init vault

Author: ildoc

ansible/roles/vault/files/docker-compose.yml

@@ -8,6 +8,7 @@ services:
     volumes:
       - ./config:/vault/config
       - ./data:/vault/file
+      - ./init-vault.sh/init-vault.sh:ro
     cap_add:
       - IPC_LOCK
     command: "vault server -config=/vault/config/vault-config.json"

ansible/roles/vault/files/init-vault.sh

@@ -4,38 +4,51 @@ set -euo pipefail
 # CONFIGURATIONS
 POLICY_NAME="ansible-policy"
 ROLE_NAME="ansible-role"
-SECRET_PATH="ansible"
+# Usa un array per i percorsi dei segreti
+SECRET_PATHS=("ansible" "terraform")
 VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-VAULT_TOKEN="${VAULT_TOKEN:?VAULT_TOKEN mancante}"
+VAULT_TOKEN="${VAULT_TOKEN:?VAULT_TOKEN missing}"
 
 # Install dependencies
 apk add jq
 
 echo "[+] Init Vault..."
 
-# Check if secret engine is already enabled
-if vault secrets list -format=json | jq -e ".[\"$SECRET_PATH/\"]"; then
-  echo "[+] Secret engine '$SECRET_PATH/' already enabled."
-else
-  echo "[+] Enabling secret engine '$SECRET_PATH/' (kv-v2)..."
-  vault secrets enable -path="$SECRET_PATH" -version=2 kv
-fi
+# Abilita tutti i motori di segreti specificati nell'array
+for SECRET_PATH in "${SECRET_PATHS[@]}"; do
+  # Check if secret engine is already enabled
+  if vault secrets list -format=json | jq -e ".[\"$SECRET_PATH/\"]" > /dev/null 2>&1; then
+    echo "[+] Secret engine '$SECRET_PATH/' already enabled."
+  else
+    echo "[+] Enabling secret engine '$SECRET_PATH/' (kv-v2)..."
+    vault secrets enable -path="$SECRET_PATH" -version=2 kv
+  fi
+done
 
 # Check if Approle auth method is already enabled
-if vault auth list -format=json | jq -e '."approle/"'; then
+if vault auth list -format=json | jq -e '."approle/"' > /dev/null 2>&1; then
   echo "[+] Auth method AppRole already enabled."
 else
   echo "[+] Enabling auth method AppRole..."
   vault auth enable approle
 fi
 
-# Create or update policy
+# Crea una policy che include tutti i path specificati
 echo "[+] Writing policy '$POLICY_NAME'..."
-cat <<EOF | vault policy write "$POLICY_NAME" -
-path "$SECRET_PATH/data/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
+
+# Inizia la policy con un'intestazione vuota
+POLICY_CONTENT=""
+
+# Aggiungi ogni percorso alla policy
+for SECRET_PATH in "${SECRET_PATHS[@]}"; do
+  POLICY_CONTENT+="path \"$SECRET_PATH/data/*\" {
+  capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]
 }
-EOF
+"
+done
+
+# Scrivi la policy completa
+echo "$POLICY_CONTENT" | vault policy write "$POLICY_NAME" -
 
 # Check if role is already created
 if vault read -format=json "auth/approle/role/$ROLE_NAME" > /dev/null 2>&1; then

ansible/roles/vault/tasks/main.yaml

@@ -15,6 +15,12 @@
     update_compose_local_path: "{{ local_path }}"
     update_compose_project_path: "{{ project_path }}"
 
+- name: Copy init-vault.sh
+  ansible.builtin.copy:
+    src: "{{ vault_files_path }}/init-vault.sh"
+    dest: ~/init-vault.sh
+    mode: '0644'
+
 - name: Read remote vault-config.json
   ansible.builtin.stat:
     path: ~/config/vault-config.json