This Ansible role performs a basic Vault installation, including filesystem structure and example configuration.

It can also bootstrap a minimal development or evaluation server or HA Consul-backed cluster in a Vagrant and VirtualBox based environment. See README_VAGRANT.md and the associated Vagrantfile for more details about the developer mode setup.

This role requires FreeBSD, or a Debian or RHEL based Linux distribution. It might work with other software versions, but does work with the following specific software and versions:

• Ansible: 2.7.2
• Vault: 1.0.0
• Debian: 9
• FreeBSD 11
• Ubuntu 18.04

Sorry, there is no planned support at the moment for Windows.

The role defines variables in defaults/main.yml:

• version to install

  • Can be overridden with VAULT_VERSION environment variable
  • Will include "+prem" if vault_enterprise_premium=True
  • Will include ".hsm" if vault_enterprise_premium_hsm=True

• Default value: 1.0.0

• Set this to true when installing Vault Enterprise; this is not currently possible as a "remote only" install method
  • Can be overridden with VAULT_ENTERPRISE environment variable
• Default value: false

• package filename
• Default value: "vault_{{ vault_version }}_linux_amd64.zip"

• package filename
• Default value: "vault-enterprise_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"

• Package download URL
• Default value: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
• Override this var if you have your zip hosted internally
• Works for enterprise installs also

• SHA summaries URL
• Override this var if you have your sha file is hosted internally
• Default value: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version}}_SHA256SUMS"

• SHA summaries filename (included for convenience not for modification)
• Default value: "vault_{{ vault_version }}_SHA256SUMS"

• SHA summaries filename (included for convenience not for modification)
• Will attempt to download from vault_checksum_file_url if not present in files/
• Default value: "vault-enterprise_{{ vault_version }}_SHA256SUMS"

• Binary installation path
• Default value: /usr/local/bin

• Configuration file path
• Default value: /etc/vault.d

• Data path
• Default value: /var/vault

• Log path - (not yet implemented)
• Default value: /var/log/vault

• PID file location
• Default value: /var/run/vault

• Should this role manage the vault user?
• Default value: true

• OS user name
• Default value: vault

• OS group name
• Default value: bin

• OS group create Should playbook create the group
• Default value: false

• Cluster name label
• Default value: dc1

• Datacenter label
• Default value: dc1

• Enable vault web ui
• Default value: false

• host:port value for connecting to Consul HA backend
• Default value: 127.0.0.1:8500

• Scheme for Consul backend
• Supported values: http, https
• Default value: http

• Name of Vault's Consul K/V root path
• Default value: vault

• Name of the Vault service to register in Consul
• Default value: vault

• ACL token for accessing Consul
• Default value: none

• Log level
  • Supported values: trace, debug, info, warn, err
• Default value: info

• Log to syslog (not yet impemented)
• Default value: true

• Network interface
  • Can be overridden with VAULT_IFACE environment variable
• Default value: eth1

• Primary network interface address to use
• Default value: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"

• TCP port number to on which to listen
• Default value: 8200

• Short node name
• Default value: "{{ inventory_hostname_short }}"

• Configures the maximum possible lease duration for tokens and secrets.
• Default value: 768h (32 days)

• Configures the default lease duration for tokens and secrets.
• Default value: 768h (32 days)

• Main configuration file name (full path)
• Default value: "{{ vault_config_path }}/vault_main.hcl"

• Vault listener configuration template file
• Default value: vault_listener.hcl.j2

• Which storage backend should be selected, choices are: consul, file and mysql
• Default value: consul

• Backend consul template filename
• Default value: backend_consul.j2

• Backend file template filename
• Default value: backend_file.j2

• Address to bind to for cluster server-to-server requests
• Default value: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"

• Address to advertise to other Vault servers in the cluster for request forwarding
• Default value: "{{ vault_protocol }}://{{ vault_cluster_address }}"

• HA Client Redirect address
• Default value: "{{ vault_protocol }}://{{ vault_redirect_address or hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ vault_port }}"
  • vault_redirect_address is kept for backward compatibility but is deprecated.

