Place vault role credentials only to vault group hosts

7 years ago · b930b0ef5a
5 changed files with 11 additions and 10 deletions
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@ -38,6 +38,7 @@
    - "{{ vault_pki_mounts.etcd }}"
  loop_control:
    loop_var: mount
+  when: inventory_hostname in groups.vault

 - include: ../shared/gen_ca.yml
  vars:
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@ -42,3 +42,4 @@
  when: inventory_hostname == groups.vault|first

 - include: create_roles.yml
+  when: inventory_hostname in groups.vault
--- a/roles/vault/tasks/shared/create_role.yml
+++ b/roles/vault/tasks/shared/create_role.yml
@ -19,7 +19,8 @@
             {{ create_role_policy_rules | to_json + '\n' }}
             {%- endif -%}
    status_code: 204
-  when: inventory_hostname == groups[create_role_group]|first
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true

 - name: create_role | Create {{ create_role_name }} role in the {{ create_role_mount_path }} pki mount
  uri:
@ -34,15 +35,14 @@
          {{ create_role_options }}
          {%- endif -%}
    status_code: 204
-  when: inventory_hostname == groups[create_role_group]|first
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true

 ## Userpass based auth method

 - include: gen_userpass.yml
  vars:
-    gen_userpass_group: "{{ create_role_group }}"
    gen_userpass_password: "{{ create_role_password }}"
    gen_userpass_policies: "{{ create_role_name }}"
    gen_userpass_role: "{{ create_role_name }}"
    gen_userpass_username: "{{ create_role_name }}"
-  when: inventory_hostname in groups[create_role_group]
--- a/roles/vault/tasks/shared/gen_userpass.yml
+++ b/roles/vault/tasks/shared/gen_userpass.yml
@ -10,13 +10,13 @@
      password: "{{ gen_userpass_password }}"
      policies: "{{ gen_userpass_role }}"
    status_code: 204
-  when: inventory_hostname == groups[gen_userpass_group]|first
+  delegate_to: "{{ groups.vault|first }}"
+  run_once: true

 - name: shared/gen_userpass | Ensure destination directory exists
  file:
    path: "{{ vault_roles_dir }}/{{ gen_userpass_role }}"
    state: directory
-  when: inventory_hostname in groups[gen_userpass_group]

 - name: shared/gen_userpass | Copy credentials to all hosts in the group
  copy:
@ -26,4 +26,3 @@
              'password': gen_userpass_password} | to_nice_json(indent=4)
             }}
    dest: "{{ vault_roles_dir }}/{{ gen_userpass_role }}/userpass"
-  when: inventory_hostname in groups[gen_userpass_group]
--- a/roles/vault/tasks/shared/issue_cert.yml
+++ b/roles/vault/tasks/shared/issue_cert.yml
@ -29,13 +29,13 @@
 - name: "issue_cert | Read in the local credentials"
  command: cat {{ vault_roles_dir }}/{{ issue_cert_role }}/userpass
  register: vault_creds_cat
-  delegate_to: "{{ issue_cert_hosts|first }}"
+  delegate_to: "{{  groups.vault|first }}"
  run_once: true

 - name: gen_certs_vault | Set facts for read Vault Creds
  set_fact:
    user_vault_creds: "{{ vault_creds_cat.stdout|from_json }}"
-  delegate_to: "{{ issue_cert_hosts|first }}"
+  delegate_to: "{{ groups.vault|first }}"
  run_once: true

 - name: gen_certs_vault | Log into Vault and obtain an token
@ -49,7 +49,7 @@
    body:
      password: "{{ user_vault_creds.password }}"
  register: vault_login_result
-  delegate_to: "{{ issue_cert_hosts|first }}"
+  delegate_to: "{{ groups.vault|first }}"
  run_once: true

 - name: gen_certs_vault | Set fact for vault_client_token