snapshot wip

Author: aurelienmaury

playbooks/vault_snapshot.yml

@@ -0,0 +1,20 @@
+---
+- name: "[VAULT] Snapshot"
+  hosts: "hashistack_masters[0]"
+  become: false
+  gather_facts: true
+
+  vars:
+    ansible_ssh_user: "vault-snapshot"
+
+  tasks:
+    - name: "Vault"
+      include_role:
+        name: "vault"
+        tasks_from: "__snapshot.yml"
+        apply:
+          tags:
+            - vault
+      tags:
+        - vault
+

roles/infra/templates/scw_one/_group_vars.hashistack.yml.j2

@@ -45,6 +45,13 @@ glxclans_host_service_user_default_key_dir: "group_vars/hashistack/secrets"
 glxclans_host_service_user_default_private_key_file: >-
   {{ glxclans_host_service_user_default_key_dir }}/default.key
 
+hs_vault_addon_snapshot_authorized_keys:
+  - >-
+    {{ 
+      lookup('file', 
+             hs_workspace_root + '/' + glxclans_host_service_user_default_private_key_file + '.pub')
+    }}
+
 hs_vault_service_fqdn: "vault.{{ public_domain }}"
 #
 # Role configuration: wescale.hashistack.consul

roles/stage1_bootstrap/tasks/common/_normalize.yml

@@ -4,8 +4,7 @@
     path: "{{ hs_workspace_root }}/ssh.cfg"
     regexp: >-
       ^  User *{{ hs_infra_default_user }}$
-    replace: >-
-        User {{ glxclans_host_service_user_name }}
+    replace: "  User                  {{ glxclans_host_service_user_name }}"
   become: false
   run_once: true
   delegate_to: localhost

roles/vault/files/snapshot/main.tf

@@ -0,0 +1,15 @@
+locals {
+  policy_name          = "snapshot"
+  policy_file_snapshot = "${path.module}/policies/snapshot.hcl"
+}
+
+resource "vault_policy" "snapshot" {
+  name   = local.policy_name
+  policy = file(local.policy_file_snapshot)
+}
+
+resource "vault_token" "snapshot" {
+  policies  = [vault_policy.snapshot.name]
+  no_parent = true
+}
+

roles/vault/files/snapshot/output.tf

@@ -0,0 +1,6 @@
+output "snapshot_token" {
+  sensitive = true
+  value     = vault_token.snapshot.client_token
+}
+
+

roles/vault/files/snapshot/policies/snapshot.hcl

@@ -0,0 +1,4 @@
+path "/sys/storage/raft/snapshot" {
+  capabilities = ["read"]
+}
+

roles/vault/files/snapshot/providers.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "hashicorp/vault"
+      version = "4.3.0"
+    }
+  }
+}
+
+provider "vault" {}

roles/vault/tasks/__snapshot.yml

@@ -0,0 +1,16 @@
+---
+# Implementation of:
+# https://developer.hashicorp.com/vault/tutorials/standard-procedures/sop-backup
+- name: "Load collection common vars"
+  import_role:
+    name: "vault_vars"
+  tags:
+    - always
+
+- name: "Snapshot"
+  shell:
+    cmd: >-
+      source {{ __hs_vault_snapshot_home_dir }}/.bash_profile &&
+      vault operator raft snapshot save vault.{{ ansible_date_time.iso8601_basic_short }}.snapshot
+    executable: /usr/bin/bash
+

roles/vault/tasks/common/_configure.yml

@@ -1,19 +1,19 @@
 ---
-- name: Common private ssl directory
+- name: "Common private ssl directory"
   file:
     path: "{{ __hs_vault_tls_dir }}"
     owner: root
     group: "{{ __hs_vault_ssl_cert_group }}"
     state: directory
     mode: 0750
 
-- name: Add vault to ssl-cert group
+- name: "Add vault to ssl-cert group"
   user:
     name: vault
     groups: "{{ __hs_vault_ssl_cert_group }}"
     append: true
 
