Tuesday, July 9, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-4

 In this part we will setup a project in AAP and sync that from (github/gitlab) and using that project create job template execute the same.

So lets quickly go to github and create a repo and add a file name password.yml

---

- name: Genrate and set random password on Remote Servers

  hosts: all

  gather_facts: no

  tasks:


    - name: Check if server are reachable or not

      ansible.builtin.ping:

      register: ping_result


    - debug:

        msg: "{{ ping_result }}"

     


    - name: Generate Complex randome password

      set_fact:

        generated_password: "{{ lookup('community.general.random_string', length=12, min_lower=1, min_upper=1, min_numeric=1, min_special=1, override_special='-_=+!#$()[]') }}"


    - name: Write password to Vault using key value V2 engine

      delegate_to: 127.0.0.1

      community.hashi_vault.vault_write:

        path: secret/data/dev/{{inventory_hostname}}

#        auth_method: approle

#        role_id: ''

#        secret_id: ''

        data:

          data:

            password: "{{ generated_password }}"


    - name: Setting password for user

      ansible.builtin.user:

        name: "{{ ansible_user | trim }}"

        password: "{{ generated_password | password_hash('sha512', 'mysecretsalt') }}"


So in the  This file will help to setup the password on remote server also update it in the password vault so this way if required we can rapidly change the password without disrupting existing automation.

Also we will write one more playbook to test if password change worked and we can execute the play become and after the password change.This play will show you the output of ifconfig and hostname command.point being we can using the updated password from vault and able to connect 

---

- name: Debug AAP

  hosts: all

  tasks:

    - name: Running Hostname command to confirm and no funny bussness

      ansible.builtin.shell: hostname

      register: hostname


    - name: Show debug output

      ansible.builtin.debug:

        msg: "{{hostname.stdout}}"


    - name: Running ifconfig command to confirm and no funny bussness

      ansible.builtin.shell: ifconfig

      register: ifg


    - name: Show debug output

      ansible.builtin.debug:

        msg: "{{ifg.stdout}}"



lets we need to create a job template out in one job template select password.yml and in other select the test.yml also the execution environment will be custom-ee which we have created in the part 3 and Enjoy

we can see in the screen shot as below the execution

Changing/Rotating the Password

Updated Random pass for one of the server 


Able to connect even after changing the pass so no impact to existing automation

We are able to create a zero trust environment .In which we can rotate the password every 60 days if requireed to keep our system safe.

Let me know if on which ansible you want to know more and i am happy to help




 

Friday, July 5, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-3

 So Now lets start with building the required execution environment to use the collections which we need to execute our play we will required below collections

1.    community.general --> To Generate the Random Password

2. community.hashi_vault --> To interact with the HashiCorp vault

So lets get into the action lets Install the ansible builder don't go for the latest one as you may encounter some issues lets go for the one stable release as of writing the blog the the release version i know id 3.0.1 so i am installing the same 

We are installing pip if already not present and then using pip we are installing the ansible builder

# dnf install python3-pip

# pip install ansible-builder==3.0.1

Once the ansible builder is installed lets create some files like 

Note: EE stands for execution environment

Create a directory call EE and go to that directory

# mkdir EE and cd EE

create a first file execution-environment.yml and add following content:

cat <<EOT >> execution-environment.yml

---

version: 1

dependencies:

  galaxy: requirements.yml

  python: requirements.txt

  system: bindep.txt

additional_build_steps:

  prepend: |

    RUN whoami

    RUN cat /etc/os-release

  append:

    - RUN echo This is a post-install command!

    - RUN ls -la /etc

EOT

Now lets start create the dependencies which we have specified 


cat <<EOT >> requirements.yml

---

collections:

  - name: community.general

  - name: community.hashi_vault

EOT

We have some dependencies for the collections which will specify in the requirements.txt

cat <<EOT >> requirements.txt

gcp-cli

ncclient

netaddr

paramiko

hvac

EOT


If We have some binary dependencies then specify it bindep.txt

cat <<EOT >> bindep.txt

findutils [compile platform:centos-8 platform:rhel-8]

gcc [compile platform:centos-8 platform:rhel-8]

make [compile platform:centos-8 platform:rhel-8]

python39-devel [compile platform:centos-8 platform:rhel-8]

python39-cffi [platform:centos-8 platform:rhel-8]

python39-cryptography [platform:centos-8 platform:rhel-8]

python39-pycparser [platform:centos-8 platform:rhel-8]

