dynamodb_session_token` 594 | 595 | - AWS session token. 596 | - Default value: none 597 | - Can be overridden with the environment variable `AWS_SESSION_TOKEN` 598 | 599 | ## Google Cloud Storage Storage Backend 600 | 601 | ## `vault_gcs_bucket` 602 | 603 | - Specifies the name of the bucket to use for storage. 604 | - Default value: none 605 | 606 | ## `vault_gcs_ha_enabled` 607 | 608 | - Specifies if high availability mode is enabled. 609 | - Default value: `"false"` 610 | 611 | 612 | ## `vault_gcs_chunk_size` 613 | 614 | - Specifies the maximum size (in kilobytes) to send in a single request. If set to 0, it will attempt to send the whole object at once, but will not retry any failures. 615 | - Default value: `"8192"` 616 | 617 | ## `vault_gcs_max_parallel` 618 | 619 | - Specifies the maximum number of parallel operations to take place. 620 | - Default value: `"128"` 621 | 622 | ## `vault_gcs_copy_sa` 623 | 624 | - Copy GCP SA credentials file from Ansible control node to Vault server. When not `true` and no value is specified for `vault_gcs_credentials_src_file`, the default instance service account credentials are used. 625 | - Default value: `"false"` 626 | 627 | ## `vault_gcs_credentials_src_file` 628 | 629 | - Path to GCP SA credential on Ansible control node. 630 | - Default value: none 631 | 632 | ## `vault_gcs_credentials_dst_file` 633 | 634 | - Path to SA GCP credential on Vault server. 
- Default value: `"{{ vault_home }}/{{ vault_gcs_credentials_src_file | basename }}"`
688 | - Default value: nil 689 | 690 | ## `vault_service_registration_consul_token` 691 | 692 | - ACL token for registering with Consul service registration 693 | - Default value: none 694 | 695 | ## `vault_service_registration_consul_tls_certs_path` 696 | 697 | - path to tls certificate 698 | - default value `{{ vault_tls_certs_path }}` 699 | 700 | ## `vault_service_registration_consul_tls_private_path` 701 | 702 | - path to tls key 703 | - default value `{{ vault_tls_private_path }}` 704 | 705 | ## `vault_service_registration_consul_tls_ca_file` 706 | 707 | - CA certificate filename 708 | - Default value: `{{ vault_tls_ca_file }}` 709 | 710 | ## `vault_service_registration_consul_tls_cert_file` 711 | 712 | - Server certificate 713 | - Default value: `{{ vault_tls_cert_file }}` 714 | 715 | ## `vault_service_registration_consul_tls_key_file` 716 | 717 | - Server key 718 | - Default value: `{{ vault_tls_key_file }}` 719 | 720 | ## `vault_service_registration_consul_tls_min_version` 721 | 722 | - [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) 723 | - Default value: `{{ vault_tls_min_version }}` 724 | 725 | ## `vault_service_registration_consul_tls_skip_verify` 726 | 727 | - Disable verification of TLS certificates. Using this option is highly discouraged. 728 | - Default value: false 729 | 730 | ## Kubernetes Service Registration 731 | 732 | For additional information on the various options, see the 733 | [Vault documentation](https://www.vaultproject.io/docs/configuration/service-registration/kubernetes) 734 | for Kubernetes service registration. Note that this is only 735 | available starting at Vault version 1.4. 
736 | 737 | ## `vault_service_registration_kubernetes_consul_enable` 738 | 739 | - Enable Kubernetes service registration 740 | - Default value: false 741 | 742 | ## `vault_service_registration_kubernetes_template` 743 | 744 | - Kubernetes service registration template filename 745 | - Default value: `service_registration_kubernetes.hcl.j2` 746 | 747 | ## `vault_service_registration_kubernetes_namespace` 748 | 749 | - Kubernetes namespace to register 750 | - Default value: vault 751 | 752 | ## `vault_service_registration_pod_name` 753 | 754 | - Kubernetes pod name to register 755 | - Default value: vault 756 | 757 | ## `vault_log_level` 758 | 759 | - [Log level](https://www.consul.io/docs/agent/options.html#_log_level) 760 | - Supported values: trace, debug, info, warn, err 761 | - Default value: info 762 | - Requires Vault version 0.11.1 or higher 763 | 764 | ## `vault_iface` 765 | 766 | - Network interface 767 | - Can be overridden with `VAULT_IFACE` environment variable 768 | - Default value: eth1 769 | 770 | ## `vault_address` 771 | 772 | - Primary network interface address to use 773 | - Default value: `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"` 774 | 775 | ## `vault_port` 776 | 777 | - TCP port number to on which to listen 778 | - Default value: 8200 779 | 780 | ## `vault_max_lease_ttl` 781 | 782 | - Configures the [maximum possible lease duration](https://www.vaultproject.io/docs/config/#max_lease_ttl) for tokens and secrets. 783 | - Default value: 768h (32 days) 784 | 785 | ## `vault_default_lease_ttl` 786 | 787 | - Configures the [default lease duration](https://www.vaultproject.io/docs/config/#default_lease_ttl) for tokens and secrets. 
788 | - Default value: 768h (32 days) 789 | 790 | ## `vault_main_config` 791 | - Main configuration file name (full path) 792 | - Default value: `"{{ vault_config_path }}/vault_main.hcl"` 793 | 794 | ## `vault_main_configuration_template` 795 | 796 | - Vault main configuration template file 797 | - Default value: *vault_main_configuration.hcl.j2* 798 | 799 | ## `vault_custom_configuration` 800 | 801 | - Vault custom configuration 802 | - Default value: none 803 | 804 | ## `vault_http_proxy` 805 | 806 | - Address to be used as the proxy for HTTP and HTTPS requests unless overridden by `vault_https_proxy` or `vault_no_proxy` 807 | - Default value: `""` 808 | 809 | ## `vault_https_proxy` 810 | 811 | - Address to be used as the proxy for HTTPS requests unless overridden by `vault_no_proxy` 812 | - Default value: `""` 813 | 814 | ## `vault_no_proxy` 815 | 816 | - Comma separated values which specify hosts that should be exluded from proxying. Follows [golang conventions](https://godoc.org/golang.org/x/net/http/httpproxy) 817 | - Default value: `""` 818 | 819 | ## `vault_cluster_address` 820 | 821 | - Address to bind to for cluster server-to-server requests 822 | - Default value: `"{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"` 823 | 824 | ## `vault_cluster_addr` 825 | 826 | - Address to advertise to other Vault servers in the cluster for request forwarding 827 | - Default value: `"{{ vault_protocol }}://{{ vault_cluster_address }}"` 828 | 829 | ## `vault_api_addr` 830 | 831 | - [HA Client Redirect address](https://www.vaultproject.io/docs/concepts/ha.html#client-redirection) 832 | - Default value: `"{{ vault_protocol }}://{{ vault_redirect_address or hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ vault_port }}"` 833 | - vault_redirect_address is kept for backward compatibility but is deprecated. 
834 | 835 | ## `vault_disable_api_health_check` 836 | 837 | - flag for disabling the health check on vaults api address 838 | - Default value: `false` 839 | 840 | ## `vault_cluster_disable` 841 | 842 | - Disable HA clustering 843 | - Default value: false 844 | 845 | ## `validate_certs_during_api_reachable_check` 846 | 847 | - Disable Certificate Validation for API reachability check 848 | - Default value: true 849 | 850 | ## `vault_proxy_protocol_behavior` 851 | 852 | - May be one of `use_always`, `allow_authorized`, or `deny_unauthorized` 853 | - Enables [PROXY protocol](https://www.vaultproject.io/docs/configuration/listener/tcp#proxy_protocol_behavior) for listener. 854 | - If enabled and set to something other than `use_always`, you must also set 855 | - [*vault_proxy_protocol_authorized_addrs*](https://www.vaultproject.io/docs/configuration/listener/tcp#proxy_protocol_authorized_addrs) 856 | - Comma-separated list of source IPs for which PROXY protocol information will be used. 857 | - Default value: "" 858 | 859 | ## `vault_tls_certs_path` 860 | 861 | - Path to TLS certificates 862 | - Default value `/etc/vault/tls` 863 | 864 | ## `vault_tls_private_path` 865 | 866 | - Path to TLS keys 867 | - Default value `/etc/vault/tls` 868 | 869 | ## `vault_tls_disable` 870 | 871 | - [Disable TLS](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable) 872 | - Can be overridden with `VAULT_TLS_DISABLE` environment variable 873 | - Default value: 1 874 | 875 | ## `vault_tls_gossip` 876 | 877 | - Enable TLS Gossip to storage (if supported) 878 | - Default value: 0 879 | 880 | ## `vault_tls_src_files` 881 | 882 | - User-specified source directory for TLS files 883 | - Override with `VAULT_TLS_SRC_FILES` environment variable 884 | - Default value: `{{ role_path }}/files` 885 | 886 | ## `vault_tls_ca_file` 887 | 888 | - CA certificate filename 889 | - Override with `VAULT_TLS_CA_CRT` environment variable 890 | - Default value: `ca.crt` 891 | 892 | ## 
`vault_tls_client_ca_file` 893 | 894 | - Client CA certificate filename 895 | - Default value: `` 896 | 897 | ## `vault_tls_cert_file` 898 | 899 | - Server certificate 900 | - Override with `VAULT_TLS_CERT_FILE` environment variable 901 | - Default value: `server.crt` 902 | 903 | ## `vault_tls_key_file` 904 | 905 | - Server key 906 | - Override with `VAULT_TLS_KEY_FILE` environment variable 907 | - Default value: `server.key` 908 | 909 | ## `vault_tls_min_version` 910 | 911 | - [Minimum acceptable TLS version](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_min_version) 912 | - Can be overridden with `VAULT_TLS_MIN_VERSION` environment variable 913 | - Default value: tls12 914 | 915 | ## `vault_tls_cipher_suites` 916 | 917 | - [Comma-separated list of supported ciphersuites](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites) 918 | - Default value: "" 919 | 920 | ## `vault_tls_require_and_verify_client_cert` 921 | 922 | - [Require clients to present a valid client certificate](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_require_and_verify_client_cert) 923 | - Default value: false 924 | 925 | ## `vault_tls_disable_client_certs` 926 | 927 | - [Disable requesting for client certificates](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_disable_client_certs) 928 | - Default value: false 929 | 930 | ## `vault_tls_copy_keys` 931 | 932 | - Copy TLS files from src to dest 933 | - Default value: true 934 | 935 | ## `vault_tls_files_remote_src` 936 | 937 | - Copy from remote source if TLS files are already on host 938 | - Default value: false 939 | 940 | ## `vault_x_forwarded_for_authorized_addrs` 941 | 942 | - Comma-separated list of source IP CIDRs for which an X-Forwarded-For header will be trusted. 
943 | - Enables [X-Forwarded-For support.](https://www.vaultproject.io/docs/configuration/listener/tcp#x_forwarded_for_authorized_addrs) 944 | - If enabled, you may also set any of the following parameters: 945 | - *vault_x_forwarded_for_hop_skips* with a format of "N" for the number of hops to skip 946 | - *vault_x_forwarded_for_reject_not_authorized* with true/false 947 | - *vault_x_forwarded_for_reject_not_present* with true/false 948 | - Default value: "" 949 | 950 | ## `vault_bsdinit_template` 951 | - BSD init template file 952 | - Default value: `vault_service_bsd_init.j2` 953 | 954 | ## `vault_sysvinit_template` 955 | - SysV init template file 956 | - Default value: `vault_sysvinit.j2` 957 | 958 | ## `vault_debian_init_template` 959 | - Debian init template file 960 | - Default value: `vault_service_debian_init.j2` 961 | 962 | ## `vault_systemd_template` 963 | - Systemd service template file 964 | - Default value: `vault_service_systemd.j2` 965 | 966 | ## `vault_systemd_service_name` 967 | - Systemd service unit name 968 | - Default value: "vault" 969 | 970 | ## `vault_telemetry_enabled` 971 | - Enable [Vault telemetry](https://www.vaultproject.io/docs/configuration/telemetry.html) 972 | - If enabled, you must set at least one of the following parameters according to your telemetry provider: 973 | - *vault_statsite_address* with a format of "FQDN:PORT" 974 | - *vault_statsd_address* with a format of "FQDN:PORT" 975 | - *vault_prometheus_retention_time* e.g: "30s" or "24h" 976 | - If enabled, optionally set *vault_telemetry_disable_hostname* to strip the hostname prefix from telemetry data 977 | - Default value: *false* 978 | 979 | ## `vault_unauthenticated_metrics_access` 980 | 981 | - Configure [unauthenticated metrics access](https://www.vaultproject.io/docs/configuration/listener/tcp#configuring-unauthenticated-metrics-access) 982 | - Default value: false 983 | 984 | ## `vault_telemetry_usage_gauge_period` 985 | 986 | - Specifies the interval at which 
high-cardinality usage data is collected, 987 | such as token counts, entity counts, and secret counts. 988 | - Default value: *undefined* 989 | 990 | # OS Distribution Variables 991 | 992 | The `vault` binary works on most Linux platforms and is not distribution 993 | specific. However, some distributions require installation of specific OS 994 | packages with different naming, so this role was built with support for 995 | popular Linux distributions and defines these variables to deal with the 996 | differences across distributions: 997 | 998 | ## `vault_pkg` 999 | 1000 | - Vault package filename 1001 | - Default value: `{{ vault_version }}_linux_amd64.zip` 1002 | 1003 | ## `vault_centos_url` 1004 | 1005 | - Vault package download URL 1006 | - Default value: `{{ vault_zip_url }}` 1007 | 1008 | ## `vault_centos_os_packages` 1009 | 1010 | - List of OS packages to install 1011 | - Default value: list 1012 | 1013 | ## `vault_pkg` 1014 | 1015 | - Vault package filename 1016 | - Default value: `"{{ vault_version }}_linux_amd64.zip"` 1017 | 1018 | ## `vault_debian_url` 1019 | 1020 | - Vault package download URL 1021 | - Default value: `"{{ vault_zip_url }}"` 1022 | 1023 | ## `vault_sha256` 1024 | 1025 | - Vault download SHA256 summary 1026 | - Default value: SHA256 summary 1027 | 1028 | ## `vault_debian_os_packages` 1029 | 1030 | - List of OS packages to install 1031 | - Default value: list 1032 | 1033 | ## `vault_pkg` 1034 | 1035 | - Vault package filename 1036 | - Default value: `"{{ vault_version }}_linux_amd64.zip"` 1037 | 1038 | ## `vault_redhat_url` 1039 | 1040 | - Vault package download URL 1041 | - Default value: `"{{ vault_zip_url }}"` 1042 | 1043 | ## `vault_sha256` 1044 | 1045 | - Vault package SHA256 summary 1046 | - Default value: SHA256 summary 1047 | 1048 | ## `vault_redhat_os_packages` 1049 | 1050 | - List of OS packages to install 1051 | - Default value: list 1052 | 1053 | ## `vault_pkg` 1054 | 1055 | - Vault package filename 1056 | - Default value: 
`"{{ vault_version }}_linux_amd64.zip"` 1057 | 1058 | ## `vault_ubuntu_url` 1059 | 1060 | - Vault package download URL 1061 | - Default value: `"{{ vault_zip_url }}"` 1062 | 1063 | ## `vault_sha256` 1064 | 1065 | - Vault package SHA256 summary 1066 | - Default value: SHA256 summary 1067 | 1068 | ## `vault_enable_log` 1069 | 1070 | - Enable log to `vault_log_path` 1071 | - Default value: false 1072 | 1073 | ## `vault_enable_logrotate` 1074 | 1075 | - Enable logrotation for systemd based systems 1076 | - Default value: false 1077 | 1078 | ## `vault_logrotate_freq` 1079 | 1080 | - Determines how frequently to rotate vault logs 1081 | - Default value: 7 1082 | 1083 | ## `vault_logrotate_template` 1084 | 1085 | - Logrotate template file 1086 | - Default value: `vault_logrotate.j2` 1087 | 1088 | ## `vault_ubuntu_os_packages` 1089 | 1090 | - List of OS packages to install 1091 | - Default value: list 1092 | 1093 | # Dependencies 1094 | 1095 | > **NOTE**: Read these before executing the role to avoid certain frequently 1096 | encountered issues which are resolved by installing the correct dependencies. 1097 | 1098 | ## `gtar` 1099 | 1100 | Ansible requires GNU tar and this role performs some local use of the 1101 | unarchive module, so ensure that your system has `gtar` installed. 1102 | 1103 | ## Python netaddr 1104 | 1105 | The role depends on `python-netaddr` so: 1106 | 1107 | ``` 1108 | pip install netaddr 1109 | ``` 1110 | 1111 | on the Ansible control host prior to executing the role. 1112 | 1113 | # Vault Enterprise 1114 | 1115 | The role can install Vault Enterprise based instances. 1116 | 1117 | Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set 1118 | `vault_enterprise: true` or use the `VAULT_ENTERPRISE="true"` environment 1119 | variable. Attempts to download the package from `vault_zip_url` if zip is not found in files/. 1120 | 1121 | Since v2.5.9 of this role you can also install Vault Enterprise via the HashiCorp Repo. 
In order to install Vault Enterprise via the HashiCorp Repo, set `vault_install_hashi_repo: true` as well as `vault_enterprise: true`.
1157 | 1158 | - Backend seal template filename 1159 | - Default value: `vault_backend_seal.j2` 1160 | 1161 | ## `vault_seal_lib` 1162 | 1163 | - Set to the absolute path of the HSM library vault will call 1164 | - Default value: `/lib64/hsmlibrary.so` 1165 | 1166 | ## `vault_seal_pin` 1167 | 1168 | - The PIN for login. May also be specified by the VAULT_HSM_PIN environment variable. If set via the environment variable, Vault will obfuscate the environment variable after reading it, and it will need to be re-set if Vault is restarted. 1169 | - Default value: 12345 1170 | 1171 | ## `vault_seal_key_label` 1172 | 1173 | - The label of the key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated key. May also be specified by the VAULT_HSM_KEY_LABEL environment variable. 1174 | - Default value: '' 1175 | 1176 | ## `vault_seal_hmac_key_label` 1177 | 1178 | - The label of the HMAC key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated HMAC key. May also be specified by the VAULT_HSM_HMAC_KEY_LABEL environment variable. 1179 | - Default value: '' 1180 | 1181 | ## `vault_seal_generate_key` 1182 | 1183 | - If no existing key with the label specified by key_label can be found at Vault initialization time, instructs Vault to generate a key. This is a boolean expressed as a string (e.g. "true"). May also be specified by the VAULT_HSM_GENERATE_KEY environment variable. Vault may not be able to successfully generate keys in all circumstances, such as if proprietary vendor extensions are required to create keys of a suitable type. 1184 | - Default value: false 1185 | 1186 | ## `vault_seal_key_mechanism` 1187 | 1188 | - Do not change this unles you know you need to. The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string. May also be specified by the VAULT_HSM_MECHANISM environment variable. 
1189 | - Default value: '' 1190 | - Example for RSA: 0x0009 1191 | 1192 | ## `vault_seal_token_label` 1193 | 1194 | - The slot token label to use. May also be specified by the VAULT_HSM_TOKEN_LABEL environment variable. This label will only be applied when `vault_softcard_enable` is true. 1195 | - Default value: '' 1196 | 1197 | ## `vault_softcard_enable` 1198 | 1199 | - Enable if you plan to use a softcard on your HSM. 1200 | - Default value: false 1201 | 1202 | ## `vault_seal_slot` 1203 | 1204 | - The slot number to use, specified as a string (e.g. "0"). May also be specified by the VAULT_HSM_SLOT environment variable. This label will only be applied when `vault_softcard_enable` is false (default). 1205 | - Default value: 0 1206 | 1207 | ## `vault_entropy_seal` 1208 | 1209 | - Set to True to [include `entropy` stanza](https://learn.hashicorp.com/tutorials/vault/hsm-entropy) which enables [entropy augmentation for supported seals](https://www.vaultproject.io/docs/configuration/entropy-augmentation). Supported Seal types include PKCS11, AWS KMS, and Vault Transit. 1210 | - Default value: false 1211 | 1212 | The following stanza will be included in the hcl main configuration file if `vault_entropy_seal=true`: 1213 | ``` 1214 | entropy "seal" { 1215 | mode = "augmentation" 1216 | } 1217 | ``` 1218 | 1219 | # Vault GCP Cloud KMS Auto-unseal 1220 | 1221 | This feature enables operators to delegate the unsealing process to Google Key Management System Cloud to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters. 1222 | 1223 | This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterprise binaries for any earlier version. 1224 | 1225 | ## `vault_gkms` 1226 | 1227 | - Set to True to enable Google Cloud KMS Auto-Unseal. 
1228 | - Default value: false 1229 | 1230 | ## `vault_backend_gkms` 1231 | 1232 | - Backend seal template filename 1233 | - Default value: `vault_seal_gcpkms.j2` 1234 | 1235 | ## `vault_gkms_project` 1236 | 1237 | - GCP Project where the key resides. 1238 | - Default value: '' 1239 | 1240 | ## `vault_gkms_copy_sa` 1241 | 1242 | - Copy GCP SA credentials file from Ansible control node to Vault server. When not `true` and no value is specified for `vault_gkms_credentials_src_file`, the default instance service account credentials are used. 1243 | - Default value: `"true"` 1244 | 1245 | ## `vault_gkms_credentials_src_file` 1246 | 1247 | - User-specified source directory for GCP Credential on Ansible control node. 1248 | - Either this or vault_gkms_credentials_content must be set if vault_gkms is enabled. 1249 | - Default value: '' 1250 | 1251 | ## `vault_gkms_credentials_content` 1252 | 1253 | - User-specified GCP Credential file content. 1254 | - Either this or vault_gkms_credentials_src_file must be set if vault_gkms is enabled. 1255 | - Default value: '' 1256 | 1257 | ## `vault_gkms_credentials` 1258 | 1259 | - Path to GCP credential on Vault server. 1260 | - Default value: `/home/vault/vault-kms.json` 1261 | 1262 | ## `vault_gkms_region` 1263 | 1264 | - GCP Region where the key resides. 1265 | - Default value: global 1266 | 1267 | ## `vault_gkms_key_ring` 1268 | 1269 | - The id of the Google Cloud Platform KeyRing to which the key shall belong. 1270 | - Default value: vault 1271 | 1272 | ## `vault_gkms_crypto_key` 1273 | 1274 | - The CryptoKey's name. A CryptoKey's name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63} 1275 | - Default value: vault_key 1276 | 1277 | # Vault OCI KMS Auto-unseal 1278 | 1279 | This feature enables operators to delegate the unsealing process to OCI KMS to ease operations in the event of a partial failure and to 1280 | aid in the creation of new or ephemeral clusters. 
1281 | 1282 | ## `vault_ocikms` 1283 | 1284 | - Set to true to enable OCI KMS Auto-unseal. 1285 | - Default value: false 1286 | 1287 | ## `vault_ocikms_backend` 1288 | 1289 | - Backend seal template filename. 1290 | - Default value: `vault_seal_ocikms.j2` 1291 | 1292 | ## `vault_ocikms_auth_type_api_key` 1293 | 1294 | - Specifies if using API key to authenticate to OCI KMS service. 1295 | - Default value: false 1296 | 1297 | ## `vault_ocikms_key_id` 1298 | 1299 | - The OCI KMS key ID to use. 1300 | - Default value: VAULT_OCIKMS_SEAL_KEY_ID 1301 | 1302 | ## `vault_ocikms_crypto_endpoint` 1303 | 1304 | - The OCI KMS cryptographic endpoint (or data plane endpoint) to be used to make OCI KMS encryption/decryption requests. 1305 | - Default value: VAULT_OCIKMS_CRYPTO_ENDPOINT 1306 | 1307 | ## `vault_ocikms_management_endpoint` 1308 | 1309 | - The OCI KMS management endpoint (or control plane endpoint) to be used to make OCI KMS key management requests. 1310 | - Default value: VAULT_OCIKMS_MANAGEMENT_ENDPOINT 1311 | 1312 | # Vault Transit Auto-unseal 1313 | This enables Vault to use another Vault instance for the unseal process using its transit secret engine 1314 | 1315 | ## `vault_transit` 1316 | 1317 | - Set to true to enable Vault Transit Auto-unseal 1318 | - Default value: `false` 1319 | 1320 | ## `vault_transit_backend` 1321 | 1322 | - Backend seal template filename 1323 | - Default value: `vault_seal_transit.j2` 1324 | 1325 | ## `vault_transit_config`: 1326 | 1327 | - Destination configuration file 1328 | - Default value: `vault_transit.hcl` 1329 | 1330 | ## `vault_transit_address`: 1331 | 1332 | - Vault Address of the instance used for auto unseal 1333 | - Default value: ``, this variable is mandatory if `vault_transit: true` 1334 | 1335 | ## `vault_transit_token`: 1336 | 1337 | - Token used to authenticate to the external vault instance 1338 | - Default value: ``, this variable is mandatory if `vault_transit: true` 1339 | 1340 | ## 
`vault_transit_disable_renewal`: 1341 | 1342 | - Whether to disable automatic token renewal 1343 | - Default value: `false` 1344 | 1345 | ## `vault_transit_key_name` 1346 | 1347 | - Name of the key used for auto unseal 1348 | - Default value: `autounseal` 1349 | 1350 | ## `vault_transit_mount_path`: 1351 | 1352 | - Path where the transit engine is mounted to 1353 | - Default value: `transit/` 1354 | 1355 | ## `vault_transit_namespace`: 1356 | 1357 | - Namespace of the mounted transit engine 1358 | - Default value: ``, omitted per default 1359 | 1360 | ## `vault_transit_tls_ca_cert`: 1361 | 1362 | - CA Certificate of the external vault instance 1363 | - Default value: `ca_cert.pem`, omitted if `vault_transit_tls_skip_verify: true` 1364 | 1365 | ## `vault_transit_tls_client_cert`: 1366 | 1367 | - Client Certificate of the external vault instance 1368 | - Default value: `client_cert.pem`, omitted if `vault_transit_tls_skip_verify: true` 1369 | 1370 | ## `vault_transit_tls_client_key`: 1371 | 1372 | - Client Key of the external vault instance 1373 | - Default value: `ca_cert.pem`, omitted if `vault_transit_tls_skip_verify: true` 1374 | 1375 | ## `vault_transit_tls_server_name` 1376 | 1377 | - TLS Servername of the external vault instance 1378 | - Default value: ``, omitted per default 1379 | 1380 | ## `vault_transit_tls_skip_verify`: 1381 | 1382 | - Whether to disable TLS certificate verification 1383 | - Default: `false`, can also be set via `VAULT_SKIP_VERIFY` 1384 | 1385 | # Vault AWS KMS Auto-unseal 1386 | 1387 | This feature enables operators to delegate the unsealing process to AWS KMS to ease operations in the event of a partial failure and to 1388 | aid in the creation of new or ephemeral clusters. 
1389 | 1390 | ## `vault_awskms` 1391 | 1392 | - Set to true to enable AWS KMS Auto-unseal 1393 | - Default value: false 1394 | 1395 | ## `vault_awskms_backend` 1396 | 1397 | - Backend seal template filename 1398 | - Default value: `vault_seal_awskms.j2` 1399 | 1400 | ## `vault_awskms_region` 1401 | 1402 | - Which AWS KMS region to use 1403 | - Default value: us-east-1 1404 | 1405 | ## `vault_awskms_access_key` 1406 | 1407 | - The AWS Access Key to use for talking to AWS KMS 1408 | - Default value: AWS_ACCESS_KEY_ID 1409 | 1410 | ## `vault_awskms_secret_key` 1411 | 1412 | - The AWS Secret Key ID to use for talking to AWS KMS 1413 | - Default value: AWS_SECRET_ACCESS_KEY 1414 | 1415 | ## `vault_awskms_key_id` 1416 | 1417 | - The KMS Key ID to use for AWS KMS 1418 | - Default value: VAULT_AWSKMS_SEAL_KEY_ID 1419 | 1420 | ## `vault_awskms_endpoint` 1421 | 1422 | - The endpoint to use for KMS 1423 | - Default value: AWS_KMS_ENDPOINT 1424 | 1425 | # Vault Azure Key Vault Auto-unseal 1426 | 1427 | This feature enables operators to delegate the unsealing process to AZURE Key Vault to ease operations in the event of a partial failure and to aid in the creation of new or ephemeral clusters. 
1428 | 1429 | ## `vault_azurekeyvault` 1430 | 1431 | - Set to true to enable AZURE Key Vault Auto-unseal 1432 | - Default value: false 1433 | 1434 | ## `vault_backend_azurekeyvault` 1435 | 1436 | - Backend seal template filename 1437 | - Default value: `vault_seal_azurekeyvault.j2` 1438 | 1439 | ## `vault_azurekeyvault_client_id` 1440 | 1441 | - Application ID related to Service Principal Name for the Application used to connect to Azure 1442 | - Default value: EXAMPLE_CLIENT_ID 1443 | 1444 | ## `vault_azurekeyvault_client_secret` 1445 | 1446 | - Client Secret is the secret key attached to your Application 1447 | - Default value: EXAMPLE_CLIENT_SECRET 1448 | 1449 | ## `vault_azurekeyvault_tenant_id` 1450 | 1451 | - Tenant ID is your Directory ID in Azure 1452 | - Default value: EXAMPLE_TENANT_ID 1453 | 1454 | ## `vault_azurekeyvault_vault_name` 1455 | 1456 | - The name of the Vault which hosts the key 1457 | - Default value: vault 1458 | 1459 | ## `vault_azurekeyvault_key_name` 1460 | 1461 | - The key hosted in the Vault in Azure Key Vault 1462 | - Default value: vault_key 1463 | 1464 | # Vault plugins 1465 | 1466 | ## acme plugin 1467 | 1468 | Installs vault-acme plugin, also enables the plugin if authenticated against vault (`VAULT_ADDR`, `VAULT_TOKEN` env). 1469 | 1470 | ## `vault_plugin_acme_install` 1471 | - Setting this to `remote` will download the acme plugin to each target instead of copying it from localhost. 1472 | - Choices: remote / local 1473 | - Default value: `remote` 1474 | 1475 | ## `vault_plugin_acme_sidecar_install` 1476 | - Whether to install vault acme sidecar for `HTTP-01`/`TLS_ALPN_01` challenges in addition to DNS-01. 1477 | - Default value: `false` 1478 | 1479 | ## `vault_plugin_acme_version` 1480 | - Version of the acme plugin to install, can be set to `latest` for obtaining the latest available version. 
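1481 | - Default value: `latest`
1482 |
-------------------------------------------------------------------------------- /tasks/asserts.yml: --------------------------------------------------------------------------------
---
# File: tasks/asserts.yml - Asserts for this role
#
# Pre-flight checks included from tasks/main.yml: each task either fails the
# play early on an unsupported platform or an inconsistent seal configuration,
# or warns about a deprecated variable.

- name: Check distribution compatibility
  fail:
    msg: "{{ ansible_distribution }} is not supported by this role"
  when:
    - ansible_distribution not in _vault_nix_distros
    - ansible_os_family != 'Windows'

- name: Fail if not a new release of Red Hat / CentOS
  fail:
    msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
  when:
    - ansible_distribution in ['RedHat', 'CentOS']
    - ansible_distribution_version is version(7, '<')

- name: Fail if not a new release of Debian
  fail:
    msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
  when:
    - ansible_distribution == "Debian"
    # 'buster/sid' is the testing/unstable pseudo-version and cannot be compared numerically.
    - (ansible_distribution_version != 'buster/sid') and (ansible_distribution_version is version(8.5, '<'))

- name: Fail if not a new release of FreeBSD
  fail:
    msg: "{{ ansible_distribution_version }} is not a supported version."
  when:
    - ansible_distribution == "FreeBSD"
    - ansible_distribution_version is version(10, '<')

- name: Fail if not a new release of Ubuntu
  fail:
    msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
  when:
    - ansible_distribution == "Ubuntu"
    - ansible_distribution_version is version(13.04, '<')

- name: Check for vault_redirect_address usage
  debug:
    msg: "vault_redirect_address is deprecated. Check for vault_api_addr in the README."
  when: vault_redirect_address is defined

- name: Check if vault_transit_address and vault_transit_token has been specified
  fail:
    msg: "need vault_transit_address and vault_transit_token defined for vault transit seal configuration."
  when:
    - vault_transit | bool
    # Both values are mandatory for the transit seal (see the message above).
    # The previous `or` only failed when *neither* was set, so a half-configured
    # seal (address without token, or vice versa) passed this check.
    - not (vault_transit_address and vault_transit_token)
-------------------------------------------------------------------------------- /tasks/backend_tls.yml: --------------------------------------------------------------------------------
---
# File: tasks/backend_tls.yml - Backend TLS tasks for Vault
#
# Places the CA, certificate and private key used for the storage-backend
# connection. All tasks are gated on vault_tls_copy_keys; the key goes into
# vault_backend_tls_private_path, which gets a tighter directory mode when it
# differs from the certs directory.

- name: Create backend TLS directory
  become: true
  file:
    dest: "{{ vault_backend_tls_certs_path }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
  when: vault_tls_copy_keys | bool
  tags:
    - tls

- name: Create private backend TLS directory
  become: true
  file:
    dest: "{{ vault_backend_tls_private_path }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0500', '0700') }}"
  when:
    - vault_tls_copy_keys | bool
    - vault_backend_tls_certs_path != vault_backend_tls_private_path
  tags:
    - tls

- name: Vault backend SSL Certificate and Key
  become: true
  copy:
    remote_src: "{{ vault_tls_files_remote_src }}"
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ item.mode }}"
  with_items:
    - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_ca_file }}"
      dest: "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}"
      mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
    - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_cert_file }}"
      dest: "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}"
      mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
    # The private key is the only item that is owner-readable only.
    - src: "{{ vault_backend_tls_src_files }}/{{ vault_backend_tls_key_file }}"
      dest: "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}"
      mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
  when: vault_tls_copy_keys | bool
  tags:
    - tls
-------------------------------------------------------------------------------- /tasks/install.yml: --------------------------------------------------------------------------------
---
# File: tasks/install.yml - package installation tasks for vault
#
# "Control host" install path: the release archive is downloaded and unpacked
# once on the Ansible controller (delegate_to 127.0.0.1 + run_once) and the
# extracted binary is then copied to every target. The download is pinned to
# the SHA256 listed in HashiCorp's checksum file for vault_pkg.

- name: OS packages
  become: true
  package:
    name: "{{ vault_os_packages }}"
    state: present
    update_cache: true
  tags: installation
  when: (vault_os_packages is defined) and (vault_os_packages | length > 0)

# Temporary place for one-off version diff packages, etc.
- name: OS packages diff (Debian)
  become: true
  package:
    name: "libcap2-bin" # provides setcap/getcap used by tasks/main.yml
    state: present
  tags: installation
  when:
    - ansible_distribution == "Debian"
    - (ansible_distribution_version == 'buster/sid') or (ansible_distribution_version is version(8.5, '>'))

- name: Check Vault package file (local)
  stat:
    path: "{{ role_path }}/files/{{ vault_pkg }}"
  become: false
  run_once: true
  register: vault_package
  # Tagged like the download task that consumes vault_package, so a run
  # limited to --tags installation does not hit an undefined variable.
  tags: installation
  delegate_to: 127.0.0.1

- name: "Download Vault (local) → {{ vault_zip_url }}"
  get_url:
    url: "{{ vault_zip_url }}"
    dest: "{{ role_path }}/files/{{ vault_pkg }}"
    # Expected digest: the line of the checksum file ending in the package
    # name (regex_escape keeps the dots literal). The checksum file itself is
    # fetched over the network and is not signature-verified, so download
    # integrity rests on TLS to vault_checksum_file_url.
    checksum:
      "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + (vault_pkg | regex_escape()) + '$') | first).split()[0] }}"
    timeout: "42"
    mode: "0644"
  become: "{{ vault_privileged_install }}"
  run_once: true
  tags: installation
  when: not vault_package.stat.exists | bool
  delegate_to: 127.0.0.1

- name: Unarchive Vault (local)
  unarchive:
    src: "{{ role_path }}/files/{{ vault_pkg }}"
    dest: "{{ role_path }}/files/"
    creates: "{{ role_path }}/files/vault"
  become: "{{ vault_privileged_install }}"
  run_once: true
  tags: installation
  delegate_to: 127.0.0.1

- name: Install Vault
  become: true
  copy:
    src: "{{ role_path }}/files/vault"
    dest: "{{ vault_bin_path }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
  notify: Restart vault
  tags: installation

- name: Cleanup (local)
  file:
    path: "{{ item }}"
    state: "absent"
  become: "{{ vault_privileged_install }}"
  with_fileglob: "{{ role_path }}/files/vault"
  run_once: true
  tags: installation
  delegate_to: 127.0.0.1
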
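-------------------------------------------------------------------------------- /tasks/install_hashi_repo.yml: --------------------------------------------------------------------------------
---
# File: tasks/install_hashi_repo.yml
# Install Vault via HashiCorp Linux repository
#
# Repository setup (yum/dnf, apt, or a RHSM-provided repo), then the
# vault / vault-enterprise package pinned to vault_version. The package's
# default config, env file and self-signed cert/key are masked or hardened
# afterwards so they cannot interfere with the Ansible-managed configuration.

- name: Add Vault/Hashicorp rpm repo
  yum_repository:
    name: hashicorp
    description: Hashicorp Stable - $basearch
    baseurl: "{{ vault_repository_url }}"
    gpgkey: "{{ vault_repository_key_url }}"
    gpgcheck: true # packages must be signed by the key above
    enabled: true
  become: true
  when:
    - ansible_pkg_mgr in ['yum', 'dnf']
    - not vault_rhsm_repo_id

# apt_key adds the key to the system-wide trusted keyring (deprecated by
# newer apt); a signed-by keyring scoped to this repository would be tighter.
- name: Add Vault/Hashicorp apt key
  apt_key:
    url: "{{ vault_repository_key_url }}"
    state: present
  become: true
  when: ansible_pkg_mgr == 'apt'

- name: Add Vault/Hashicorp apt repo
  apt_repository:
    repo: "deb {{ vault_repository_url }} {{ ansible_distribution_release }} main"
    state: present
  become: true
  when: ansible_pkg_mgr == 'apt'

- name: Attach RHSM subscription / repo
  when: (vault_rhsm_repo_id)
  become: true
  block:
    - name: Check if Hashicorp/Vault RHSM repo subscription is enabled
      command:
        cmd: "subscription-manager list --consumed --matches={{ vault_rhsm_subscription_name | quote }} --pool-only"
      register: _subscription_manager_consumed
      changed_when: false
      when: (vault_rhsm_subscription_name)

    - name: Find Hashicorp/Vault RHSM repo subscription pool id
      command:
        cmd: "subscription-manager list --available --matches={{ vault_rhsm_subscription_name | quote }} --pool-only"
      register: _subscription_manager_available
      changed_when: false
      when:
        - (vault_rhsm_subscription_name)
        # default() as in the attach task below: stdout is absent when the
        # previous task was skipped.
        - _subscription_manager_consumed.stdout | default() | length <= 0

    - name: Attach Hashicorp/Vault RHSM subscription
      command:
        cmd: "subscription-manager attach --pool={{ _subscription_manager_available.stdout }}"
      register: _subscription_manager_attach
      changed_when: _subscription_manager_attach.stdout is search('Successfully attached a subscription')
      failed_when: _subscription_manager_attach.stdout is search('could not be found')
      when:
        - (vault_rhsm_subscription_name)
        - _subscription_manager_consumed.stdout | default() | length <= 0
        - _subscription_manager_available.stdout | default() | length > 0

    - name: Enable RHSM repository
      rhsm_repository:
        name: "{{ vault_rhsm_repo_id }}"
        state: enabled

- name: Ensure Enterprise package is not present when OSS is desired and vice versa
  package:
    name: "{{ 'vault' ~ ('-enterprise' if not (vault_enterprise | bool) else '') }}"
    state: absent
  become: true

- name: "Install Vault package {{ _vault_repo_pkg }}"
  package:
    name: "{{ _vault_repo_pkg }}"
    state: present
  become: true
  vars:
    # Version pin syntax differs per package manager ("-" for rpm, "=" for apt).
    _vault_repo_pkg: "{% if (ansible_pkg_mgr in ['yum', 'dnf']) %}\
      vault{{ '-enterprise' if vault_enterprise }}-{{ vault_version }}{{ vault_version_repo_suffix }}\
      {% elif (ansible_pkg_mgr == 'apt') %}\
      vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}{{ vault_version_debian_repo_suffix }}\
      {% else %}\
      vault{{ '-enterprise' if vault_enterprise }}={{ vault_version }}{{ vault_version_repo_suffix }}\
      {% endif %}"
  notify: Restart vault

- name: Mask default Vault config from package
  become: true
  copy:
    owner: root
    group: root
    mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}"
    dest: /etc/vault.d/vault.hcl
    content: |
      # Placeholder to mask default RPM/DPKG Vault config file.
      #
      # Package-installed config would interfere with Ansible-managed config files
      # in this directory. Keeping an empty placeholder prevents package updates
      # from re-installing the default config.
  when: ansible_pkg_mgr in ['yum', 'dnf', 'apt']

- name: Harden binary perms
  become: true
  ansible.builtin.file:
    path: "{{ vault_bin_path }}/vault"
    mode: "0755" # Package default is 0775
    owner: root # Package default
    group: root # Package default
  when: vault_harden_file_perms

- name: Delete vault.env
  become: true
  ansible.builtin.file:
    state: absent
    path: /etc/vault.d/vault.env
  when: vault_harden_file_perms

- name: Harden perms of default cert/key
  # Package-installed files under /opt/vault/tls; privilege is needed here
  # just as in the sibling "Delete default cert/key" task.
  become: true
  ansible.builtin.file:
    path: "/opt/vault/tls/{{ item }}"
    mode: "0400"
  with_items:
    - tls.crt
    - tls.key
  when:
    - vault_harden_file_perms
    - not vault_tls_disable
    - not vault_tls_copy_keys

- name: Delete default cert/key
  become: true
  ansible.builtin.file:
    state: absent
    path: "/opt/vault/tls/{{ item }}"
  with_items:
    - tls.crt
    - tls.key
  when: vault_tls_disable or vault_tls_copy_keys
-------------------------------------------------------------------------------- /tasks/install_remote.yml: --------------------------------------------------------------------------------
---
# File: tasks/install_remote.yml
# Package installation tasks for vault
#
# "Remote" install path: every target downloads and unpacks the release
# archive itself (no controller-side staging), then the staging directory
# is removed.

- name: OS packages
  become: true
  package:
    name: "{{ vault_os_packages }}"
    state: present
  tags: installation
  when: (vault_os_packages is defined) and (vault_os_packages | length > 0)

# NOTE(review): a fixed path in the world-writable /tmp can be pre-created by
# another local account; a per-run tempfile directory would avoid that.
- name: Ensure remote vault dir exists
  file:
    path: /tmp/vault
    state: directory
    mode: "0750"
  # Tagged with the tasks that depend on the directory existing.
  tags: installation

- name: Check Vault package file
  stat:
    path: "/tmp/vault/{{ vault_pkg }}"
  register: vault_package
  tags: installation

- name: "Download Vault → {{ vault_zip_url }}"
  get_url: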
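# (parameters of the "Download Vault" get_url task above)
    url: "{{ vault_zip_url }}"
    dest: "/tmp/vault/{{ vault_pkg }}"
    # Same digest lookup as tasks/install.yml; regex_escape keeps the dots in
    # the package name literal instead of matching any character. The checksum
    # file is fetched over the network and not signature-verified, so integrity
    # rests on TLS to vault_checksum_file_url.
    checksum: "sha256:{{ (lookup('url', vault_checksum_file_url, wantlist=true) | select('match', '.*' + (vault_pkg | regex_escape()) + '$') | first).split()[0] }}"
    timeout: "42"
    mode: "0644"
  tags: installation
  when: not vault_package.stat.exists | bool

- name: Unarchive Vault and install binary
  become: true
  unarchive:
    remote_src: true
    src: "/tmp/vault/{{ vault_pkg }}"
    dest: "{{ vault_bin_path }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
  notify: Restart vault
  tags: installation

- name: Cleanup
  file:
    path: "/tmp/vault"
    state: absent
  tags: installation
-------------------------------------------------------------------------------- /tasks/main.yml: --------------------------------------------------------------------------------
---
# File: tasks/main.yml - role entry point.
#
# Order: asserts -> user/group -> OS-specific vars -> install (one of three
# paths, only when the installed version differs) -> mlock capability ->
# directories, TLS and seal configuration -> init script / systemd unit ->
# start -> health check -> plugins.

- name: Include asserts
  include_tasks: asserts.yml

- name: Add Vault group
  become: true
  group:
    name: "{{ vault_group }}"
    state: present
  when: vault_manage_group | bool

- name: Add Vault user
  become: true
  user:
    name: "{{ vault_user }}"
    comment: "Vault user"
    group: "{{ vault_group }}"
    groups: "{{ vault_groups }}"
    system: true
  when: vault_manage_user | bool

- name: Include OS-specific variables
  include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      # Most specific file first (e.g. RedHat9.yml), then the family file.
      files:
        - "{{ ansible_os_family }}{{ ansible_distribution_major_version }}.yml"
        - "{{ ansible_os_family }}.yml"
      paths:
        - vars

- name: Check Vault installation
  shell: command -v vault # noqa command-instead-of-shell # command is a shell builtin
  environment:
    PATH: "{{ vault_bin_path }}:{{ ansible_env.PATH }}"
  register: vault_installation
  changed_when: false
  ignore_errors: true
  check_mode: false

- name: Get installed Vault version
  shell: |
    set -o pipefail
    {{ vault_installation.stdout }} -version | cut -d' ' -f2 | tr -d 'v'
  args:
    executable: /bin/bash
  when: not vault_installation is failed
  changed_when: false
  check_mode: false
  register: installed_vault_version

- name: Compute if installation is required
  set_fact:
    # Enterprise builds report "<version>+ent", so the suffix is appended
    # before comparing with the requested vault_version.
    installation_required: "{{ vault_installation is failed or installed_vault_version.stdout != vault_version~('+ent' if vault_enterprise) }}"

- name: Install OS packages and Vault via control host
  include_tasks: install.yml
  when:
    - not vault_install_remotely | bool
    - not vault_install_hashi_repo | bool
    - installation_required | bool

- name: Install Vault via HashiCorp repository
  include_tasks: install_hashi_repo.yml
  when:
    - not vault_install_remotely | bool
    - vault_install_hashi_repo | bool
    - installation_required | bool

- name: Install OS packages and Vault via remote hosts
  include_tasks: install_remote.yml
  when:
    - not vault_enterprise | bool
    - vault_install_remotely | bool
    - not vault_install_hashi_repo | bool
    - installation_required | bool

# Query the capability first: the previous version of this check ran setcap
# itself with changed_when false, so the capability was (re)applied on every
# run without ever being reported as a change.
- name: Check Vault mlock capability
  become: true
  command: "getcap {{ vault_bin_path }}/vault"
  register: vault_mlock_capability
  changed_when: false # read-only query
  failed_when: false # a missing getcap or capability just means "set it below"
  check_mode: false

- name: Enable non root mlock capability
  become: true
  command: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault"
  # getcap prints the capability name when it is present (format differs
  # between libcap versions, the name does not).
  when: "'cap_ipc_lock' not in (vault_mlock_capability.stdout | default(''))"

- name: Create directories
  become: true
  file:
    dest: "{{ item.path }}"
    state: directory
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ item.mode }}"
  with_items:
    - path: "{{ vault_config_path }}"
      mode: "{{ vault_harden_file_perms | ternary('0550', '0750') }}"
    - path: "{{ vault_plugin_path }}"
      mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}"
    - path: "{{ vault_data_path }}"
      mode: "0750"
    - path: "{{ vault_log_path }}"
      mode: "0750"
    - path: "{{ vault_run_path }}"
      mode: "0750"

- name: Enable logrotate for vault
  become: true
  template:
    src: "{{ vault_logrotate_template }}"
    dest: /etc/logrotate.d/vault
    owner: root
    group: root
    mode: "0644"
  when: vault_enable_logrotate | bool

- name: TLS configuration
  include_tasks: ../tasks/tls.yml
  when: not vault_tls_disable | bool

- name: Backend storage TLS configuration
  include_tasks: ../tasks/backend_tls.yml
  when: vault_tls_gossip | bool

- name: "Get content of GCP Credentials from file"
  set_fact:
    vault_gkms_credentials_content: "{{ lookup('file', vault_gkms_credentials_src_file) }}"
  no_log: true # service-account key material; keep it out of verbose output
  when:
    - vault_gkms | bool
    - vault_gkms_credentials_src_file | length > 0

- name: "Copy over GCP Credentials for Auto Unseal" # noqa template-instead-of-copy # https://github.com/ansible/ansible-lint/issues/2501
  # become as in the other tasks that create vault_user-owned files.
  become: true
  copy:
    content: "{{ vault_gkms_credentials_content }}"
    dest: "{{ vault_gkms_credentials }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
  no_log: true # `content` is the credential itself
  when:
    - vault_gkms | bool
    - vault_gkms_credentials_content | length > 0 or
      vault_gkms_copy_sa | bool

- name: "Copy GCP Credentials for gcs backend"
  become: true
  copy:
    src: "{{ vault_gcs_credentials_src_file }}"
    dest: "{{ vault_gcs_credentials_dst_file }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
  when:
    - vault_backend == "gcs"
    - vault_gcs_copy_sa | bool

- name: Vault main configuration
  become: true
  template:
    src: "{{ vault_main_configuration_template }}"
    dest: "{{ vault_main_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
    backup: "{{ vault_backup_config | default('false') | bool | lower }}"
  notify:
    - Restart vault
    - Reload vault

- name: Vault transit seal configuration
  become: true
  template:
    src: "{{ vault_transit_backend }}"
    dest: "{{ vault_transit_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
    backup: "{{ vault_backup_config | default('false') | bool | lower }}"
  when: vault_transit | bool
  notify: Restart vault

- name: Vault awskms seal configuration
  become: true
  template:
    src: "{{ vault_awskms_backend }}"
    dest: "{{ vault_awskms_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
    backup: "{{ vault_backup_config | default('false') | bool | lower }}"
  when: vault_awskms | bool
  notify: Restart vault

- name: Vault azurekeyvault seal configuration
  become: true
  template:
    src: "{{ vault_azurekeyvault_backend }}"
    dest: "{{ vault_azurekeyvault_config }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}"
    backup: "{{ vault_backup_config | default('false') | bool | lower }}"
  when: vault_azurekeyvault | bool
  notify: Restart vault

- name: Upload Vault license file to vault_license_path
  become: true
  copy:
    src: "{{ vault_license_file }}"
    dest: "{{ vault_license_path }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    mode: "{{ vault_harden_file_perms | ternary('0400', '0644') }}"
  when:
    - vault_configure_enterprise_license | bool
    - vault_license_file | length > 0

- name: "Set Exec output to log path when enabled log"
  set_fact:
    vault_exec_output: ">> {{ vault_log_path }}/vault.log 2>&1"
  when: vault_enable_log

# Init scripts are root-owned files under /etc; become as for the systemd unit.
- name: BSD init script
  become: true
  template:
    src: "{{ vault_bsdinit_template }}"
    dest: /etc/rc.d/vault
    owner: root
    group: wheel
    mode: "0755"
  when: ansible_os_family == "FreeBSD"

- name: SYSV init script
  become: true
  template:
    src: "{{ vault_sysvinit_template }}"
    dest: /etc/init.d/vault
    owner: root
    group: root
    mode: "0755"
  when:
    - not ansible_service_mgr == "systemd"
    - not ansible_os_family == "Debian"
    - not ansible_os_family == "FreeBSD"
    - not ansible_os_family == "Solaris"

- name: Debian init script
  become: true
  template:
    src: "{{ vault_debian_init_template }}"
    dest: /etc/init.d/vault
    owner: root
    group: root
    mode: "0755"
  when:
    - not ansible_service_mgr == "systemd"
    - ansible_os_family == "Debian"
    - not ansible_os_family == "FreeBSD"
    - not ansible_os_family == "Solaris"

- name: Extract systemd version
  shell: |
    set -o pipefail
    systemctl --version systemd | head -n 1 | cut -d' ' -f2
  args:
    executable: /bin/bash
  changed_when: false
  check_mode: false
  register: systemd_version
  when:
    - ansible_service_mgr == "systemd"
    - not ansible_os_family == "FreeBSD"
    - not ansible_os_family == "Solaris"
  tags: skip_ansible_lint

- name: Systemd unit
  become: true
  template:
    src: "{{ vault_systemd_template }}"
    dest: "{{ vault_systemd_unit_path }}/{{ vault_systemd_service_name }}.service"
    force: true
    owner: root
    group: root
    mode: "0644"
  register: systemd_unit
  when:
    - ansible_service_mgr == "systemd"
    - not ansible_os_family == "FreeBSD"
    - not ansible_os_family == "Solaris"
    - systemd_version is defined

- name: Reload systemd
  become: true
  systemd:
    daemon-reload: true
  # Handler names are matched exactly; spelled like every other notify in
  # this role (previously "Restart Vault").
  notify: Restart vault
  when:
    - ansible_service_mgr == "systemd"
    - not ansible_os_family == "FreeBSD"
    - not ansible_os_family == "Solaris"
    - systemd_version is defined
    - systemd_unit is changed

- name: Start Vault
  become: true
  service:
    name: '{{ vault_systemd_service_name }}'
    state: started
    enabled: true
  register: start_vault

- name: Pause to let Vault startup correctly
  pause:
    seconds: "{{ vault_start_pause_seconds }}"
  when:
    - start_vault is changed # noqa no-handler
    - vault_start_pause_seconds | int > 0

- name: Restart Vault if needed
  meta: flush_handlers

- name: Compute TLS friendly vault_addr
  set_fact:
    # A wildcard listener is not a usable client address; use loopback instead.
    vault_addr: "{{ (vault_address == '0.0.0.0') | ternary('127.0.0.1', vault_address) }}"

- name: Insert http(s) export in dotfile
  become: true
  lineinfile:
    path: "{{ vault_home }}/{{ vault_dotfile }}"
    regexp: "^export VAULT_ADDR="
    line: "export VAULT_ADDR='{{ vault_tls_disable | ternary('http', 'https') }}://{{ vault_addr }}:{{ vault_port }}'"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    create: true
    mode: "0600"
  when:
    - not vault_dotfile_disable
    - ansible_os_family != 'Windows'

- name: Insert CA cert export in dotfile
  become: true
  lineinfile:
    path: "{{ vault_home }}/{{ vault_dotfile }}"
    regexp: "^export VAULT_CACERT="
    # NOTE(review): built from vault_tls_certs_path here but from
    # vault_tls_config_path in the plugin environment below — confirm both
    # resolve to the same file.
    line: "export VAULT_CACERT={{ vault_tls_certs_path }}/{{ vault_tls_ca_file }}"
    owner: "{{ vault_user }}"
    group: "{{ vault_group }}"
    create: true
    mode: "0600"
  when:
    - not vault_dotfile_disable
    - not vault_tls_disable | bool
    - ansible_os_family != 'Windows'

# This should succeed regardless of seal state
- name: Vault API reachable?
  # Attempt to help with long lines > 160 issues
  vars:
    # (not referenced in this task as written)
    vault_addr_protocol: "{{ vault_tls_disable | ternary('http', 'https') }}"
  environment:
    no_proxy: "{{ vault_api_addr | urlsplit('hostname') }}"
  uri:
    # Certificate validation for this probe is a separate switch from the
    # listener's TLS settings; keep it enabled unless the CA is not yet deployed.
    validate_certs: "{{ validate_certs_during_api_reachable_check | bool }}"
    url: "{{ vault_api_addr }}/v1/sys/health"
    method: GET
    # 200 if initialized, unsealed, and active
    # 429 if unsealed and standby
    # 472 if data recovery mode replication secondary and active
    # 473 if performance standby
    # 501 if not initialized
    # 503 if sealed
    # See: https://www.vaultproject.io/api/system/health.html
    status_code: 200, 429, 472, 473, 501, 503
    body_format: json
  register: check_result
  retries: 6
  until: check_result is succeeded
  delay: 10
  changed_when: false
  tags:
    - check_vault
  when:
    - not vault_disable_api_health_check | bool

- name: Install/configure vault plugins
  include_tasks: "plugins/{{ _index_plugin }}.yml"
  # Under molecule every plugin file in tasks/plugins/ is exercised; otherwise
  # only the plugins listed in vault_plugins_enable.
  loop: "{{ ('molecule-notest' not in ansible_skip_tags) | ternary(vault_plugins_enable,
    lookup('fileglob', 'tasks/plugins/*.yml', wantlist=true) | map('basename') | map('splitext') | map('first')) }}"
  loop_control:
    loop_var: _index_plugin
  args:
    apply:
      environment:
        VAULT_ADDR: "{{ lookup('env', 'VAULT_ADDR') |
          default(vault_tls_disable | ternary('http', 'https') ~ '://' ~ vault_addr ~ ':' ~ vault_port, true) }}"
        VAULT_CACERT: "{{ lookup('env', 'VAULT_CACERT') |
          default(vault_tls_config_path ~ '/' ~ vault_tls_ca_file if not (vault_tls_disable) else '', true) }}"
        # Falls back to the controller's ~/.vault-token; the token becomes part
        # of every included plugin task's environment (visible at high verbosity).
        VAULT_TOKEN: "{{ lookup('env', 'VAULT_TOKEN') | default(lookup('file', '~/.vault-token', errors='ignore'), true) }}"
  when: vault_plugin_install | bool

- name: Vault status
  debug:
    msg: "Vault is {{ vault_http_status[check_result.status | string] }}"
  tags:
    - check_vault
  when:
    - not vault_disable_api_health_check | bool
-------------------------------------------------------------------------------- /tasks/plugins/acme.yml: --------------------------------------------------------------------------------
---
- name: Looking up latest version of acme plugin
  set_fact:
    vault_plugin_acme_version: "{{ (lookup('url', 'https://api.github.com/repos/remilapeyre/vault-acme/releases', split_lines=false) |
      from_json)[0].get('tag_name') | replace('v', '') }}"
  when: 'vault_plugin_acme_version == "latest"'

- name: Vault acme plugin installation
  block:
    - name: Fetch acme vault plugin
      delegate_to: "{{ (vault_plugin_acme_install == 'local') | ternary('localhost', inventory_hostname) }}"
      block:
        - name: Install dependencies
          package:
            name: "{{ vault_os_packages }}"
            state: present
          become: true
          when:
            - (vault_plugin_acme_install == 'remote')
            - (vault_os_packages is defined) and (vault_os_packages | length > 0)

        - name: Create temporary directory for acme vault plugin
          file:
            path: "{{ (vault_plugin_acme_install == 'local') | ternary(vault_plugins_src_dir_local, vault_plugins_src_dir_remote) }}/acme"
            state: directory
            mode: "0755"
            owner: "{{ (vault_plugin_acme_install == 'local') | ternary(omit, vault_user) }}"
            group: "{{ (vault_plugin_acme_install == 'local') | ternary(omit, vault_group) }}"
          register: __vault_plugin_acme_zip_dir
          run_once: "{{ (vault_plugin_acme_install == 'local') }}"
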
| - name: Download acme vault plugin 33 | get_url: 34 | url: "{{ vault_plugin_acme_release_url }}/{{ vault_plugin_acme_zip }}" 35 | dest: "{{ __vault_plugin_acme_zip_dir.path }}" 36 | checksum: "sha256:{{ vault_plugin_acme_zip_sha256sum }}" 37 | mode: "0644" 38 | register: __vault_plugin_acme_zip_file 39 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 40 | 41 | - name: Extract acme vault plugin 42 | unarchive: 43 | remote_src: "{{ (vault_plugin_acme_install == 'remote') }}" 44 | src: "{{ __vault_plugin_acme_zip_file.dest }}" 45 | dest: "{{ __vault_plugin_acme_zip_dir.path }}" 46 | mode: "0644" 47 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 48 | 49 | - name: Install acme vault plugin 50 | copy: 51 | remote_src: "{{ (vault_plugin_acme_install == 'remote') }}" 52 | src: "{{ __vault_plugin_acme_zip_dir.path }}/{{ item.src }}" 53 | dest: "{{ item.dest }}" 54 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 55 | owner: "{{ vault_user }}" 56 | group: "{{ vault_group }}" 57 | when: (item.when | default(true)) 58 | loop: 59 | - src: "acme-plugin" 60 | dest: "{{ vault_plugin_path }}/acme" 61 | - src: "sidecar" 62 | dest: "/usr/local/bin/vault-acme-sidecar" 63 | when: "{{ vault_plugin_acme_sidecar_install }}" 64 | 65 | always: 66 | - name: "Clean up src directory" 67 | file: 68 | path: "{{ __vault_plugin_acme_zip_dir.path }}" 69 | state: absent 70 | delegate_to: "{{ (vault_plugin_acme_install == 'local') | ternary('localhost', inventory_hostname) }}" 71 | run_once: "{{ (vault_plugin_acme_install == 'local') }}" 72 | when: (vault_plugins_src_dir_cleanup) 73 | 74 | - name: "Check vault authentication" 75 | command: vault token lookup 76 | changed_when: false 77 | failed_when: false 78 | register: __vault_token_lookup 79 | no_log: true 80 | 81 | - name: Enable acme plugin 82 | when: 83 | - (check_result.status == 200) 84 | - (__vault_token_lookup.rc == 0) 85 | block: 86 | - name: "Look up registered acme plugin sha256" 87 | command: 
vault plugin info -field=sha256 secret acme 88 | changed_when: false 89 | failed_when: false 90 | register: __vault_plugin_acme_registered_sha256 91 | 92 | - name: "Get acme plugin sha256sum" 93 | stat: 94 | path: "{{ vault_plugin_path }}/acme" 95 | checksum_algorithm: sha256 96 | register: __vault_plugin_acme_sha256sum 97 | 98 | - name: "Register acme plugin in vault catalog" 99 | command: 100 | cmd: "vault write sys/plugins/catalog/secret/acme 101 | sha_256={{ __vault_plugin_acme_sha256sum.stat.checksum }} 102 | version={{ vault_plugin_acme_version }} command=acme" 103 | become: true 104 | become_user: "{{ vault_user }}" 105 | register: __vault_write_acme 106 | changed_when: __vault_write_acme.stdout is search('Success!') 107 | when: __vault_plugin_acme_registered_sha256.stdout != __vault_plugin_acme_sha256sum.stat.checksum 108 | 109 | - name: "Enable acme plugin" 110 | command: 111 | cmd: vault secrets enable -path acme -plugin-name acme plugin 112 | register: __vault_plugin_acme_enable 113 | changed_when: __vault_plugin_acme_enable.stdout is search('Enabled the acme secrets engine') 114 | failed_when: __vault_plugin_acme_enable.stdout is search('plugin not found in the catalog') 115 | -------------------------------------------------------------------------------- /tasks/tls.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # File: tasks/tls.yml - TLS tasks for Vault 3 | 4 | - name: Create TLS directory 5 | become: true 6 | file: 7 | dest: "{{ vault_tls_certs_path }}" 8 | state: directory 9 | owner: "{{ vault_user }}" 10 | group: "{{ vault_group }}" 11 | mode: "{{ vault_harden_file_perms | ternary('0555', '0755') }}" 12 | when: vault_tls_copy_keys | bool 13 | tags: 14 | - tls 15 | 16 | - name: Create private TLS directory 17 | file: 18 | dest: "{{ vault_tls_private_path }}" 19 | state: directory 20 | owner: "{{ vault_user }}" 21 | group: "{{ vault_group }}" 22 | mode: "{{ vault_harden_file_perms | ternary('0500', 
'0700') }}" 23 | when: 24 | - vault_tls_copy_keys | bool 25 | - vault_tls_certs_path != vault_tls_private_path 26 | tags: 27 | - tls 28 | 29 | - name: Vault SSL Certificate and Key 30 | become: true 31 | copy: 32 | remote_src: "{{ vault_tls_files_remote_src }}" 33 | src: "{{ item.src }}" 34 | dest: "{{ item.dest }}" 35 | owner: "{{ vault_user }}" 36 | group: "{{ vault_group }}" 37 | mode: "{{ item.mode }}" 38 | with_items: 39 | - src: "{{ vault_tls_src_files }}/{{ vault_tls_ca_file }}" 40 | dest: "{{ vault_tls_certs_path }}/{{ vault_tls_ca_file }}" 41 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 42 | - src: "{{ vault_tls_src_files }}/{{ vault_tls_cert_file }}" 43 | dest: "{{ vault_tls_certs_path }}/{{ vault_tls_cert_file }}" 44 | mode: "{{ vault_harden_file_perms | ternary('0444', '0644') }}" 45 | - src: "{{ vault_tls_src_files }}/{{ vault_tls_key_file }}" 46 | dest: "{{ vault_tls_private_path }}/{{ vault_tls_key_file }}" 47 | mode: "{{ vault_harden_file_perms | ternary('0400', '0600') }}" 48 | when: vault_tls_copy_keys | bool 49 | notify: 50 | - Restart vault 51 | - Reload vault 52 | tags: 53 | - tls 54 | -------------------------------------------------------------------------------- /templates/vault_backend_consul.j2: -------------------------------------------------------------------------------- 1 | backend "consul" { 2 | address = "{{ vault_consul }}" 3 | path = "{{ vault_consul_path }}" 4 | service = "{{ vault_consul_service }}" 5 | {% if vault_consul_token is defined and vault_consul_token %} 6 | token = "{{ vault_consul_token }}" 7 | {% endif %} 8 | scheme = "{{ vault_consul_scheme }}" 9 | {% if vault_tls_gossip | bool %} 10 | tls_ca_file="{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}" 11 | tls_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}" 12 | tls_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}" 13 | {% endif %} 14 | } 15 | 
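--------------------------------------------------------------------------------
/templates/vault_backend_dynamodb.j2:
--------------------------------------------------------------------------------
{# Static AWS credentials below are rendered in clear text into the config
   file; an instance/task role or the process environment avoids that. #}
backend "dynamodb" {
{% if vault_dynamodb is string and vault_dynamodb|length %}
  endpoint = "{{ vault_dynamodb }}"
{% endif %}
{% if vault_dynamodb_table is string and vault_dynamodb_table|length %}
  table = "{{ vault_dynamodb_table }}"
{% endif %}
{% if vault_dynamodb_ha_enabled | bool %}
  ha_enabled = "{{ vault_dynamodb_ha_enabled }}"
{% endif %}
{% if vault_dynamodb_max_parallel is string and vault_dynamodb_max_parallel|length %}
  max_parallel = "{{ vault_dynamodb_max_parallel }}"
{% endif %}
{% if vault_dynamodb_region is string and vault_dynamodb_region|length %}
  region = "{{ vault_dynamodb_region }}"
{% endif %}
{% if vault_dynamodb_read_capacity is defined and vault_dynamodb_read_capacity|int %}
  read_capacity = {{ vault_dynamodb_read_capacity }}
{% endif %}
{% if vault_dynamodb_write_capacity is defined and vault_dynamodb_write_capacity|int %}
  write_capacity = {{ vault_dynamodb_write_capacity }}
{% endif %}
{% if vault_dynamodb_access_key is string and vault_dynamodb_access_key|length %}
  access_key = "{{ vault_dynamodb_access_key }}"
{% endif %}
{% if vault_dynamodb_secret_key is string and vault_dynamodb_secret_key|length %}
  secret_key = "{{ vault_dynamodb_secret_key }}"
{% endif %}
{# Fixed: the guard tested the length of secret_key instead of session_token,
   so a session token set without a secret key was dropped, and an empty
   session_token = "" was rendered whenever a secret key was present. #}
{% if vault_dynamodb_session_token is string and vault_dynamodb_session_token|length %}
  session_token = "{{ vault_dynamodb_session_token }}"
{% endif %}
}
--------------------------------------------------------------------------------
/templates/vault_backend_etcd.j2:
--------------------------------------------------------------------------------
{# username/password are rendered in clear text; if vault_etcd is a plain http
   address they also travel unencrypted. vault_tls_gossip is reused here to
   enable client-certificate authentication to etcd. #}
backend "etcd" {
  address = "{{ vault_etcd }}"
  path = "{{ vault_etcd_path }}"
  api = "{{ vault_etcd_api }}"
  request_timeout = "{{ vault_etcd_request_timeout }}"
  lock_timeout = "{{ vault_etcd_lock_timeout }}"
  sync = "{{ vault_etcd_sync }}"
  ha_enabled = "{{ vault_etcd_ha_enabled }}"
{% if vault_etcd_discovery_srv is defined and vault_etcd_discovery_srv|length -%}
  discovery_srv = "{{ vault_etcd_discovery_srv }}"
  discovery_srv_name = "{{ vault_etcd_discovery_srv_name }}"
{% endif -%}
{% if vault_etcd_username is defined and vault_etcd_username|length -%}
  username = "{{ vault_etcd_username }}"
  password = "{{ vault_etcd_password }}"
{% endif -%}
{% if vault_tls_gossip | bool -%}
  tls_ca_file="{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}"
  tls_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}"
  tls_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}"
{% endif -%}
}
--------------------------------------------------------------------------------
/templates/vault_backend_file.j2:
--------------------------------------------------------------------------------
{# Single-node storage on local disk; the data directory holds the encrypted
   barrier and must not be readable by other users. #}
storage "file" {
  path = "{{ vault_data_path }}"
}
--------------------------------------------------------------------------------
/templates/vault_backend_gcs.j2:
--------------------------------------------------------------------------------
{# No credentials are rendered: authentication to GCS comes from the
   environment / workload identity. #}
storage "gcs" {
  bucket = "{{ vault_gcs_bucket }}"
  ha_enabled = "{{ vault_gcs_ha_enabled | bool | lower }}"
{% if vault_gcs_chunk_size is defined and vault_gcs_chunk_size|length -%}
  chunk_size = "{{ vault_gcs_chunk_size }}"
{% endif -%}
{% if vault_gcs_max_parallel is defined and vault_gcs_max_parallel|length -%}
  max_parallel = {{ vault_gcs_max_parallel }}
{% endif -%}
}
--------------------------------------------------------------------------------
/templates/vault_backend_mysql.j2: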
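--------------------------------------------------------------------------------
{# The database password is rendered in clear text. tls_ca_file is only
   emitted when configured; without it the MySQL connection is presumably not
   TLS-protected unless the server enforces it. #}
storage "mysql" {
  username = "{{ vault_mysql_username }}"
  password = "{{ vault_mysql_password }}"
{% if vault_mysql is defined and vault_mysql|length -%}
  address = "{{ vault_mysql }}"
{% endif -%}
{% if vault_mysql_database is defined and vault_mysql_database|length -%}
  database = "{{ vault_mysql_database }}"
{% endif -%}
{% if vault_mysql_table is defined and vault_mysql_table|length -%}
  table = "{{ vault_mysql_table }}"
{% endif -%}
{% if vault_mysql_tls_ca_file is defined and vault_mysql_tls_ca_file|length -%}
  tls_ca_file = "{{ vault_mysql_tls_ca_file }}"
{% endif -%}
{% if vault_mysql_max_parallel is defined and vault_mysql_max_parallel|length -%}
  max_parallel = "{{ vault_mysql_max_parallel }}"
{% endif -%}
{% if vault_mysql_max_idle_connections is defined and vault_mysql_max_idle_connections|length -%}
  max_idle_connections = "{{ vault_mysql_max_idle_connections }}"
{% endif -%}
{% if vault_mysql_max_connection_lifetime is defined and vault_mysql_max_connection_lifetime|length -%}
  max_connection_lifetime = "{{ vault_mysql_max_connection_lifetime }}"
{% endif -%}
}
--------------------------------------------------------------------------------
/templates/vault_backend_raft.j2:
--------------------------------------------------------------------------------
storage "raft" {
  path = "{{ vault_raft_data_path }}"
  node_id = "{{ vault_raft_node_id }}"
{% if vault_raft_performance_multiplier is defined and vault_raft_performance_multiplier %}
  performance_multiplier = "{{ vault_raft_performance_multiplier }}"
{% endif %}
{% if vault_raft_trailing_logs is defined and vault_raft_trailing_logs %}
  trailing_logs = "{{ vault_raft_trailing_logs }}"
{% endif %}
{% if vault_raft_snapshot_threshold is defined and vault_raft_snapshot_threshold %}
  snapshot_threshold = "{{ vault_raft_snapshot_threshold }}"
{% endif %}
{% if vault_raft_max_entry_size is defined and vault_raft_max_entry_size %}
  max_entry_size = "{{ vault_raft_max_entry_size }}"
{% endif %}
{% if vault_raft_autopilot_reconcile_interval is defined and vault_raft_autopilot_reconcile_interval %}
  autopilot_reconcile_interval = "{{ vault_raft_autopilot_reconcile_interval }}"
{% endif %}
{% if vault_raft_cloud_auto_join is defined and vault_raft_cloud_auto_join %}
  retry_join {
    auto_join = "{{ vault_raft_cloud_auto_join }}"
{% if vault_raft_cloud_auto_join_scheme is defined and vault_raft_cloud_auto_join_scheme %}
    auto_join_scheme = "{{ vault_raft_cloud_auto_join_scheme }}"
{% endif %}
{% if vault_raft_cloud_auto_join_port is defined and vault_raft_cloud_auto_join_port %}
    auto_join_port = "{{ vault_raft_cloud_auto_join_port }}"
{% endif %}
  }
{% endif %}
{# Static peers: when TLS is on and a client CA is configured the join uses the
   backend CA and a client certificate (mutual TLS). With TLS on but no client
   CA, only leader_api_addr is rendered, so leader verification presumably falls
   back to the system trust store. #}
{% if not vault_raft_cloud_auto_join_exclusive %}
{% for raft_peer in vault_raft_cluster_members | rejectattr('peer', 'equalto', inventory_hostname) %}
{% if not (vault_tls_disable | bool) and vault_tls_client_ca_file != "" %}
  retry_join {
    leader_api_addr = "{{ raft_peer.api_addr }}"
{% if vault_raft_leader_tls_servername is defined %}
    leader_tls_servername = "{{ vault_raft_leader_tls_servername }}"
{% endif %}
    leader_ca_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_ca_file }}"
    leader_client_cert_file = "{{ vault_backend_tls_certs_path }}/{{ vault_backend_tls_cert_file }}"
    leader_client_key_file = "{{ vault_backend_tls_private_path }}/{{ vault_backend_tls_key_file }}"
  }
{% else %}
  retry_join {
    leader_api_addr = "{{ raft_peer.api_addr }}"
  }
{% endif %}
{% endfor %}
{% endif %}
}

// HashiCorp recommends disabling mlock when using Raft.
// With mlock off, the barrier key material may be swapped to disk; this is
// only acceptable when swap is disabled or encrypted on the host.
disable_mlock = {{ vault_disable_mlock | default('true') | bool | lower }}
--------------------------------------------------------------------------------
/templates/vault_backend_s3.j2:
--------------------------------------------------------------------------------
{# access_key/secret_key are always rendered; empty values are the usual way to
   defer to an instance role or the environment rather than putting static
   credentials in this file. disable_ssl sends storage traffic in clear text
   and should only be true against a local test endpoint. #}
storage "s3" {
  access_key = "{{ vault_s3_access_key }}"
  secret_key = "{{ vault_s3_secret_key }}"
  bucket = "{{ vault_s3_bucket }}"
  region = "{{ vault_s3_region }}"
  disable_ssl = "{{ vault_s3_disable_ssl }}"

{# Fixed: the option was rendered under the role variable's own name
   (vault_s3_max_parallel), which is not the key the s3 backend reads; the
   Vault option is max_parallel, so the setting had no effect. #}
  max_parallel = "{{ vault_s3_max_parallel }}"

{% if vault_s3_endpoint is defined and vault_s3_endpoint|length -%}
  endpoint = "{{ vault_s3_endpoint }}"
{% endif %}
{% if vault_s3_kms_key_id is defined and vault_s3_kms_key_id|length -%}
  kms_key_id = "{{ vault_s3_kms_key_id }}"
{% endif %}
{% if vault_s3_session_token is defined and vault_s3_session_token|length -%}
  session_token = "{{ vault_s3_session_token }}"
{% endif %}

  s3_force_path_style = "{{ vault_s3_force_path_style }}"
}
--------------------------------------------------------------------------------
/templates/vault_entropy_seal.j2:
--------------------------------------------------------------------------------
entropy "seal" {
  mode = "augmentation"
}
--------------------------------------------------------------------------------
/templates/vault_logrotate.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

# copytruncate keeps the open file descriptor of the running server valid;
# the reload afterwards is best-effort (ignored when not running under systemd).
{{ vault_log_path }}/vault.log
{
  missingok
  copytruncate
  rotate {{ vault_logrotate_freq }}
  daily
  dateext
  compress
  postrotate
    /bin/systemctl reload vault 2> /dev/null || true
  endscript
}
--------------------------------------------------------------------------------
/templates/vault_main_configuration.hcl.j2: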
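--------------------------------------------------------------------------------
# {{ ansible_managed }}

cluster_name = "{{ vault_cluster_name }}"
max_lease_ttl = "{{ vault_max_lease_ttl }}"
default_lease_ttl = "{{ vault_default_lease_ttl }}"

disable_clustering = "{{ vault_cluster_disable }}"
cluster_addr = "{{ vault_cluster_addr }}"
api_addr = "{{ vault_api_addr }}"

plugin_directory = "{{ vault_plugin_path }}"

{% for l in vault_tcp_listeners %}
listener "tcp" {
  address = "{{ l.vault_address }}:{{ l.vault_port }}"
  cluster_address = "{{ l.vault_cluster_address }}"
{# proxy_protocol_authorized_addrs should name only the load balancer(s); any
   listed source may assert an arbitrary client address via PROXY headers. #}
{% if (l.vault_proxy_protocol_behavior is defined and l.vault_proxy_protocol_behavior) -%}
  proxy_protocol_behavior = "{{ l.vault_proxy_protocol_behavior }}"
{% if (l.vault_proxy_protocol_authorized_addrs is defined) -%}
  proxy_protocol_authorized_addrs = "{{ l.vault_proxy_protocol_authorized_addrs }}"
{% endif -%}
{% endif -%}
{% if not (l.vault_tls_disable | bool) -%}
{% if (l.vault_tls_client_ca_file is defined) -%}
  tls_client_ca_file="{{ l.vault_tls_certs_path }}/{{ l.vault_tls_client_ca_file }}"
{% endif -%}
  tls_cert_file = "{{ l.vault_tls_certs_path }}/{{ l.vault_tls_cert_file }}"
  tls_key_file = "{{ l.vault_tls_private_path }}/{{ l.vault_tls_key_file }}"
  tls_min_version = "{{ l.vault_tls_min_version }}"
{# Fixed: the guard checked the global vault_tls_cipher_suites while the value
   was taken from the per-listener entry. A listener without that key would
   raise an undefined-variable error, and a listener-only setting was never
   rendered. Guard and value now refer to the same per-listener key. #}
{% if (l.vault_tls_cipher_suites is defined and l.vault_tls_cipher_suites) -%}
  tls_cipher_suites = "{{ l.vault_tls_cipher_suites }}"
{% endif -%}
{% if (l.vault_tls_require_and_verify_client_cert | bool) -%}
  tls_require_and_verify_client_cert = "{{ l.vault_tls_require_and_verify_client_cert | bool | lower}}"
{% endif -%}
{% if (l.vault_tls_disable_client_certs | bool) -%}
  tls_disable_client_certs = "{{ l.vault_tls_disable_client_certs | bool | lower}}"
{% endif -%}
{% endif -%}
  tls_disable = "{{ l.vault_tls_disable | bool | lower }}"
{# x_forwarded_for_authorized_addrs must list only the proxies in front of
   Vault: any source in this list can set X-Forwarded-For and thereby spoof
   the client IP recorded in audit logs and used by IP-bound policies. #}
{% if (l.vault_x_forwarded_for_authorized_addrs is defined and l.vault_x_forwarded_for_authorized_addrs) -%}
  x_forwarded_for_authorized_addrs = "{{ l.vault_x_forwarded_for_authorized_addrs }}"
{% if (l.vault_x_forwarded_for_hop_skips is defined) -%}
  x_forwarded_for_hop_skips = "{{ l.vault_x_forwarded_for_hop_skips }}"
{% endif -%}
{% if (l.vault_x_forwarded_for_reject_not_authorized is defined) -%}
  x_forwarded_for_reject_not_authorized = "{{ l.vault_x_forwarded_for_reject_not_authorized | bool | lower }}"
{% endif -%}
{% if (l.vault_x_forwarded_for_reject_not_present is defined) -%}
  x_forwarded_for_reject_not_present = "{{ l.vault_x_forwarded_for_reject_not_present | bool | lower }}"
{% endif -%}
{% endif -%}
{# Serves /v1/sys/metrics without a token on every listener in this loop. #}
{% if (vault_unauthenticated_metrics_access | bool) -%}
  telemetry {
    unauthenticated_metrics_access = "true"
  }
{% endif %}
}
{% endfor %}

{# Plain-HTTP loopback listener: local processes reach the API without TLS,
   so tokens cross this socket unencrypted. Enable only when something on the
   host needs it. #}
{% if (vault_listener_localhost_enable | bool) -%}
listener "tcp" {
  address = "127.0.0.1:{{ vault_port }}"
  cluster_address = "127.0.0.1:8201"
  tls_disable = "true"
}
{% endif -%}

{#
  Select which storage backend you want generated and placed
  in the vault configuration file.
#}
{% if vault_backend == 'consul' -%}
{% include vault_backend_consul with context -%}
{% elif vault_backend == 'etcd' -%}
{% include vault_backend_etcd with context -%}
{% elif vault_backend == 'file' -%}
{% include vault_backend_file with context -%}
{% elif vault_backend == 's3' -%}
{% include vault_backend_s3 with context -%}
{% elif vault_backend == 'dynamodb' -%}
{% include vault_backend_dynamodb with context -%}
{% elif vault_backend == 'mysql' -%}
{% include vault_backend_mysql with context -%}
{% elif vault_backend == 'gcs' -%}
{% include vault_backend_gcs with context -%}
{% elif vault_backend == 'raft' -%}
{% include vault_backend_raft with context -%}
{% endif %}

{% if vault_service_registration_consul_enable -%}
{% include vault_service_registration_consul_template with context -%}
{% endif %}
{% if vault_service_registration_kubernetes_enable -%}
{% include vault_service_registration_kubernetes_template with context -%}
{% endif %}

{% if vault_ui -%}
ui = {{ vault_ui | bool | lower }}
{% endif %}

{% if vault_entropy_seal | bool -%}
{% include 'vault_entropy_seal.j2' with context %}
{% endif %}

{% if vault_enterprise_hsm | bool -%}
{% include vault_backend_seal with context %}
{% endif %}

{% if vault_gkms | bool -%}
{% include vault_backend_gkms with context %}
{% endif %}

{% if vault_ocikms | bool -%}
{% include vault_ocikms_backend with context %}
{% endif %}

{% if vault_telemetry_enabled | bool -%}
telemetry {
{% if vault_statsite_address is defined %}
  statsite_address = "{{vault_statsite_address}}"
{% endif -%}
{% if vault_statsd_address is defined %}
  statsd_address = "{{vault_statsd_address}}"
{% endif -%}
{% if vault_prometheus_retention_time is defined %}
  prometheus_retention_time = "{{ vault_prometheus_retention_time }}"
{% endif -%}
{% if vault_telemetry_disable_hostname is defined %}
  disable_hostname = {{vault_telemetry_disable_hostname | bool | lower }}
{% endif -%}
{% if vault_telemetry_usage_gauge_period is defined %}
  usage_gauge_period = "{{ vault_telemetry_usage_gauge_period }}"
{% endif -%}
}
{% endif -%}

{% if vault_configure_enterprise_license | bool -%}
license_path = "{{ vault_license_path }}"
{% endif -%}

{# Inserted verbatim and unvalidated: whoever controls this variable controls
   the whole server configuration (listeners, seal, storage). #}
{% if vault_custom_configuration is defined -%}
{{ vault_custom_configuration }}
{% endif -%}
--------------------------------------------------------------------------------
/templates/vault_seal_awskms.j2:
--------------------------------------------------------------------------------
seal "awskms" {
  kms_key_id = "{{ vault_awskms_key_id }}"
{% if vault_awskms_region is string and vault_awskms_region|length %}
  region = "{{ vault_awskms_region }}"
{% endif %}
{# Static keys here are rendered in clear text; an instance role or the
   environment avoids putting unseal-key credentials in this file. #}
{% if vault_awskms_access_key is string and vault_awskms_access_key|length %}
  access_key = "{{ vault_awskms_access_key }}"
{% endif %}
{% if vault_awskms_secret_key is string and vault_awskms_secret_key|length %}
  secret_key = "{{ vault_awskms_secret_key }}"
{% endif %}
{% if vault_awskms_endpoint is string and vault_awskms_endpoint|length %}
  endpoint = "{{ vault_awskms_endpoint }}"
{% endif %}
}
--------------------------------------------------------------------------------
/templates/vault_seal_azurekeyvault.j2:
--------------------------------------------------------------------------------
seal "azurekeyvault" {
  tenant_id = "{{ vault_azurekeyvault_tenant_id }}"
{% if vault_azurekeyvault_client_id is defined -%}
  client_id = "{{ vault_azurekeyvault_client_id }}"
{% endif -%}
{% if vault_azurekeyvault_client_secret is defined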
-%} 7 | client_secret = "{{ vault_azurekeyvault_client_secret }}" 8 | {% endif -%} 9 | {% if vault_azurekeyvault_vault_name is defined -%} 10 | vault_name = "{{ vault_azurekeyvault_vault_name }}" 11 | {% endif -%} 12 | {% if vault_azurekeyvault_key_name is defined -%} 13 | key_name = "{{ vault_azurekeyvault_key_name }}" 14 | {% endif -%} 15 | } 16 | -------------------------------------------------------------------------------- /templates/vault_seal_gcpkms.j2: -------------------------------------------------------------------------------- 1 | seal "gcpckms" { 2 | {% if vault_gkms_copy_sa and vault_gkms_credentials_src_file is defined and vault_gkms_credentials|length -%} 3 | credentials = "{{ vault_gkms_credentials }}" 4 | {% endif -%} 5 | project = "{{ vault_gkms_project }}" 6 | region = "{{ vault_gkms_region }}" 7 | key_ring = "{{ vault_gkms_key_ring }}" 8 | crypto_key = "{{ vault_gkms_crypto_key }}" 9 | } 10 | -------------------------------------------------------------------------------- /templates/vault_seal_ocikms.j2: -------------------------------------------------------------------------------- 1 | seal "ocikms" { 2 | key_id = "{{ vault_ocikms_key_id }}" 3 | auth_type_api_key = "{{ vault_ocikms_auth_type_api_key }}" 4 | {% if vault_ocikms_crypto_endpoint is string and vault_ocikms_crypto_endpoint|length %} 5 | crypto_endpoint = "{{ vault_ocikms_crypto_endpoint }}" 6 | {% endif %} 7 | {% if vault_ocikms_management_endpoint is string and vault_ocikms_management_endpoint|length %} 8 | management_endpoint = "{{ vault_ocikms_management_endpoint }}" 9 | {% endif %} 10 | } 11 | -------------------------------------------------------------------------------- /templates/vault_seal_pkcs11.j2: -------------------------------------------------------------------------------- 1 | seal "pkcs11" { 2 | lib = "{{ vault_seal_lib }}" 3 | {% if vault_softcard_enable %} 4 | token_label = "{{ vault_seal_token_label }}" 5 | {% else %} 6 | slot = "{{ vault_seal_slot }}" 7 | {% 
endif %} 8 | pin = "{{ vault_seal_pin }}" 9 | key_label = "{{ vault_seal_key_label }}" 10 | {% if vault_seal_hmac_key_label != '' %} 11 | hmac_key_label = "{{ vault_seal_hmac_key_label }}" 12 | {% endif %} 13 | generate_key = "{{ vault_seal_generate_key }}" 14 | {% if vault_seal_key_mechanism != '' %} 15 | mechanism = "{{ vault_seal_key_mechanism }}" 16 | {% endif %} 17 | } 18 | -------------------------------------------------------------------------------- /templates/vault_seal_transit.j2: -------------------------------------------------------------------------------- 1 | seal "transit" { 2 | address = "{{ vault_transit_address }}" 3 | token = "{{ vault_transit_token }}" 4 | disable_renewal = {{ '"true"' if vault_transit_disable_renewal else '"false"' }} 5 | 6 | // Key configuration 7 | key_name = "{{ vault_transit_key_name }}" 8 | mount_path = "{{ vault_transit_mount_path }}" 9 | {% if vault_transit_namespace is defined %} 10 | namespace = "{{ vault_transit_namespace }}" 11 | {% endif %} 12 | 13 | // TLS Configuration 14 | {% if vault_transit_tls_skip_verify | bool %} 15 | tls_skip_verify = "true" 16 | {% else %} 17 | tls_ca_cert = "{{ vault_backend_tls_certs_path }}/{{ vault_transit_tls_ca_cert_file }}" 18 | tls_client_cert = "{{ vault_backend_tls_certs_path }}/{{ vault_transit_tls_client_cert_file }}" 19 | tls_client_key = "{{ vault_backend_tls_private_path }}/{{ vault_transit_tls_client_key_file }}" 20 | {% if vault_transit_tls_server_name is defined %} 21 | tls_server_name = "{{ vault_transit_tls_server_name }}" 22 | {% endif %} 23 | {% endif %} 24 | } 25 | -------------------------------------------------------------------------------- /templates/vault_service_bsd_init.j2: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # {{ ansible_managed }} 3 | # 4 | # PROVIDE: vault 5 | # REQUIRE: LOGIN 6 | # KEYWORD: shutdown 7 | 8 | # shellcheck disable=SC1091,2034,2154 9 | . 
/etc/rc.subr 10 | 11 | name="vault" 12 | rcvar=$(set_rcvar) 13 | 14 | 15 | load_rc_config $name 16 | : "${vault_enable="NO"}" 17 | : "${vault_users="vault"}" 18 | 19 | restart_cmd=vault_restart 20 | start_cmd=vault_start 21 | stop_cmd=vault_stop 22 | 23 | vault_start() { 24 | echo "Starting ${name}." 25 | {% if vault_http_proxy -%} 26 | export HTTP_PROXY={{ vault_http_proxy }} 27 | {% endif -%} 28 | {% if vault_https_proxy -%} 29 | export HTTPS_PROXY={{ vault_https_proxy }} 30 | {% endif -%} 31 | {% if vault_no_proxy -%} 32 | export NO_PROXY={{ vault_no_proxy }} 33 | {% endif -%} 34 | for user in ${vault_users}; do 35 | mkdir /var/run/vault 36 | chown -R "{{ vault_user }}:{{ vault_group }}" /var/run/vault/ 37 | su -m "${user}" -c "{{ vault_bin_path }}/vault server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} {% if vault_log_level is defined %}-log-level={{ vault_log_level | lower }}{% endif %} {{ vault_exec_output }} &" 38 | done 39 | } 40 | 41 | vault_stop() { 42 | echo "Stopping $name." 
# NOTE(review): pgrep/pkill match the process-name pattern "vault", not the PIDs started by vault_start, so any other process whose name matches is signalled too — confirm this is acceptable. Capturing the PIDs first lets wait_for_pids block until they are gone.
43 | pids=$(pgrep vault)
44 | pkill vault
45 | wait_for_pids "${pids}"
46 | }
47 |
# Full stop followed by a fresh start.
48 | vault_restart() {
49 | vault_stop
50 | vault_start
51 | }
52 |
53 | run_rc_command "$1"
54 |
-------------------------------------------------------------------------------- /templates/vault_service_debian_init.j2: --------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # {{ ansible_managed }}
3 | #
4 | ### BEGIN INIT INFO
5 | # Provides: vault
6 | # Required-Start: $local_fs $remote_fs
7 | # Required-Stop: $local_fs $remote_fs
8 | # Default-Start: 2 3 4 5
9 | # Default-Stop: 0 1 6
10 | # Short-Description: Vault secret management tool
11 | # Description: Vault secret management tool
12 | ### END INIT INFO
13 |
14 | PATH="{{ vault_bin_path }}:/usr/sbin:/usr/bin:/sbin:/bin"
15 | DESC="Vault secret management tool"
16 | NAME=vault
17 | DAEMON="{{ vault_bin_path }}/$NAME"
18 | PIDFILE=/var/run/$NAME/$NAME.pid
# NOTE(review): -log-level is rendered unconditionally here, whereas vault_service_bsd_init.j2 guards it with "is defined", so this template requires vault_log_level to be set — align the two or add the guard.
19 | DAEMON_ARGS="server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} -log-level={{ vault_log_level | lower }} {{ vault_exec_output }}"
20 | USER={{ vault_user }}
21 | SCRIPTNAME=/etc/init.d/$NAME
22 |
# Nothing to do when the binary is missing or not executable.
23 | [ -x "$DAEMON" ] || exit 0
24 |
# Optional overrides from /etc/default.
25 | [ -r /etc/default/$NAME ] && . /etc/default/$NAME
26 |
27 | [ -f /etc/default/rcS ] && . /etc/default/rcS
28 |
29 | . /lib/lsb/init-functions
30 |
# Create the runtime directory for the pidfile and hand it to the service user.
31 | mkrundir() {
32 | [ !
-d /var/run/vault ] && mkdir -p /var/run/vault
33 | chown $USER /var/run/vault
34 | }
35 |
# Start the daemon as $USER under start-stop-daemon and poll for up to 30 seconds until it is running.
# Returns 0 when started, 1 when an instance was already running, 2 when it could not be started.
36 | do_start() {
37 | {% if vault_http_proxy -%}
38 | export HTTP_PROXY={{ vault_http_proxy }}
39 | {% endif -%}
40 | {% if vault_https_proxy -%}
41 | export HTTPS_PROXY={{ vault_https_proxy }}
42 | {% endif -%}
43 | {% if vault_no_proxy -%}
44 | export NO_PROXY={{ vault_no_proxy }}
45 | {% endif -%}
46 | mkrundir
# Dry run (--test) first: it fails when a matching instance already holds the pidfile.
47 | start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --chuid $USER --background --make-pidfile --test > /dev/null \
48 | || return 1
# The real start through a bash wrapper so DAEMON_ARGS (including vault_exec_output) is shell-parsed; --background is given twice here, which is harmless but redundant.
49 | start-stop-daemon --start --quiet --pidfile $PIDFILE --chuid $USER --background --make-pidfile --background \
50 | --startas /bin/bash -- -c "exec $DAEMON $DAEMON_ARGS" \
51 | || return 2
52 |
# NOTE(review): readiness poll. The '--stop --test' probe exits non-zero while the process is not yet running, but RETVAL is never reset to 0 once set and the loop has no break, so a daemon that needs more than a second to come up makes this return 2 (failure) although it is running. The usual shape is: on a successful probe set RETVAL=0 and break; otherwise RETVAL=2 and sleep 1.
53 | RETVAL=0
54 | for i in `seq 1 30`; do
55 | if ! start-stop-daemon --quiet --stop --test --pidfile $PIDFILE --exec $DAEMON --user $USER; then
56 | RETVAL=2
57 | sleep 1
58 | continue
59 | fi
60 | done
61 | return "$RETVAL"
62 | }
63 |
# Stop the pidfile's process with TERM, escalating to KILL after 30 seconds; then make sure no other instance of the binary is left (signal 0 only probes, KILL after 30 seconds) and remove the pidfile.
64 | do_stop() {
# NOTE(review): 'info' and 'leave' look like Consul agent subcommands carried over from a Consul init script rather than Vault ones; with stderr discarded this branch is most likely never taken — confirm and drop it if so.
65 | if ("${DAEMON}" info 2>/dev/null | grep -q 'server = false' 2>/dev/null) ; then
66 | "$DAEMON" leave
67 | fi
68 | start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
69 | RETVAL="$?"
70 | [ "$RETVAL" = 2 ] && return 2
71 | start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
72 | [ "$?" = 2 ] && return 2
73 | rm -f $PIDFILE
74 | return "$RETVAL"
75 | }
76 |
# Reload: send signal 1 (SIGHUP) to the pidfile's process.
77 | do_reload() {
78 | start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
79 | return 0
80 | }
81 |
# Dispatch on the requested action.
82 | case "$1" in
83 | start)
84 | [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
85 | do_start
86 | case "$?" in
87 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
88 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
89 | esac
90 | ;;
91 | stop)
92 | [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
93 | do_stop
94 | case "$?"
in
95 | 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
96 | 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
97 | esac
98 | ;;
# NOTE(review): after a restart, do_start's "already running" status (1) is reported as a failure here, whereas the start) branch treats 0 and 1 as success — align the two.
99 | restart)
100 | log_daemon_msg "Restarting $DESC" "$NAME"
101 | do_stop
102 | case "$?" in
103 | 0|1)
104 | do_start
105 | case "$?" in
106 | 0) log_end_msg 0
107 | ;;
108 | 1) log_end_msg 1
109 | ;;
110 | *) log_end_msg 1
111 | ;;
112 | esac
113 | ;;
114 | *)
115 | log_end_msg 1
116 | ;;
117 | esac
118 | ;;
119 | status)
120 | status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
121 | ;;
# NOTE(review): the usage text advertises force-reload, but no reload/force-reload branch exists and do_reload() is never called — add the branch or drop it from the usage text.
122 | *)
123 | echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
124 | exit 3
125 | ;;
126 | esac
127 | :
128 |
-------------------------------------------------------------------------------- /templates/vault_service_registration_consul.hcl.j2: --------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 |
# Consul service registration for this Vault node; the optional keys below are only emitted when the corresponding variable is defined and non-empty.
3 | service_registration "consul" {
4 | address = "{{ vault_service_registration_consul_address }}"
5 | check_timeout = "{{ vault_service_registration_consul_check_timeout }}"
6 | disable_registration = "{{ vault_service_registration_consul_disable_registration }}"
7 | scheme = "{{ vault_service_registration_consul_scheme }}"
8 | service = "{{ vault_service_registration_consul_service }}"
9 | service_tags = "{{ vault_service_registration_consul_service_tags }}"
10 | {% if vault_service_registration_consul_service_address is defined and vault_service_registration_consul_service_address %}
11 | service_address = "{{ vault_service_registration_consul_service_address }}"
12 | {% endif %}
# NOTE(review): the Consul ACL token is rendered in clear text — keep the rendered config readable by the vault user only (the file mode is set elsewhere in the role; confirm) and scope the token to service registration.
13 | {% if vault_service_registration_consul_token is defined and vault_service_registration_consul_token %}
14 | token = "{{ vault_service_registration_consul_token }}"
15 | {% endif %}
16 |
# TLS material is only rendered for the https scheme.
17 | {% if vault_service_registration_consul_scheme == "https" %}
18 | tls_ca_file="{{ vault_service_registration_consul_tls_certs_path }}/{{ vault_service_registration_consul_tls_ca_file }}"
19 |
tls_cert_file = "{{ vault_service_registration_consul_tls_certs_path }}/{{ vault_service_registration_consul_tls_cert_file }}"
20 | tls_key_file = "{{ vault_service_registration_consul_tls_private_path }}/{{ vault_service_registration_consul_tls_key_file }}"
21 | tls_min_version = "{{ vault_service_registration_consul_tls_min_version }}"
# When true this disables verification of Consul's server certificate, which defeats the CA file above — keep it false outside test environments.
22 | tls_skip_verify = "{{ vault_service_registration_consul_tls_skip_verify }}"
23 | {% endif %}
24 | }
25 |
-------------------------------------------------------------------------------- /templates/vault_service_registration_kubernetes.hcl.j2: --------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 |
# Kubernetes service registration: the pod and namespace this Vault instance runs in.
3 | service_registration "kubernetes" {
4 | namespace = "{{ vault_service_registration_kubernetes_namespace }}"
5 | pod_name = "{{ vault_service_registration_kubernetes_pod_name }}"
6 | }
7 |
-------------------------------------------------------------------------------- /templates/vault_service_systemd.j2: --------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 |
3 | [Unit]
4 | Description="HashiCorp Vault - A tool for managing secrets"
5 | Documentation=https://www.vaultproject.io/docs/
6 | Requires=network-online.target
7 | After=network-online.target
# The unit only starts when the rendered configuration (directory or single file) is present.
8 | {% if vault_use_config_path %}
9 | ConditionPathExists={{ vault_config_path }}
10 | {% else %}
11 | ConditionPathExists={{ vault_main_config }}
12 | {% endif %}
13 |
14 | [Service]
15 | User={{ vault_user }}
16 | Group={{ vault_group }}
# Filesystem and device sandboxing for the service process.
17 | ProtectSystem=full
18 | ProtectHome=read-only
19 | PrivateTmp=yes
20 | PrivateDevices=yes
# keep-caps retains the granted capabilities when the service drops to User=/Group=.
21 | SecureBits=keep-caps
# NOTE(review): Capabilities= is a legacy directive that newer systemd versions no longer recognise (it is logged as an unknown setting and ignored); AmbientCapabilities= below, rendered for systemd >= 230, together with CapabilityBoundingSet= is the supported way to keep CAP_IPC_LOCK (presumably for mlock) — confirm against the oldest systemd the role targets before dropping it.
22 | Capabilities=CAP_IPC_LOCK+ep
23 | {% if systemd_version.stdout is version('230', '>=') %}
24 | AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
25 | {% endif %}
# Together with NoNewPrivileges this confines the daemon to CAP_SYSLOG and CAP_IPC_LOCK and blocks setuid/setgid escalation.
26 | CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
27 | NoNewPrivileges=yes
28 | {% if vault_gcs_copy_sa and vault_gcs_credentials_src_file is defined and
vault_gcs_credentials_dst_file|length -%}
# Only rendered when the role also copies the GCS service-account file; presumably consumed by the GCS storage backend — confirm.
29 | Environment=GOOGLE_APPLICATION_CREDENTIALS={{ vault_gcs_credentials_dst_file }}
30 | {% endif -%}
31 | {% if vault_http_proxy -%}
32 | Environment=HTTP_PROXY={{ vault_http_proxy }}
33 | {% endif -%}
34 | {% if vault_https_proxy -%}
35 | Environment=HTTPS_PROXY={{ vault_https_proxy }}
36 | {% endif -%}
37 | {% if vault_no_proxy -%}
38 | Environment=NO_PROXY={{ vault_no_proxy }}
39 | {% endif -%}
# The /bin/sh wrapper is presumably there so vault_exec_output can carry a shell redirection (confirm); exec keeps the vault process as the unit's main PID. -log-level is rendered unconditionally, so vault_log_level must be defined.
40 | ExecStart=/bin/sh -c 'exec {{ vault_bin_path }}/vault server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} -log-level={{ vault_log_level | lower }} {{ vault_exec_output }}'
# SIGHUP to the main PID reloads; on stop only the main process gets SIGINT, with 30 seconds before systemd escalates.
41 | ExecReload=/bin/kill --signal HUP $MAINPID
42 | KillMode=process
43 | KillSignal=SIGINT
44 | Restart=on-failure
45 | RestartSec=5
46 | TimeoutStopSec=30
47 | StartLimitInterval=60
48 | StartLimitBurst=3
# LimitMEMLOCK=infinity lets the process lock memory (pairs with CAP_IPC_LOCK); LimitCORE=0 prevents core dumps, presumably so process memory holding key material is never written to disk.
49 | LimitNOFILE=524288
50 | LimitNPROC=524288
51 | LimitMEMLOCK=infinity
52 | LimitCORE=0
53 |
54 | [Install]
55 | WantedBy=multi-user.target
56 |
-------------------------------------------------------------------------------- /templates/vault_sysvinit.j2: --------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # {{ ansible_managed }}
3 | #
4 | # chkconfig: 2345 95 95
5 | # description: Vault secret management tool
6 | # processname: vault
7 | # pidfile: /var/run/vault/pidfile
8 |
9 | {% if ansible_distribution == "Ubuntu" %}
10 | . /lib/lsb/init-functions
11 | {% else %}
12 | . /etc/init.d/functions
13 | {% endif %}
14 |
# NOTE(review): the chkconfig header above names /var/run/vault/pidfile, but the script uses /var/run/vault/vault.pid — align the two. CONFIG is assigned but not referenced by start() or stop() in this script; confirm whether it is still needed.
15 | VAULT="{{ vault_bin_path }}/vault"
16 | CONFIG="{{ vault_config_path }}"
17 | PID_FILE=/var/run/vault/vault.pid
18 |
# Optional overrides from /etc/sysconfig.
19 | [ -e /etc/sysconfig/vault ] && . /etc/sysconfig/vault
20 |
# Sized to the host's CPU count at start time.
21 | export GOMAXPROCS=$(nproc)
22 |
# Create the runtime directory and hand it to the service user.
23 | mkrundir() {
24 | [ ! -d /var/run/vault ] && mkdir -p /var/run/vault
25 | chown {{ vault_user }} /var/run/vault
26 | }
27 |
# killproc addresses the process by pidfile by default; mkpidfile clears this when no usable pidfile can be produced.
28 | KILLPROC_OPT="-p ${PID_FILE}"
29 | mkpidfile() {
30 | mkrundir
31 | [ !
-f $PID_FILE ] && pidofproc $VAULT > $PID_FILE
32 | chown {{ vault_user }} /var/run/vault
# NOTE(review): this tests the exit status of the chown above, not of pidofproc; when no vault process is found the empty pidfile is kept and KILLPROC_OPT still points at it — confirm the intended order of these statements.
33 | if [ $? -ne 0 ] ; then
34 | rm $PID_FILE
35 | KILLPROC_OPT=""
36 | fi
37 | }
38 |
# Start the server as vault_user via daemon(); the lock file under /var/lock/subsys marks the service as running for condrestart.
39 | start() {
40 | echo -n "Starting vault: "
41 | {% if vault_http_proxy -%}
42 | export HTTP_PROXY={{ vault_http_proxy }}
43 | {% endif -%}
44 | {% if vault_https_proxy -%}
45 | export HTTPS_PROXY={{ vault_https_proxy }}
46 | {% endif -%}
47 | {% if vault_no_proxy -%}
48 | export NO_PROXY={{ vault_no_proxy }}
49 | {% endif -%}
50 | mkrundir
# Drop any stale pidfile before starting.
51 | [ -f $PID_FILE ] && rm $PID_FILE
# -log-level is only passed when vault_log_level is defined; vault_exec_output is appended verbatim (presumably an output redirection — confirm).
52 | daemon --user={{ vault_user }} \
53 | --pidfile="$PID_FILE" \
54 | "$VAULT" server -config={{ vault_config_path if vault_use_config_path else vault_main_config }} {% if vault_log_level is defined %}-log-level={{ vault_log_level | lower }}{% endif %} {{ vault_exec_output }} &
# NOTE(review): the daemon call is backgrounded with '&', so retcode is the status of the background fork (0), not of the server start — a failed start still reports success and still creates the lock file.
55 | retcode=$?
56 | touch /var/lock/subsys/vault
57 | return $retcode
58 | }
59 |
60 | stop() {
61 | echo -n "Shutting down vault: "
# NOTE(review): 'info' and 'leave' look like Consul agent subcommands carried over from a Consul init script rather than Vault ones; with stderr discarded this branch is most likely never taken — confirm and drop it if so.
62 | if ("${VAULT}" info 2>/dev/null | grep -q 'server = false' 2>/dev/null) ; then
63 | "$VAULT" leave
64 | fi
65 |
66 | mkpidfile
# Sends SIGKILL immediately, so the server gets no chance to shut down cleanly (the systemd unit in this role stops with SIGINT instead) — consider a TERM/INT first.
67 | killproc $KILLPROC_OPT $VAULT -9
68 |
69 | retcode=$?
70 | rm -f /var/lock/subsys/vault $PID_FILE
71 | return $retcode
72 | }
73 |
74 | case "$1" in
75 | start)
76 | start
77 | ;;
78 | stop)
79 | stop
80 | ;;
# NOTE(review): same Consul-looking 'info' subcommand as in stop(); as written status most likely always fails — a pidfile/pidofproc based check would be the usual shape. Confirm.
81 | status)
82 | "$VAULT" info
83 | ;;
84 | restart)
85 | stop
86 | start
87 | ;;
88 | reload)
89 | mkpidfile
90 | killproc $KILLPROC_OPT $VAULT -HUP
91 | ;;
# NOTE(review): no restart() function is defined in this script (only mkrundir, mkpidfile, start and stop), so condrestart fails with "command not found"; the restart) branch above calls stop then start — do the same here, e.g. `[ -f /var/lock/subsys/vault ] && { stop; start; } || :`.
92 | condrestart)
93 | [ -f /var/lock/subsys/vault ] && restart || :
94 | ;;
# The usage text omits condrestart.
95 | *)
96 | echo "Usage: vault {start|stop|status|reload|restart}"
97 | exit 1
98 | ;;
99 | esac
100 | exit $?
101 |
-------------------------------------------------------------------------------- /vars/Archlinux.yml: --------------------------------------------------------------------------------
1 | ---
2 | # File: vars/Archlinux.yml - Archlinux vars for Vault
3 |
# OS packages the role installs ahead of Vault itself (used by the install tasks — confirm which install path needs them).
4 | vault_os_packages:
5 | - git
6 | - unzip
7 |
-------------------------------------------------------------------------------- /vars/Debian.yml: --------------------------------------------------------------------------------
1 | ---
2 | # File: vars/Debian.yml - Debian vars for Vault
3 |
4 | vault_os_packages:
5 | - git
6 | - unzip
7 | - acl
8 |
# HashiCorp apt repository and its signing key; the key is fetched over HTTPS from the same host as the packages.
9 | _vault_repository_url: "https://apt.releases.hashicorp.com"
10 | _vault_repository_key_url: "{{ _vault_repository_url }}/gpg"
11 |
-------------------------------------------------------------------------------- /vars/Flatcar.yml: --------------------------------------------------------------------------------
1 | ---
2 | # File: vars/Flatcar.yml - Flatcar Linux vars for Vault
3 |
# No distribution packages are installed on Flatcar.
4 | vault_os_packages: []
5 |
# Flatcar-specific locations for the unit file, the binary and plugins.
6 | vault_systemd_unit_path: /etc/systemd/system
7 |
8 | vault_bin_path: /opt/bin
9 |
10 | vault_plugin_path: /opt/vault/plugins
11 |
-------------------------------------------------------------------------------- /vars/FreeBSD.yml: --------------------------------------------------------------------------------
1 | ---
2 | # File: FreeBSD.yml - FreeBSD OS variables for Vault
3 |
4 | vault_os_packages:
5 | - git
6 | - unzip
7 |
-------------------------------------------------------------------------------- /vars/RedHat.yml: --------------------------------------------------------------------------------
1 | ---
2 | # File: vars/RedHat.yml - Red Hat vars for Vault
3 |
# The SELinux python bindings package is named after the interpreter major version.
4 | vault_os_packages:
5 | - "{{ 'libselinux-python' if ansible_python_version is version('3', '<') else 'python3-libselinux' }}"
6 | - git
7 | - unzip
8 |
# Per-distribution HashiCorp rpm repository; Amazon Linux uses $releasever for single-character major versions and 'latest' otherwise.
9 | _vault_repository_url: "{% if (ansible_distribution | lower == 'fedora') %}\
10 |
https://rpm.releases.hashicorp.com/fedora/$releasever/$basearch/stable\
11 | {% elif (ansible_distribution | lower == 'amazon') %}\
12 | https://rpm.releases.hashicorp.com/AmazonLinux/{{ '$releasever' if (ansible_distribution_major_version | length <= 1) else 'latest' }}/$basearch/stable
13 | {% else %}\
14 | https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable\
15 | {% endif %}"
# NOTE(review): the AmazonLinux branch above lacks the trailing backslash the other branches carry, so YAML folds its line break into a space and the rendered URL ends with a blank before the else tag — confirm and add the backslash.
# The signing key is fetched from the repository host's root, independent of the per-distribution path.
16 | _vault_repository_key_url: "{{ _vault_repository_url | urlsplit('scheme') }}://{{ _vault_repository_url | urlsplit('netloc') }}/gpg"
17 |
-------------------------------------------------------------------------------- /vars/main.yml: --------------------------------------------------------------------------------
1 | ---
# Meaning of the HTTP status codes the role expects from Vault (presumably the health endpoint — confirm where this map is consumed).
2 | vault_http_status:
3 | '200': 'initialized, unsealed, and active'
4 | '429': 'unsealed and standby'
5 | '472': 'data recovery mode replication secondary and active'
6 | '473': 'performance standby'
7 | '501': 'not initialized'
8 | '503': 'sealed'
9 |
10 | # Supported *nix distributions
11 | _vault_nix_distros:
12 | - 'AlmaLinux'
13 | - 'Amazon'
14 | - 'Amazon Linux 2'
15 | - 'Archlinux'
16 | - 'CentOS'
17 | - 'Debian'
18 | - 'Fedora'
19 | - 'Flatcar'
20 | - 'FreeBSD'
21 | - 'OracleLinux'
22 | - 'RedHat'
23 | - 'Rocky'
24 | - 'Ubuntu'
25 |
-------------------------------------------------------------------------------- /vault_releases.md: --------------------------------------------------------------------------------
1 | # Vault Releases
2 |
3 | From the [official release channels](https://www.hashicorp.com/official-release-channels),
4 | this role supports [Linux Repositories](https://www.hashicorp.com/official-packaging-guide)
5 | and the [Release Site](https://releases.hashicorp.com).
6 |
7 | The enterprise edition comes with optional support for
8 | [HSM](https://developer.hashicorp.com/vault/docs/enterprise/hsm)
9 | and/or [FIPS](https://developer.hashicorp.com/vault/docs/enterprise/fips).
10 | 11 | ## Release Site 12 | 13 | The download URLs on the release site follow this format: 14 | ``` 15 | https://releases.hashicorp.com/vault/1.18.2/vault_1.18.2_linux_amd64.zip 16 | https://releases.hashicorp.com/vault/1.18.2+ent/vault_1.18.2+ent_linux_amd64.zip 17 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm/vault_1.18.2+ent.hsm_linux_amd64.zip 18 | https://releases.hashicorp.com/vault/1.18.1+ent.hsm.fips1402/vault_1.18.1+ent.hsm.fips1402_linux_amd64.zip 19 | ``` 20 | 21 | The checksum files follow the same naming scheme: 22 | ``` 23 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS 24 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS.sig 25 | https://releases.hashicorp.com/vault/1.18.2+ent.hsm.fips1402/vault_1.18.2+ent.hsm.fips1402_SHA256SUMS.72D7468F.sig 26 | ``` 27 | 28 | Note that the directory and file name of the enterprise edition 29 | contain `+ent`, and that the HSM and FIPS variants are marked by the additional `.hsm` and 30 | `.fips1402` suffixes, respectively.
31 | 32 | ## Linux Repositories 33 | 34 | ### Debian 35 | 36 | ``` 37 | $ apt-cache show $(apt-cache search vault | awk '{print $1}') | grep -E 'Package|Maintainer' | grep HashiCorp -B1 | grep Package | sort -u 38 | Package: consul-template 39 | Package: envconsul 40 | Package: vault 41 | Package: vault-benchmark 42 | Package: vault-enterprise 43 | Package: vault-enterprise-fips1402 44 | Package: vault-enterprise-hsm 45 | Package: vault-enterprise-hsm-fips1402 46 | Package: vault-radar 47 | Package: vault-secrets-gateway 48 | ``` 49 | 50 | ``` 51 | $ apt-cache madison vault-enterprise 52 | vault-enterprise | 1.18.2+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 53 | vault-enterprise | 1.18.1+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 54 | vault-enterprise | 1.18.0+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 55 | vault-enterprise | 1.17.9+ent-1 | https://apt.releases.hashicorp.com bookworm/main amd64 Packages 56 | ... 57 | ``` 58 | 59 | To install a specific version of a package, the version is added to the package name with a `=`, e.g.: 60 | ``` 61 | $ apt-get install vault-enterprise=1.18.2+ent-1 62 | ``` 63 | The trailing `-1` is mandatory. 
64 | 65 | ### RPM 66 | 67 | The format of the package name and version for RPM is: 68 | ``` 69 | $ dnf list available | grep hashicorp | grep vault 70 | vault.x86_64 1.18.2-1 hashicorp 71 | vault-benchmark.x86_64 0.3.0-1 hashicorp 72 | vault-enterprise.i386 1.9.4+ent-1 hashicorp 73 | vault-enterprise.armv7hl 1.11.2+ent-1 hashicorp 74 | vault-enterprise.x86_64 1.18.2+ent-1 hashicorp 75 | vault-enterprise-fips1402.x86_64 1.18.2+ent-1 hashicorp 76 | vault-enterprise-hsm.x86_64 1.18.2+ent-1 hashicorp 77 | vault-enterprise-hsm-fips1402.x86_64 1.18.2+ent-1 hashicorp 78 | vault-radar.x86_64 0.19.0-1 hashicorp 79 | vault-secrets-gateway.x86_64 0.1.5-1 hashicorp 80 | ``` 81 | 82 | To install a specific version of a package, the version is added to the package name with a `-`, e.g.: 83 | ``` 84 | $ dnf install vault-enterprise-1.18.2+ent 85 | ``` 86 | Note that, unlike the Debian package, the trailing `-1` is not required here. 87 | -------------------------------------------------------------------------------- /version.txt: -------------------------------------------------------------------------------- 1 | v2.5.9 2 | --------------------------------------------------------------------------------