add vault values playbook

Author: Bryan Kendall

ansible/gamma-hosts/variables

@@ -45,6 +45,16 @@ aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q
 aws_secret_access_key=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
 shiva_rollbar_key=0526a90faec845d796e1ef5361a00526
 
+[vault:vars]
+vault_auth_token=e22c3ebc-11cf-653b-7df0-79d78a499458
+vault_token_01=71d7b4754686013c8b9cfb22bafae79c661849dcd67c483c89efba12c0466aa201
+vault_token_02=794d6f7a3459c332a1fd2bbcc9230a7f84f1639806039ee8be547828cd7ab03a02
+vault_token_03=2e67faeffe4343c038d0f3210bdb83f3d3a5bc468975cf13e977ce9b5922aefe03
+vault_hello_runnable_github_token=88ddc423c2312d02a8bbcaad76dd4c374a30e4af
+vault_aws_access_key_id=AKIAJ7R4UIM45KH2WGWQ
+vault_aws_secret_key=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
+vault_aws_region=us-east-1
+
 [gamma:vars]
 ansible_ssh_private_key_file=~/.ssh/gamma.pem
 datadog_host_address=10.4.6.251

ansible/group_vars/alpha-vault.yml

@@ -20,3 +20,23 @@ container_run_args: >
   -log-level=warn
   -config=/vault.hcl
   > /var/log/vault.log 2>&1
+
+# vault seed data
+# pulled 2015/16/12 - Bryan
+vault_seed_values:
+  - key: secret/loggly
+    data:
+      token: f673760d-e0b3-4a93-a15e-2862ea074f91
+  - key: secret/rabbitmq
+    data:
+      username: "{{ rabbit_username }}"
+      password: "{{ rabbit_password }}"
+  - key: secret/github/hellorunnable
+    data:
+      token: "{{ vault_hello_runnable_github_token }}"
+  - key: secret/swarm
+    data:
+      token: "{{ swarm_token }}"
+
+# for the love of all that you find holy, don't change the following unless you _KNOW WHAT YOU ARE DOING_.
+vault_seed_policy: "{\\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": [{\\\"Action\\\": [\\\"ec2:DescribeInstances\\\", \\\"ec2:DescribeTags\\\"], \\\"Resource\\\": [\\\"*\\\"], \\\"Effect\\\": \\\"Allow\\\", \\\"Sid\\\": \\\"Stmt1445655064000\\\"}]}"

ansible/vault-values.yml

@@ -0,0 +1,116 @@
+---
+- hosts: vault
+  vars_files:
+    - group_vars/alpha-vault.yml
+  tasks:
+    - name: make sure httplib2 is installed
+      sudo: yes
+      apt: package=python-httplib2 state=present
+
+    - name: get seal status
+      tags: [unseal]
+      run_once: true
+      uri:
+        method=GET
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        return_content=yes
+      register: seal_status
+
+    - name: unseal vault
+      tags: [unseal]
+      run_once: true
+      when: seal_status.json.sealed
+      uri:
+        method=PUT
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/unseal
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+      with_items:
+        - key: "{{ vault_token_01 }}"
+        - key: "{{ vault_token_02 }}"
+        - key: "{{ vault_token_03 }}"
+
+    - name: put values into vault
+      run_once: true
+      when: write_values is defined
+      uri:
+        method=PUT
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/{{ item.key }}
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item.data | to_json }}'
+        status_code=200,204
+      with_items: "{{ vault_seed_values }}"
+
+    - name: check for aws backend in vault
+      run_once: true
+      when: write_values is defined
+      uri:
+        method=GET
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        return_content=yes
+      register: mounts
+
+    - name: mount aws backend in vault
+      run_once: true
+      when: write_values is defined and mounts.json['aws/'] is not defined
+      uri:
+        method=POST
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+        status_code=204
+      with_items:
+        - type: "aws"
+
+    - name: configure aws root credentials
+      run_once: true
+      when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws/'] is not defined)
+      uri:
+        method=POST
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/config/root
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json }}'
+        status_code=204
+      register: creds
+      with_items:
+        - access_key: "{{ vault_aws_access_key_id }}"
+          secret_key: "{{ vault_aws_secret_key }}"
+          region: "{{ vault_aws_region }}"
+
+    - name: check for the dock-init role
+      run_once: true
+      when: write_values is defined
+      uri:
+        method=GET
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        status_code=200,404
+      register: role
+
+    - name: write the dock-init role
+      run_once: true
+      when: write_values is defined and role.status == 404
+      uri:
+        method=POST
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        body_format=json
+        body='{{ item | to_json | replace("\\\\", "") }}'
+        status_code=204
+      register: creds
+      with_items:
+        - policy: "{{ vault_seed_policy }}"
+
+    - name: seal vault
+      run_once: true
+      uri:
+        method=PUT
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal
+        HEADER_X-Vault-Token="{{ vault_auth_token }}"
+        status_code=204