TerryHowe / ansible-modules-hashivault

Ansible module for Hashicorp Vault.
https://pypi.python.org/pypi/ansible-modules-hashivault
MIT License
451 stars 156 forks

SSH CA configuration support #338

Open jxsl13 opened 3 years ago

jxsl13 commented 3 years ago

Would be nice if configuration of the SSH CA backend was supported.

https://www.vaultproject.io/api/secret/ssh

https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates

current way:

  - name: enable SSH secrets engine
    hashivault_secret_engine:
      name: ssh
      backend: ssh
    environment: "{{ remote_env }}"
    register: ssh_engine
    when: configureSSHEnabled

  - name: fetch old_public_key
    uri:
      url: "{{ remote_env.VAULT_ADDR }}/v1/ssh/public_key"
      return_content: yes
    register: old_public_key_result
    changed_when: False
    # 2xx: a CA key is already configured; 4xx: no CA yet (or the mount is missing)
    failed_when: not (old_public_key_result.status // 100 == 2 or old_public_key_result.status // 100 == 4)

  # in case there is no key already in the vault, the above request returns a http 400 status code
  - name: import private & public key
    hashivault_write:
      mount_point: ssh
      secret: config/ca
      data:
        private_key: "{{ privateKey }}"
        public_key: "{{ publicKey }}"
    environment: "{{ remote_env }}"
    register: import_keys
    # keep the CA private key out of the play output
    no_log: true
    failed_when: import_keys.rc != 0 and ('keys are already configured' not in import_keys.msg)
    when: configureSSHEnabled and (old_public_key_result.status // 100 == 4)

  - name: "create {{ item }} role"
    hashivault_write:
      mount_point: ssh
      secret: "roles/{{ item }}"
      data:
        allow_user_certificates: true
        # "*" lets a caller request any principal; narrow this where possible
        allowed_users: "*"
        allowed_extensions: "permit-pty,permit-port-forwarding"
        # the API expects a map of extension name -> value, not a list of one-key maps
        default_extensions:
          permit-pty: ""
          permit-port-forwarding: ""
        key_type: "ca"
        #default_user: "ubuntu"
        ttl: "30m0s"
    environment: "{{ remote_env }}"
    register: ssh_role_result
    when: configureSSHEnabled and 'ssh' in item.lower()
    with_items: "{{ policies.names }}"
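The same idempotency logic as the playbook above, written in Python as an added example (this is not code from ansible-modules-hashivault or from hvac). It assumes only a client object exposing read(path) and write(path, **data) that raises an error carrying the HTTP status and Vault's error list; a constructed in-memory stand-in for the /ssh endpoints is included so it runs offline. The real hvac.Client has read/write of this shape (read returns None on a 404) but raises its own hvac.exceptions types rather than the VaultError defined here, and the fake's "keys haven't been configured yet" message is constructed, not quoted from Vault. It also builds default_extensions as a map, which is what the Vault API expects.

```python
"""Idempotent Vault SSH-CA setup: import the CA once, then write signing roles.

Added example, not project code. Only assumes a client with read(path) and
write(path, **data); FakeVault below is a constructed stand-in for the /ssh
mount so everything runs offline.
"""
from __future__ import annotations


class VaultError(Exception):
    """Assumed error shape: HTTP status plus Vault's 'errors' list."""

    def __init__(self, status: int, errors: list[str]):
        super().__init__(f"{status}: {errors}")
        self.status = status
        self.errors = errors


class FakeVault:
    """Constructed stand-in for the /ssh endpoints used here (not a real client)."""

    def __init__(self, deny_public_key_read: bool = False):
        self.store: dict[str, dict] = {}
        self.deny_public_key_read = deny_public_key_read

    def read(self, path: str):
        if path == "ssh/public_key":
            if self.deny_public_key_read:
                raise VaultError(403, ["permission denied"])
            if "ssh/config/ca" not in self.store:
                # the playbook observed a 400 here until a CA key pair exists;
                # the message text is constructed for this fake
                raise VaultError(400, ["keys haven't been configured yet"])
            return {"data": {"public_key": self.store["ssh/config/ca"]["public_key"]}}
        if path not in self.store:
            return None  # hvac.Client.read returns None on a 404
        return {"data": dict(self.store[path])}

    def write(self, path: str, **data):
        if path == "ssh/config/ca" and path in self.store:
            # Vault's real error text, quoted by the playbook's failed_when
            raise VaultError(400, ["keys are already configured"])
        self.store[path] = dict(data)
        return {"data": dict(data)}


def ensure_ca(client, private_key: str, public_key: str) -> bool:
    """Import the CA key pair unless Vault already has one. Returns True if changed.

    Mirrors the playbook: a 2xx on ssh/public_key means a CA exists; any 4xx
    (no CA yet, mount missing, no permission) means we try the import, and
    Vault's own 'keys are already configured' error is treated as a no-op.
    """
    try:
        if client.read("ssh/public_key") is not None:
            return False
    except VaultError as exc:
        if exc.status // 100 != 4:
            raise
    try:
        client.write("ssh/config/ca", private_key=private_key, public_key=public_key)
    except VaultError as exc:
        if any("keys are already configured" in e for e in exc.errors):
            return False
        raise
    return True


def ssh_role(allowed_users: str = "*", extensions=("permit-pty",), ttl: str = "30m") -> dict:
    """Build a user-certificate signing role body.

    default_extensions must be a map (name -> value), not a list of one-key
    maps; allowed_users='*' lets a caller request any principal, so narrow it.
    """
    return {
        "key_type": "ca",
        "allow_user_certificates": True,
        "allowed_users": allowed_users,
        "allowed_extensions": ",".join(extensions),
        "default_extensions": {ext: "" for ext in extensions},
        "ttl": ttl,
    }


# ttl is left out on purpose: real Vault stores it in seconds, so "30m" would
# never compare equal to what a read returns
ROLE_KEYS_COMPARED = ("key_type", "allow_user_certificates", "allowed_users",
                      "allowed_extensions", "default_extensions")


def ensure_role(client, name: str, spec: dict) -> bool:
    """Write the role only when its compared fields differ. Returns True if changed."""
    path = f"ssh/roles/{name}"
    current = client.read(path)
    if current is not None:
        data = current["data"]
        if all(data.get(k) == spec[k] for k in ROLE_KEYS_COMPARED):
            return False
    client.write(path, **spec)
    return True


if __name__ == "__main__":
    vault = FakeVault()  # swap for a real client with the same read/write shape
    print("CA imported:", ensure_ca(vault, "<constructed private key>", "<constructed public key>"))
    role = ssh_role(extensions=("permit-pty", "permit-port-forwarding"))
    print("role created:", ensure_role(vault, "ssh-admin", role))
    print("second run changed anything:",
          ensure_ca(vault, "x", "y") or ensure_role(vault, "ssh-admin", role))
```

Both functions return whether they changed anything, which is what an Ansible module would report as `changed`; the deny_public_key_read flag on the fake exercises the path where the token cannot read ssh/public_key (a 4xx) and the import is caught by Vault's "already configured" error instead.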
TerryHowe commented 3 years ago

I assume hvac would have support for this, so might not be too hard.

jxsl13 commented 3 years ago

meh: https://github.com/hvac/hvac/issues/648

I sadly don't see any support for that in the project files: https://github.com/hvac/hvac/tree/develop/hvac/api/secrets_engines

colin-pm commented 2 years ago

Currently trying to add support in hvac/hvac#811