robertdebock.vault_snapshot

Ansible Role for Vault Snapshot

This role configures scheduled (automated) Raft snapshots on a Vault Enterprise cluster using Ansible, writing each snapshot to local disk, AWS S3 or Azure Blob storage.

GitHub GitLab Downloads Version

Example Playbook

Here's a simple example taken from molecule/default/converge.yml, which is tested with each code change. It is written for the test environment: vault_snapshot_ssl_verify: false disables TLS certificate verification, the token is the root token that prepare.yml writes to /root/.vault-token, and the cloud credentials are literal values in the playbook. For a real deployment keep vault_snapshot_ssl_verify at its default of true, use a token whose policy is limited to the snapshot configuration paths rather than the root token, and load the storage credentials from a lookup or vault instead of committing them.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  pre_tasks:
    - name: Read token from remote machine
      ansible.builtin.slurp:
        src: /root/.vault-token
      register: token_raw

  roles:
    - role: robertdebock.vault_snapshot
      vault_snapshot_token: "{{ token_raw['content'] | b64decode }}"
      vault_snapshot_ssl_verify: false
      vault_snapshot_schedules:
        - name: hourly
          interval_seconds: 3600
          retain: 24
          path_prefix: /opt/vault/snapshots/
          storage_type: local
          local_max_space: 1073741824
        - name: hourly-aws
          interval_seconds: 3600
          retain: 24
          path_prefix: /hourly
          storage_type: aws-s3
          aws_s3_bucket: my-bucket
          aws_s3_region: eu-central-1
          aws_access_key_id: some_key
          aws_secret_access_key: some_secret
          aws_s3_enable_kms: false
        - name: hourly-azure
          interval_seconds: 3600
          retain: 24
          path_prefix: /hourly/
          storage_type: azure-blob
          azure_container_name: my-blob
          azure_account_name: some_account
          azure_account_key: some_key
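To show what each entry in vault_snapshot_schedules corresponds to on the Vault side, here is an added Python example (not part of the role or its tests) that maps a schedule in the role's format onto Vault Enterprise's automated snapshot configuration endpoint, sys/storage/raft/snapshot-auto/config/<name>, validates it before sending, and keeps secrets out of its log output. The mapping of interval_seconds to the API's interval field, the set of keys required per storage_type, and the redact/apply_schedule helpers are assumptions for illustration, not the role's own tasks; the token file path and address mirror the playbooks above.

```python
import json
import ssl
import urllib.request

# Vault Enterprise endpoint for automated Raft snapshot configuration.
SNAPSHOT_CONFIG_PATH = "/v1/sys/storage/raft/snapshot-auto/config/{name}"

# Keys each storage_type must carry before a request is sent. The mandatory
# set is an assumption drawn from the Vault API documentation, not the role.
REQUIRED_BY_STORAGE = {
    "local": ("local_max_space",),
    "aws-s3": ("aws_s3_bucket", "aws_s3_region"),
    "azure-blob": ("azure_container_name", "azure_account_name", "azure_account_key"),
}


def build_snapshot_config(schedule):
    """Translate one vault_snapshot_schedules entry into (name, API payload).

    Raises ValueError for an unknown storage_type, missing storage keys, or a
    non-positive interval/retain, so a bad entry fails before touching Vault.
    """
    name = schedule["name"]
    storage_type = schedule["storage_type"]
    if storage_type not in REQUIRED_BY_STORAGE:
        raise ValueError(f"{name}: unsupported storage_type {storage_type!r}")
    missing = [k for k in REQUIRED_BY_STORAGE[storage_type] if k not in schedule]
    if missing:
        raise ValueError(f"{name}: missing {missing} for storage_type {storage_type}")
    if schedule["interval_seconds"] <= 0 or schedule["retain"] <= 0:
        raise ValueError(f"{name}: interval_seconds and retain must be positive")
    payload = {
        # assumed mapping: the API field is 'interval' (a duration; integer seconds)
        "interval": schedule["interval_seconds"],
        "retain": schedule["retain"],
        "path_prefix": schedule["path_prefix"],
        "storage_type": storage_type,
    }
    # storage-specific keys keep the same names on the API side
    for key, value in schedule.items():
        if key.startswith(("local_", "aws_", "azure_")):
            payload[key] = value
    return name, payload


def redact(payload):
    """Copy of the payload that is safe to log: storage secrets are masked."""
    secret_keys = {"aws_secret_access_key", "azure_account_key"}
    return {k: ("<redacted>" if k in secret_keys else v) for k, v in payload.items()}


def apply_schedule(address, token, schedule, ssl_verify=True):
    """POST one schedule to Vault. ssl_verify=False is for test clusters only."""
    name, payload = build_snapshot_config(schedule)
    ctx = ssl.create_default_context()
    if not ssl_verify:
        # mirrors vault_snapshot_ssl_verify: false; never do this in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        address.rstrip("/") + SNAPSHOT_CONFIG_PATH.format(name=name),
        data=json.dumps(payload).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed schedules mirroring the playbook above; no Vault is contacted here.
    schedules = [
        {"name": "hourly", "interval_seconds": 3600, "retain": 24,
         "path_prefix": "/opt/vault/snapshots/", "storage_type": "local",
         "local_max_space": 1073741824},
        {"name": "hourly-aws", "interval_seconds": 3600, "retain": 24,
         "path_prefix": "/hourly", "storage_type": "aws-s3",
         "aws_s3_bucket": "my-bucket", "aws_s3_region": "eu-central-1",
         "aws_access_key_id": "some_key", "aws_secret_access_key": "some_secret",
         "aws_s3_enable_kms": False},
    ]
    for entry in schedules:
        name, payload = build_snapshot_config(entry)
        print(name, json.dumps(redact(payload)))
```

To push a schedule to a real cluster, call apply_schedule("https://localhost:8200", open("/root/.vault-token").read().strip(), entry) and then confirm it with vault read sys/storage/raft/snapshot-auto/config/hourly; the redact helper is what to log, since the raw payload carries the S3 secret key or Azure account key.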

Preparing the Machine

To prepare the machine, follow the steps in molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.core_dependencies
    - role: robertdebock.hashicorp
    - role: robertdebock.vault
      vault_type: ent
      vault_hardening_disable_swap: false
    - role: robertdebock.vault_configuration
      vault_configuration_license: "{{ lookup('ansible.builtin.env', 'VAULT_LICENSE') }}"
      vault_configuration_listener_tcp:
        address: "127.0.0.1:8200"
        cluster_address: "127.0.0.1:8201"
        tls_disable: true
      vault_configuration_storage_raft:
        path: "/opt/vault/data"
        node_id: "{{ ansible_hostname }}"

  tasks:
    - name: Flush handlers
      ansible.builtin.meta: flush_handlers

    - name: Start Vault
      ansible.builtin.service:
        name: vault
        state: started

    - name: Initialize Vault
      ansible.builtin.command:
        cmd: vault operator init -format=yaml
      register: vault_init_raw
      environment:
        VAULT_ADDR: "https://localhost:8200"
        VAULT_SKIP_VERIFY: "true"
      changed_when: true

    - name: Store vault_init_raw output as YAML
      ansible.builtin.set_fact:
        vault_init: "{{ vault_init_raw.stdout | from_yaml }}"

    - name: Store root_token
      ansible.builtin.copy:
        content: "{{ vault_init.root_token }}"
        dest: /root/.vault-token
        owner: root
        group: root
        mode: "0640"

    - name: Unseal Vault
      ansible.builtin.command:
        cmd: vault operator unseal {{ item }}
      loop: "{{ vault_init.unseal_keys_b64 }}"
      environment:
        VAULT_ADDR: "https://localhost:8200"
        VAULT_SKIP_VERIFY: "true"
      changed_when: true

You can also read a full explanation with examples on how to use these roles.

Role Variables

The default variable values are in defaults/main.yml:

---
# defaults file for vault_snapshot

vault_snapshot_address: "https://localhost:8200"  # Vault instance address
vault_snapshot_token: ""  # Token for connecting to Vault
vault_snapshot_schedules: []  # List of snapshots to configure
vault_snapshot_ssl_verify: true  # Whether to verify Vault's TLS certificate (set to false only for test clusters)

Requirements

Other Required Roles

You can prepare your system using these roles:

Requirement (each tested on GitHub and GitLab)
robertdebock.bootstrap
robertdebock.core_dependencies
robertdebock.hashicorp
robertdebock.vault
robertdebock.vault_configuration

Context

This role works with many other roles. Visit this documentation for more information.

Compatibility

The role has been tested on the following container images:

Container Tags
Amazon Candidate
Debian all
EL 9
Fedora 39
Ubuntu all

Ansible version 2.12 or higher is required. Testing has been done on multiple versions.

If you find any issues, please report them on GitHub.

License

This project is licensed under the Apache-2.0.

Author Information

Created by robertdebock.

Consider sponsoring me if you find this work helpful!

About the project

Configure vault_snapshot on Vault.

Install
ansible-galaxy install robertdebock.vault_snapshot
License
apache-2.0
Downloads
78
Owner
I know my way around (Linux) infrastructure, have a passion for automation, Docker, Ansible, Molecule and ci/cd.