---
# Docker provisioning exists only so the example can run against throw-away
# containers; the whole play is skipped unless `docker_demo` is defined.
- name: "Bring up Docker containers for Docker connection inventory iface"
  hosts: localhost
  when: docker_demo is defined
  roles:
    - role: provision_docker
      # NOTE(review): a privileged container gets the host kernel's full
      # capability set; fine for a local demo, not for shared CI runners.
      provision_docker_privileged: true
      provision_docker_inventory_group: "{{ groups['robots'] }}"
      provision_docker_use_docker_connection: true
# Give every host (localhost included) a random suffix so repeated demo runs
# request distinct common names instead of re-enrolling the same one.
- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: "Set CN fact"
      set_fact:
        cn: "{{ 10000 | random }}"
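# Enrol a certificate for every host in `robots` via the role, then verify the
# material that landed on the remote host.
- hosts: robots
  vars:
    certificate_common_name: "{{ ansible_fqdn }}-{{ cn }}.venafi.example.com"
    certificate_alt_name: "IP:{{ ansible_default_ipv4.address }},DNS:{{ ansible_fqdn }}-{{ cn }}-alt.venafi.example.com"
    # Controller-side working directory for CSR, private key, certificate and
    # chain. NOTE(review): /tmp is shared and the path is predictable, and the
    # private key is written here before it is copied out; use a directory
    # with restrictive permissions outside a demo.
    certificate_cert_dir: "/tmp/ansible/etc/ssl/{{ certificate_common_name }}"
    certificate_cert_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.pem"
    certificate_chain_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.chain.pem"
    certificate_privatekey_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.key"
    certificate_csr_path: "{{ certificate_cert_dir }}/{{ certificate_common_name }}.csr"
    # Where the venafi_certificate module runs. With false the key pair and
    # certificate are created on the Ansible controller and then copied to the
    # remote host; with true they are created on the remote host, so the
    # private key never has to leave it.
    certificate_remote_execution: false
    # Final location of the material on the remote host.
    certificate_remote_cert_dir: "/etc/ssl"
    certificate_remote_cert_path: "{{ certificate_remote_cert_dir }}/{{ certificate_common_name }}.pem"
    certificate_remote_chain_path: "{{ certificate_remote_cert_dir }}/{{ certificate_common_name }}.chain.pem"
    certificate_remote_privatekey_path: "{{ certificate_remote_cert_dir }}/{{ certificate_common_name }}.key"
    # Set to false to keep the private key on the controller only. When true the
    # key is transferred over the Ansible connection; the file mode it ends up
    # with on the remote host is decided by the role, so check it there.
    certificate_copy_private_key_to_remote: true
  roles:
    - role: "ansible-role-venafi"
  # Everything below only verifies what the role produced.
  tasks:
    # NOTE(review): unpinned install from the default package index on the
    # remote host; pin a version (ideally with hashes) outside a demo.
    - name: "Install vcert for verification"
      pip:
        name:
          - vcert

    # Each verification runs the module in check mode against the files on the
    # remote host; `changed` means the certificate on disk does not match the
    # requested CN / SANs or is otherwise not in a valid state.
    # The remote_* paths are preferred and the controller paths are the
    # fallback. All three fallbacks test `is defined`: a bare truthiness test
    # (`if var else`) on an undefined variable raises under Ansible's strict
    # undefined handling, so the fallback was unreachable for chain_path and
    # privatekey_path when those vars were not set.
    # NOTE(review): `venafi.token` / `venafi.password` are passed as module
    # arguments and can appear in verbose or failure output unless the module
    # marks them sensitive; source them from Ansible Vault. `no_log: true`
    # on these tasks would also censor the registered results read below.
    - name: "Verify Venafi certificate on remote host"
      venafi_certificate:
        url: "{{ venafi.url | default(omit) }}"
        token: "{{ venafi.token | default(omit) }}"
        zone: "{{ venafi.zone | default(omit) }}"
        test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
        user: "{{ venafi.user | default(omit) }}"
        password: "{{ venafi.password | default(omit) }}"
        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
        cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}"
        chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path is defined else certificate_chain_path }}"
        privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path is defined else certificate_privatekey_path }}"
        common_name: "{{ certificate_common_name }}"
        alt_name: "{{ certificate_alt_name }}"
      check_mode: true
      register: cert_validation
    - name: "Report verification result"
      debug:
        msg: "Certificate {{ certificate_common_name }} is not in valid state: {{ cert_validation.changed_msg }}"
      when: cert_validation is changed

    # Deliberately requests a CN that does not match the enrolled certificate,
    # so this check always reports `changed` and exercises the debug path.
    - name: "Example verification which will always fail with debug message"
      venafi_certificate:
        url: "{{ venafi.url | default(omit) }}"
        token: "{{ venafi.token | default(omit) }}"
        zone: "{{ venafi.zone | default(omit) }}"
        test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
        user: "{{ venafi.user | default(omit) }}"
        password: "{{ venafi.password | default(omit) }}"
        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
        cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}"
        chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path is defined else certificate_chain_path }}"
        privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path is defined else certificate_privatekey_path }}"
        common_name: "{{ certificate_common_name }}-fail-check"
        alt_name: "{{ certificate_alt_name }}"
      check_mode: true
      register: cert_validation_failed
    - name: "Report expected verification failure"
      debug:
        msg: "Certificate {{ certificate_common_name }} is not in valid state: {{ cert_validation_failed.changed_msg }}"
      when: cert_validation_failed is changed

    # Not in check mode: a valid certificate must leave this task unchanged,
    # i.e. no re-enrollment is requested from Venafi.
    - name: "This one shouldn't enroll new Venafi certificate on remote host because it's valid"
      venafi_certificate:
        url: "{{ venafi.url | default(omit) }}"
        token: "{{ venafi.token | default(omit) }}"
        zone: "{{ venafi.zone | default(omit) }}"
        test_mode: "{{ venafi.test_mode if venafi.test_mode is defined else 'false' }}"
        user: "{{ venafi.user | default(omit) }}"
        password: "{{ venafi.password | default(omit) }}"
        trust_bundle: "{{ venafi.trust_bundle | default(omit) }}"
        cert_path: "{{ certificate_remote_cert_path if certificate_remote_cert_path is defined else certificate_cert_path }}"
        chain_path: "{{ certificate_remote_chain_path if certificate_remote_chain_path is defined else certificate_chain_path }}"
        privatekey_path: "{{ certificate_remote_privatekey_path if certificate_remote_privatekey_path is defined else certificate_privatekey_path }}"
        common_name: "{{ certificate_common_name }}"
      register: result
    # NOTE(review): this prints the whole module result; if it carries the
    # `invocation` arguments and the module does not mark credentials
    # sensitive, the token/password end up in the play output.
    - name: "Certificate is in following state:"
      debug:
        msg: "{{ result }}"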