ansible-modules-hashivault
SSH CA configuration support
Would be nice if configuration of the SSH CA backend was supported.
https://www.vaultproject.io/api/secret/ssh
https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates
Current way:

```yaml
- name: enable SSH secrets engine
  hashivault_secret_engine:
    name: ssh
    backend: ssh
  environment: "{{ remote_env }}"
  register: ssh_engine
  when: configureSSHEnabled

- name: fetch old_public_key
  uri:
    url: "{{ remote_env.VAULT_ADDR }}/v1/ssh/public_key"
    return_content: yes
  register: old_public_key_result
  changed_when: False
  failed_when: not (old_public_key_result.status // 100 == 2 or old_public_key_result.status // 100 == 4)
  # in case there is no key already in the vault, the above command returns a http 400 status code

- name: import private & public key
  hashivault_write:
    mount_point: ssh
    secret: config/ca
    data:
      private_key: "{{ privateKey }}"
      public_key: "{{ publicKey }}"
  environment: "{{ remote_env }}"
  register: import_keys
  failed_when: import_keys.rc != 0 and ('keys are already configured' not in import_keys.msg)
  when: configureSSHEnabled and (old_public_key_result.status // 100 == 4)

- name: "create {{ item }} role"
  hashivault_write:
    mount_point: ssh
    secret: "roles/{{ item }}"
    data:
      allow_user_certificates: true
      allowed_users: "*"
      allowed_extensions: "permit-pty,permit-port-forwarding"
      # Vault's default_extensions parameter is a map of extension -> value,
      # not a list of single-key maps
      default_extensions:
        permit-pty: ""
        permit-port-forwarding: ""
      key_type: "ca"
      #default_user: "ubuntu"
      ttl: "30m0s"
  environment: "{{ remote_env }}"
  register: ssh_role_result
  when: configureSSHEnabled and 'ssh' in item.lower()
  with_items: "{{ policies.names }}"
```
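The same idempotent flow as the playbook above, written as an added Python example (not code from ansible-modules-hashivault or hvac): probe `/v1/ssh/public_key`, import the CA key pair only when Vault answers 400 because no key exists, tolerate a concurrent "keys are already configured" error, then write a user-certificate role whose extensions are both restricted (`allowed_extensions`) and defaulted (`default_extensions` as a map). The transport is injected; `FakeVault` is a constructed in-memory stand-in whose error strings are assumed, and the key material is a placeholder.

```python
"""Idempotent Vault SSH CA and role configuration (added example, not project code)."""
from typing import Callable, Dict, Optional, Tuple

# transport(method, path_below_/v1/, json_payload) -> (http_status, decoded_body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


class VaultError(RuntimeError):
    """Any response the flow did not anticipate (403, 5xx, ...) is surfaced, not swallowed."""


class SshCaConfigurator:
    def __init__(self, transport: Transport, mount: str = "ssh"):
        self.transport = transport
        self.mount = mount

    def ca_configured(self) -> bool:
        # Same probe as the playbook's "fetch old_public_key" task: 200 with the
        # CA public key, or 400 when no key pair has been imported yet.
        status, body = self.transport("GET", f"{self.mount}/public_key", None)
        if status == 200:
            return True
        if status == 400:
            return False
        raise VaultError(f"unexpected status {status} probing CA: {body}")

    def ensure_ca(self, private_key: str, public_key: str) -> str:
        """Import the CA key pair only if Vault has none; returns 'created' or 'unchanged'."""
        if self.ca_configured():
            return "unchanged"
        status, body = self.transport(
            "POST", f"{self.mount}/config/ca",
            {"private_key": private_key, "public_key": public_key},
        )
        if status in (200, 204):
            return "created"
        # Mirror the playbook's failed_when: a race with another importer is not a failure.
        errors = body.get("errors", []) if isinstance(body, dict) else []
        if status == 400 and any("keys are already configured" in e for e in errors):
            return "unchanged"
        raise VaultError(f"CA import failed with {status}: {body}")

    def ensure_role(self, name: str, allowed_users: str, extensions: Tuple[str, ...],
                    ttl: str = "30m0s") -> Dict[str, object]:
        """Write a user-certificate role; returns the payload that was sent."""
        payload = {
            "key_type": "ca",
            "allow_user_certificates": True,
            "allowed_users": allowed_users,
            # allowed_extensions bounds what a requester may ask for;
            # default_extensions is what they get when they ask for nothing (a map, not a list).
            "allowed_extensions": ",".join(extensions),
            "default_extensions": {ext: "" for ext in extensions},
            "ttl": ttl,
        }
        status, body = self.transport("POST", f"{self.mount}/roles/{name}", payload)
        if status not in (200, 204):
            raise VaultError(f"role write failed with {status}: {body}")
        return payload


class FakeVault:
    """Constructed stand-in for the SSH engine's HTTP behaviour (error texts assumed)."""

    def __init__(self):
        self.ca: Optional[dict] = None
        self.roles: Dict[str, dict] = {}

    def __call__(self, method: str, path: str, payload: Optional[dict]):
        _mount, _, rest = path.partition("/")
        if method == "GET" and rest == "public_key":
            if self.ca is None:
                return 400, {"errors": ["keys haven't been configured yet"]}
            return 200, {"public_key": self.ca["public_key"]}
        if method == "POST" and rest == "config/ca":
            if self.ca is not None:
                return 400, {"errors": ["keys are already configured"]}
            self.ca = payload
            return 200, {"data": {"public_key": payload["public_key"]}}
        if method == "POST" and rest.startswith("roles/"):
            self.roles[rest[len("roles/"):]] = payload
            return 204, {}
        return 404, {"errors": []}


def configure(transport: Transport, role_names: Tuple[str, ...]) -> Dict[str, object]:
    """Run the whole flow once: ensure the CA, then every role whose name mentions ssh."""
    cfg = SshCaConfigurator(transport)
    # Placeholder key material; a real run supplies an existing CA key pair.
    outcome: Dict[str, object] = {
        "ca": cfg.ensure_ca("PLACEHOLDER-PRIVATE-KEY", "ssh-ed25519 PLACEHOLDER"),
    }
    for role in role_names:
        if "ssh" in role.lower():  # same filter as the playbook's `when`
            outcome[role] = cfg.ensure_role(role, "*", ("permit-pty", "permit-port-forwarding"))
    return outcome


if __name__ == "__main__":
    vault = FakeVault()
    print(configure(vault, ("ssh-admin", "db-reader")))   # ca: created
    print(configure(vault, ("ssh-admin",)))                # ca: unchanged
```

A transport for a real server would send `X-Vault-Token` and `json=payload` to `VAULT_ADDR/v1/<path>` and must accept that the real `public_key` endpoint returns the key as plain text rather than JSON; only the status code matters to the probe.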
I assume hvac would have support for this, so might not be too hard.
meh: https://github.com/hvac/hvac/issues/648
I sadly don't see any support for that in the project files: https://github.com/hvac/hvac/tree/develop/hvac/api/secrets_engines
Currently trying to add support in hvac/hvac#811