Chef Vault Role
The chef_vault role first verifies that the target host is a Chef server it should run on (the home directory of the Chef user must exist), then, depending on which tags are selected, it creates a vault bag and item, updates the search parameters of a vault item, or ensures that everyone in the admins group has been added as an admin of the vault item.
Exactly one of the following tag options must be passed to run this role:
--tags chef_vault_create
--tags chef_vault_set_search
--tags chef_vault_set_admins
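---
# There may be several Chef servers in the inventory, but only the ones where
# the chef_user account exists are relevant. The presence of its home
# directory is the only check the remaining tasks key on (via `p`).
- name: "Check if the {{ chef_user }} user directory exists."
  become: true
  stat:
    path: "{{ chef_home }}"
  register: p
  tags:
    - chef_vault_create
    - chef_vault_set_admins
    - chef_vault_set_search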
- name: Gather vault admin list
  import_tasks: chef_vault_get_admins.yml
  # Runs only on hosts where the chef_user home directory was found;
  # an undefined or false `isdir` skips the imported tasks.
  when: p.stat.isdir | default(false)
  tags:
    - chef_vault_create
    - chef_vault_set_admins
    - chef_vault_set_search
- name: Set vault admin list
  import_tasks: chef_vault_set_admins.yml
  # Skipped unless the chef_user home directory exists on this host.
  when: p.stat.isdir | default(false)
  tags:
    - chef_vault_set_admins
- name: Set vault node search criteria
  import_tasks: chef_vault_set_search.yml
  # Skipped unless the chef_user home directory exists on this host.
  when: p.stat.isdir | default(false)
  tags:
    - chef_vault_set_search
- name: Create a new vault and bag
  import_tasks: chef_vault_create.yml
  # Skipped unless the chef_user home directory exists on this host.
  when: p.stat.isdir | default(false)
  tags:
    - chef_vault_create
...
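---
# Look up the members of the Chef server "admins" group. Every vault task
# derives its admin list from this output.
- name: Pull list of admins from chef server
  # argv keeps each knife argument a discrete word, so nothing is re-parsed
  # by a shell; `command` is enough because no redirection or globbing is used.
  command:
    argv:
      - knife
      - group
      - show
      - admins
      - "-Fjson"
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"
  # Read-only query: never report it as a change.
  changed_when: false
  register: admins_grp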
- name: Capture users into a variable
  set_fact:
    # knife was run with -Fjson, so stdout is a JSON document; decode it once.
    admin_users: >-
      {{ admins_grp.stdout | from_json }}
- name: Create list of admin users.
  set_fact:
    # Drop the excluded accounts, then flatten to the comma-separated form
    # that knife's --admins option takes.
    admin_list: >-
      {{ admin_users.users | difference(exclude_acct_list) | join(',') }}
...
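---
# Reconcile the admins of a vault item with the Chef server admins group.
# Order is grant-then-revoke: the item never passes through a state with
# fewer admins than it started with, so a run that fails midway cannot leave
# the item undecryptable for the account running knife.
# argv form throughout: each {{ }} value lands in exactly one argument and
# is never re-parsed by a shell.
- name: "Get current admins for {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - show
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - "-Fjson"
      - "-p"
      - admins
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"
  # Read-only query: never report it as a change.
  changed_when: false
  register: current_admins

- name: Capture current admins into a variable
  set_fact:
    vault_admin_list: "{{ current_admins.stdout | from_json }}"

- name: Create list of admins to remove.
  set_fact:
    # Admins on the item today that are no longer in the server admins group.
    remove_list: "{{ vault_admin_list.admins | difference(admin_list) | join(',') }}"

# Add new admin users first. Any knife error here (e.g. on an empty
# admin_list) stops the play before anyone is removed below.
- name: "Set admins for {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - update
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - "--admins"
      - "{{ admin_list }}"
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"

# Admin user cleanup.
- name: "Remove users that are no longer admins for {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - remove
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - "--admins"
      - "{{ remove_list }}"
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"
  when:
    - remove_list is defined
    - remove_list | length > 0
...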
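---
# Update the node search criteria of a vault item and reconcile its admins.
# NOTE(review): the "get current admins / compute remove_list / remove"
# stanza below is a copy of the one in chef_vault_set_admins.yml; keep the
# two in step (or import one from the other).
# Order is grant-then-revoke so the item never holds fewer admins than it
# started with while this file runs.
# argv form throughout: each {{ }} value lands in exactly one argument and
# is never re-parsed by a shell, so the search string needs no escaping.
- name: "Get current admins for {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - show
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - "-Fjson"
      - "-p"
      - admins
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"
  # Read-only query: never report it as a change.
  changed_when: false
  register: current_admins

- name: Capture current admins into a variable
  set_fact:
    vault_admin_list: "{{ current_admins.stdout | from_json }}"

- name: Create list of admins to remove.
  set_fact:
    # Admins on the item today that are no longer in the server admins group.
    remove_list: "{{ vault_admin_list.admins | difference(admin_list) | join(',') }}"

# Update the search criteria and grant the current admin list in one call.
- name: "Set vault node search criteria for {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - update
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - "--search"
      - "({{ search_criteria }})"
      - "--admins"
      - "{{ admin_list }}"
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"

# Admin user cleanup.
- name: "Remove users that are no longer admins for {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - remove
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - "--admins"
      - "{{ remove_list }}"
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"
  when:
    - remove_list is defined
    - remove_list | length > 0
...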
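---
# Create the vault bag and item.
# The original single-string command had an unescaped `"` after
# {{ search_criteria }}, which ended the YAML string early; argv form avoids
# that quoting entirely and places each value in exactly one argument. The
# search value is wrapped in parentheses the same way chef_vault_set_search.yml
# does.
# The item body is a placeholder. Supply real data from an encrypted variable
# rather than a literal here. no_log keeps the command line (and so the item
# body) out of the Ansible output; it does not hide it from the process list
# on the host while knife runs.
- name: "Create vault {{ vault_name | lower }} {{ vault_item | lower }}"
  command:
    argv:
      - knife
      - vault
      - create
      - "{{ vault_name | lower }}"
      - "{{ vault_item | lower }}"
      - '{"user":"<set a user>","password":"<set a pass>"}'
      - "--search"
      - "({{ search_criteria }})"
      - "--admins"
      - "{{ admin_list }}"
      - "--mode"
      - client
    chdir: "{{ chef_home }}"
  become: true
  become_user: "{{ chef_user }}"
  become_flags: "-i"
  no_log: true
...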