Loop problem


Sergio Fernández

Apr 13, 2019, 1:47:17 PM
to Ansible Project
Hi,

I am using Ansible along with HashiCorp's Vault to store sensitive data.
I will be sending a Secret_ID to each server weekly, in order for them to get a token. With this token, they can access the contents of the Vault.
The problem is that we must send a secret ID per host, and they can only be generated on the server where Ansible is installed.
So here is my current Ansible Playbook file:

---
- hosts: localhost
  gather_facts: no
  tasks:
  - name: Generate secret_id
    shell: vault write -f auth/approle/role/my_role/secret-id -format=json | jq '.data.secret_id'
    register: secret_id
  - set_fact:
      # strip the quotes jq prints around the value; '\\\\' is the YAML + Jinja escaping for a single backslash
      secret_id_clean: "{{ secret_id.stdout | replace('\"', '') | replace('\\\\', '') }}"

- hosts: MyServers
  gather_facts: no
  tasks:
  - name: Get Approle Token
    shell: source /etc/profile && vault write auth/approle/login role_id=$VAULT_ROLE_ID secret_id="{{ hostvars['localhost']['secret_id_clean'] }}" -format=json | jq '.auth.client_token'
    args:
      executable: /bin/bash
    register: token
  - set_fact:
      token_clean: "{{ token.stdout | replace('\"', '') | replace('\\\\', '') }}"

in hosts file:

[MyServers]
1.1.1.1
2.2.2.2
3.3.3.3

But currently only 1 Secret_ID is generated and sent to the servers, so only the fastest one gets the token and the rest do not, and that's a problem.

I am thinking about doing this in another programming language, but I would prefer to do it inside the playbook; there must be a way of doing it.
There are some posts:
https://stackoverflow.com/questions/43140086/loop-through-hosts-with-ansible 
https://devops.stackexchange.com/questions/2978/execute-multiple-ansible-tasks-with-the-same-list-of-items

But they don't explain how I could create 5 Secret_IDs and save each one to a different register/fact.

Thank you very much

Sergio Fernández

Apr 13, 2019, 2:50:07 PM
to Ansible Project
I've tried with another file, like this, without success:

---
- hosts: localhost
  gather_facts: no
  vars:
  tasks:
    - name: Invoke loop
      loop: "{{ query('inventory_hostnames', 'MyServers') }}"
      - include: myPlay.yml
          vars:
            host: "{{ item }}"

Kai Stian Olstad

Apr 13, 2019, 2:54:49 PM
to ansible...@googlegroups.com
On 13.04.2019 19:47, Sergio Fernández wrote:
> Hi,
>
> I am using Ansible along with HashiCorp's Vault to store sensitive data.
> I will be weekly sending a Secret_ID to each server, in order for them to
> get a token. With this token, they can access the contents of the Vault.
> The problem is that we must send a secret ID per host, and they can only be
> generated in the server where Ansible is installed.
> So here is my current Ansible Playbook file:

Do you mean that you need to create a unique secret for each server with the command
vault write -f auth/approle/role/my_role/secret-id -format=json | jq '.data.secret_id' ?

Or create one secret that gets sent to all the servers?


--
Kai Stian Olstad

Sergio Fernández

Apr 13, 2019, 5:53:17 PM
to Ansible Project
Currently, as the script is written, it creates 1 and sends it to all of the servers.
But the requirement is to give each one its own secret_id, so if I have 3 servers, I need to create 3 different secret_ids and send them!

Kai Stian Olstad

Apr 13, 2019, 6:08:20 PM
to ansible...@googlegroups.com
On 13.04.2019 23:53, Sergio Fernández wrote:
> Currently as the script is displayed, it creates 1 and send it all to all
> of the servers.
> But the requirements are to give each one its own secret_id, so if I have 3
> servers, I need to create 3 different secret_id and send them!

Then you need to run both tasks for all the hosts, and with delegate_to you can run the task on localhost, but the variable will be registered on the remote host.

---
- hosts: MyServers
  gather_facts: no
  tasks:
  - name: Generate secret_id
    # runs on the controller once per host in MyServers; the result is registered per host
    shell: vault write -f auth/approle/role/my_role/secret-id -format=json | jq '.data.secret_id'
    register: secret_id
    delegate_to: localhost
  - set_fact:
      # strip the quotes jq prints around the value; '\\\\' is the YAML + Jinja escaping for a single backslash
      secret_id_clean: "{{ secret_id.stdout | replace('\"', '') | replace('\\\\', '') }}"

  - name: Get Approle Token
    shell: source /etc/profile && vault write auth/approle/login role_id=$VAULT_ROLE_ID secret_id="{{ secret_id_clean }}" -format=json | jq '.auth.client_token'
    args:
      executable: /bin/bash
    register: token
  - set_fact:
      token_clean: "{{ token.stdout | replace('\"', '') | replace('\\\\', '') }}"


--
Kai Stian Olstad
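The same delegate_to pattern, written out as an added example that is not from this thread or from either poster. It keeps the role name, inventory group and VAULT_ROLE_ID variable used above, and adds the pieces a practitioner would want around a per-host secret: jq -r so no quote stripping is needed, no_log so the secret_id and token never land in task output or logs, and an assert that stops the play on a host whose generation step returned nothing (the host names and the role path are taken from the thread; the task names are my own).

```yaml
---
# Added example (not the thread's own playbook): one AppRole secret_id per host.
# Assumes the same role path, MyServers group and VAULT_ROLE_ID as the thread above.
- hosts: MyServers
  gather_facts: no
  tasks:
    - name: Generate a secret_id for this host on the controller
      # delegate_to runs the command on localhost, but "secret_id" is registered
      # on the current inventory host, so each host ends up with its own value.
      shell: vault write -f auth/approle/role/my_role/secret-id -format=json | jq -r '.data.secret_id'
      register: secret_id
      delegate_to: localhost
      no_log: true   # keep the secret_id out of console output and log files

    - name: Stop this host if no secret_id came back
      assert:
        that:
          - secret_id.stdout | length > 0
        fail_msg: "Vault returned no secret_id for {{ inventory_hostname }}"

    - name: Exchange role_id plus this host's secret_id for a client token on the host
      shell: source /etc/profile && vault write auth/approle/login role_id="$VAULT_ROLE_ID" secret_id="{{ secret_id.stdout }}" -format=json | jq -r '.auth.client_token'
      args:
        executable: /bin/bash
      register: token
      no_log: true   # the token is as sensitive as the secret_id

    - name: Keep the token as a per-host fact
      set_fact:
        token_clean: "{{ token.stdout }}"
      no_log: true

    - name: Report success without revealing either value
      debug:
        msg: "{{ inventory_hostname }}: token obtained ({{ token_clean | length }} characters)"
```

Because every task runs once per host in MyServers, the three hosts in the inventory each get a distinct secret_id, which is the behaviour the original single-play version could not provide. If the task fails, no_log also suppresses the module's error details, so drop it temporarily only while debugging and never in a scheduled run.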

Sergio Fernández

Apr 14, 2019, 9:10:08 AM
to Ansible Project
Didn't know about that function! Thank you so much.