Merge pull request #492 from CodeNow/one-year-mount

add 1 year backend for aws

Author: anandkumarpatel

ansible/roles/vault/tasks/main.yml

@@ -21,6 +21,7 @@
     recurse=yes
 
 - name: copy vault config
+  tags: [ deploy ]
   become: true
   template:
     src=vault.hcl

ansible/roles/vault/templates/vault.hcl

@@ -19,3 +19,5 @@ listener "tcp" {
   tls_cert_file = "/opt/vault/server/cert.pem"
   tls_key_file = "/opt/vault/server/key.pem"
 }
+
+max_lease_ttl = "8760h"

ansible/vault-values.yml

@@ -30,7 +30,7 @@
         return_content=yes
       register: mounts
 
-    - name: mount aws backend in vault
+    - name: mount 1h aws backend in vault
       run_once: true
       when: write_values is defined and mounts.json['aws_1h/'] is not defined
       uri:
@@ -47,9 +47,26 @@
             default_lease_ttl: "3600s" # 1 hour, in seconds
             max_lease_ttl: "3600s" # 1 hour, in seconds
 
-    - name: configure aws root credentials
+    - name: mount 1yr aws backend in vault
       run_once: true
-      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws/'] is not defined)
+      when: write_values is defined and mounts.json['aws_1yr/'] is not defined
+      uri:
+        method=POST
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws_1yr
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+        status_code=204
+      with_items:
+        - type: "aws"
+          config:
+            default_lease_ttl: "8760h" # 1 year, in hours
+            max_lease_ttl: "8760h" # 1 year, in hours
+
+    - name: configure 1h aws root credentials
+      run_once: true
+      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws_1h/'] is not defined)
       uri:
         method=POST
         follow_redirects=all
@@ -64,6 +81,23 @@
           secret_key: "{{ vault_aws_secret_key }}"
           region: "{{ vault_aws_region }}"
 
+    - name: configure 1yr aws root credentials
+      run_once: true
+      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws_1yr/'] is not defined)
+      uri:
+        method=POST
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1yr/config/root
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+        status_code=204
+      register: creds
+      with_items:
+        - access_key: "{{ vault_aws_access_key_id }}"
+          secret_key: "{{ vault_aws_secret_key }}"
+          region: "{{ vault_aws_region }}"
+
     - name: check for the dock-init role
       run_once: true
       when: write_values is defined

ansible/vault.yml

@@ -10,6 +10,7 @@
 
   tasks:
   - name: get seal status
+    tags: [ deploy ]
     uri:
       method=GET
       url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status
@@ -18,6 +19,7 @@
     register: seal_status
 
   - name: unseal vault
+    tags: [ deploy ]
     when: seal_status.json.sealed
     uri:
       method=PUT