Adding the Vault role

roles/vault/tasks/check_vault.yml

@@ -0,0 +1,77 @@
+---
+
+# Check if vault is reachable on the localhost
+- name: check_vault | Attempt to pull local vault health
+  uri:
+    url: "https://localhost:{{ vault_port }}/v1/sys/health"
+    headers: "{{ vault_client_headers }}"
+    validate_certs: no
+  ignore_errors: true
+  register: vault_local_service_health
+
+- name: check_vault | Set facts about local Vault health
+  set_fact:
+    vault_is_running: "{{ vault_local_service_health|succeeded }}"
+    vault_is_initialized: "{{ vault_local_service_health.get('json', {}).get('initialized', false) }}"
+    vault_is_sealed: "{{ vault_local_service_health.get('json', {}).get('sealed', true) }}"
+    vault_in_standby: "{{ vault_local_service_health.get('json', {}).get('standby', true) }}"
+    vault_run_version: "{{ vault_local_service_health.get('json', {}).get('version', '') }}"
+
+- name: check_vault | Set fact about the Vault cluster's initialization state
+  set_fact:
+    vault_cluster_is_initialized: "{{ vault_is_initialized or hostvars[item]['vault_is_initialized'] }}"
+  with_items: "{{ groups.vault }}"
+
+- name: check_vault | Set fact about the Vault Cluster's available hosts
+  set_fact:
+    vault_available_hosts: "{{ vault_available_hosts|default([]) + [item] }}"
+  with_items: "{{ groups.vault }}"
+  when: "hostvars[item]['vault_is_running'] and not hostvars[item]['vault_is_sealed']"
+
+- include: sync_file.yml
+  vars:
+    sync_file: "{{ item }}"
+    sync_file_dir: "{{ vault_secrets_dir }}"
+    sync_file_hosts: "{{ groups.vault }}"
+  with_items:
+    - root_token
+    - unseal_keys
+
+# Logic is hard to follow on this one, probably need to simplify somehow
+- name: "check_vault | Set fact based on sync_file_results"
+  set_fact:
+    vault_secrets_available: "{{ vault_secrets_available|default(true) and not item.no_srcs }}"
+  with_items: "{{ sync_file_results }}"
+
+- name: "check_vault | Reset sync_file_results to avoid variable bleed"
+  set_fact:
+    sync_file_results: []
+
+- name: "check_vault | Print out warning message if secrets are not available"
+  pause:
+    prompt: >
+         Vault orchestration may not be able to proceed. The Vault cluster is initialzed, but
+         'root_token' or 'unseal_keys' were not found in {{ vault_secrets_dir }}. These are
+         needed for many orchestration steps.
+  when: vault_cluster_is_initialized and not vault_secrets_available
+
+- name: "check_vault | Cat root_token from a vault host"
+  command: "cat {{ vault_secrets_dir }}/root_token"
+  register: vault_root_token_cat
+  when: vault_secrets_available and inventory_hostname == groups.vault|first
+
+- name: "check_vault | Cat unseal_keys from a vault host"
+  command: "cat {{ vault_secrets_dir }}/unseal_keys"
+  register: vault_unseal_keys_cat
+  when: vault_secrets_available and inventory_hostname == groups.vault|first
+
+- name: "check_vault | Set needed facts for Vault API interaction when Vault is already running"
+  set_fact:
+    vault_root_token: "{{ hostvars[groups.vault|first]['vault_root_token_cat']['stdout'] }}"
+    vault_unseal_keys: "{{ hostvars[groups.vault|first]['vault_unseal_keys_cat']['stdout_lines'] }}"
+  when: vault_secrets_available
+
+- name: "check-vault | Update vault_headers if we have the root_token"
+  set_fact:
+    vault_headers: "{{ vault_client_headers | combine({'X-Vault-Token': vault_root_token}) }}"
+  when: vault_secrets_available