Extend functionality to write out files and generate certs

Author: k-s-dean

roles/vault/defaults/main.yml

@@ -33,7 +33,14 @@ vault_config: >
         {% else %}
         "tls_disable": "true"
         {% endif %}
+      }{% if vault_bind_address != '127.0.0.1' %},
+    },
+    {
+      "tcp": {
+        "address": "127.0.0.1:8200",
+        "tls_disable": "true"
       }
+    {% endif %}
     }],
     "storage": {
     "consul": {

roles/vault/tasks/consul.yml

@@ -23,4 +23,4 @@
       -retry-join "{{ hostvars[host].ansible_facts[consul_bind_interface].ipv4.address }}"
       {% endif %}
       {% endfor %}
-  become: True
+  become: true

roles/vault/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
-- import_tasks: prechecks.yml
-- import_tasks: consul.yml
-- import_tasks: vault.yml
+- name: "Vault Prechecks"
+  import_tasks: prechecks.yml
+
+- name: "Deploy Consul"
+  import_tasks: consul.yml
+
+- name: "Deploy Vault"
+  import_tasks: vault.yml

roles/vault/tasks/vault.yml

@@ -14,7 +14,7 @@
       VAULT_LOCAL_CONFIG: "{{ vault_config | to_json }}"
     command: >
       server
-  become: True
+  become: true
 
 - name: Check if vault is initialized
   uri:
@@ -25,7 +25,8 @@
   run_once: true
   until: vault_init_status.status == 200
 
-- block:
+- name: "Initialize vault"
+  block:
     - name: Initialize vault
       hashivault_init:
         url: "{{ vault_api_addr }}"

roles/vault_pki/README.md

@@ -0,0 +1,39 @@
+This role Generates a Root and Intermediate certificate and generates leaf certificates
+
+Requirements
+------------
+
+`ansible-modules-hashivault` Python package installed on the Ansible control host
+`hvac` Python package installed on the remote hosts
+
+Note that since version `4.6.4`, `ansible-modules-hashivault` requires
+`ansible>4`.
+
+Role variables
+--------------
+
+* Vault Create Root
+    * `vault_pki_root_create`: Wether to create a RootCA certificate or not (default: `true`)
+    * Mandatory if `vault_pki_root_create` equals `true`
+        * `vault_pki_root_ca_name`: The name of the RootCA to create (string)
+        * `vault_pki_root_ca_common_name`: The common name of the RootCA (default: vault_pki_root_ca_name)
+    * `vault_pki_write_root_ca_to_file`: Wether to write the root CA certificate to a file for importing into a systems trust store (default: `false`)
+
+* Vault Create Intermediate
+    * `vault_pki_intermediate_create`: Wether to create an intermediate CA or not (default: `true`)
+    * `vault_pki_intermediate_import`: Wether to import a pre-existing intermediate pem bundle (default: `false`)
+    * `vault_pki_intermediate_export`: Wether to export the generated intermediate pem bundle (default: `false`)
+
+        * Mandatory if `vault_pki_intermediate_create` equals `true`
+            * `vault_pki_intermediate_ca_name`: The name of the Intermediate CA to create
+            * `vault_pki_intermediate_ca_common_name`:  The common name of the RootCA (default: `vault_pki_intermediate_ca_name`)
+        * Mandatory if `vault_pki_intermediate_import`: equals `true`
+            * `vault_pki_intermediate_ca_bundle`: Concatenated certificate, intermediate and private key
+    * `vault_pki_intermediate_roles`: Certificate Roles to create for the intermediate CA. List of Dicts containing `{name: <role_name>, config: { <pki_option>: <value> ...}`
+
+* Certificate Output
+    * `vault_pki_generate_certificates`: whether to generate leaf certificates or not (default: `false`)
+    * `vault_pki_write_certificates_host:` The host on which certificates will be written to. (default: "localhost")
+    * `vault_pki_certificates_directory`: directory to output certificate files to.
+    * `vault_pki_write_certificates`: wether to write generated certificates to a file or not (default: `false`)
+    * `vault_pki_certificate_subject`: The certificate subject parameters e.g. `ttl` `ip_sans`. List of Dicts containing `{role: <name of Certificate role>, common_name: <common name of certificate>, extra_params: {ttl: <value>, alt_sans: <value>, ip_sans: <value> }}`

roles/vault_pki/defaults/main.yml

@@ -1,12 +1,22 @@
 ---
-vault_pki_root_create: True
+vault_pki_root_create: true
 vault_pki_root_ca_name: ""
 vault_pki_root_ca_common_name: "{{ vault_pki_root_ca_name }}"
+vault_pki_write_root_ca_to_file: false
 