-- name: Upload CA certificate
+- name: "Upload CA certificate"
   copy:
     src: "{{ hs_vault_local_ca_cert }}"
     dest: "{{ __hs_vault_ca_certificate }}"
@@ -23,10 +23,10 @@
   notify: Update ca trust
   when: hs_vault_use_custom_ca
 
-- name: Flush
+- name: "Flush"
   meta: flush_handlers
 
-- name: Upload self certificate
+- name: "Upload self certificate"
   copy:
     src: "{{ _current_cert_part }}"
     dest: "{{ __hs_vault_tls_dir }}/{{ _current_cert_part.split('/')[-1] }}"
@@ -41,7 +41,7 @@
     loop_var: _current_cert_part
   notify: Restart vault
 
-- name: Upload license file if present
+- name: "Upload license file if present"
   copy:
     src: "{{ hs_vault_local_license_file }}"
     dest: "{{ __hs_vault_license_file }}"
@@ -52,7 +52,7 @@
   when:
     - (hs_vault_local_license_file | length) > 0
 
-- name: Write vault server configuration
+- name: "Write vault server configuration"
   template:
     src: "vault-server.hcl.j2"
     dest: "{{ __hs_vault_conf_file }}"
@@ -62,5 +62,5 @@
   notify: Restart vault
   when: __hs_vault_is_master
 
-- name: Flush
+- name: "Flush"
   meta: flush_handlers

roles/vault/tasks/tf_addons/_snapshot.yml

@@ -0,0 +1,110 @@
+---
+- name: "Create vault-snapshot system user"
+  user:
+    name: vault-snapshot
+    system: true
+    shell: "/usr/bin/bash"
+    group: vault
+    createhome: false
+    home: "{{ __hs_vault_snapshot_home_dir }}"
+    password: >-
+      {{ lookup('community.general.random_string', length=32, special=false) }}
+
+
+- name: "Create vault snapshot user home directory"
+  file:
+    path: "{{ __hs_vault_snapshot_home_dir }}"
+    state: directory
+    owner: vault-snapshot
+    group: vault
+    mode: 0700
+
+- name: "Authorize snapshot user keys"
+  ansible.posix.authorized_key:
+    user: vault-snapshot
+    key: "{{ _current_public_key }}"
+    exclusive: false
+    manage_dir: true
+  loop: "{{ hs_vault_addon_snapshot_authorized_keys }}"
+  loop_control:
+    loop_var: _current_public_key
+
+- name: "[LOCAL] Render {{ _current_conf_addon }} addon"    # noqa risky-file-permissions name[template]
+  copy:
+    src: "{{ role_path }}/files/{{ _current_conf_addon }}/"
+    dest: "{{ hs_vault_terraform_work_dir }}/vault_addon_{{ _current_conf_addon }}/"
+  delegate_to: localhost
+  become: false
+  when:
+    - __hs_vault_is_first_master
+
+- name: "[LOCAL] Render backend tf file"
+  template:
+    src: "tf_backend_{{ hs_vault_terraform_backend_type }}.tf.j2"
+    dest: "{{ hs_vault_terraform_work_dir }}/vault_addon_{{ _current_conf_addon }}/backend.tf"
+    mode: 0644
+  delegate_to: localhost
+  become: false
+  when:
+    - __hs_vault_is_first_master
+    - hs_vault_terraform_backend_type is defined
+    - (hs_vault_terraform_backend_type | length) > 0
+    - hs_vault_terraform_backend_type in ['s3']
+
+- name: "[LOCAL] Apply {{ _current_conf_addon }} addon"  # noqa name[template]
+  cloud.terraform.terraform:
+    project_path: "{{ hs_vault_terraform_work_dir }}/vault_addon_{{ _current_conf_addon }}"
+    state: "present"    # noqa args
+    force_init: true
+    backend_config: "{{ hs_vault_terraform_backend_config }}"
+    init_reconfigure: true
+    provider_upgrade: "{{ hs_tf_provider_upgrade | default(true) }}"
+    workspace: "{{ hs_vault_cluster_name }}"
+  environment:
+    VAULT_ADDR: "{{ hs_vault_external_url }}"
+    VAULT_TOKEN: "{{ vault_init_content.root_token }}"
+    VAULT_CACERT: "{{ hs_vault_use_custom_ca | ternary(hs_vault_local_ca_cert, '') }}"
+    TF_CLI_ARGS: ""
+    TF_CLI_ARGS_init: ""
+    TF_CLI_ARGS_plan: ""
+    TF_CLI_ARGS_apply: ""
+    TF_CLI_ARGS_destroy: ""
+  register: tf_result
+  throttle: 1
+  delegate_to: localhost
+  become: false
+  when:
+    - __hs_vault_is_first_master
+
+- name: "[LOCAL] Render {{ _current_conf_addon }} addon outputs"  # noqa name[template]
+  copy:
+    dest: "{{ hs_vault_local_secret_dir }}/vault_addon_{{ _current_conf_addon }}.yml"
+    content: |-
+      ---
+      {{
+        {
+          'hs_vault_snapshot_token': tf_result.outputs.snapshot_token.value
+        } | to_nice_yaml(indent=2)
+      }}
+    mode: 0600
+  delegate_to: localhost
+  become: false
+  when:
+    - __hs_vault_is_first_master
+
+- name: "Load secret dir"
+  include_vars:
+    dir: "{{ hs_vault_local_secret_dir }}"
+    ignore_unknown_extensions: true
+  no_log: true
+
+- name: "Render snapshot user bash profile"
+  copy:
+    dest: "{{ __hs_vault_snapshot_home_dir }}/.bash_profile"
+    content: |-
+      export PATH="/usr/bin/vault:${PATH}"
+      export VAULT_ADDR="https://{{ hs_vault_api_address }}:{{ hs_vault_api_port }}"
+      export VAULT_TOKEN="{{ hs_vault_snapshot_token }}"
+    mode: 0600
+    owner: vault-snapshot
+    group: vault

