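---
# Unseal Vault using key shares from the vault_unseal_keys list.
# Submits the first vault_init_key_threshold keys, one POST per key; Vault
# reports sealed=false once the threshold has been reached.
# Requires at least vault_init_key_threshold entries in vault_unseal_keys.
# Variables read: vault_url, vault_validate_certs, vault_unseal_keys,
# vault_init_key_threshold.

- name: Verify enough unseal keys are available
  # Fail up front with a precise message instead of submitting too few keys
  # and only discovering the shortfall in the final sealed-state assert.
  # Only the list length is evaluated, so no key material reaches output.
  ansible.builtin.assert:
    that:
      - vault_unseal_keys | length >= vault_init_key_threshold | int
    fail_msg: >-
      vault_unseal_keys holds {{ vault_unseal_keys | length }} keys but
      vault_init_key_threshold requires {{ vault_init_key_threshold }}.

- name: Submit unseal keys
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/unseal"
    method: POST
    validate_certs: "{{ vault_validate_certs }}"
    body_format: json
    body:
      key: "{{ item }}"
    status_code: 200
  # Only the first threshold keys are needed; the slice keeps the loop bounded
  # even when more shares than necessary are configured.
  loop: "{{ vault_unseal_keys[:vault_init_key_threshold] }}"
  register: __vault_unseal_result
  # Each item is an unseal key share: keep it out of logs and callback output.
  no_log: true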
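- name: Check unseal status
  ansible.builtin.uri:
    url: "{{ vault_url }}/v1/sys/health"
    method: GET
    validate_certs: "{{ vault_validate_certs }}"
    # /sys/health encodes node state in the HTTP status: 200 active,
    # 429 standby, 503 sealed. Accepting 503 lets this request succeed so the
    # following assert on .json.sealed reports a still-sealed Vault with its
    # own explanatory message instead of this task failing with a bare HTTP
    # status error.
    status_code: [200, 429, 503]
  register: __vault_health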
- name: Assert Vault unsealed successfully
  ansible.builtin.assert:
    # __vault_health is the registered /sys/health response; its JSON body
    # carries the seal state under "sealed".
    that:
      - "not (__vault_health.json.sealed | bool)"
    fail_msg: >-
      Vault is still sealed after submitting
      {{ vault_init_key_threshold }} keys. Check that vault_unseal_keys
      contains the correct keys and try again.
- name: Register unseal success
  # Records that the unseal flow completed for this host so later tasks can
  # gate on __vault_unsealed. Reached only after the preceding assert passed.
  ansible.builtin.set_fact:
    __vault_unsealed: true