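---
# Unseal every Vault node in the `servers` group using the unseal keys that
# `vault operator init` wrote to `vault_bootstrap_init_local_path` on the
# controller (text output with "Unseal Key N: <key>" lines).
#
# Security notes on this revision:
#   * TLS verification is ON by default. The previous version exported
#     VAULT_SKIP_VERIFY=true next to VAULT_CACERT, which silently disabled
#     certificate checking even though a CA bundle was provided -- the unseal
#     keys travel over that connection, so an on-path attacker could capture
#     them. Set `vault_validate_certs: false` only for throw-away demo setups
#     whose certificate does not match the address in `vault_address`.
#   * Keys are sent with the HTTP API instead of `vault operator unseal <key>`:
#     a key on the command line is readable in the process table (/proc) by
#     every local user on the managed host; `no_log` only hides it from
#     Ansible's own output.
#   * Every task that touches a key carries `no_log: true`; the earlier
#     `set_fact` tasks did not and printed the keys under `-v`.
- name: "AT Computing - HashiCorp Demo - Vault"
  hosts: servers
  become: true
  vars_files:
    - vars/hashicorp/general.yml
    - vars/hashicorp/vault.yml
    - vars/hashicorp/ssl.yml
  tasks:
    # `sys/seal-status` is unauthenticated and returns JSON: `sealed` (bool)
    # and the unseal threshold `t`. This replaces grep/awk scraping of
    # `vault status`, which depends on the human-readable table format.
    - name: "HashiCorp - Vault : Check the seal status."
      ansible.builtin.uri:
        url: "{{ vault_address }}/v1/sys/seal-status"
        method: GET
        return_content: true
        validate_certs: "{{ vault_validate_certs | default(true) }}"
        ca_path: "{{ vault_ssl_ca_dest }}"
        status_code: 200
      changed_when: false
      register: vault_seal_status

    - name: Unseal
      block:
        # `lookup('file', ...)` is evaluated on the controller, so the init
        # output never leaves it. `regex_findall` collects every key line in
        # file order, independent of exact line positions. Deliberately no
        # `run_once`: with `run_once` the `when` of this block is only
        # evaluated on the first host, so a sealed second node would never
        # get the fact set. Reading a small local file per host is cheap.
        - name: "HashiCorp - Vault : Read the unseal keys from the local init output."
          ansible.builtin.set_fact:
            vault_unseal_keys: >-
              {{ lookup('file', vault_bootstrap_init_local_path)
                 | regex_findall('Unseal Key [0-9]+: (\\S+)') }}
          no_log: true

        # Fail early with a clear message instead of an undefined-index error
        # inside the loop below. The message contains counts only, no keys.
        - name: "HashiCorp - Vault : Ensure enough unseal keys were found."
          ansible.builtin.assert:
            that:
              - vault_unseal_keys | length >= vault_seal_status.json.t
            fail_msg: >-
              Found {{ vault_unseal_keys | length }} unseal key(s) in
              {{ vault_bootstrap_init_local_path }}, but the seal threshold of
              {{ vault_address }} is {{ vault_seal_status.json.t }}.
            quiet: true

        # Submit exactly `t` keys (the threshold reported by the node) via the
        # unauthenticated `sys/unseal` endpoint. Each response is the current
        # seal status, so the last one tells us whether the node came up.
        - name: "HashiCorp - Vault : Ensure the Vault is unsealed."
          ansible.builtin.uri:
            url: "{{ vault_address }}/v1/sys/unseal"
            method: PUT
            body_format: json
            body:
              key: "{{ item }}"
            return_content: true
            validate_certs: "{{ vault_validate_certs | default(true) }}"
            ca_path: "{{ vault_ssl_ca_dest }}"
            status_code: 200
          loop: "{{ vault_unseal_keys[:vault_seal_status.json.t] }}"
          no_log: true
          changed_when: true
          register: vault_unseal_result

        # The registered variable keeps the API replies even with `no_log`;
        # only the `sealed` flag of the last reply is inspected here and the
        # failure message never echoes a key.
        - name: "HashiCorp - Vault : Verify the Vault is unsealed."
          ansible.builtin.assert:
            that:
              - not (vault_unseal_result.results[-1].json.sealed | bool)
            fail_msg: >-
              {{ vault_address }} is still sealed after submitting
              {{ vault_seal_status.json.t }} unseal key(s).
            quiet: true
      when: vault_seal_status.json.sealed | bool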