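---
# Smoke-test playbook for the community.hashi_vault collection against the
# Vault at pwd.jingoh.fr: log in once, read one kv-v2 secret, list the
# secrets under a path and list the ACL policy names.
#
# Credentials are NOT stored in this file. Supply them through the
# environment (VAULT_USERNAME / VAULT_PASSWORD) or as extra vars
# (-e vault_password=...); the first task fails fast if the password is
# missing. Every task that handles the password, the login token or the
# secret's contents runs with no_log so none of them ends up in the
# Semaphore/CI job output.
#
# Controller requirements: `pip install hvac` (the collection's client
# library); `apt-get install sshpass` is only needed when targeting remote
# hosts over password SSH.
#
# @author Stéphane Gratias (2021).
#
# References:
#   https://open-amt-cloud-toolkit.github.io/docs/2.0/Docker/dockerLocal_prodVault/
#   https://elatov.github.io/2022/01/using-hashicorp-vault-with-ansible/
#
# One-time Vault setup used while writing this test:
#   vault secrets enable -path=apps kv-v2
#   vault kv get apps/my-app
#   vault token create -explicit-max-ttl=8760h -policy=test -ttl=720h -renewable=true -display-name=test
#
# The lookup can also be driven by inventory/host variables instead of
# per-call arguments (ansible_hashi_vault_url, ansible_hashi_vault_auth_method,
# ansible_hashi_vault_mount_point, ...). Never pass a token inline in a
# lookup term (e.g. `token=<redacted>`) - it is logged with the task.
#
# macOS controller only: the hvac client may crash on fork unless
# `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` is set. That variable
# disables a macOS safety check, so set it on a developer workstation only,
# never on a shared runner.
- name: Vault
  hosts: localhost
  # become: true
  gather_facts: false

  vars:
    vault_url: https://pwd.jingoh.fr
    # Auth method for the initial login. The previous version logged in with
    # userpass and then re-authenticated with ldap for every lookup using the
    # same credentials; switch this to ldap if the policy you are testing is
    # bound to the LDAP auth mount.
    vault_auth_method: userpass
    # Auth mount path; equals the method name for the default mounts
    # (userpass -> userpass, ldap -> ldap).
    vault_auth_mount_point: "{{ vault_auth_method }}"
    vault_username: "{{ lookup('env', 'VAULT_USERNAME') | default('lbouvier@jingoh.fr', true) }}"
    # Must come from the environment or extra vars; do not commit a value.
    vault_password: "{{ lookup('env', 'VAULT_PASSWORD') }}"
    # kv-v2 mount and the secret path beneath it (`vault kv get kv/test`).
    vault_kv_mount: kv
    vault_kv_path: test

  tasks:
    - name: Refuse to run without a Vault password
      ansible.builtin.assert:
        that:
          - vault_password | length > 0
        fail_msg: "Set VAULT_PASSWORD in the environment or pass -e vault_password=... (the password is not stored in this playbook)"
        quiet: true

    - name: Login and use the resulting token
      community.hashi_vault.vault_login:
        url: "{{ vault_url }}"
        auth_method: "{{ vault_auth_method }}"
        mount_point: "{{ vault_auth_mount_point }}"
        username: "{{ vault_username }}"
        password: "{{ vault_password }}"
      register: login_data
      # The registered result carries the client token; keep it out of the log.
      no_log: true

    - name: Keep the client token for the remaining tasks
      ansible.builtin.set_fact:
        vault_token: "{{ login_data.login.auth.client_token }}"
      no_log: true

    # The secret is read into a fact under no_log; only its key names are
    # displayed afterwards. Printing the lookup result directly with debug
    # (as before) wrote the secret values into the job output.
    - name: Read the kv-v2 secret with the login token
      ansible.builtin.set_fact:
        test_secret: "{{ lookup('community.hashi_vault.hashi_vault', vault_kv_mount ~ '/data/' ~ vault_kv_path, url=vault_url, auth_method='token', token=vault_token) }}"
      no_log: true

    - name: Display the key names of the secret (values are never printed)
      ansible.builtin.debug:
        # For a kv-v2 'mount/data/path' term the lookup returns the API
        # 'data' envelope, whose 'data' member is the key/value map.
        msg: "{{ test_secret.data | dict2items | map(attribute='key') | list }}"

    - name: List kv2 secrets from Vault via the remote host with userpass auth
      community.hashi_vault.vault_list:
        url: "{{ vault_url }}"
        # kv-v2 only answers LIST on 'mount_point/metadata' or
        # 'mount_point/metadata/path'; the earlier 'kv/data/test' path is
        # not listable and contradicted this same note.
        path: "{{ vault_kv_mount }}/metadata/{{ vault_kv_path }}"
        auth_method: token
        token: "{{ vault_token }}"
      register: secret

    - name: Display the secrets found at the path provided above
      ansible.builtin.debug:
        # secret.data.data.keys would resolve to the dict method, hence ['keys'].
        msg: "{{ secret.data.data['keys'] }}"

    - name: List access policies from Vault via the remote host
      community.hashi_vault.vault_list:
        url: "{{ vault_url }}"
        path: sys/policies/acl
        # Authenticate explicitly with the login token instead of relying on
        # whatever VAULT_TOKEN happens to be exported on the controller.
        auth_method: token
        token: "{{ vault_token }}"
      register: policies

    - name: Display the policy names
      ansible.builtin.debug:
        # policies.data.data.keys would resolve to the dict method, hence ['keys'].
        msg: "{{ policies.data.data['keys'] }}"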