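#!/bin/bash
# Script to commit secrets to Hashi Vault.
#
# Usage: vaultansible [-d] [-f] [-p project] [-n name] [-r length] [-s] [value-to-encrypt]
#
# The secret is handed to upload_to_hashivault.yml (which lives next to this
# script) through a 0600 temp file passed as `-e @file`, so it never appears
# in the process argument list (`ps`, /proc/<pid>/cmdline) the way an
# `-e input_secret=...` argument would. The temp file is removed on exit.

# Load the GPG agent's SSH socket if it isn't there already.
[[ -n "$SSH_AUTH_SOCK" ]] || export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"

# Defaults; both may be overridden from ~/.runansible.conf below.
PROJECTDIR=/opt/ansible/projects
ANSIBLE_VAULT_PASSWORD_FILE=.ansible-vault

# Directory holding this script (and upload_to_hashivault.yml), symlinks resolved.
ANSIBLEUTILSDIR="$(dirname "$(readlink -f "$(command -v "$0")")")"

# Override any defaults that are set by the user.
[[ -f "$HOME/.runansible.conf" ]] && . "$HOME/.runansible.conf"
# NOTE(review): the default is a relative path, so this test runs against the
# caller's cwd, not against the project directory we cd into later — confirm
# that is intended.
[[ -f "$ANSIBLE_VAULT_PASSWORD_FILE" ]] && export ANSIBLE_VAULT_PASSWORD_FILE

#######################################
# Escape a string for use inside a JSON double-quoted literal.
# Arguments: $1 - raw string
# Outputs:   the escaped string on stdout (no trailing newline)
#######################################
json_escape() {
  local s=$1
  s=${s//\\/\\\\}       # backslash first, so later escapes are not doubled
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\t'/\\t}
  s=${s//$'\r'/\\r}
  printf '%s' "$s"
}

usage="Usage: $0 [-d] [-f] [-p project] [-n name] [-r length] [-s] value-to-encrypt
-p project Name of the project to encrypt a value for
-f Treat value-to-encrypt as a path and store that file's contents (see NOTE)
-n name Name of the variable
-r length Use a randomly generated password, requires pwgen
-s Generates a fully random password with symbols (see NOTE2)
-d Debug: run the playbook with -vvv and pass vault_debug=true
-h This text
If the value-to-encrypt is not provided, the script will prompt for it.
NOTE: If uploading files, they will be encoded as base64. This might not work
for all files.
NOTE2: The pwgen program generates passwords which are designed to be easily
memorized by humans, while being as secure as possible. Passwords generated with
-s are not human-friendly (but can contain illegal symbols depending on the software
that uses it).
"

VARNAME=''
DEBUG=false
FILE=false
PWGEN=false
PWGEN_LENGTH=''
PWGEN_OPTS=()
PLAYBOOK_ARGS=()
while getopts "dfhn:p:r:s" opt; do
  case "${opt}" in
    d)
      DEBUG=true
      # NOTE(review): -vvv may echo task arguments in the playbook output;
      # confirm the playbook masks the secret before using -d on a shared terminal.
      PLAYBOOK_ARGS+=('-vvv')
      ;;
    f)
      FILE=true
      ;;
    p)
      PROJECT="${OPTARG}"
      ;;
    n)
      VARNAME="${OPTARG}"
      ;;
    r)
      PWGEN=true
      PWGEN_LENGTH="${OPTARG}"
      ;;
    s)
      PWGEN_OPTS=('-s' '-y')
      ;;
    h)
      echo -e "$usage"
      exit 0
      ;;
    *)
      # Unknown option or option missing its argument.
      echo -e "$usage" >&2
      exit 1
      ;;
  esac
done
shift $((OPTIND - 1))

# Fail on missing -n/-p before prompting for (or generating) a secret.
if [[ -z "$VARNAME" || -z "$PROJECT" ]]; then
  echo -e "$usage" >&2
  exit 1
fi
if [[ ! -d "$PROJECTDIR/$PROJECT" ]]; then
  echo "ERROR: project directory $PROJECTDIR/$PROJECT does not exist" >&2
  exit 1
fi

INPUT="$*"

if $FILE; then
  if [[ ! -f "$INPUT" ]]; then
    echo "ERROR: File does not exist!" >&2
    exit 1
  fi
  # Files are stored base64-encoded on a single line (see NOTE in usage).
  INPUT=$(base64 -w 0 < "$INPUT")
fi

if $PWGEN; then
  if ! command -v pwgen >/dev/null 2>&1; then
    echo "ERROR: -r requires pwgen, which is not installed" >&2
    exit 1
  fi
  INPUT=$(pwgen "${PWGEN_OPTS[@]}" "$PWGEN_LENGTH" 1)
fi

if [[ -z "$INPUT" ]]; then
  echo 'Type the value to be encrypted, end with an empty line:'
  # IFS= and -r keep leading whitespace and backslashes in the secret verbatim.
  while IFS= read -r line; do
    [[ -z "$line" ]] && break
    INPUT+="$line"$'\n'
  done
  # Drop whitespace-only lines; the command substitution strips the trailing newline.
  INPUT=$(printf '%s' "$INPUT" | sed '/^[[:space:]]*$/d')
fi

if [[ -z "$INPUT" ]]; then
  echo "ERROR: no value given; refusing to store an empty secret" >&2
  exit 1
fi

if $PWGEN; then
  echo -e "Generated password: $INPUT \n"
fi

# Hand the secret over via a private (mktemp creates it 0600) temp file instead
# of the command line, where any local user could read it with ps.
EXTRA_VARS_FILE=$(mktemp) || { echo "ERROR: cannot create temp file" >&2; exit 1; }
trap 'rm -f -- "$EXTRA_VARS_FILE"' EXIT
printf '{"input_secret": "%s"}\n' "$(json_escape "$INPUT")" > "$EXTRA_VARS_FILE"

cd "$PROJECTDIR/$PROJECT" || { echo "ERROR: cannot cd to $PROJECTDIR/$PROJECT" >&2; exit 1; }
if ! ansible-playbook -vv "${PLAYBOOK_ARGS[@]}" "$ANSIBLEUTILSDIR/upload_to_hashivault.yml" \
    -e "input_name=$VARNAME" -e "@$EXTRA_VARS_FILE" -e "vault_debug=$DEBUG"; then
  echo "ERROR: upload playbook failed" >&2
  exit 1
fi

echo "This variable is accessable using:
$VARNAME: {{ lookup('community.hashi_vault.vault_kv2_get', '$VARNAME')['data']['data']['value'] }}
"
if $FILE; then
  # The lookup key must be the variable name just stored, not a fixed example name.
  echo "You can write it out to disk with:
- name: 'Write $VARNAME'
  ansible.builtin.copy:
    content: \"{{ lookup('community.hashi_vault.vault_kv2_get', '$VARNAME')['data']['data']['value'] | b64decode }}\"
    dest: '/tmp/$VARNAME'
"
fi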