awx/tools/docker-compose/ansible/roles/vault/tasks/plumb.yml

---
- name: Set vault_addr
  include_tasks: set_vault_addr.yml

- name: Load vault keys
  include_vars:
    file: "{{ vault_file }}"

- name: Get AWX admin password
  include_vars:
    file: "{{ admin_password_file }}"

- name: Create a HashiCorp Vault Credential
  awx.awx.credential:
    credential_type: HashiCorp Vault Secret Lookup
    name: Vault Lookup Cred
    organization: Default
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    inputs:
      api_version: "v1"
      cacert: "{{ lookup('ansible.builtin.file', '{{ vault_server_cert }}', errors='ignore') }}"
      default_auth_path: "cert"
      kubernetes_role: ""
      namespace: ""
      client_cert_public: "{{ lookup('ansible.builtin.file', '{{ vault_client_cert }}', errors='ignore') }}"
      client_cert_private: "{{ lookup('ansible.builtin.file', '{{ vault_client_key }}', errors='ignore') }}"
      token: "{{ Initial_Root_Token }}"
      url: "{{ vault_addr_from_container }}"
  register: vault_cred

- name: Create a custom credential type
  awx.awx.credential_type:
    name: Vault Custom Cred Type
    kind: cloud
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    injectors:
      extra_vars:
        the_secret_from_vault: "{{ '{{' }} password {{ '}}' }}"
    inputs:
      fields:
        - type: "string"
          id: "password"
          label: "Password"
          secret: true
  register: custom_vault_cred_type

- name: Create a credential of the custom type for token auth
  awx.awx.credential:
    credential_type: "{{ custom_vault_cred_type.id }}"
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    name: Credential From HashiCorp Vault via Token Auth
    inputs: {}
    organization: Default
  register: custom_credential_via_token

- name: Use the Token Vault Credential For the new credential
  awx.awx.credential_input_source:
    input_field_name: password
    target_credential: "{{ custom_credential_via_token.id }}"
    source_credential: "{{ vault_cred.id }}"
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    metadata:
      auth_path: ""
      secret_backend: "my_engine"
      secret_key: "my_key"
      secret_path: "/my_root/my_folder"
      secret_version: ""

- name: Create a HashiCorp Vault Credential for UserPass
  awx.awx.credential:
    credential_type: HashiCorp Vault Secret Lookup
    name: Vault UserPass Lookup Cred
    organization: Default
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    inputs:
      api_version: "v1"
      default_auth_path: "userpass"
      kubernetes_role: ""
      namespace: ""
      url: "{{ vault_addr_from_container }}"
      username: "{{ vault_userpass_username }}"
      password: "{{ vault_userpass_password }}"
  register: vault_userpass_cred

- name: Create a credential from the Vault UserPass Custom Cred Type
  awx.awx.credential:
    credential_type: "{{ custom_vault_cred_type.id }}"
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    name: Credential From HashiCorp Vault via UserPass Auth
    inputs: {}
    organization: Default
  register: custom_credential_via_userpass

- name: Use the Vault UserPass Credential  the new credential
  awx.awx.credential_input_source:
    input_field_name: password
    target_credential: "{{ custom_credential_via_userpass.id }}"
    source_credential: "{{ vault_userpass_cred.id }}"
    controller_host: "{{ awx_host }}"
    controller_username: admin
    controller_password: "{{ admin_password }}"
    validate_certs: false
    metadata:
      auth_path: ""
      secret_backend: "userpass_engine"
      secret_key: "my_key"
      secret_path: "userpass_root/userpass_secret"
      secret_version: ""