diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..27f67a0 --- /dev/null +++ b/.envrc @@ -0,0 +1,4 @@ +export VAULT_CACERT=./ansible/files/vault-ca.crt +export VAULT_CLIENT_CERT=./ansible/files/vault-client-user.crt +export VAULT_CLIENT_KEY=./ansible/files/vault-client-user.key +export CONSUL_HTTP_TOKEN=$(pass services/consul/tokens/terraform) diff --git a/Makefile b/Makefile index 1246074..75f5227 100644 --- a/Makefile +++ b/Makefile @@ -43,8 +43,16 @@ secrets: pass services/consul/ca-crt > ansible/files/consul-ca.crt pass services/consul/client-crt > ansible/files/consul-client.crt pass services/consul/client-key > ansible/files/consul-client.key + pass services/vault/certs/root-ca/cert > ansible/files/vault-ca.crt + pass services/vault/certs/client-user/cert > ansible/files/vault-client-user.crt + pass services/vault/certs/client-user/privkey > ansible/files/vault-client-user.key -init-terraform: +consul-token-check: +ifndef CONSUL_HTTP_TOKEN + $(error No CONSUL_HTTP_TOKEN env variable set!) +endif + +init-terraform: consul-token-check terraform init -upgrade=true cleanup: diff --git a/ansible/lookup_plugins/vault.py b/ansible/lookup_plugins/vault.py new file mode 100644 index 0000000..e38b4b9 --- /dev/null +++ b/ansible/lookup_plugins/vault.py 
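Review bot: The three `VAULT_*` paths in `.envrc` are relative (`./ansible/files/...`), so they only resolve when the current directory is the repository root, while direnv keeps these exports active in every subdirectory; running `ansible-playbook` from `ansible/` would make hvac fail to open the CA bundle (a hard TLS error, so it fails closed, but confusingly). Use direnv's `expand_path` for all three, e.g. `export VAULT_CACERT=$(expand_path ./ansible/files/vault-ca.crt)`. The file sets the TLS material but not `VAULT_ADDR`, so unless it is exported elsewhere hvac presumably falls back to its default `http://localhost:8200`; exporting `VAULT_ADDR` here, or a comment saying where it comes from, would close that gap. Finally, `$(pass ...)` places the Consul ACL token in the environment of every process started from the shell, which is the usual direnv trade-off but deserves a one-line comment in the file.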
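Review bot: The new `pass services/vault/certs/client-user/privkey > ansible/files/vault-client-user.key` line in the `secrets` recipe writes the Vault client private key through a shell redirection, so the file is created with the caller's default umask (commonly 0644) and ends up world-readable in the working tree. Write it with an explicit mode instead, e.g. `pass services/vault/certs/client-user/privkey | install -m 0600 /dev/stdin ansible/files/vault-client-user.key`, or put `umask 077;` at the front of the recipe; the existing consul key line has the same shape and could be fixed the same way. I cannot see `.gitignore` from this diff, so please confirm `ansible/files/*.key` is excluded before these files sit next to the tracked `.envrc`. The `consul-token-check` guard is only wired into `init-terraform`; if other terraform targets exist in this Makefile (not visible in the hunk), they presumably want the same prerequisite.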
@@ -0,0 +1,85 @@
+#!/usr/bin/env python
+
+import json
+import sys
+import os
+import hvac
+
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+try:
+    from __main__ import display
+except ImportError:
+    from ansible.utils.display import Display
+    display = Display()
+
+
+DOCUMENTATION = """
+lookup: vault
+auth:
+  - Alexis Pentori
+requirements:
+  - hvac library
+  - VAULT_ADDR environment var
+  - VAULT_TOKEN environment var
+short_description: look up data from a Hashicorp vault
+decription:
+  - Use the hvac library to grab one or more items stored in a Hashicorp Vault
+options:
+  path:
+    description: path of the secret in the Vault
+    required: true
+  field:
+    description: field to return from vault
+    required: true
+"""
+
+Examples = """
+- name: get 'username' from Vault entry 'test'
+  debug:
+    msg: "{{ lookup('vault, 'test', field='username' ) }}"
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - Items for Hashicorp Vault
+"""
+
+class LookupModule(LookupBase):
+
+    def run(self, terms, **kwargs):
+        VAULT_CACERT = os.environ.get('VAULT_CACERT', './ansible/files/vault-ca.crt')
+        VAULT_CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', './ansible/files/vault-client-user.crt')
+        VAULT_CLIENT_KEY = os.environ.get('VAULT_CLIENT_KEY', './ansible/files/vault-client-user.key')
+
+        self.vault = hvac.Client(cert=(VAULT_CLIENT_CERT, VAULT_CLIENT_KEY),verify=VAULT_CACERT)
+        values = []
+
+        for term in terms:
+            rval = self.lookup(term, kwargs)
+            if rval is None:
+                raise AnsibleError("No matching term, field found!")
+            values.append(rval)
+
+        return values
+
+    def lookup(self, term, kwargs):
+        field = kwargs.get('field')
+        val = self.vault.secrets.kv.read_secret_version(term)
+        if val:
+            return str(val['data']['data'][field])
+
+
+def main():
+    if len(sys.argv) < 3:
+        print("Usage: %s " % os.path.basename(__file__))
+        return -1
+    print(LookupModule().run(sys.argv[1], field=sys.argv[2]))
+
+    return 0
+
+if __name__ == "__main__":
+    
sys.exit(main()) diff --git a/flake.nix b/flake.nix index 16f6b46..6adfbcb 100644 --- a/flake.nix +++ b/flake.nix @@ -15,22 +15,23 @@ pkgs = pkgsFor.${system}; in { default = let - pythonPkgs = pkgs.python310.withPackages ( - _: with (pkgs.python310Packages); [ + pythonPkgs = pkgs.python311.withPackages ( + _: with (pkgs.python311Packages); [ ipython pyyaml jinja2 PyGithub pyopenssl cryptography + hvac ] ); in pkgs.mkShellNoCC { packages = with pkgs.buildPackages; [ # misc - git openssh jq fzf silver-searcher + git openssh jq fzf silver-searcher direnv # networking curl nmap nettools dnsutils # infra terraform ansible_2_16 pythonPkgs # security - pass bitwarden-cli yubikey-manager pwgen + pass vault bitwarden-cli yubikey-manager pwgen # cloud aliyun-cli awscli doctl google-cloud-sdk hcloud s3cmd scaleway-cli @@ -39,6 +40,8 @@ shellHook = '' ./ansible/roles.py --check || \ echo -e '\nWARNING: Your role versions appear to be incorrect!' >&2 + eval "$(direnv hook bash)" + direnv allow . ''; }; });
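Review bot: The `rval is None` guard in `run` never fires for the failures it names, because `read_secret_version` raises an hvac exception (`InvalidPath` for an unknown path) and `val['data']['data'][field]` raises `KeyError` for an unknown or omitted `field`, so users get a raw traceback instead of an `AnsibleError`; `lookup` should catch those and re-raise as `AnsibleError`, as below. `main()` passes `sys.argv[1]` (a `str`) as `terms`, so the CLI path iterates the secret path character by character and should pass `[sys.argv[1]]`. Note that `hvac.Client(cert=...)` only presents the client certificate at the TLS layer; authentication still comes from `VAULT_TOKEN` in the environment (as DOCUMENTATION says), so this is not Vault cert-auth login unless `self.vault.auth.cert.login()` is also called — worth a comment on that line. The docs block also needs `auth` → `author`, `decription` → `description`, `Examples` → `EXAMPLES`, and the example's `lookup('vault, 'test', ...)` quoting fixed, since Ansible's doc tooling parses those names.
```python
    def lookup(self, term, kwargs):
        field = kwargs.get('field')
        if field is None:
            raise AnsibleError("vault lookup requires field=<name>")
        try:
            val = self.vault.secrets.kv.read_secret_version(term)
            return str(val['data']['data'][field])
        except hvac.exceptions.VaultError as e:
            raise AnsibleError("vault lookup of '%s' failed: %s" % (term, e))
        except KeyError:
            raise AnsibleError("field '%s' not found in vault entry '%s'" % (field, term))
```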
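Review bot: Adding `hvac` to `pythonPkgs` presumably does not make it importable from the lookup plugin, because `ansible_2_16` is a separate nixpkgs application wrapped with its own Python and site-packages, so `import hvac` in `ansible/lookup_plugins/vault.py` would still fail under `ansible-playbook`; please verify before relying on it. The robust fix is to build ansible from the same interpreter, e.g. `pythonPkgs = pkgs.python311.withPackages (p: with p; [ ansible-core hvac ipython pyyaml jinja2 PyGithub pyopenssl cryptography ])` and drop `ansible_2_16` from `packages`. The `python310` → `python311` bump changes the interpreter for every tool in the shell and deserves a mention in the commit message.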
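Review bot: `direnv allow .` in `shellHook` silently re-approves whatever `.envrc` is in the checkout every time the dev shell starts, which removes direnv's trust prompt — the control that stops a modified `.envrc` on an untrusted branch or PR from running arbitrary commands (here `pass`, which yields the Consul token) on the next `cd`. Drop the `direnv allow .` line and let each developer run it once, or at minimum gate it on an explicit opt-in such as `[ -n "$AUTO_ALLOW_ENVRC" ] && direnv allow .` with a comment explaining the risk. `eval "$(direnv hook bash)"` also assumes the interactive shell is bash; zsh/fish users of `nix develop` presumably need their own hook, so a comment saying so would save confusion. The `shellHook` string starts before this hunk, so the enclosing attribute set is outside my view.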