
ansible-community / ansible-vault

350.0 13.0 191.0 641 KB

:key: Ansible role for Hashicorp Vault

License: BSD 2-Clause "Simplified" License

Shell 24.91% Jinja 74.19% Makefile 0.90%
devops ansible-role vault vagrant virtualbox hashicorp vault-enterprise consul vault-tls vault-hsm

ansible-vault's People

Contributors

aarnaud, adrianmoisey, ahjohannessen, akerouanton, arledesma, bbaassssiiee, bbayszczak, brianshumate, calebtonn, dotdiego, drewmullen, dvmonroe, elcomtik, eripa, falcosuessgott, fuochi, gardar, gerrrr, gfeun, in0rdr, jtcarnes, legogris, markafarrell, michelmzs, nathkn, nehrman, patsevanton, planetrobbie, user404d, willhaines


ansible-vault's Issues

Ansible-lint: Use shell only when shell functionality is required

Ansible-lint found an issue in this role.

Using shell instead of command

The shell module is potentially more dangerous than the command module (ok, nothing is really stopping you doing command: rm -rf --no-preserve-root) and should only be used when you actually need shell functionality. So if you’re not stringing two commands together (using pipes or even just && or ;), you don’t really need the shell module. Similarly, expanding shell variables or file globs require the shell module. If you’re not using these features, don’t use the shell module. If you are using these features, think twice if you can rewrite the shell command to make it more Ansibley.

Will Thames

Fails on Debian 9:

setcap: not found
To fix it, libcap2-bin should be installed.

TASK [brianshumate.vault : Enable non root mlock capability] *******************************************************************************************************************************************************
fatal: [vault1]: FAILED! => {"changed": false, "cmd": "setcap cap_ipc_lock=+ep /usr/local/bin/vault", "msg": "[Errno 2] No such file or directory", "rc": 2}
fatal: [vault2]: FAILED! => {"changed": false, "cmd": "setcap cap_ipc_lock=+ep /usr/local/bin/vault", "msg": "[Errno 2] No such file or directory", "rc": 2}
fatal: [vault3]: FAILED! => {"changed": false, "cmd": "setcap cap_ipc_lock=+ep /usr/local/bin/vault", "msg": "[Errno 2] No such file or directory", "rc": 2}

Vault won't start due to AmbientCapabilities in systemd unit file

In version v2.0.7 of this role, the systemd unit file includes the following line:

AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK

However, on a Centos7 host running Linux 3.10.0-693.11.1.el7.x86_64 with systemd 219, this causes vault to fail to start with the following log message:

systemd[20617]: Failed at step CAPABILITIES spawning /usr/local/bin/vault: Operation not permitted

Removing this line allows systemd to start.

It sounds to me like the playbook should only attempt to include that line if the software version supports it, perhaps this should be wrapped in a conditional check instead of being included on every system.

Note: Yum shows no pending upgrades available for this system, so I don't think this can be solved with a yum upgrade.

Unable to (re)install latest version

Not sure when this popped up. But you now have to specify the exact version you want to install (ansible-galaxy install -vvv brianshumate.vault,v2.0.1).

This is related to: pulp/pulp_ansible#18 and may be either a duplicate version tag or the tag of 1.2.10 compared to all the other tags that start with v.

Under ansible-galaxy 2.4.3:

ansible-galaxy 2.4.3.0
  config file = /Users/ytjohn/vsprojects/metallica-ansible/ansible.cfg
  configured module search path = ['/Users/ytjohn/vsprojects/metallica-ansible/ext_roles/plugins/library', '/Users/ytjohn/vsprojects/metallica-ansible/library']
  ansible python module location = /Users/ytjohn/.venvs/py3/lib/python3.6/site-packages/ansible
  executable location = /Users/ytjohn/.venvs/py3/bin/ansible-galaxy
  python version = 3.6.0 (default, Dec 24 2016, 08:01:42) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
Using /Users/ytjohn/vsprojects/metallica-ansible/ansible.cfg as config file
Opened /Users/ytjohn/.ansible_galaxy
Processing role brianshumate.vault
Opened /Users/ytjohn/.ansible_galaxy
- downloading role 'vault', owned by brianshumate
https://galaxy.ansible.com/api/v1/roles/?owner__username=brianshumate&name=vault
https://galaxy.ansible.com/api/v1/roles/15830/versions/?page_size=50
https://galaxy.ansible.com/api/v1/roles/15830/versions/?page=2&page_size=50
ERROR! Unexpected Exception, this is probably a bug: '<' not supported between instances of 'int' and 'str'

Upgraded to 2.5.4:

(py3) jh1:metallica-ansible ytjohn$ ansible-galaxy install -vvv brianshumate.vault
ansible-galaxy 2.5.4
  config file = /Users/ytjohn/vsprojects/metallica-ansible/ansible.cfg
  configured module search path = ['/Users/ytjohn/vsprojects/metallica-ansible/ext_roles/plugins/library', '/Users/ytjohn/vsprojects/metallica-ansible/library']
  ansible python module location = /Users/ytjohn/.venvs/py3/lib/python3.6/site-packages/ansible
  executable location = /Users/ytjohn/.venvs/py3/bin/ansible-galaxy
  python version = 3.6.0 (default, Dec 24 2016, 08:01:42) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
Using /Users/ytjohn/vsprojects/metallica-ansible/ansible.cfg as config file
Opened /Users/ytjohn/.ansible_galaxy
Processing role brianshumate.vault
Opened /Users/ytjohn/.ansible_galaxy
- downloading role 'vault', owned by brianshumate
https://galaxy.ansible.com/api/v1/roles/?owner__username=brianshumate&name=vault
https://galaxy.ansible.com/api/v1/roles/15830/versions/?page_size=50
https://galaxy.ansible.com/api/v1/roles/15830/versions/?page=2&page_size=50
 [WARNING]: - brianshumate.vault was NOT installed successfully: Unable to compare role versions (v1.3.3, v1.3.4, v1.3.5, v1.3.6, v1.3.7, v1.3.8, v1.3.9, v1.4.0, v1.4.1, v1.5.0, v1.5.1, v1.5.2, v1.5.3, v1.5.4,
v1.5.5, v1.5.6, v1.5.7, v1.6.0, v1.6.1, v1.6.2, v1.6.3, v1.6.4, v1.6.5, v1.6.6, v1.6.7, v1.6.8, v1.7.0, v1.7.1, v1.7.2, v1.7.3, v1.7.4, v1.7.5, v1.7.6, v1.7.7, v1.7.8, v1.8.0, v2.0.0, v2.0.1, v0.9.1, v1.0.0,
v1.0.1, v1.0.2, v1.0.3, v1.0.4, v1.0.5, v1.0.6, v1.0.7, v1.0.8, v1.0.9, v1.0.10, v1.0.11, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.2.4, v1.2.5, v1.2.6, v1.2.7, v1.2.8, v1.2.9, v1.2.10, v1.3.0, v1.3.1, v1.3.10, v1.3.11,
1.2.10) to determine the most recent version due to incompatible version formats. Please contact the role author to resolve versioning conflicts, or specify an explicit role version to install.

Default TLS names differ from documentation

Hi,
great ansible role!
I found some small glitches in the documentation / defaults/main.yml role vars.

  • vault_tls_cert_file defaults to vault.crt
  • vault_tls_key_file defaults to vault.key

In README.md the defaults of these variables are documented as

  • server.crt
  • server.key

I personally would prefer the latter, as it would be consistent with your ansible-consul role.

regards
Holger

Task Get installed Vault version fails with "No such file or directory"

The task Get installed Vault version fails with the following error:

fatal: [myhost]: FAILED! => changed=false
  cmd: |-
    set -o pipefail
    "/usr/local/bin/vault -version | cut -d' ' -f2 | tr -d 'v'"
  delta: '0:00:00.006511'
  ...
  stderr: '/bin/sh: line1: /usr/local/bin/vault -version | cut -d'' '' -f2 | tr -d ''v'': No such file or directory'
  ...

The double quotes around the vault binary call must be removed; as it is a multi-line declaration, the quotes are not needed:

- name: Get installed Vault version
  shell: |
    set -o pipefail
    {{ vault_installation.stdout }} -version | cut -d' ' -f2 | tr -d 'v'
  when: not vault_installation is failed
  changed_when: false
  check_mode: false
  register: installed_vault_version

Vault API reachable task creates a malformed URL

I'm using this play:

- hosts: ca
  vars:
    vault_backend: file
    vault_cluster_disable: True
    vault_cluster_name: telx
    vault_datacenter: telx
    vault_iface: ens3
  roles:
    - hashicorp-vault

During the "Vault API reachable?" task, the URL gets created malformed as seen below in the debug output. It's trying to reach "\"http\" \"://10.128.18.163\" \":8200/v1/sys/health\"\n".

If I instead change the task to construct the url on one line with "url: "{{ vault_tls_disable | ternary('http', 'https') }}://{{ (vault_address == '0.0.0.0') | ternary('127.0.0.1', vault_address) }}:{{ vault_port }}/v1/sys/health" it works fine. This is using ansible 2.7.9 on Ubuntu 18.04.

FAILED - RETRYING: Vault API reachable? (30 retries left).Result was: {
    "attempts": 1,
    "changed": false,
    "content": "",
    "invocation": {
        "module_args": {
            "attributes": null,
            "backup": null,
            "body": null,
            "body_format": "json",
            "client_cert": null,
            "client_key": null,
            "content": null,
            "creates": null,
            "delimiter": null,
            "dest": null,
            "directory_mode": null,
            "follow": false,
            "follow_redirects": "safe",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "Content-Type": "application/json"
            },
            "http_agent": "ansible-httpget",
            "method": "GET",
            "mode": null,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "200"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "\"http\" \"://10.128.18.163\" \":8200/v1/sys/health\"\n",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": false
        }
    },
    "msg": "Status code was -1 and not [200]: Request failed: <urlopen error unknown url type: \"http\" \">",
    "redirected": false,
    "retries": 31,
    "status": -1,
    "url": "\"http\" \"://10.128.18.163\" \":8200/v1/sys/health\"\n"
}

Support for Vault Telemetry

Hello,
I'm interested in seeing this ansible-vault role support configuring telemetry information for vault. I've looked and there doesn't seem to be an option for this yet.

In the sister role for ansible-consul, this was implemented like so: https://github.com/brianshumate/ansible-consul#custom-configuration-section

I'm wondering if the same would work here, or if it instead deserves its own telemetry section.

Starting this Issue as a discussion point, I may end up implementing this myself.

Failed to validate the SSL certificate for releases.hashicorp.com:443

This seems to be an issue with Python 3:

TASK [brianshumate.vault : Get Vault package checksum file] *********************************************************************
fatal: [vault]: FAILED! => changed=false 
  msg: 'Failed to validate the SSL certificate for releases.hashicorp.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852).'
  status: -1
  url: https://releases.hashicorp.com/vault/1.1.2/vault_1.1.2_SHA256SUMS

TASK [brianshumate.vault : Download Vault → https://releases.hashicorp.com/vault/1.1.2/vault_1.1.2_linux_amd64.zip] *************
fatal: [vault]: FAILED! => changed=false 
  msg: 'Failed to validate the SSL certificate for releases.hashicorp.com:443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform: /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible. The exception msg was: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852).'
  status: -1
  url: https://releases.hashicorp.com/vault/1.1.2/vault_1.1.2_linux_amd64.zip

Ansible version: 2.8.1
Python version: 3.7.3

I can only complete the role when I'm adding validate_certs: no to both get_uri tasks, but that defies the whole point …

Provide an "agent only" mode

Some of the nodes in our infrastructure require the vault agent to be installed without configuring it as a server so that they can authenticate via various means or query the cluster state.

It would be great if there were a configuration flag on the role that installed Vault in "agent mode only".

I'm happy to contribute this code if we can agree on a design, but I'm hoping that this exists already and that I've missed the appropriate flag! :)

vault_tls_ca_file variable not implemented

God, I hope I'm not just being clueless.

I had set the variable vault_tls_ca_file but with no effect. A grep of the source doesn't return any hits for this value.

If I get a chance I'll try to submit a patch, but it may be a couple of weeks

Follow up:
Same basic issue: the GitHub version at commit 6d6d742 is not the same version as retrieved by the ansible-galaxy command. The GitHub version does work as expected and documented in this case. 6d6d74242dbb06844ff5d15d02451884b21a4767 is the latest commit.

return code 429 is also valid in HA mode

In HA mode, only one vault node will become active node and therefore return status code 200 when queried for /sys/health. All other nodes will become standby and return 429 (unsealed and standby). Still, if return code 429 is returned, it means that node is unsealed and part of the "cluster".

Would it make sense that task called "Vault API reachable? If not please unseal it" in tasks/main.yml accepts status_code 429 besides 200?

Reference:
https://www.vaultproject.io/api/system/health.html
https://www.vaultproject.io/docs/concepts/ha.html

Systemd issues with 2.0.4

In the 2.0.4 tagged release, the systemd service file that is deployed appears to have an extraneous malformed line.

This line: https://github.com/brianshumate/ansible-vault/blob/v2.0.4/templates/vault_systemd.service.j2#L39

Is causing the following error, determined by trial-and-error removing different parts of the file:

Sep 15 03:27:38 $HOSTNAME systemd[1]: [/usr/lib/systemd/system/vault.service:38] Missing '='.

I see that this is already resolved in the master branch, could you push a new tagged release at your earliest convenience?

Thanks kindly!

Allow overriding main configuration template

#2 extended the backend template to be configurable, but the main template is still static. It would be nice to be able to specify our own main template or at least exposing the following that are currently specified:

  • vault_cluster_name (c01d293 #4)
  • vault_tls_disable

And optionally include the following:

  • vault_cluster_address
  • vault_tls_cert_file
  • vault_tls_key_file
  • vault_tls_min_version
  • vault_tls_cipher_suites
  • vault_tls_prefer_server_cipher_suites

vault_tls_src_files isn't implemented

Based on the documentation I believe that the variable vault_tls_src_files should determine the path to the TLS files to be installed in /etc/vault/tls. It's not working for me, and performing a grep -r vault_tls_src_files in the tasks directory (on the most current install from ansible galaxy) brings up no hits.

Workaround is to specify the full path for vault_tls_key_file and vault_tls_cert_file.

Follow-up:
Interesting - the version I get with ansible-galaxy install is different from the GitHub version. The GitHub version does include vault_tls_src_files. The GitHub version I'm comparing is showing 6d6d742 as latest commit.

Odd use of with_fileglob

Hi,

I happened to notice an odd complaint like this from ansible-review in some code that included this role.

ERROR: Standard "bare words are deprecated for with_items" not met:
./vault/tasks/install_remote.yml:61: [ANSIBLE0015] Found a bare variable '/tmp/vault' used in a 'with_fileglob' loop. You should use the full variable syntax ('{{/tmp/vault}}')

This error seems to be complaining about this line. Is there any reason to use with_fileglob: here (apparently to delete that entire directory, without using any * wildcard) ? Why not just something like:

- name: Cleanup
  file:
    path: "/tmp/vault"
    state: absent
  tags: installation

Allow overriding backend configuration

Currently, the role seems to always start the vault service with the templated vault_main.hcl, which has a hard-wired consul backend. This makes it impossible to properly use the role with any other backend because starting the service fails.

It should be possible to configure the backend.

Missing attributes in seal template

When attempting to use the Azure KMS seal, the generated configuration only contained the tenant_id and if I'm understanding correctly it looks like the bool filter is preventing these values from landing in the template -

seal "azurekeyvault" {
  tenant_id     = "{{ vault_azurekeyvault_tenant_id }}"
{% if vault_azurekeyvault_client_id | bool %}
  client_id     = "{{ vault_azurekeyvault_client_id }}"
{% endif %}
...
}

The ansible docs state that this filter is used for truthy strings so I'm pretty sure this is the problem, but it looks like these were added deliberately so I wanted to make sure before filing a PR. (Update template filenames, apply bool filter, and update docs)

https://docs.ansible.com/ansible/latest/user_guide/playbooks_conditionals.html -

Variables defined in the playbooks or inventory can also be used, just make sure to apply the |bool filter to non boolean variables (ex: string variables with content like ‘yes’, ‘on’, ‘1’, ‘true’).

Task Get Vault package checksum (local) fails if shell is sh

Hello,

Thank you for your role to deploy HashiCorp Vault with Ansible.

As asked in the contributing guide, I'm opening an issue before submitting my PR for review.

I'm facing this bug with the role:

TASK [ansible-vault : Get Vault package checksum (local)] **********************************************************************************************************************************************************
fatal: [vault-01.xxxx -> 127.0.0.1]: FAILED! => {
    "changed": true,
    "cmd": "set -o pipefail\n grep \"vault_1.1.2_linux_amd64.zip\" \"/home/fleu42/Code/ansible/roles/ansible-vault/files/vault_1.1.2_SHA256SUMS\" | awk '{print $1}'",
    "delta": "0:00:00.002455",
    "end": "2019-05-21 16:51:43.528522",
    "rc": 2,
    "start": "2019-05-21 16:51:43.526067"
}

STDERR:

/bin/sh: 1: set: Illegal option -o pipefail


MSG:

non-zero return code

pipefail is a bash option, which is obviously why the task fails.

I use:

$ python --version
Python 3.6.7

and

$ ansible --version
ansible 2.7.10
  config file = /home/fleu42/Code/ansible/playbooks/ansible.cfg
  configured module search path = ['/home/fleu42/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/fleu42/Code/ansible/playbooks/ansible/lib/python3.6/site-packages/ansible
  executable location = /home/fleu42/Code/ansible/playbooks/ansible/bin/ansible
  python version = 3.6.7 (default, Oct 22 2018, 11:32:17) [GCC 8.2.0]

Unable to retrieve access keys when running Vault as a service

Hi,

I'm not sure if this is a newbie mistake on my end, but when I run Vault as a service using this role, I can't see the access tokens and root token to unseal vault. Is this an issue with the playbook or am I missing something very basic...

Thanks!!

api_addr should match TLS certificate

/etc/vault.d/vault_main.hcl has an IP address for api_addr, this is not included in my certificate.
This causes a TLS problem when I try using Seth Vargo's Plugin

api_addr = "https://10.1.1.64:8200"

I would rather use "{{ ansible_fqdn }}" or "{{ inventory_hostname }}". Why not?

Support tls files in subdirectories

Our Vault VMs came with pre-installed TLS keys, certs, and CAs. These were located in subdirectories of /etc/pki/tls (e.g., /etc/pki/tls/private).

We tried to work around this by defining TLS location variables to include a subdirectory, such as:

vault_tls_key_file: private/server-vault.key

However, this breaks the Ansible role (because, in this example, private does not exist under the destination vault_tls_config_path, resulting in a file not found error).

To proceed, we could either (a) copy the files to a single source directory so the role would work as-is, (b) modify the role to create subdirectories under vault_tls_config_path, or (c) modify the role to copy files from source subdirectories into vault_tls_config_path without subdirectories. We chose the latter.

The simplest approach was to add a "basename" filter where TLS variables were used, e.g.,

- dest: "{{ vault_tls_config_path }}/{{ vault_tls_key_file }}"
+ dest: "{{ vault_tls_config_path }}/{{ vault_tls_key_file | basename }}"

This enables vault_tls_key_file (and other TLS source location variables) to include a subdirectory prefix. This change should be backward-compatible with existing playbooks that expect TLS source files co-located in one directory.

This change is needed in several files (tasks/main.yml, tasks/tls.yml, templates/vault_backend_consul.j2, templates/vault_backend_etcd.j2, and templates/vault_main_configuration.hcl.j2), for the following variables:

  • vault_tls_cert_file
  • vault_tls_key_file
  • vault_tls_ca_file

Add option to skip certificate validation in API reachability check

Currently in the task Vault API reachable? If not please unseal it there's no support for skipping certificate validation. This is problematic since the vault_address defaults to an IP address. It can also be useful if you rely on self-signed certs.

I can submit a PR for this.

Vault systemd service file on main branch fails on systemd 237

I am hoping that by this time you haven't stuck my picture on a dartboard.

I forked ansible-vault yesterday and have been using it instead of the galaxy version. Unfortunately I found that the systemd vault service is invalid on my Ubuntu bionic system running systemd 237. There seem to be 3 problems:

  • The Capabilities statement on line 26 is invalid. It appears to have been removed as per
    https://github.com/systemd/systemd/blob/master/NEWS. I think it needs to be incorporated into the CapabilityBoundingSet setting on line 27.

  • The mlock item on line 39 is causing Missing '=' messages. If I understand hashicorp/vault#3605 correctly, it can be removed given the presence of LimitMEMLOCK=infinity on line 40.

  • The StartLimitIntervalSec at line 37 generates an unknown lvalue error. https://github.com/systemd/systemd/blob/master/NEWS indicates that this item has been moved from the Service section to the Unit section.

steve

dnsmasq ansible tasks gated by bootstrap status

Hello again, I'm hitting a problem with the dnsmasq portion of the playbook.

Problem: The ansible tasks for installing and configuring dnsmasq are gated behind the bootstrap state file existing, meaning that once consul has been deployed for the first time, running the ansible playbook cannot be used to update the dnsmasq config.

Actual Result:
Running the ansible playbook to update dnsmasq config after consul has been configured does not result in the new dnsmasq config being deployed.

Expected Result:
Running the ansible playbook to update dnsmasq config after consul has been deployed successfully updates the /etc/dnsmasq.d/10-consul file with the new value.

Proposed solution:
Unless there is a reason for the dnsmasq config to be gated behind that when condition for bootstrap_state, I propose that the task inclusion be moved below that block.

References:
The problem seems to be here: https://github.com/brianshumate/ansible-consul/blob/master/tasks/main.yml#L282

systemd: Can't bind vault to port 443

I try to run vault on port 443 (using default user/group), however, I get the following error:

error initializing listener of type tcp: listen tcp xx.xx.xx.xx:443: bind: permission denied

I tried adding CAP_NET_BIND_SERVICE to both CapabilityBoundingSet and AmbientCapabilities, but that still didn't work for me. Any ideas?

Where is the 2.5.3 release?

I see it tagged here, I see it moved from Brian's repo, I do not see it in ansible galaxy, am I missing something?

Thanks,
-Erinn

Next tag ?

Hi there

I need the service registration commit : 6808efc

When will you make a tag ?

Playbook fails when Vault is not initialized.

This issue is similar to #83 Vault API reachable? - fails. To use this role in a larger playbook, where auto-init and auto-unseal are implemented, it would help if the health_check at the end simply reports the status. Now it seems stuck in the loop when the status is just how this role delivers Vault: not initialized.

TASK [ansible-hashicorp-vault : Vault API reachable?] **************************
FAILED - RETRYING: Vault API reachable? (30 retries left).
FAILED - RETRYING: Vault API reachable? (29 retries left).
FAILED - RETRYING: Vault API reachable? (28 retries left).
FAILED - RETRYING: Vault API reachable? (27 retries left).
FAILED - RETRYING: Vault API reachable? (26 retries left).
FAILED - RETRYING: Vault API reachable? (25 retries left).
FAILED - RETRYING: Vault API reachable? (24 retries left).
FAILED - RETRYING: Vault API reachable? (23 retries left).
FAILED - RETRYING: Vault API reachable? (22 retries left).
FAILED - RETRYING: Vault API reachable? (21 retries left).
FAILED - RETRYING: Vault API reachable? (20 retries left).
FAILED - RETRYING: Vault API reachable? (19 retries left).
FAILED - RETRYING: Vault API reachable? (18 retries left).
FAILED - RETRYING: Vault API reachable? (17 retries left).
FAILED - RETRYING: Vault API reachable? (16 retries left).
FAILED - RETRYING: Vault API reachable? (15 retries left).
FAILED - RETRYING: Vault API reachable? (14 retries left).
FAILED - RETRYING: Vault API reachable? (13 retries left).
FAILED - RETRYING: Vault API reachable? (12 retries left).
FAILED - RETRYING: Vault API reachable? (11 retries left).
FAILED - RETRYING: Vault API reachable? (10 retries left).
FAILED - RETRYING: Vault API reachable? (9 retries left).
FAILED - RETRYING: Vault API reachable? (8 retries left).
FAILED - RETRYING: Vault API reachable? (7 retries left).
FAILED - RETRYING: Vault API reachable? (6 retries left).
FAILED - RETRYING: Vault API reachable? (5 retries left).
FAILED - RETRYING: Vault API reachable? (4 retries left).
FAILED - RETRYING: Vault API reachable? (3 retries left).
FAILED - RETRYING: Vault API reachable? (2 retries left).
FAILED - RETRYING: Vault API reachable? (1 retries left).
fatal: [myhost]: FAILED! => {"attempts": 30, "cache_control": "no-store", "changed": false, "connection": "close", "content": "{\"initialized\":false,\"sealed\":true,\"standby\":true,\"performance_standby\":false,\"replication_performance_mode\":\"unknown\",\"replication_dr_mode\":\"unknown\",\"server_time_utc\":1570612414,\"version\":\"1.2.2\"}\n", "content_length": "199", "content_type": "application/json", "date": "Wed, 09 Oct 2019 09:13:34 GMT", "elapsed": 0, "json": {"initialized": false, "performance_standby": false, "replication_dr_mode": "unknown", "replication_performance_mode": "unknown", "sealed": true, "server_time_utc": 1570612414, "standby": true, "version": "1.2.2"}, "msg": "Status code was 501 and not [200, 503]: HTTP Error 501: Not Implemented", "redirected": false, "status": 501, "url": "https://10.1.1.128:8200/v1/sys/health"}
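Three of the issues above concern the same "Vault API reachable?" probe: the malformed multi-line URL, the HA standby nodes answering 429, and the uninitialized node answering 501 for thirty retries. The following is an added example (not code from the role or from any of the reporters) showing how a playbook helper could build the URL in one expression and turn the status code plus the JSON body into a state it can act on. The function names, the `HealthVerdict` fields and the sample body are assumptions for illustration; the status-code meanings are the ones Vault documents for GET /v1/sys/health.

```python
"""Vault /v1/sys/health probe helpers (added example, not the role's code)."""
import json
from dataclasses import dataclass
from typing import Optional

# Status codes Vault documents for GET /v1/sys/health. 200, 429, 501 and 503
# appear in the issue reports above; 472/473 are the replication variants.
HEALTH_CODES = {
    200: "active",                # initialized, unsealed, active
    429: "standby",               # unsealed, standby member of an HA cluster
    472: "dr-secondary",
    473: "performance-standby",
    501: "uninitialized",
    503: "sealed",
}

# What a "reachable?" check should accept in HA mode: active or standby.
REACHABLE_STATUS_CODES = (200, 429)


def health_url(vault_tls_disable: bool, vault_address: str, vault_port: int) -> str:
    """Assemble the URL in one expression, like the one-line `url:` that works.

    A listener bound to 0.0.0.0 is probed through loopback, matching the
    ternary used in the issue.
    """
    scheme = "http" if vault_tls_disable else "https"
    host = "127.0.0.1" if vault_address == "0.0.0.0" else vault_address
    return f"{scheme}://{host}:{vault_port}/v1/sys/health"


@dataclass
class HealthVerdict:
    state: str              # active | standby | sealed | uninitialized | ...
    unsealed: bool          # node is unsealed and part of the cluster
    keep_waiting: bool      # True only while retrying could still succeed
    version: Optional[str]  # taken from the JSON body when present


def classify_health(status: int, body: str = "") -> HealthVerdict:
    """Map a health response to a verdict.

    status -1 is what Ansible's uri module reports when no request was made
    at all (the malformed-URL case): keep retrying. A 501 or 503 is a
    definite answer (the node needs init / unseal), so retrying thirty
    times, as in the trace above, cannot change it.
    """
    if status < 0:
        return HealthVerdict("unreachable", False, True, None)

    info = {}
    try:
        parsed = json.loads(body) if body else {}
        if isinstance(parsed, dict):
            info = parsed
    except json.JSONDecodeError:
        pass  # non-JSON body: fall back to the status code alone

    if "initialized" in info and "sealed" in info:
        # The body is authoritative when present (it is what the trace shows).
        if not info["initialized"]:
            state = "uninitialized"
        elif info["sealed"]:
            state = "sealed"
        elif info.get("standby"):
            state = "standby"
        else:
            state = "active"
    else:
        state = HEALTH_CODES.get(status, "unknown")

    unsealed = state in ("active", "standby", "dr-secondary", "performance-standby")
    return HealthVerdict(state, unsealed, False, info.get("version"))


if __name__ == "__main__":
    # Constructed sample: the body from the uninitialized-node trace above.
    sample = ('{"initialized":false,"sealed":true,"standby":true,'
              '"performance_standby":false,"version":"1.2.2"}')
    print(health_url(False, "0.0.0.0", 8200))
    print(classify_health(501, sample))
```

The split between `unsealed` and `keep_waiting` is the point: a 429 counts as reachable, while 501 and 503 are reported immediately so that an outer playbook can run its own init or unseal step rather than sitting in a retry loop.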

Use without Vagrant

Can we use this role without the use of the Vagrant? for installation / configuration of a simple vault and in HA mode?
Thank you in advance.

connection refuse to

I have installed role on Debian 9.
My playbook contains:

- name: Converge
  hosts: vault
  roles:
    - { role: '/opt/git/hq_gitlab/ansible-vault' }
  vars:
      vault_version: 1.0.2
      vault_iface: ens18
      vault_ui: true
      vault_cluster_disable: true

But after installation the task "Vault API reachable?" failed.
In the Vault log I saw these messages:
storage migration check error: error="Get http://127.0.0.1:8500/v1/kv/vault/core/migration: dial tcp 127.0.0.1:8500: connect: connection

fatal: [server01.consul -> 127.0.0.1]: FAILED! => {"changed": false, "cmd": "/bin/bash -c 'set -o pipefail\ngrep \"vault_1.3.2_linux_amd64.zip\"

fatal: [server01.consul -> 127.0.0.1]: FAILED! => {"changed": false, "cmd": "/bin/bash -c 'set -o pipefail\ngrep "vault_1.3.2_linux_amd64.zip" "/etc/ansible/roles/brianshumate.vault/files/vault_1.3.2_SHA256SUMS" | awk '"'"'{print $1}'"'"'\n'", "msg": "[Errno 2] No such file or directory: b'/bin/bash'", "rc": 2}
v2.5.2

Check the SHA file against the HashiCorp one and it matches there so not sure where else to look.
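Both the "Get Vault package checksum (local)" report above and this one fail in the same `grep ... | awk '{print $1}'` pipeline, once because /bin/sh has no `pipefail` and once because /bin/bash is absent. As an added example (not the role's code and not from either reporter), here is the same lookup done in Python, which needs neither a particular shell nor `pipefail`, and which verifies the downloaded bytes against the listed digest. The SHA256SUMS content is constructed for the example (the digests are of the bytes b"abc" and b"", not of any real release), and the function names are assumptions.

```python
"""Checksum lookup and verification for a Vault package (added example)."""
import hashlib
import hmac
import re
from typing import Dict, Optional

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample in the HashiCorp SHA256SUMS layout. The digests are of
# the bytes b"abc" and b"" respectively, NOT of real releases.
SAMPLE_SHA256SUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  vault_1.1.2_linux_amd64.zip
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  vault_1.1.2_darwin_amd64.zip
"""


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse `<hex>  <filename>` lines into {filename: hex}.

    A malformed line raises instead of being silently skipped, so a damaged
    or truncated checksum file cannot pass as "package not listed".
    """
    table: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue  # blank line
        if len(parts) != 2 or not _HEX64.match(parts[0]):
            raise ValueError(f"SHA256SUMS line {lineno} is malformed: {line!r}")
        digest, name = parts
        table[name.lstrip("*")] = digest.lower()  # '*' is the binary-mode marker
    return table


def expected_checksum(sums_text: str, package: str) -> Optional[str]:
    """Digest listed for `package`, or None when it is absent (the case the
    grep in the trace turned into rc=2)."""
    return parse_sha256sums(sums_text).get(package)


def verify_bytes(sums_text: str, package: str, data: bytes) -> bool:
    """True only when the downloaded bytes match the listed digest."""
    want = expected_checksum(sums_text, package)
    if want is None:
        return False
    got = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(want, got)


def verify_file(sums_text: str, package: str, path: str) -> bool:
    """Same check for a file on disk, hashed in chunks."""
    want = expected_checksum(sums_text, package)
    if want is None:
        return False
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(want, h.hexdigest())


if __name__ == "__main__":
    print(expected_checksum(SAMPLE_SHA256SUMS, "vault_1.1.2_linux_amd64.zip"))
    print(verify_bytes(SAMPLE_SHA256SUMS, "vault_1.1.2_linux_amd64.zip", b"abc"))
```

Inside a playbook the equivalent without any shell at all is to hand the digest to `get_url`'s `checksum` parameter (`sha256:<hex>`, or `sha256:<url>` pointing at the SHA256SUMS file). If the shell task is kept, `args: executable: /bin/bash` is what makes `set -o pipefail` available on hosts whose /bin/sh is dash.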

Clarification required about vault_checksum_file_url variable content for Enterprise Install

While deploying an Enterprise Vault/Consul Cluster for a customer, I discovered the following issue.

While setting vault_checksum_file_url to the location of the Enterprise checksum for the Vault Enterprise binary (which by default is set to https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS for OSS, i.e. the file itself), I encountered a failure scenario because in install_enterprise.yml Ansible adds another {{ vault_enterprise_shasums }} value at the end of this URL.

So I ended up having something like this, which is obviously failing :/

https://FQDN/.../vault/ent/1.1.0/vault-enterprise_1.1.0%2Bent_SHA256SUMS/vault-enterprise_1.1.0%2Bent_SHA256SUMS

So I presume we should better document what is expected in that variable, I mean not the location of the SHASUM but the first part of the URL, or update Ansible code to align with the way it works for Open Source. Just my 2 cents.

Hope that helps.

vault_version duplicate definition in defaults

The vault_version has a duplicate definition in the defaults file.

vault_version: "{{ lookup('env','VAULT_VERSION') | default('0.7.1', true) }}"
vault_version: "{{ lookup('env','VAULT_ENTERPRISE_VERSION') | default('0.7.2', true) }}"

As the second definition will overwrite the first, the value will never be set to VAULT_VERSION.

Do we really want to differentiate between VAULT_ENTERPRISE_VERSION and VAULT_VERSION? It seems logical to me to use VAULT_VERSION in both enterprise and non-enterprise setups.

AttributeError: 'int' object has no attribute 'startswith'

Hi @brianshumate - first of all - thanks for the role! :)

I'm running the latest ansible hacking-env setup:

•100% ➜ ansible --version
ansible 2.5.0 (devel 6643fe821e) last updated 2018/01/10 11:10:55 (GMT -700)
  python version = 2.7.14 (default, Sep 23 2017, 22:06:14) [GCC 7.2.0]

I'm running into the following:

task path: /ansible/roles/brianshumate.vault/tasks/main.yml:55
[DEPRECATION WARNING]: Using tests as filters is deprecated. Instead of using `result|abs` instead use `result is abs`. This feature will be removed in version 2.9. Deprecation
warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [nspvault1]: FAILED! => {
    "attempts": 1,
    "changed": false,
    "msg": "AttributeError: 'int' object has no attribute 'startswith'"
}

I tracked this down to the first line of vault_backend_consul.j2, i.e.:

{% set _vault_plus_one_port = vault_port | int + 1 | abs -%}

If I remove the abs check, it all runs happily:

index efa2482..10a74d8 100644
--- a/templates/vault_backend_consul.j2
+++ b/templates/vault_backend_consul.j2
@@ -1,4 +1,4 @@
-{% set _vault_plus_one_port = vault_port | int + 1 | abs -%}
+{% set _vault_plus_one_port = vault_port | int + 1 -%}

 backend "consul" {
   address = "{{ vault_consul }}"```
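Review bot: The removed `| abs` on line 1 of templates/vault_backend_consul.j2 only ever applied to the literal `1`, since Jinja filters bind tighter than `+` and the expression parsed as `(vault_port | int) + (1 | abs)`, so the new line `{% set _vault_plus_one_port = vault_port | int + 1 -%}` produces the same value for every input and the change is safe; if the intent had been to guard the whole sum, the form would be `(vault_port | int + 1) | abs`, but with `int` already applied there is nothing for `abs` to do. The quoted hunk is also cut short (the header announces 4 lines but the block ends mid-`backend "consul"` with a stray closing fence); pasting the complete hunk would make the review self-contained.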

PIDFile in systemd script might not be necessary

https://github.com/brianshumate/ansible-vault/blob/26979377067b25597afbd5dec90238b5569661fe/templates/vault_systemd.service.j2#L19

Looks like vault doesn't fork and PIDFile= is only there to reliably read the main PID of the process for tracking forks.

Per docs:

PIDFile=
Takes an absolute path referring to the PID file of the service. Usage of this option is recommended for services where Type= is set to forking. The service manager will read the PID of the main process of the service from this file after start-up of the service. The service manager will not write to the file configured here

https://www.freedesktop.org/software/systemd/man/systemd.service.html

I believe it's safe to remove this option.

Docker compatibility?

I'm trying to run this against an Ubuntu 18.04 Bionic docker image, and the task run is failing:

    docker: TASK [brianshumate.vault : Get Vault package checksum file (local)] ************
    docker: fatal: [default -> vault-1.2.2-ubuntu18.04-20190829]: FAILED! => {"changed": false, "checksum_dest": null, "checksum_src": "65c329ae1c44ac95418d2b9e27283b81bedf1bce", "dest": "/home/apollo/Sites/packer-vault/base/ansible/roles/brianshumate.vault/files/vault_1.2.2_SHA256SUMS", "elapsed": 0, "msg": "Destination /home/apollo/Sites/packer-vault/base/ansible/roles/brianshumate.vault/files does not exist", "src": "/root/.ansible/tmp/ansible-tmp-1567100043.86-85675163808120/tmpCmRs2N", "url": "https://releases.hashicorp.com/vault/1.2.2/vault_1.2.2_SHA256SUMS"}

I confirmed the folder does exist and set chmod to 0777, but the build is still failing.

Is this compatible with Docker? Maybe I could create a Pull Request, add a feature flag to the Ansible task to allow configuring the SHASUM check to run within the container?

Consider using local_action: over connection: local

connection: local does not change the target host - it simply changes the connection plugin to local.
See: ansible/ansible#16724 (comment)

This becomes problematic because the localhost inventory is not used for the task - the remote node inventory is used instead.

local_action is designed for running tasks on the ansible host and correctly uses the localhost inventory.

no included site.yml

This looks great! Just a quick note on the docs: you call out as an example installing using a site.yml file that doesn't exist:

Basic installation is possible using the included site.yml playbook:

Vault API reachable? - fails

Hello, I'm sad to say but I can't get this role to successfully complete the Vault API reachable? task when running the example locally in Vagrant: https://github.com/brianshumate/ansible-vault/blob/master/tasks/main.yml#L179.

All the previous tasks seem to complete just fine when running vagrant up from the examples directory, but the uri module is cycling for 30 iterations without a response at http://10.1.42.240:8200/v1/sys/health and then exiting with an error on that task.

I have set up /etc/hosts and the vagrant-hosts plugin, and I even tried spinning up the consul role from https://github.com/brianshumate/ansible-consul to see if it was an expected dependency, but no luck. I noticed a few minor typos in the readme: https://github.com/brianshumate/ansible-vault/blob/master/examples/README_VAGRANT.md. Is there a step I may be missing?

Thanks!
