Ansible modules for Hashicorp Vault

Detailed description of the ansible-modules-hashivault Python project


Ansible modules for Hashicorp Vault.

Install this module:

  • Via pip:
pip install ansible-modules-hashivault
  • Via ansible-galaxy (requires hvac>=0.7.0):
ansible-galaxy install 'git+https://github.com/TerryHowe/ansible-modules-hashivault.git'
Note: The hashivault lookup plugin does not work with this last install method (ansible/ansible#28770). You can fall back to the built-in lookup plugin: hashi_vault

In most cases the Hashicorp Vault modules should be run on localhost.

Environment Variables

The following variables need to be exported to the environment where Ansible runs in order to authenticate to your Hashicorp Vault instance:

  • VAULT_ADDR: url for vault
  • VAULT_SKIP_VERIFY=true: if set, do not verify presented TLS certificate before communicating with Vault server. Setting this variable is not recommended except during testing
  • VAULT_AUTHTYPE: authentication type to use: token, userpass, github, ldap, approle
  • VAULT_TOKEN: token for vault
  • VAULT_ROLE_ID: (required by approle)
  • VAULT_SECRET_ID: (required by approle)
  • VAULT_USER: username to login to vault
  • VAULT_PASSWORD: password to login to vault
  • VAULT_CLIENT_KEY: path to an unencrypted PEM-encoded private key matching the client certificate
  • VAULT_CLIENT_CERT: path to a PEM-encoded client certificate for TLS authentication to the Vault server
  • VAULT_CACERT: path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate
  • VAULT_CAPATH: path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate
  • VAULT_NAMESPACE: specify the Vault Namespace, if you have one
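As an added example (not part of the project), here is a pre-flight check in Python over the variables listed above: it confirms that VAULT_ADDR is set, that the extra variables required by the chosen VAULT_AUTHTYPE are present, that a client key and certificate come as a pair, that configured PEM paths exist, and it flags VAULT_SKIP_VERIFY and plaintext http. The default auth type of token and the mapping of github to VAULT_TOKEN are assumptions.

```python
import os

# Extra variables each VAULT_AUTHTYPE needs, taken from the variable list above.
# Assumption: github supplies its personal access token through VAULT_TOKEN.
REQUIRED_BY_AUTHTYPE = {
    "token": ("VAULT_TOKEN",),
    "userpass": ("VAULT_USER", "VAULT_PASSWORD"),
    "ldap": ("VAULT_USER", "VAULT_PASSWORD"),
    "github": ("VAULT_TOKEN",),
    "approle": ("VAULT_ROLE_ID", "VAULT_SECRET_ID"),
}
PEM_PATH_VARS = ("VAULT_CACERT", "VAULT_CAPATH", "VAULT_CLIENT_KEY", "VAULT_CLIENT_CERT")


def check_vault_env(env=None):
    """Return (problems, warnings) for a mapping of Vault environment variables.

    problems block a run; warnings are settings that weaken transport security.
    env defaults to os.environ; passing a dict makes the check testable offline.
    """
    env = os.environ if env is None else env
    problems, warnings = [], []
    addr = env.get("VAULT_ADDR", "")
    if not addr:
        problems.append("VAULT_ADDR is not set")
    elif addr.startswith("http://"):
        warnings.append("VAULT_ADDR uses plaintext http; token and secrets cross the wire unencrypted")

    # Assumption: the modules default to token authentication when VAULT_AUTHTYPE is unset.
    authtype = env.get("VAULT_AUTHTYPE", "token")
    if authtype not in REQUIRED_BY_AUTHTYPE:
        problems.append("unknown VAULT_AUTHTYPE %r" % authtype)
    else:
        for var in REQUIRED_BY_AUTHTYPE[authtype]:
            if not env.get(var):
                problems.append("%s requires %s" % (authtype, var))

    if env.get("VAULT_SKIP_VERIFY", "").lower() in ("1", "true", "yes"):
        warnings.append("VAULT_SKIP_VERIFY is set: the server certificate is not verified (testing only)")

    # TLS client authentication needs both halves of the key pair.
    if bool(env.get("VAULT_CLIENT_KEY")) != bool(env.get("VAULT_CLIENT_CERT")):
        problems.append("VAULT_CLIENT_KEY and VAULT_CLIENT_CERT must be set together")

    for var in PEM_PATH_VARS:
        path = env.get(var)
        if path and not os.path.exists(path):
            problems.append("%s points at a missing path: %s" % (var, path))
    return problems, warnings
```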

Reading and Writing

The following example writes the giant secret with two values and then reads the fie value:

---
- hosts: localhost
  vars:
    foo_value: 'fum'
    fie_value: 'fum'
  tasks:
    - hashivault_status:
      register: 'vault_status'
    - hashivault_write:
        secret: 'giant'
        data:
            foo: '{{foo_value}}'
            fie: '{{fie_value}}'
      register: 'vault_write'
    - hashivault_read:
        secret: 'giant'
        key: 'fie'
      register: 'vault_read'

Lookup plugin:

looky: "{{lookup('hashivault', 'giant', 'foo')}}"

By default, hashivault_write, hashivault_read and the lookup plugin assume the /secret mount point. If you are accessing another mount point, start the secret path with '/':

---
- hosts: localhost
  tasks:
    - hashivault_write:
        secret: '/stories/stuart'
        data:
            last: 'little'
    - hashivault_read:
        secret: '/stories/charlotte'
        key: 'web'
    - set_fact:
        book: "{{lookup('hashivault', '/stories/charlotte', 'web')}}"

Get a list of secrets:

---
- hosts: localhost
  tasks:
    - hashivault_list:
        secret: '/stories'
      register: vault
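The mount-point rule and the list example above, modelled as an added Python example (not the project's code): resolve_secret_path applies the leading-slash rule, and a constructed in-memory store shows how the giant and /stories paths land under different mounts, and why writing 'secret/giant' without the slash ends up under secret/secret/.

```python
DEFAULT_MOUNT = "secret"


def resolve_secret_path(secret, default_mount=DEFAULT_MOUNT):
    """Turn the `secret` argument of hashivault_read/write/list into a full Vault path.

    A leading '/' means the caller names the mount point explicitly; anything
    else is relative to the default mount (the README's /secret).
    """
    if not secret or not secret.strip("/"):
        raise ValueError("secret path must not be empty")
    if secret.startswith("/"):
        return secret.lstrip("/")
    return "%s/%s" % (default_mount.strip("/"), secret)


class MemoryKV:
    """Constructed in-memory stand-in for a Vault KV mount tree (not the project's
    code) that applies the same path rule, so the examples can be traced offline."""

    def __init__(self):
        self._store = {}

    def write(self, secret, data):
        self._store[resolve_secret_path(secret)] = dict(data)

    def read(self, secret, key=None):
        """Return the whole secret, one key of it, or None when the path is absent."""
        data = self._store.get(resolve_secret_path(secret))
        if data is None:
            return None
        return data if key is None else data.get(key)

    def list(self, secret):
        """Names under a path; unlike Vault, nested entries are not folded into 'x/'."""
        prefix = resolve_secret_path(secret).rstrip("/") + "/"
        return sorted(p[len(prefix):] for p in self._store if p.startswith(prefix))
```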

Ansible does not handle binary data well, so these modules are provided for convenience when reading/writing files:

---
- hashivault_read_to_file:
    secret: 'ssl_certs'
    key: 'der_format'
    dest: 'ssl_cert.cer'
- hashivault_write_from_file:
    secret: 'ssl_certs'
    key: 'der_format'
    path: 'ssl_cert.cer'

Initialization, Seal, and Unseal

You can initialize the vault:

---
- hosts: localhost
  tasks:
    - hashivault_init:
      register: 'vault_init'

You can also seal and unseal the vault:

---
- hosts: localhost
  vars:
    vault_keys:  "{{ lookup('env','VAULT_KEYS') }}"
  tasks:
    - hashivault_status:
      register: 'vault_status'
    - block:
        - hashivault_seal:
          register: 'vault_seal'
      when: not vault_status.status.sealed
    - hashivault_unseal:
        keys: '{{vault_keys}}'

Policy

Policy support:

---
- hosts: localhost
  vars:
    name: 'terry'
    rules: >
        path "secret/{{name}}/*" {
          capabilities = ["create", "read", "update", "delete", "list"]
        }
        path "secret/{{name}}" {
          capabilities = ["list"]
        }
  tasks:
    - hashivault_policy_set:
        name: "{{name}}"
        rules: "{{rules}}"
      register: 'vault_policy_set'
    - hashivault_policy_get:
        name: '{{name}}'
      register: 'vault_policy_get'
    - hashivault_policy_list:
      register: 'vault_policy_list'

Policy From File

Policy from file support:

---
- hosts: localhost
  vars:
    name: 'drew'

  tasks:
    - hashivault_policy_set_from_file:
        name: "{{name}}"
        rules_file: /home/drew/my_policy.hcl
      register: 'vault_policy_set'
    - hashivault_policy_get:
        name: '{{name}}'
      register: 'vault_policy_get'
    - hashivault_policy_list:
      register: 'vault_policy_list'

User Management

Add and delete users for userpass:

---
- hosts: localhost
  vars:
    username: 'portugal'
    userpass: 'Th3m@n!!'
  tasks:
    - hashivault_userpass_create:
        name: "{{username}}"
        pass: "{{userpass}}"
        policies: "{{username}}"
      register: 'vault_userpass_create'

    - hashivault_userpass_delete:
        name: "{{username}}"
      register: 'vault_userpass_delete'

Authentication Backends

Handle authentication backends:

---
- hosts: localhost
  tasks:
    - hashivault_auth_list:
      register: 'vault_auth_list'
    - block:
      - hashivault_auth_method:
          method_type: "userpass"
          state: "enabled"
        register: 'vault_auth_enable'
      when: "'userpass/' not in vault_auth_list.backends"

Tune authentication backends:

---
- hosts: localhost
  tasks:
    - name: Tune ephemeral secret store
      hashivault_mount_tune:
        mount_point: ephemeral
        default_lease_ttl: 3600
        max_lease_ttl: 8600

Audit Backends

Handle audit backends:

---
- hosts: localhost
  tasks:
    - hashivault_audit_list:
      register: 'vault_audit_list'
    - block:
      - hashivault_audit_enable:
          name: "syslog"
        register: 'vault_audit_enable'
      when: "'syslog/' not in vault_audit_list.backends"

Rekey Vault

Various rekey vault operations:

---
- hashivault_rekey_init:
    secret_shares: 7
    secret_threshold: 4
- hashivault_rekey:
    key: '{{vault_key}}'
    nonce: '{{nonce}}'
- hashivault_rekey_status:
  register: "vault_rekey_status"
- hashivault_rekey_cancel:
  register: "vault_rekey_cancel"

Secret Backends

Enable and disable various secret backends:

---
- hashivault_secret_list:
  register: 'hashivault_secret_list'
- hashivault_secret_enable:
    name: "ephemeral"
    backend: "generic"
- hashivault_secret_disable:
    name: "ephemeral"
    backend: "generic"

Token Manipulation

Various token manipulation modules:

---
- hashivault_token_create:
    display_name: "syadm"
    policies: ["sysadm"]
    renewable: True
    token: "{{vault_root_token}}"
  register: "vault_token_admin"
- hashivault_token_lookup:
    lookup_token: "{{client_token}}"
  register: "vault_token_lookup"
- hashivault_token_revoke:
    revoke_token: "{{client_token}}"
  register: "vault_token_revoke"
- hashivault_token_renew:
    renew_token: "{{client_token}}"
  register: "vault_token_renew"

Approle

Approle modules:

---
- hashivault_approle_role_create:
    name: testrole
    policies:
      - approle_test_policy
- hashivault_approle_role_id:
    name: testrole
  register: 'vault_role_id'
- hashivault_approle_role_secret_create:
    name: testrole
  register: 'vault_role_secret_create'

Action Plugin

If you are not using the VAULT_ADDR and VAULT_TOKEN environment variables, you may be able to simplify your playbooks with an action plugin. This could be something like the example action plugin.

Developer Note

One complication of developing and testing this module is that ansible/module_utils/hashivault.py is not itself a directory, which I think is a problem with Ansible. Because of this limitation of Ansible, pip install -e . does not work the way it does for other projects. Two possible workarounds are to use the link.sh script in the top-level directory, or to run the following after every change:

rm -rf dist; python setup.py sdist
pip install ./dist/ansible-modules-hashivault-*.tar.gz

License

MIT
