Vault v1.1.2 and more

CHANGELOG.md

@@ -1,3 +1,16 @@
+## v2.1.9
+
+- Vault version 1.1.2
+- Feature: add etcd storage (thanks @cordula-grau)
+- Fix: Resolve deprecation warnings (thanks @cordula-grau)
+- Fix: Move become flag to required resources (thanks @cordula-grau)
+- Reposition some main variables
+- Remove `vault_tls_cipher_suites` values/fall back to Vault defaults
+- Remove unimplemented `vault_syslog_enable`
+- Rename `vault_listener_template` to `vault_main_configuration_template`
+  - Rename corresponding template file to `vault_main_configuration.hcl.j2`
+- Update documentation
+
 ## v2.1.8
 
 - Vault version 1.1.1
@@ -497,7 +510,7 @@
 - Remove vars dir
 - Enable download once / copy many install
 
-## v1.1.1
+## v1.1.2
 
 - Move all vars to defaults
 - Documentation updates

CONTRIBUTORS.md

@@ -25,3 +25,4 @@ Thank you to all these fine folks for helping with ansible-vault!
 - [@enqack](https://github.com/enqack)
 - [@gfeun](https://github.com/gfeun)
 - [@kwevers](https://github.com/kwevers)
+- [@cordula-grau](https://github.com/cordula-grau)

README.md

@@ -18,8 +18,8 @@ This role requires FreeBSD, or a Debian or RHEL based Linux distribution. It
 might work with other software versions, but does work with the following
 specific software and versions:
 
-* Ansible: 2.7.9
-* Vault: 1.1.1
+* Ansible: 2.7.10
+* Vault: 1.1.2
 * Debian: 9
 * FreeBSD 11
 * Ubuntu 18.04
@@ -37,7 +37,7 @@ The role defines variables in `defaults/main.yml`:
   - Will include "+prem" if vault_enterprise_premium=True
   - Will include ".hsm" if vault_enterprise_premium_hsm=True
 
-- Default value: 1.1.1
+- Default value: 1.1.2
 
 ### `vault_enterprise`
 
@@ -140,6 +140,19 @@ The role defines variables in `defaults/main.yml`:
 - Enable vault web UI
 - Default value:  true
 
+## Storage Backend Variables
+
+### `vault_backend`
+- Which storage backend should be selected, choices are: consul, etcd, file, and mysql
+- Default value: consul
+
+### Consul Storage Backend
+
+### `vault_backend_consul`
+
+- Backend consul template filename
+- Default value: `backend_consul.j2`
+
 ### `vault_consul`
 
 - host:port value for connecting to Consul HA backend
@@ -166,16 +179,76 @@ The role defines variables in `defaults/main.yml`:
 - ACL token for accessing Consul
 - Default value: none
 
+### etcd Storage Backend
+
+### vault_etcd
+
+- Address of etcd storage
+- Default value: 127.0.0.1:2379
+
+### vault_etcd_api:
+
+- API version
+- Default value: v3
+
+### vault_etcd_path
+
+- Path for Vault storage
+- Default value: /vault/
+
+### vault_etcd_discovery_srv
+
+- Discovery server
+- Default value: none
+
+### vault_etcd_discovery_srv_name
+
+- Discovery server name
+- Default value: none
+
+### vault_etcd_ha_enabled
+
+- Use storage for High Availability mode
+- Default value: false
+
+### vault_etcd_sync
+
+- Use etcdsync
+- Default value: true
+
+### vault_etcd_username
+
+- Username
+- Default value: none
+
+### vault_etcd_password
+
+- Password
+- Default value: none
+
+### vault_etcd_request_timeout
+
+-Request timeout
+- Default value: "5s"
+
+### vault_etcd_lock_timeout
+
+- Lock timeout
+- Default value: "15s"
+
+### File Storage Backend
+
+### `vault_backend_file`
+
+- Backend file template filename
+- Default value: `backend_file.j2`
+
 ### `vault_log_level`
 
 - [Log level](https://www.consul.io/docs/agent/options.html#_log_level)
   - Supported values: trace, debug, info, warn, err
 - Default value: info
-
-### `vault_syslog_enable`
-
-- Log to syslog (not yet impemented)
-- Default value: true
+- Requires Vault version 0.11.1 or higher
 