• Disable HA clustering
• Default value: false

• Disable Certificate Validation for API reachability check
• Default value: false

• Path to TLS certificate and key
• Default value /etc/vault/tls

• Disable TLS
  • Can be overridden with VAULT_TLS_DISABLE environment variable
• Default value: 1

• Enable TLS Gossip to Consul Backend
• Default value: 0

• User-specified source directory for TLS files
  • Override with VAULT_TLS_SRC_FILES environment variable
• Default value: {{ role_path }}/files

• Path to TLS certificate and key
• Default value /etc/vault/tls

• CA certificate filename
  • Override with VAULT_TLS_CA_CRT environment variable
• Default value: ca.crt

• Server certificate
  • Override with VAULT_TLS_CERT_FILE environment variable
• Default value: server.crt

• Server key
  • Override with VAULT_TLS_KEY_FILE environment variable
• Default value: server.key

• Minimum acceptable TLS version
  • Can be overridden with VAULT_TLS_MIN_VERSION environment variable
• Default value: tls12

• Comma-separated list of supported ciphersuites
• Default value: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

• Prefer server's cipher suite over client cipher suite
  • Can be overridden with VAULT_TLS_PREFER_SERVER_CIPHER_SUITES environment variable
• Default value: false

• Require clients to present a valid client certificate
• Default value: false

• Disable requesting for client certificates
• Default value: false

• Copy from remote source if TLS files are already on host
• Default value: no

• BSD init template file
• Default value: vault_bsdinit.j2

• SysV init template file
• Default value: vault_sysvinit.j2

• Debian init template file
• Default value: vault_debian.init.j2

• Systemd service template file
• Default value: vault_systemd.service.j2

• Enable Vault telemetry
• If enabled, you must set vault_statsite_address or vault_statsd_address with a format of "FQDN:PORT"
• If enabled, optionally set vault_telemetry_disable_hostname to strip the hostname prefix from telemetry data
• Default value: false

The consul binary works on most Linux platforms and is not distribution specific. However, some distributions require installation of specific OS packages with different naming, so this role was built with support for popular Linux distributions and defines these variables to deal with the differences across distributions:

• Vault package filename
• Default value: {{ vault_version }}_linux_amd64.zip

• Vault package download URL
• Default value: {{ vault_zip_url }}

• List of OS packages to install
• Default value: list

• Vault package filename
• Default value: "{{ vault_version }}_linux_amd64.zip"

• Vault package download URL
• Default value: "{{ vault_zip_url }}"

• Vault download SHA256 summary
• Default value: SHA256 SUM

• List of OS packages to install
• Default value: list

• Vault package filename
• Default value: "{{ vault_version }}_linux_amd64.zip"

• Vault package download URL
• Default value: "{{ vault_zip_url }}"

• Vault package SHA256 summary
• Default value: SHA256 SUM

• List of OS packages to install
• Default value: list

• Vault package filename
• Default value: "{{ vault_version }}_linux_amd64.zip"

• Vault package download URL
• Default value: "{{ vault_zip_url }}"

• Used to auto initialize a vault instance, this is mainly used for testing
• Default value: false

• Vault package SHA256 summary
• Default value: SHA256 SUM

• Enable logrotation for systemd based systems
• Default value: false

• Determines how frequently to rotate vault logs
• Default value: 7

• Logrotate template file
• Default value: vault_logrotate.j2

• List of OS packages to install
• Default value: list

NOTE: Read these before executing the role to avoid certain frequently encountered issues which are resolved by installing the correct dependencies.

Ansible requires GNU tar and this role performs some local use of the unarchive module, so ensure that your system has gtar installed.

The role depends on python-netaddr so:

pip install netaddr

on the Ansible control host prior to executing the role.

Basic installation is possible using the included site.yml playbook:

ansible-playbook -i hosts site.yml

You can also pass variables in using the --extra-vars option to the ansible-playbook command:

ansible-playbook -i hosts site.yml --extra-vars "vault_datacenter=maui"

Specify a template file with a different backend definition (see templates/backend_consul.j2):

ansible-playbook -i hosts site.yml --extra-vars "vault_backed=backend_file.j2"

You need to make sure that the template file backend_file.j2 is in the role directory for this to work.

