
a3f051d882e17543beabcbdafbdd61479fe8dac8 — Thorben Günther 2 years ago 8041ae7
terraform: Use hc vault instead of ansible
4 files changed, 11 insertions(+), 37 deletions(-)

D misc/read-vault.py
M terraform_hetzner/hetzner.tf
M terraform_keycloak/keycloak.tf
M terraform_vault/secrets.tf
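--- a/misc/read-vault.py
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/usr/bin/python
-
-import sys
-from json import dumps
-from os import chdir
-from pathlib import Path
-
-from ansible.cli import CLI
-from ansible.constants import DEFAULT_VAULT_IDENTITY_LIST
-from ansible.parsing.dataloader import DataLoader
-
-vault_path = sys.argv[1]
-
-project_root = Path(__file__).resolve().parents[1]
-chdir(project_root)
-
-loader = DataLoader()
-vault_secret = CLI.setup_vault_secrets(
-    loader=loader,
-    vault_ids=DEFAULT_VAULT_IDENTITY_LIST,
-    vault_password_files=["misc/vault-pass.sh"],
-)
-loader.set_vault_secrets(vault_secret)
-data = loader.load_from_file(vault_path)
-
-print(dumps(data))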

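--- a/terraform_hetzner/hetzner.tf
+++ b/terraform_hetzner/hetzner.tf
@@ -4,13 +4,12 @@ terraform {
   }
 }
 
-data "external" "vault_hetzner" {
-  program = ["${path.module}/../misc/read-vault.py",
-  "group_vars/all/vault_hetzner.yml"]
+data "vault_generic_secret" "hetzner" {
+  path = "ansible/hetzner"
 }
 
 provider "hetznerdns" {
-  apitoken = data.external.vault_hetzner.result.vault_hetzner_dns_key
+  apitoken = data.vault_generic_secret.hetzner.data["dns_key"]
 }
 
 resource "hetznerdns_zone" "xenrox_net" {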
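Review bot: The token resolved by `apitoken = data.vault_generic_secret.hetzner.data["dns_key"]` is fetched at plan time and written unencrypted into this module's Terraform state, as are the `noreply_user`/`noreply_password` values read the same way in terraform_keycloak/keycloak.tf, so anyone who can read the state backend can recover them. The replaced `data.external` result had the same exposure, so this is not a regression, but it is worth recording next to the data source: `# Read at plan time; the returned map is persisted unencrypted in Terraform state.`. If the mount behind `ansible/` is KV v2 and the pinned provider version supports it, `vault_kv_secret_v2` is the narrower data source to consider, though the provider constraint is not visible in this hunk. The `resource "hetznerdns_zone" "xenrox_net"` block on the last line continues outside the hunk.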

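--- a/terraform_keycloak/keycloak.tf
+++ b/terraform_keycloak/keycloak.tf
@@ -8,9 +8,8 @@ data "vault_generic_secret" "keycloak" {
   path = "ansible/keycloak"
 }
 
-data "external" "vault_email" {
-  program = ["${path.module}/../misc/read-vault.py",
-  "group_vars/all/vault_email.yml"]
+data "vault_generic_secret" "email" {
+  path = "ansible/email"
 }
 
 provider "keycloak" {
@@ -41,8 +40,8 @@ resource "keycloak_realm" "xenrox" {
     ssl                   = true
 
     auth {
-      username = data.external.vault_email.result.vault_email_noreply_mail
-      password = data.external.vault_email.result.vault_email_noreply_password
+      username = data.vault_generic_secret.email.data["noreply_user"]
+      password = data.vault_generic_secret.email.data["noreply_password"]
     }
   }
 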

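--- a/terraform_vault/secrets.tf
+++ b/terraform_vault/secrets.tf
@@ -1,6 +1,8 @@
 locals {
-  users           = toset(["xenrox", "seeguen", "test"])
-  ansible_secrets = toset(["keycloak", "nextcloud", "peertube", "vault"])
+  users = toset(["xenrox", "seeguen", "test"])
+  ansible_secrets = toset([
+    "email", "hetzner", "keycloak", "nextcloud", "peertube", "vault"
+  ])
 }
 
 resource "vault_generic_secret" "ansible_secrets" {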
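Review bot: The `ansible_secrets` set now drives secret paths whose key names are fixed by consumers elsewhere (`dns_key` under `ansible/hetzner` in terraform_hetzner/hetzner.tf, `noreply_user` and `noreply_password` under `ansible/email` in terraform_keycloak/keycloak.tf), but nothing in this file records those keys, so a rename on either side only surfaces as a failed plan. A comment on the set would tie them together: `# Paths ansible/<name>; consumers expect hetzner: dns_key, email: noreply_user, noreply_password`. The `resource "vault_generic_secret" "ansible_secrets"` that presumably iterates this set starts on the last line and its body is outside the hunk, so whether it writes the secret values (and therefore also keeps them in this module's state) cannot be checked here.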