 ### `vault_iface`
 
@@ -213,23 +286,10 @@ The role defines variables in `defaults/main.yml`:
 - Main configuration file name (full path)
 - Default value: `"{{ vault_config_path }}/vault_main.hcl"`
 
-### `vault_listener_template`
-- Vault listener configuration template file
-- Default value: *vault_listener.hcl.j2*
-
-### `vault_backend`
-- Which storage backend should be selected, choices are: consul, file and mysql
-- Default value: consul
-
-### `vault_backend_consul`
+### `vault_main_configuration_template`
 
-- Backend consul template filename
-- Default value: `backend_consul.j2`
-
-### `vault_backend_file`
-
-- Backend file template filename
-- Default value: `backend_file.j2`
+- Vault main configuration template file
+- Default value: *vault_main_configuration.hcl.j2*
 
 ### `vault_cluster_address`
 
@@ -311,7 +371,7 @@ The role defines variables in `defaults/main.yml`:
 ### `vault_tls_cipher_suites`
 
 - [Comma-separated list of supported ciphersuites](https://www.vaultproject.io/docs/configuration/listener/tcp.html#tls_cipher_suites)
-- Default value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+- Default value: ""
 
 ### `vault_tls_prefer_server_cipher_suites`
 

defaults/main.yml

@@ -6,7 +6,7 @@
 # ---------------------------------------------------------------------------
 
 # Package variables
-vault_version: "{{ lookup('env','VAULT_VERSION') | default('1.1.1', true) }}{{'+prem' if vault_enterprise_premium else '' }}{{'.hsm' if vault_enterprise_premium_hsm else '' }}"
+vault_version: "{{ lookup('env','VAULT_VERSION') | default('1.1.2', true) }}{{'+prem' if vault_enterprise_premium else '' }}{{'.hsm' if vault_enterprise_premium_hsm else '' }}"
 vault_architecture_map:
   # this first entry seems... redundant (but it's required for reasons)
   amd64: amd64
@@ -23,21 +23,21 @@ vault_checksum_file_url: "https://releases.hashicorp.com/vault/{{ vault_version
 # Install method variables
 vault_install_remotely: false
 
-### Paths
+# Paths
 vault_bin_path: /usr/local/bin
 vault_config_path: /etc/vault.d
 vault_data_path: /var/vault
 vault_log_path: /var/log/vault
 vault_run_path: /var/run/vault
 vault_home: /home
 
-### System user and group
+# System user and group
 vault_manage_user: true
 vault_user: vault
 vault_manage_group: false
 vault_group: bin
 
-### Logging
+# Logging
 vault_enable_logrotate: false
 vault_logrotate_freq: 7
 vault_logrotate_template: vault_logrotate.j2
@@ -50,15 +50,14 @@ vault_group_name: vault_instances
 vault_cluster_name: dc1
 vault_datacenter: dc1
 vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}"
-vault_syslog_enable: true
 vault_iface: "{{ lookup('env','VAULT_IFACE') | default('eth1', true) }}"
 vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
 vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
 
 vault_port: 8200
 vault_node_name: "{{ inventory_hostname_short }}"
 vault_main_config: "{{ vault_config_path }}/vault_main.hcl"
-vault_listener_template: vault_listener.hcl.j2
+vault_main_configuration_template: vault_main_configuration.hcl.j2
 
 # ---------------------------------------------------------------------------
 # Storage backend
@@ -82,7 +81,9 @@ vault_consul: 127.0.0.1:8500
 vault_consul_path: vault
 vault_consul_service: vault
 vault_consul_scheme: http
+# vault_consul_token:
 
+# etcd storage settings
 vault_etcd: 127.0.0.1:2379
 vault_etcd_api: v3
 vault_etcd_path: /vault/
@@ -95,8 +96,6 @@ vault_etcd_password: ""
 vault_etcd_request_timeout: "5s"
 vault_etcd_lock_timeout: "15s"
 
