vault_auditdevice
Ansible role vault_auditdevice
Install and configure vault_auditdevice on your system.
GitHub | GitLab | Downloads | Version |
---|---|---|---|
Example Playbook
This example is taken from molecule/default/converge.yml
and is tested on each push, pull request and release.
---
- name: Converge
hosts: all
become: true
gather_facts: false
pre_tasks:
- name: Read /root/.vault-token
ansible.builtin.slurp:
src: /root/.vault-token
register: vault_auditdevice_token_slurped
roles:
- role: robertdebock.vault_auditdevice
vault_auditdevice_ssl_verify: false
vault_auditdevice_token: "{{ vault_auditdevice_token_slurped['content'] | b64decode }}"
vault_auditdevice_list:
- name: local_file/ # Make sure the value is trailed by a `/`.
type: file
description: File Audit Device
options:
file_path: /opt/vault/vault_audit.log
The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml
:
---
- name: Prepare
hosts: all
become: true
gather_facts: false
roles:
- role: robertdebock.bootstrap
- role: robertdebock.core_dependencies
- role: robertdebock.hashicorp
- role: robertdebock.vault
vault_hardening_disable_swap: false
tasks:
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Initialize vault
ansible.builtin.command:
cmd: vault operator init -format=yaml
register: vault_auditdevice_init
changed_when: true
environment:
VAULT_SKIP_VERIFY: true
notify:
- Unseal vault
- name: Format vault_auditdevice_init_yaml
ansible.builtin.set_fact:
vault_auditdevice_init_yaml: "{{ vault_auditdevice_init.stdout | from_yaml }}"
when:
- vault_auditdevice_init is defined
- name: Store vault token
ansible.builtin.copy:
content: "{{ vault_auditdevice_init_yaml['root_token'] }}"
dest: /root/.vault-token
owner: root
group: root
mode: 0600
when:
- vault_auditdevice_init is defined
handlers:
- name: Unseal vault
ansible.builtin.command:
cmd: vault operator unseal "{{ item }}"
changed_when: true
loop: "{{ vault_auditdevice_init_yaml['unseal_keys_b64'] }}"
environment:
VAULT_SKIP_VERIFY: true
when:
- vault_auditdevice_init is defined
Also see a full explanation and example on how to use these roles.
Role Variables
The default values for the variables are set in defaults/main.yml
:
---
# defaults file for vault_auditdevice
# Set the vault instance address. Similar to `VAULT_ADDR`.
vault_auditdevice_address: "https://localhost:8200"
# Set a token to connect to Vault. Similar to `VAULT_TOKEN`.
vault_auditdevice_token: "simple"
# A list of audit devices to configure. Please have look in `molecule/default/converge.yml` for a complete example.
vault_auditdevice_list: []
# Should SSL certificate verification be disabled?
vault_auditdevice_ssl_verify: true
Requirements
- pip packages listed in requirements.txt.
State of used roles
The following roles are used to prepare a system. You can prepare your system in another way.
Requirement | GitHub | GitLab |
---|---|---|
robertdebock.bootstrap | ||
robertdebock.core_dependencies | ||
robertdebock.hashicorp | ||
robertdebock.vault |
Context
This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.
Here is an overview of related roles:
Compatibility
This role has been tested on these container images:
container | tags |
---|---|
Amazon | Candidate |
Debian | bullseye |
EL | 9 |
Fedora | 39 |
Ubuntu | all |
The minimum version of Ansible required is 2.12, tests have been done to:
- The previous version.
- The current version.
- The development version.
If you find issues, please register them in GitHub.
License
Author Information
Please consider sponsoring me.
Install and configure vault_auditdevice on your system.
ansible-galaxy install robertdebock/ansible-role-vault_auditdevice