-vault_pki_intermediate_create: True
-vault_pki_intermediate_import: False
+vault_pki_intermediate_create: true
+vault_pki_intermediate_import: false
+vault_pki_intermediate_export: false
 vault_pki_intermediate_ca_name: ""
 vault_pki_intermediate_ca_common_name: "{{ vault_pki_intermediate_ca_name }}"
-vault_pki_intermediate_ca_type: "internal"
+vault_pki_intermediate_ca_bundle: ""
 
 vault_pki_intermediate_roles: {}
+
+vault_pki_generate_certificates: false
+
+vault_pki_write_certificates_host: "localhost"
+vault_pki_write_certificates_directory: ""
+vault_pki_write_certificate_files: false
+
+vault_pki_certificate_subject: []

roles/vault_pki/tasks/create_cert.yml

@@ -0,0 +1,23 @@
+---
+- name: "Generate Certificate"
+  hashivault_pki_cert_issue:
+    url: "{{ vault_api_addr }}"
+    token: "{{ vault_token }}"
+    mount_point: "{{ vault_pki_intermediate_ca_name }}"
+    common_name: "{{ item.common_name }}"
+    role: "{{ item.role }}"
+    extra_params: "{{ item.extra_params }}"
+  loop: "{{ vault_pki_certificate_subject }}"
+  register: certificate_data
+
+- name: "Write out certificate pem_bundle"
+  copy:
+    content: |
+      {{ item.data.certificate }}
+      {{ item.data.issuing_ca }}
+      {{ item.data.private_key }}
+    dest: "{{ vault_pki_certificates_directory }}/{{ item.item.common_name | replace(' ', '-') }}.pem"
+    mode: 0600
+  delegate_to: "{{ vault_pki_certificates_host }}"
+  loop: "{{ certificate_data.results }}"
+  when: vault_pki_write_certificate_files | bool

roles/vault_pki/tasks/intermediate.yml

@@ -14,12 +14,13 @@
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
-        type: "{{ vault_pki_intermediate_ca_type }}"
+        type: "{% if vault_pki_intermediate_export | bool %}exported{% else %}internal{% endif %}"
         common_name: "{{ vault_pki_intermediate_ca_common_name }}"
         kind: "intermediate"
         config:
           key_bits: 4096
           max_lease_ttl: "43830h"
+          default_lease_ttl: "43830h"
       register: intermediate_ca_csr
 
     - name: "Sign Intermediate CSR"
@@ -37,7 +38,35 @@
         url: "{{ vault_api_addr }}"
         token: "{{ vault_token }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
-        certificate: "{{ intermediate_ca_csr_signed.data.certificate }}\n{{ intermediate_ca_csr_signed.data.issuing_ca }}"
+        certificate: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+          {{ intermediate_ca_csr_signed.data.issuing_ca }}
+      when:
+        - not vault_pki_intermediate_export | bool
+
+    - name: "Set Exported Intermediate as signed"
+      hashivault_pki_ca_set:
+        url: "{{ vault_api_addr }}"
+        token: "{{ vault_token }}"
+        mount_point: "{{ vault_pki_intermediate_ca_name }}"
+        pem_bundle: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+          {{ intermediate_ca_csr_signed.data.issuing_ca }}
+          {{ intermediate_ca_csr.data.private_key }}
+      when:
+        - vault_pki_intermediate_export | bool
+
+    - name: "Write out Intermediate Certs and keys to file"
+      copy:
+        content: |
+          {{ intermediate_ca_csr_signed.data.certificate }}
+          {{ intermediate_ca_csr_signed.data.issuing_ca }}
+          {{ intermediate_ca_csr.data.private_key }}
+        dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name |replace(' ', '-') }}.pem"
+        mode: 0600
+      delegate_to: "{{ vault_pki_certificates_host }}"
+      when:
+        - vault_pki_intermediate_export | bool
 
   when: not vault_pki_intermediate_import | bool
 
@@ -49,5 +78,5 @@
         token: "{{ vault_token }}"
         mount_point: "{{ vault_pki_intermediate_ca_name }}"
         pem_bundle: "{{ vault_pki_intermediate_ca_bundle }}"
- 
+
   when: vault_pki_intermediate_import | bool

roles/vault_pki/tasks/main.yml

@@ -1,10 +1,21 @@
 ---
-- include_tasks: "prechecks.yml"
-- include_tasks: "root.yml"
+- name: "Prechecks"
+  include_tasks: "prechecks.yml"
+
+- name: "Generate Root"
+  include_tasks: "root.yml"
   when: vault_pki_root_create | bool
 
-- include_tasks: "intermediate.yml"
+- name: "Generate Intermediate"
+  include_tasks: "intermediate.yml"
   when: vault_pki_intermediate_create | bool
 
-- include_tasks: "roles.yml"
+- name: "Define Roles"
+  include_tasks: "roles.yml"
   when: vault_pki_intermediate_roles | length > 0
+
+- name: "Generate Certificates"
+  include_tasks: "create_cert.yml"
+  when:
+    - vault_pki_generate_certificates | bool
+    - vault_pki_certificate_subject | length > 0

roles/vault_pki/tasks/prechecks.yml

@@ -4,7 +4,7 @@
     msg: "variable {{ item }} is not set"
   when:
     - vars[item.name] | length == 0
-    - item.when 
+    - item.when
   loop:
     - { "name": "vault_pki_root_ca_name", "when": "vault_pki_root_create | bool" }
     - { "name": "vault_pki_intermediate_ca_name", "when": "vault_pki_intermediate_create | bool" }