make a new 1 hour ttl mount for dock-init creds

Bryan Kendall · Bryan Kendall · commit 3ecbd184820a · 2016-06-01T14:35:57.000-07:00
diff --git a/ansible/vault-values.yml b/ansible/vault-values.yml
@@ -4,45 +4,21 @@
     - group_vars/alpha-vault.yml
   tasks:
     - name: make sure httplib2 is installed
+      run_once: true
       become: true
       apt: package=python-httplib2 state=present
 
-    - name: get seal status
-      tags: [unseal]
-      run_once: true
-      uri:
-        method=GET
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        return_content=yes
-      register: seal_status
-
-    - name: unseal vault
-      tags: [unseal]
-      run_once: true
-      when: seal_status.json.sealed
-      uri:
-        method=PUT
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/unseal
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        body_format=json
-        body='{{ item | to_json }}'
-      with_items:
-        - key: "{{ vault_token_01 }}"
-        - key: "{{ vault_token_02 }}"
-        - key: "{{ vault_token_03 }}"
-
-    - name: put values into vault
-      run_once: true
-      when: write_values is defined
-      uri:
-        method=PUT
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/{{ item.key }}
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        body_format=json
-        body='{{ item.data | to_json }}'
-        status_code=200,204
-      with_items: "{{ vault_seed_values }}"
+    # - name: put values into vault
+    #   run_once: true
+    #   when: write_values is defined
+    #   uri:
+    #     method=PUT
+    #     url=http://{{ ansible_default_ipv4.address }}:8200/v1/{{ item.key }}
+    #     HEADER_X-Vault-Token="{{ vault_auth_token }}"
+    #     body_format=json
+    #     body='{{ item.data | to_json }}'
+    #     status_code=200,204
+    #   with_items: "{{ vault_seed_values }}"
 
     - name: check for aws backend in vault
       run_once: true
@@ -56,23 +32,28 @@
 
     - name: mount aws backend in vault
       run_once: true
-      when: write_values is defined and mounts.json['aws/'] is not defined
+      when: write_values is defined and mounts.json['aws_1h/'] is not defined
       uri:
         method=POST
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws_1h
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         body_format=json
         body='{{ item | to_json }}'
         status_code=204
       with_items:
         - type: "aws"
+          config:
+            default_lease_ttl: "3600s" # 1 hour, in seconds
+            max_lease_ttl: "3600s" # 1 hour, in seconds
 
     - name: configure aws root credentials
       run_once: true
       when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws/'] is not defined)
       uri:
         method=POST
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/config/root
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/config/root
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         body_format=json
         body='{{ item | to_json }}'
@@ -88,7 +69,8 @@
       when: write_values is defined
       uri:
         method=GET
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/roles/dock-init
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         status_code=200,404
       register: role
@@ -98,19 +80,12 @@
       when: write_values is defined and role.status == 404
       uri:
         method=POST
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/roles/dock-init
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         body_format=json
         body='{{ item | to_json | replace("\\\\", "") }}'
         status_code=204
       register: creds
       with_items:
         - policy: "{{ vault_seed_policy }}"
-
-    - name: seal vault
-      run_once: true
-      uri:
-        method=PUT
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        status_code=204
