ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
1862f2007438916b4f7d9c9601d4445660d06586
toallab-automation/roles/vault_setup/tasks/init.yml

55 lines
2.1 KiB
YAML
Raw Blame History

---
# Initialize Vault. Idempotent: skips if already initialized.
# On success, displays root token and unseal keys for manual saving to 1Password.
# After saving, rerun the playbook (default play) to complete configuration.
- name: Check Vault initialization status
ansible.builtin.uri:
url: "{{ vault_url }}/v1/sys/init"
method: GET
validate_certs: "{{ vault_validate_certs }}"
register: __vault_init_status
- name: Skip init (already initialized)
ansible.builtin.debug:
msg: "Vault is already initialized. Skipping init."
when: __vault_init_status.json.initialized | bool
- name: Initialize Vault
ansible.builtin.uri:
url: "{{ vault_url }}/v1/sys/init"
method: POST
validate_certs: "{{ vault_validate_certs }}"
body_format: json
body:
secret_shares: "{{ vault_init_key_shares }}"
secret_threshold: "{{ vault_init_key_threshold }}"
status_code: 200
register: __vault_init_result
no_log: true
when: not __vault_init_status.json.initialized | bool
- name: Display init output — SAVE TO 1PASSWORD NOW
ansible.builtin.debug:
msg:
- "*** VAULT INITIALIZED — SAVE THE FOLLOWING TO 1PASSWORD IMMEDIATELY ***"
- ""
- "Root Token:"
- " vault_vault_root_token: {{ __vault_init_result.json.root_token }}"
- ""
- "Unseal Keys (need {{ vault_init_key_threshold }} of {{ vault_init_key_shares }}):"
- "{% for key in __vault_init_result.json.keys_base64 %} unseal_key_{{ loop.index }}: {{ key }}{% endfor %}"
- ""
- "Save vault_unseal_keys as a list of {{ vault_init_key_threshold }} key strings in 1Password."
- "Save vault_vault_root_token to 1Password."
when: not __vault_init_status.json.initialized | bool
- name: Fail after init — save credentials before continuing
ansible.builtin.fail:
msg: >-
Vault initialization complete.
SAVE the root token and unseal keys to 1Password before continuing.
Then run the default play to unseal and configure OIDC:
ansible-navigator run playbooks/deploy_vault.yml
when: not __vault_init_status.json.initialized | bool
Reference in New Issue View Git Blame Copy Permalink