See examples/README_VAGRANT.md for details on quick Vagrant deployments under VirtualBox for testing, etc.

example playbook for a file based auto intializing single node vault instance.

- hosts: all
  gather_facts: True
  become: true
  vars:

    vault_user: vault
    vault_group: vault
    vault_manage_group: True
    vault_ui: True
    vault_iface: eth1
    vault_backend: file
    vault_cluster_disable: True
    vault_log_level: debug
    vault_auto_initialize: True

  roles:
    - vault

The role can install Vault Enterprise based instances.

Place the Vault Enterprise zip archive into {{ role_path }}/files and set vault_enterprise: true or use the VAULT_ENTERPRISE="true" environment variable. Attempts to download the package from vault_zip_url if zip is not found in files/.

• Set to True if using premium binary. Basically just includes "+prem" in "vault_version" var
• Default value: False

The role can configure HSM based instances. Make sure to reference the HSM support page and take notice of the behavior changes after HSM is installed.

• Set to True if using premium hsm binary. Basically just includes ".hsm" in "vault_version" var
• Default value: False

• Set which cryptography app to use.
• Default value: pkcs11

• Backend seal template filename
• Default value: vault_backend_seal.j2

• Set to the absolute path of the HSM library vault will call
• Default value: /lib64/hsmlibrary.so

• The PIN for login. May also be specified by the VAULT_HSM_PIN environment variable. If set via the environment variable, Vault will obfuscate the environment variable after reading it, and it will need to be re-set if Vault is restarted.
• Default value: 12345

• The label of the key to use. If the key does not exist and generation is enabled, this is the label that will be given to the generated key. May also be specified by the VAULT_HSM_KEY_LABEL environment variable.
• Default value: vault-hsm-key

• If no existing key with the label specified by key_label can be found at Vault initialization time, instructs Vault to generate a key. This is a boolean expressed as a string (e.g. "true"). May also be specified by the VAULT_HSM_GENERATE_KEY environment variable. Vault may not be able to successfully generate keys in all circumstances, such as if proprietary vendor extensions are required to create keys of a suitable type.
• Default value: false

• Do not change this unles you know you need to. The encryption/decryption mechanism to use, specified as a decimal or hexadecimal (prefixed by 0x) string. May also be specified by the VAULT_HSM_MECHANISM environment variable.
• Default value: ''
• Example for RSA: 0x0009

• The slot token label to use. May also be specified by the VAULT_HSM_TOKEN_LABEL environment variable. This label will only be applied when vault_softcard_enable is true.
• Default value: ''

• Enable if you plan to use a softcard on your HSM.
• Default value: false

• The slot number to use, specified as a string (e.g. "0"). May also be specified by the VAULT_HSM_SLOT environment variable. This label will only be applied when vault_softcard_enable is false (default).
• Default value: 0

This feature enables operators to delegate the unsealing process to Google Key Management System Cloud to ease operations in the event of partial failure and to aid in the creation of new or ephemeral clusters.

This Auto-unseal mechanism is Open Source in Vault 1.0 but would require Enterprise binaries for any earlier version.

• Set to True to enable Google Cloud KMS Auto-Unseal.
• Default value: false

• Backend seal template filename
• Default value: vault_backend_gkms.j2

• GCP Project where the key reside.
• Default value: ''

• User-specified source directory for GCP Credential on Ansible control node.
• Default value: ''

• Path to GCP credential on Vault server.
• Default value: /home/vault/vault-kms.json

• GCP Region where the key reside.
• Default value: global

• The id of the Google Cloud Platform KeyRing to which the key shall belong.
• Default value: vault

• The CryptoKey's name. A CryptoKey's name must be unique within a location and match the regular expression [a-zA-Z0-9_-]{1,63}
• Default value: vault_key

BSD

Brian Shumate

Special thanks to the folks listed in CONTRIBUTORS.md for their contributions to this project.