roles/vault_vars/defaults/main.yml

@@ -119,11 +119,19 @@ hs_vault_enable_default_policies: true
 # See below for specific configuration variables
 hs_vault_enabled_addons:
   - "telemetry"
+  - "snapshot"
   - "consul_service_mesh_ca"
   - "nomad"
 
 # #### auth_ldap
 
+# ```{admonition} Purpose
+# :class: note
+# Configure Vault instance auth engine backed by a third-party ldap service.
+#
+# See also: [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap)
+# ```
+
 # * Mount point of the auth engine in vault.
 hs_vault_addon_auth_ldap_path: 'ldap'
 
@@ -145,3 +153,14 @@ hs_vault_addon_auth_ldap_group_filter: ''  # MUST escape Go template by using
 # :class: note
 # * [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap)
 # ```
+
+# ### snapshot
+
+# ```{admonition} Purpose
+# :class: note
+# Configure Vault cluster hosts with a `vault-snapshot` user and a least-privilege policy token
+# for taking snapshots from this user.
+# ```
+
+# * List of public keys values to authorize for the `vault-snapshot` user.
+hs_vault_addon_snapshot_authorized_keys: []

roles/vault_vars/vars/main.yml

@@ -25,6 +25,7 @@ __hs_vault_ssl_cert_group: "ssl-cert"
 
 __hs_vault_conf_dir: "/etc/vault.d"
 __hs_vault_home_dir: "/opt/vault"
+__hs_vault_snapshot_home_dir: "/opt/vault-snapshot"
 __hs_vault_data_dir: "{{ __hs_vault_home_dir }}/data"
 
 __hs_vault_conf_file: "{{ __hs_vault_conf_dir }}/vault.hcl"