ソースを参照

secret management role

master
コミット
3771aaa7d1
5個のファイルの変更113行の追加0行の削除
  1. +9
    -0
      defaults/main.yaml
  2. +17
    -0
      tasks/main.yaml
  3. +5
    -0
      tasks/store/facts.yaml
  4. +25
    -0
      tasks/store/local_facts.yaml
  5. +57
    -0
      vars/main.yaml

+ 9
- 0
defaults/main.yaml ファイルの表示

@@ -1 +1,10 @@
---

secrets: {}

secrets_definitions: {}

secrets_default_store: facts
secrets_default_generator: password
secrets_default_password_length: 24
secrets_default_password_chars: ascii_letters,digits

+ 17
- 0
tasks/main.yaml ファイルの表示

@@ -1 +1,18 @@
---

- name: secret pre-store debug
debug:
msg:
secrets: "{{ secrets }}"
secrets_set: "{{ secrets_set }}"
secrets_reset: "{{ secrets_reset }}"
secrets_set_by_store: "{{ secrets_set_by_store }}"
secrets_reset_by_store: "{{ secrets_reset_by_store }}"

- import_tasks: store/facts.yaml
- import_tasks: store/local_facts.yaml

- name: secret post-store debug
debug:
msg:
secrets: "{{ secrets }}"

+ 5
- 0
tasks/store/facts.yaml ファイルの表示

@@ -0,0 +1,5 @@
---

- name: set secrets in facts
set_fact:
secrets: "{{ secrets_set_by_store.facts | combine(secrets) | combine(secrets_reset_by_store.facts) }}"

+ 25
- 0
tasks/store/local_facts.yaml ファイルの表示

@@ -0,0 +1,25 @@
---

# TODO remove secrets that are defined for other stores

- name: ansible local facts directory
file:
path: /etc/ansible/facts.d
state: directory

- name: save secrets in ansible local secrets fact
copy:
content: "{{ secrets_set_by_store.local_facts | combine(ansible_local.secrets | default({})) | combine(secrets_reset_by_store.local_facts) | to_json }}"
dest: /etc/ansible/facts.d/secrets.fact
mode: 0600
register: _local_facts_set

- name: gathering ansible local facts
setup:
gather_subset: min
filter: ansible_local
when: _local_facts_set.changed

- name: set secrets gathered from ansible local secrets fact
set_fact:
secrets: "{{ secrets | combine(ansible_local.secrets) }}"

+ 57
- 0
vars/main.yaml ファイルの表示

@@ -1 +1,58 @@
---
secrets_generators:
- password
#- xkcd

secrets_stores:
- facts
- local_facts

secrets_set: |-
{
{% for secret_name in secrets_definitions.keys() %}
{% set secrets_definition = secrets_definitions[secret_name] %}
{% set password_length = secrets_definition.password_length | default(secrets_default_password_length) | string %}
{% set password_chars = secrets_definition.password_chars|default(secrets_default_password_chars) %}
{{secret_name|to_json}}:
{{ lookup('password', '/dev/null length='+password_length+' chars='+password_chars ) | to_json }}
,
{% endfor %}
}

secrets_reset: |-
{
{% for secret_name in secrets_definitions.keys() %}
{% set secrets_definition = secrets_definitions[secret_name] %}
{% if secrets_definition.reset | default(false) %}
{{secret_name|to_json}}: {{ secrets_set[secret_name] | to_json }},
{% endif %}
{% endfor %}
}

secrets_set_by_store: |-
{
{% for store_name in secrets_stores %}
{{store_name|to_json}}: {
{% for secret_name in secrets_set.keys() %}
{% set secrets_definition = secrets_definitions[secret_name] %}
{% if store_name == secrets_definition.store | default(secrets_default_store) %}
{{secret_name|to_json}}: {{ secrets_set[secret_name] | to_json }},
{% endif %}
{% endfor %}
},
{% endfor %}
}

secrets_reset_by_store: |-
{
{% for store_name in secrets_stores %}
{{store_name|to_json}}: {
{% for secret_name in secrets_reset.keys() %}
{% set secrets_definition = secrets_definitions[secret_name] %}
{% if store_name == secrets_definition.store | default(secrets_default_store) %}
{{secret_name|to_json}}: {{ secrets_reset[secret_name] | to_json }},
{% endif %}
{% endfor %}
},
{% endfor %}
}

読み込み中…
キャンセル
保存