You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

48 lines
1.8 KiB

  1. ---
  2. # The JSON inside JSON here is intentional (Vault API wants it)
  3. - name: create_role | Create a policy for the new role allowing issuing
  4. uri:
  5. url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/sys/policy/{{ create_role_name }}"
  6. headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
  7. method: PUT
  8. body_format: json
  9. body:
  10. rules: >-
  11. {%- if create_role_policy_rules|d("default") == "default" -%}
  12. {{
  13. { 'path': {
  14. create_role_mount_path + '/issue/' + create_role_name: {'policy': 'write'},
  15. create_role_mount_path + '/roles/' + create_role_name: {'policy': 'read'}
  16. }} | to_json + '\n'
  17. }}
  18. {%- else -%}
  19. {{ create_role_policy_rules | to_json + '\n' }}
  20. {%- endif -%}
  21. status_code: 204
  22. delegate_to: "{{ groups.vault|first }}"
  23. run_once: true
  24. - name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
  25. uri:
  26. url: "{{ hostvars[groups.vault|first]['vault_leader_url'] }}/v1/{{ create_role_mount_path }}/roles/{{ create_role_name }}"
  27. headers: "{{ hostvars[groups.vault|first]['vault_headers'] }}"
  28. method: POST
  29. body_format: json
  30. body: >-
  31. {%- if create_role_options|d("default") == "default" -%}
  32. {'allow_any_name': true}
  33. {%- else -%}
  34. {{ create_role_options }}
  35. {%- endif -%}
  36. status_code: 204
  37. delegate_to: "{{ groups.vault|first }}"
  38. run_once: true
  39. ## Userpass based auth method
  40. - include_tasks: gen_userpass.yml
  41. vars:
  42. gen_userpass_password: "{{ create_role_password }}"
  43. gen_userpass_policies: "{{ create_role_name }}"
  44. gen_userpass_role: "{{ create_role_name }}"
  45. gen_userpass_username: "{{ create_role_name }}"