-# vault_consul_token:
-
 # ---------------------------------------------------------------------------
 # Initialization and startup script templates
 # ---------------------------------------------------------------------------
@@ -127,21 +126,12 @@ vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('vault.key'
 vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}"
 
 vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
-vault_tls_cipher_suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+vault_tls_cipher_suites: ""
 vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
 vault_tls_files_remote_src: false
 vault_tls_require_and_verify_client_cert: false
 vault_tls_disable_client_certs: false
 
-# ---------------------------------------------------------------------------
-# Enterprise related variables
-# ---------------------------------------------------------------------------
-
-vault_enterprise: "{{ lookup('env','VAULT_ENTERPRISE') | default(false, true) }}"
-vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
-vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}_SHA256SUMS"
-vault_enterprise_premium: false
-
 # ---------------------------------------------------------------------------
 # Seal variables
 # ---------------------------------------------------------------------------
@@ -155,11 +145,11 @@ vault_awskms_secret_key: "{{ lookup('env','AWS_SECRET_ACCESS_KEY') | default('',
 vault_awskms_key_id: "{{ lookup('env','VAULT_AWSKMS_SEAL_KEY_ID') | default('', false) }}"
 vault_awskms_endpoint: "{{ lookup('env','AWS_KMS_ENDPOINT') | default('', false) }}"
 
-## azurekeyvault seal
+# azurekeyvault seal
 vault_azurekeyvault: false
 vault_azurekeyvault_backend: vault_seal_azurekeyvault.j2
 
-## gcpkms seal
+# gcpkms seal
 vault_gkms: false
 vault_backend_gkms: vault_seal_gcpkms.j2
 vault_gkms_project: ''
@@ -169,7 +159,7 @@ vault_gkms_region: 'global'
 vault_gkms_key_ring: 'vault'
 vault_gkms_crypto_key: 'vault_key'
 
-## pkcs11 seal
+# pkcs11 seal
 vault_enterprise_premium_hsm: false
 # WARNING: the following variable is deprecated as this section will become
 #          _only_ a pkcs11 seal soon. Please take note that vault_hsm_app will
@@ -185,3 +175,12 @@ vault_seal_token_label: ''
 vault_seal_slot: 0
 vault_softcard_enable: false
 vault_telemetry_enabled: false
+
+# ---------------------------------------------------------------------------
+# Enterprise related variables
+# ---------------------------------------------------------------------------
+
+vault_enterprise: "{{ lookup('env','VAULT_ENTERPRISE') | default(false, true) }}"
+vault_enterprise_pkg: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_enterprise_shasums: "vault-enterprise_{{ vault_version }}_SHA256SUMS"
+vault_enterprise_premium: false

examples/README_VAGRANT.md

@@ -75,7 +75,7 @@ Place the Vault Enterprise zip archive into `{{ role_path }}/files` and set `vau
 ## Notes
 
 1. This project functions with the following software versions:
-  * Vault version 1.1.1
+  * Vault version 1.1.2
   * Ansible: 2.7.2
   * VirtualBox version 5.2.22
   * Vagrant version 2.2.1

tasks/main.yml

@@ -104,10 +104,10 @@
     mode: "0600"
   when: vault_gkms | bool
 
-- name: Listener configuration
+- name: Vault main configuration
   become: true
   template:
-    src: "{{ vault_listener_template }}"
+    src: "{{ vault_main_configuration_template }}"
     dest: "{{ vault_main_config }}"
     owner: "{{ vault_user }}"
     group: "{{ vault_group }}"

templates/vault_listener.hcl.j2 → templates/vault_main_configuration.hcl.j2

@@ -29,7 +29,7 @@ listener "tcp" {
 }
 
 {#
-  Select which backend you want generated and placed
+  Select which storage backend you want generated and placed
   in the vault configuration file.
 #}
 {% if vault_backend == 'consul' -%}
@@ -38,11 +38,12 @@ listener "tcp" {
   {% include vault_backend_etcd with context -%}
 {% elif vault_backend == 'file' -%}
   {% include vault_backend_file with context -%}
+
+{# We don't currentlty have this backend template available! #}
 {% elif vault_backend == 'mysql' -%}
   {% include vault_backend_mysql with context -%}
 {% endif -%}
 
-
 {% if vault_ui -%}
 ui = {{ vault_ui | bool | lower }}
 {% endif -%}

version.txt

@@ -1 +1 @@
-v2.1.8
+v2.1.9