EOT 

One we have added everything we will start building the image using command 

ansible-builder build -v3 -t custom-ee 

Once the image is build we can tag the image 

podman tag custom-ee  aap2.example.com/custom-ee

podman push aap2.example.com/custom-ee

Once we have done with this 


Once we are done with this We can start with the building playbook

Wednesday, July 3, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-2

 In the Second part lets Start working with the AAP login to AAP and login as a Admin user and go to the Credential Type and click on Add

Create a New Credential called HashiCorp

Input Configuration:

fields:

  - id: vault_server

    type: string

    label: URL for Vault Server

  - id: vault_token_id

    type: string

    label: Vault token ID

    secret: true

required:

  - vault_server

  - vault_token_id


And Injector Configuration 

env:
  VAULT_ADDR: '{{ vault_server }}'
  VAULT_TOKEN: '{{ vault_token_id }}'

Its Looks like This






































Now Go to Credentials and Create a Credential call hashicorp_token
Enter the values which are associated with the vault 















Now go to inventory and create a Inventory i have created a inventory name hashi and add a host which will look like this just make sure you add the below line in variables

ansible_password: "{{ lookup('hashi_vault', 'secret=secret/data/dev/{{ inventory_hostname }}:password')}}"


We are almost done from host setup stand point in the in AAP all which is remaining is writting a playbook to change the password.

Now lets take a look at setting up the initial password in the hashicorp vault 

login to vault with the taken available in the init file present on path /etc/vault/init.file

Login to UI of Vault and go to Secrets Engine Go to generic inside select the KV

Path : secret 

After the Engine is enable the screen will look like this 



Click on secret and create a paths as per the environment for me its a development environment so i have label it dev and the FQDN or the IP address which we have specify in the inventory

and create a password secret once you build the secrets it may look like this 




As we are done with this part we are almost done We will create the execution environment in the AAP or AWX







Tuesday, July 2, 2024

Setting up the HashiCorp Vault and Ansible AAP AWX integration Part-1

 Hello Guys ,

Welcome back to my block couple of weeks back i need to work on a specific client request when they want to change the passwords of all of the server for the automation_user without interrupting the automation and daily operation so they ask me how one can achieve this. They came to me with below problem statement

 So the problem statement like this 

Business own the around 1000 server and

 they want to change the password for the automation user

they want to rotate the password every 90 days and 

there should not be any interruption in the operations 

So I came up with an idea if we have to go through the exercise every 90 days so we have to do it again and again so its best we should automate it so they we don't face the problem again and again and it will keep on doing it in the background 

 So i recommended the we should setup a vault and let the vault manage the passwords(store the passwords) and since the HashiCorp vault is the community driven and open source its of my choice below are the steps i have taken to set it up

Download and Unzip the vault binary on the server

cd /opt/
sudo wget https://releases.hashicorp.com/vault/0.10.3/vault_0.10.3_linux_amd64.zip && sudo unzip vault_0.10.3_linux_amd64.zip -d .   

Copy the binary to appropriate paths on the linux system

sudo cp vault /usr/bin/

Create the config , data, and logs directory so that vault can store the data

sudo mkdir /etc/vault
sudo mkdir /vault-data
sudo mkdir -p /var/log/vault/

 Create the config file with below configs

sudo vi /etc/vault/config.json

Below are the config

Note: here 192.168.1.18 is the ip address of my server

{
"listener": [{
"tcp": {
"address" : "0.0.0.0:8200",
"tls_disable" : 1
}
}],
"api_addr": "http://192.168.1.18:8200",
"storage": {
    "file": {
    "path" : "/vault-data"
    }
 },
"max_lease_ttl": "10h",
"default_lease_ttl": "10h",
"ui":true
}

Create a service file to start,stop and restart the service

sudo vi /etc/systemd/system/vault.service

Below are the configs

[Unit]
Description=vault service
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.json

[Service]
EnvironmentFile=-/etc/sysconfig/vault
Environment=GOMAXPROCS=2
Restart=on-failure
ExecStart=/usr/bin/vault server -config=/etc/vault/config.json
StandardOutput=/var/log/vault/output.log
StandardError=/var/log/vault/error.log
LimitMEMLOCK=infinity
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

Start the service

sudo systemctl start vault.service

Check the status

sudo systemctl status vault.service

In order to connect from command line make the below changes in the bashrc config

export VAULT_ADDR=http://192.168.1.18:8200
echo "export VAULT_ADDR=http://192.168.1.18:8200" >> ~/.bashrc

Check the vault status

vault status

Initialise the vault

vault operator init > /etc/vault/init.file

Access the vault and unseal the same from UI using the keys available in the init.file which is available at /etc/vault/init.file

http://IPADDRESS:8200/ui


In the part 2 will cover the integration with AAP and how we can do it...