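---
# Installs the Vault CA into the host trust store, installs the Vault CLI at
# the pinned version, and issues (or renews) this host's TLS certificate from
# the Vault intermediate PKI.
# Expected from the caller: vault_ca_cert_payload, vault_ca_cert_name,
# vault_version, hashi_arch, vault_pki_policy.

- name: ensure root cert exists
  copy:
    content: "{{ vault_ca_cert_payload }}"
    # update-ca-certificates only picks up files in this directory;
    # assumes vault_ca_cert_name ends in .crt — TODO confirm
    dest: "/usr/local/share/ca-certificates/{{ vault_ca_cert_name }}"
    # a certificate is data, not a program: readable, never executable
    mode: "0644"
    owner: root
    group: root
  register: root_ca

- name: update ca certs
  # rebuild the trust store only when the CA file actually changed
  command: update-ca-certificates
  when: root_ca is changed

- name: check vault version
  shell:
    # NOTE(review): cut -d'v' -f2 keeps everything after the first 'v' on the
    # first output line; if `vault --version` prints more than "Vault vX.Y.Z"
    # the comparison in "get vault" never matches and the zip is fetched on
    # every run — confirm against the installed CLI's output
    cmd: "vault --version | head -1 | cut -d'v' -f2"
  args:
    executable: /bin/bash
  changed_when: false
  # a missing binary is the "needs install" case, not a playbook failure
  failed_when: false
  register: installed_vault_version
  # always run so stdout exists even under --check
  check_mode: false

- name: get vault
  # NOTE(review): the archive is fetched over HTTPS but the release's
  # published checksum is not verified; consider get_url with checksum=
  # (value from the release's SHA256SUMS file) before unarchive
  unarchive:
    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ hashi_arch }}.zip"
    dest: /usr/local/bin/
    mode: "0755"
    owner: root
    group: root
    remote_src: true
  # stdout is "" when the CLI is absent (failed_when above), so this also
  # covers a fresh install
  when: (installed_vault_version.stdout | default('')) != vault_version

- name: ensure pki cert directory
  file:
    path: /etc/pki/certs
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: ensure main pki directory
  file:
    path: /etc/pki/keys
    state: directory
    owner: root
    group: root
    # a directory needs the execute bit to be traversed; the previous 0600
    # only worked because root bypasses permission bits
    mode: "0700"

- name: ensure root cert exists for general use
  copy:
    content: "{{ vault_ca_cert_payload }}"
    dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
    mode: "0644"
    owner: root
    group: root
  # distinct name so root_ca keeps referring to the trust-store copy above
  register: root_ca_pki

- name: check if server cert is expiring in the next 5 days
  # rc 0: still valid for 432000 s (5 days); non-zero: expiring, or the file
  # could not be read (e.g. first run, no cert yet)
  command: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
  failed_when: false
  check_mode: false
  changed_when: false
  register: exp

- name: get cert
  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.masked.name ttl=43200m"
  args:
    executable: /bin/bash
  environment:
    VAULT_ADDR: https://vault.service.masked.name:8200
    # token is read from the controller's ~/.vault-token, not from the target
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
    # kept as a string so the value is passed verbatim to the CLI.
    # TODO(review): the CA installed above is in the system trust store; if
    # the Vault server certificate chains to it, drop this and let the CLI
    # verify the server (or point VAULT_CACERT at /etc/pki/certs/...)
    VAULT_SKIP_VERIFY: "true"
  # stdout carries the freshly issued private key: keep it out of verbose
  # output and callbacks (failures are therefore opaque; rerun with the
  # task's no_log disabled to debug issuance problems)
  no_log: true
  register: cert_data
  when: exp.rc != 0

- name: write cert data to server
  copy:
    content: "{{ item.content }}"
    dest: "/etc/pki/{{ item.path }}"
    mode: "{{ item.mode }}"
    owner: root
    group: root
  # loop items are templated before `when` is evaluated; when "get cert" was
  # skipped cert_data has no stdout, so the JSON parse must sit behind a lazy
  # inline conditional instead of running unconditionally
  loop:
    - content: "{{ (cert_data.stdout | from_json).data.certificate if cert_data is changed else '' }}"
      path: "certs/{{ inventory_hostname_short }}.crt"
      # public certificate: readable by services, not executable
      mode: "0644"
    - content: "{{ (cert_data.stdout | from_json).data.private_key if cert_data is changed else '' }}"
      path: "keys/{{ inventory_hostname_short }}.key"
      mode: "0600"
  loop_control:
    # never echo item.content (the private key) in task output
    label: "{{ item.path }}"
  when: cert_data is changed
...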