Ansible Modules Hashivault
Detailed description of the Python project ansible-modules-hashivault
Ansible modules for Hashicorp Vault.
Install this module:
- via pip:
pip install ansible-modules-hashivault
- via ansible-galaxy (requires hvac>=0.7.0):
ansible-galaxy install 'git+https://github.com/TerryHowe/ansible-modules-hashivault.git'
Note: The `hashivault` lookup plugin does not work with this last install method (ansible/ansible#28770). You can fall back to the built-in lookup plugin: hashi_vault
In most cases the Hashicorp Vault modules should be run on localhost.
Environment Variables
The following variables need to be exported to the environment where you run ansible in order to authenticate to your Hashicorp Vault instance:
- VAULT_ADDR: url for vault
- VAULT_SKIP_VERIFY=true: if set, do not verify presented TLS certificate before communicating with Vault server. Setting this variable is not recommended except during testing
- VAULT_AUTHTYPE: authentication type to use: token, userpass, github, ldap, approle
- VAULT_TOKEN: token for vault
- VAULT_ROLE_ID: (required by approle)
- VAULT_SECRET_ID: (required by approle)
- VAULT_USER: username to login to vault
- VAULT_PASSWORD: password to login to vault
- VAULT_CLIENT_KEY: path to an unencrypted PEM-encoded private key matching the client certificate
- VAULT_CLIENT_CERT: path to a PEM-encoded client certificate for TLS authentication to the Vault server
- VAULT_CACERT: path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
- VAULT_CAPATH: path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate
- VAULT_NAMESPACE: specify the Vault Namespace, if you have one
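As an added pre-flight check (example code written for this page, not part of ansible-modules-hashivault), the function below validates a VAULT_* environment against the contract listed above: the variables each VAULT_AUTHTYPE needs, the TLS settings, and the client-certificate pair. The ldap and github requirements are assumptions, since the list does not state them.

```python
"""Pre-flight check of the VAULT_* environment the modules authenticate with.
Example code added here; it is not part of ansible-modules-hashivault."""

# Variables each VAULT_AUTHTYPE needs, per the list above. The ldap and github
# entries are assumptions (ldap logs in with user/password, github presents its
# personal access token through VAULT_TOKEN); the page does not spell them out.
REQUIRED_BY_AUTHTYPE = {
    "token": ["VAULT_TOKEN"],
    "userpass": ["VAULT_USER", "VAULT_PASSWORD"],
    "ldap": ["VAULT_USER", "VAULT_PASSWORD"],
    "github": ["VAULT_TOKEN"],
    "approle": ["VAULT_ROLE_ID", "VAULT_SECRET_ID"],
}

def check_vault_env(env):
    """Return (findings, settings): 'error:'/'warning:' strings, and the
    connection parameters a client would be built with."""
    findings = []
    addr = env.get("VAULT_ADDR", "")
    if not addr:
        findings.append("error: VAULT_ADDR is not set")
    elif not addr.startswith("https://"):
        findings.append("warning: VAULT_ADDR is not https; tokens would cross the network in clear text")

    authtype = env.get("VAULT_AUTHTYPE", "token")  # the modules default to token auth
    if authtype not in REQUIRED_BY_AUTHTYPE:
        findings.append(f"error: unsupported VAULT_AUTHTYPE {authtype!r}")
    else:
        for var in REQUIRED_BY_AUTHTYPE[authtype]:
            if not env.get(var):
                findings.append(f"error: {authtype} auth requires {var}")

    # Per the list above, VAULT_SKIP_VERIFY disables certificate checks whenever it is set.
    verify = not env.get("VAULT_SKIP_VERIFY")
    if not verify:
        findings.append("warning: VAULT_SKIP_VERIFY is set; the server certificate is not verified")
    else:  # otherwise verify against the custom CA file/dir if one is given
        verify = env.get("VAULT_CACERT") or env.get("VAULT_CAPATH") or True

    # Client certificate auth needs both halves of the key pair.
    cert, key = env.get("VAULT_CLIENT_CERT"), env.get("VAULT_CLIENT_KEY")
    if bool(cert) != bool(key):
        findings.append("error: VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together")

    settings = {"url": addr, "authtype": authtype, "verify": verify,
                "cert": (cert, key) if cert and key else None,
                "namespace": env.get("VAULT_NAMESPACE")}
    return findings, settings
```

Run it as `check_vault_env(os.environ)` before a playbook to see what the modules would authenticate with.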
Reading and Writing
The following example writes the giant secret with two values and then reads the fie value:
```yaml
---
- hosts: localhost
  vars:
    foo_value: 'fum'
    fie_value: 'fum'
  tasks:
    - hashivault_status:
      register: 'vault_status'
    - hashivault_write:
        secret: 'giant'
        data:
            foo: '{{foo_value}}'
            fie: '{{fie_value}}'
      register: 'vault_write'
    - hashivault_read:
        secret: 'giant'
        key: 'fie'
      register: 'vault_read'
```
The lookup plugin:
```yaml
looky: "{{lookup('hashivault', 'giant', 'foo')}}"
```
By default, hashivault_write, hashivault_read and the lookup plugin assume the /secret mount point. If you are accessing another mount point, start the secret path with "/":
```yaml
---
- hosts: localhost
  tasks:
    - hashivault_write:
        secret: '/stories/stuart'
        data:
            last: 'little'
    - hashivault_read:
        secret: '/stories/charlotte'
        key: 'web'
    - set_fact:
        book: "{{lookup('hashivault', '/stories/charlotte', 'web')}}"
```
Get a list of secrets:
```yaml
---
- hosts: localhost
  tasks:
    - hashivault_list:
        secret: '/stories'
      register: vault
```
Ansible does not handle binary data well, so these modules are provided to read and write files:
```yaml
---
- hashivault_read_to_file:
    secret: 'ssl_certs'
    key: 'der_format'
    dest: 'ssl_cert.cer'
- hashivault_write_from_file:
    secret: 'ssl_certs'
    key: 'der_format'
    path: 'ssl_cert.cer'
```
Initialization, Seal, and Unseal
You can initialize the vault:
```yaml
---
- hosts: localhost
  tasks:
    - hashivault_init:
      register: 'vault_init'
```
You can also seal and unseal the vault:
```yaml
---
- hosts: localhost
  vars:
    vault_keys: "{{ lookup('env','VAULT_KEYS') }}"
  tasks:
    - hashivault_status:
      register: 'vault_status'
    - block:
        - hashivault_seal:
          register: 'vault_seal'
      when: not vault_status.status.sealed
    - hashivault_unseal:
        keys: '{{vault_keys}}'
```
Policy
Policy support:
```yaml
---
- hosts: localhost
  vars:
    name: 'terry'
    rules: >
        path "secret/{{name}}/*" {
          capabilities = ["create", "read", "update", "delete", "list"]
        }
        path "secret/{{name}}" {
          capabilities = ["list"]
        }
  tasks:
    - hashivault_policy_set:
        name: "{{name}}"
        rules: "{{rules}}"
      register: 'vault_policy_set'
    - hashivault_policy_get:
        name: '{{name}}'
      register: 'vault_policy_get'
    - hashivault_policy_list:
      register: 'vault_policy_list'
```
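A small least-privilege check over the rules above (example code written for this page, not part of ansible-modules-hashivault): it parses the path/capabilities blocks and flags rules that escape the per-user prefix, grant sudo, use an unknown capability, or wildcard a whole mount. It handles only the simple HCL form shown here, and substitutes {{name}} with a plain string replace instead of Ansible's Jinja2 rendering.

```python
"""Lint a Vault ACL policy of the path/capabilities form used above.
Example code added here; it is not part of ansible-modules-hashivault."""
import re

# The rules from the playbook above, rendered for name: 'terry'. Ansible would
# render {{name}} with Jinja2; a plain string replace stands in for that here.
PAGE_RULES = '''
path "secret/{{name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/{{name}}" {
  capabilities = ["list"]
}
'''.replace("{{name}}", "terry")

# Matches one `path "..." { capabilities = [...] }` block (this simple form
# only, not full HCL).
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')
_MOUNT_WIDE = re.compile(r'^(\*|[^/]+/\*)$')  # "*" or "<mount>/*"
VALID_CAPS = {"create", "read", "update", "delete", "list", "sudo", "deny", "patch"}


def parse_policy(hcl):
    """Return {path: [capability, ...]} for every rule block in hcl."""
    return {path: re.findall(r'"([^"]+)"', caps) for path, caps in _RULE.findall(hcl)}


def lint_policy(hcl, expected_prefix):
    """Flag rules that reach outside expected_prefix, grant sudo, use an
    unknown capability, or wildcard an entire mount."""
    findings = []
    for path, caps in parse_policy(hcl).items():
        if not path.startswith(expected_prefix):
            findings.append(f"{path}: outside expected prefix {expected_prefix!r}")
        if _MOUNT_WIDE.match(path):
            findings.append(f"{path}: wildcard covers a whole mount")
        if "sudo" in caps:
            findings.append(f"{path}: grants sudo")
        for cap in sorted(set(caps) - VALID_CAPS):
            findings.append(f"{path}: unknown capability {cap!r}")
    return findings
```

For the page's policy, `lint_policy(PAGE_RULES, "secret/terry")` returns no findings; a rule such as `path "secret/*"` with `sudo` would produce three.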
Policy From File
Policy from file support:
```yaml
---
- hosts: localhost
  vars:
    name: 'drew'
  tasks:
    - hashivault_policy_set_from_file:
        name: "{{name}}"
        rules_file: /home/drew/my_policy.hcl
      register: 'vault_policy_set'
    - hashivault_policy_get:
        name: '{{name}}'
      register: 'vault_policy_get'
    - hashivault_policy_list:
      register: 'vault_policy_list'
```
User Management
Add and delete users for userpass:
```yaml
---
- hosts: localhost
  vars:
    username: 'portugal'
    userpass: 'Th3m@n!!'
  tasks:
    - hashivault_userpass_create:
        name: "{{username}}"
        pass: "{{userpass}}"
        policies: "{{username}}"
      register: 'vault_userpass_create'
    - hashivault_userpass_delete:
        name: "{{username}}"
      register: 'vault_userpass_delete'
```
Authentication Backends
Handle auth backends:
```yaml
---
- hosts: localhost
  tasks:
    - hashivault_auth_list:
      register: 'vault_auth_list'
    - block:
        - hashivault_auth_method:
            method_type: "userpass"
            state: "enabled"
          register: 'vault_auth_enable'
      when: "'userpass/' not in vault_auth_list.backends"
```
Tune the auth backends:
```yaml
---
- hosts: localhost
  tasks:
    - name: Tune ephemeral secret store
      hashivault_mount_tune:
        mount_point: ephemeral
        default_lease_ttl: 3600
        max_lease_ttl: 8600
```
Audit Backends
Handle audit backends:
```yaml
---
- hosts: localhost
  tasks:
    - hashivault_audit_list:
      register: 'vault_audit_list'
    - block:
        - hashivault_audit_enable:
            name: "syslog"
          register: 'vault_audit_enable'
      when: "'syslog/' not in vault_audit_list.backends"
```
Rekey Vault
Various rekey operations:
```yaml
---
- hashivault_rekey_init:
    secret_shares: 7
    secret_threshold: 4
- hashivault_rekey:
    key: '{{vault_key}}'
    nonce: '{{nonce}}'
- hashivault_rekey_status:
  register: "vault_rekey_status"
- hashivault_rekey_cancel:
  register: "vault_rekey_cancel"
```
Secret Backends
Enable and disable various secret backends:
```yaml
---
- hashivault_secret_list:
  register: 'hashivault_secret_list'
- hashivault_secret_enable:
    name: "ephemeral"
    backend: "generic"
- hashivault_secret_disable:
    name: "ephemeral"
    backend: "generic"
```
Token Operations
Various token operation modules:
```yaml
---
- hashivault_token_create:
    display_name: "syadm"
    policies: ["sysadm"]
    renewable: True
    token: "{{vault_root_token}}"
  register: "vault_token_admin"
- hashivault_token_lookup:
    lookup_token: "{{client_token}}"
  register: "vault_token_lookup"
- hashivault_token_revoke:
    revoke_token: "{{client_token}}"
  register: "vault_token_revoke"
- hashivault_token_renew:
    renew_token: "{{client_token}}"
  register: "vault_token_renew"
```
Approle
Approle modules:
```yaml
---
- hashivault_approle_role_create:
    name: testrole
    policies:
      - approle_test_policy
- hashivault_approle_role_id:
    name: testrole
  register: 'vault_role_id'
- hashivault_approle_role_secret_create:
    name: testrole
  register: 'vault_role_secret_create'
```
Action Plugin
If you are not using the vault address and vault token environment variables (VAULT_ADDR and VAULT_TOKEN), you may be able to simplify your playbooks with an action plugin. It can look something like this example action plugin.
Developer Notes
One complication in developing and testing this module is that ansible/module_utils/hashivault.py is not a directory in itself, which I believe is a problem with Ansible. Because of this limitation in ansible, pip install -e . does not work the way it does for other projects. Two possible ways to work around this are to use the link.sh script in the top-level directory, or to run the following after every change:
```sh
rm -rf dist; python setup.py sdist
pip install ./dist/ansible-modules-hashivault-*.tar.gz
```
License
MIT.