Merge pull request #484 from CodeNow/new-one-hour-aws-mount

New one hour aws mount

Author: anandkumarpatel

ansible/vault-values.yml

@@ -4,34 +4,10 @@
     - group_vars/alpha-vault.yml
   tasks:
     - name: make sure httplib2 is installed
+      run_once: true
       become: true
       apt: package=python-httplib2 state=present
 
-    - name: get seal status
-      tags: [unseal]
-      run_once: true
-      uri:
-        method=GET
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal-status
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        return_content=yes
-      register: seal_status
-
-    - name: unseal vault
-      tags: [unseal]
-      run_once: true
-      when: seal_status.json.sealed
-      uri:
-        method=PUT
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/unseal
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        body_format=json
-        body='{{ item | to_json }}'
-      with_items:
-        - key: "{{ vault_token_01 }}"
-        - key: "{{ vault_token_02 }}"
-        - key: "{{ vault_token_03 }}"
-
     - name: put values into vault
       run_once: true
       when: write_values is defined
@@ -56,23 +32,28 @@
 
     - name: mount aws backend in vault
       run_once: true
-      when: write_values is defined and mounts.json['aws/'] is not defined
+      when: write_values is defined and mounts.json['aws_1h/'] is not defined
       uri:
         method=POST
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/mounts/aws_1h
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         body_format=json
         body='{{ item | to_json }}'
         status_code=204
       with_items:
         - type: "aws"
+          config:
+            default_lease_ttl: "3600s" # 1 hour, in seconds
+            max_lease_ttl: "3600s" # 1 hour, in seconds
 
     - name: configure aws root credentials
       run_once: true
       when: (write_values is defined and write_root_creds is defined) or (write_values is defined and mounts.json['aws/'] is not defined)
       uri:
         method=POST
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/config/root
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/config/root
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         body_format=json
         body='{{ item | to_json }}'
@@ -88,7 +69,8 @@
       when: write_values is defined
       uri:
         method=GET
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/roles/dock-init
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         status_code=200,404
       register: role
@@ -98,19 +80,12 @@
       when: write_values is defined and role.status == 404
       uri:
         method=POST
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws/roles/dock-init
+        follow_redirects=all
+        url=http://{{ ansible_default_ipv4.address }}:8200/v1/aws_1h/roles/dock-init
         HEADER_X-Vault-Token="{{ vault_auth_token }}"
         body_format=json
         body='{{ item | to_json | replace("\\\\", "") }}'
         status_code=204
       register: creds
       with_items:
         - policy: "{{ vault_seed_policy }}"
-
-    - name: seal vault
-      run_once: true
-      uri:
-        method=PUT
-        url=http://{{ ansible_default_ipv4.address }}:8200/v1/sys/seal
-        HEADER_X-Vault-Token="{{ vault_auth_token }}"
-        status_code=204