From c404967af422cc63a946c35992efcf617d4bd1f1 Mon Sep 17 00:00:00 2001
From: Cordula Grau
Date: Tue, 16 Apr 2019 15:20:36 +0200
Subject: [PATCH] fix: resolve deprecation warnings and move become flag to required resources

---
 handlers/main.yml | 1 +
 tasks/asserts.yml | 8 ++++----
 tasks/install.yml | 4 +++-
 tasks/main.yml | 10 +++++++++-
 tasks/tls.yml | 2 ++
 templates/vault_service_systemd.j2 | 2 +-
 6 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 6adcca12..ffaabd35 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -2,4 +2,5 @@
 # handlers file for vault
 
 - name: Restart vault
+  become: true
   service: name=vault state=restarted
diff --git a/tasks/asserts.yml b/tasks/asserts.yml
index 657d1474..24985554 100644
--- a/tasks/asserts.yml
+++ b/tasks/asserts.yml
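Review bot: The handler still writes its module arguments in `key=value` shorthand (`service: name=vault state=restarted`) while the new `Start Vault` task in tasks/main.yml, which drives the same module, uses block YAML; since this task is being edited anyway, consider `service:` with nested `name: vault` and `state: restarted` so both places read the same way. The added `become: true` matches what the patch does for the service tasks in tasks/main.yml.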
@@ -11,28 +11,28 @@
     msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
   when:
     - ansible_distribution in ['RedHat', 'CentOS']
-    - ansible_distribution_version|version_compare(7, '<')
+    - ansible_distribution_version is version(7, '<')
 
 - name: Fail if not a new release of Debian
   fail:
     msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
   when:
     - ansible_distribution == "Debian"
-    - (ansible_distribution_version != 'buster/sid') and (ansible_distribution_version is version_compare(8.5, '<'))
+    - (ansible_distribution_version != 'buster/sid') and (ansible_distribution_version is version(8.5, '<'))
 
 - name: Fail if not a new release of FreeBSD
   fail:
     msg: "{{ ansible_distribution_version }} is not a supported version."
   when:
     - ansible_distribution == "FreeBSD"
-    - ansible_distribution_version|version_compare(10, '<')
+    - ansible_distribution_version is version(10, '<')
 
 - name: Fail if not a new release of Ubuntu
   fail:
     msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
   when:
     - ansible_distribution == "Ubuntu"
-    - ansible_distribution_version|version_compare(13.04, '<')
+    - ansible_distribution_version is version(13.04, '<')
 
 - name: Check for vault_redirect_address usage
   debug:
diff --git a/tasks/install.yml b/tasks/install.yml
index 9a60b8d1..73d75c7b 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -2,6 +2,7 @@
 # File: tasks/install.yml - package installation tasks for vault
 
 - name: OS packages
+  become: true
   package:
     name: "{{ item }}"
     state: present
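Review bot: The version operands handed to the new `version` test (`7`, `8.5`, `10`, `13.04`) are Jinja numeric literals rather than strings, so the test has to stringify them before comparing; that only works here because the string form of these particular numbers happens to equal the intended version text, and a value such as `13.10` would arrive as `'13.1'`. Quoting them removes that dependency, e.g. `- ansible_distribution_version is version('13.04', '<')`, and likewise for `version(7, '<')`, `version(8.5, '<')` and `version(10, '<')` here and for `version(8.5, '>')` in the tasks/install.yml hunk at @@ -16,7; the templates/vault_service_systemd.j2 hunk already passes `'230'` as a string. The first task's `- name:` line and the body of the final `debug:` task lie outside this hunk.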
@@ -16,7 +17,7 @@
   tags: installation
   when:
     - ansible_distribution == "Debian"
-    - (ansible_distribution_version == 'buster/sid') or (ansible_distribution_version is version_compare(8.5, '>'))
+    - (ansible_distribution_version == 'buster/sid') or (ansible_distribution_version is version(8.5, '>'))
 
 - name: Check Vault package checksum file (local)
   stat:
@@ -77,6 +78,7 @@
   delegate_to: 127.0.0.1
 
 - name: Install Vault
+  become: true
   copy:
     src: "{{ role_path }}/files/vault"
     dest: "{{ vault_bin_path }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index df843576..1cc61fe8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,6 +5,7 @@
   include: asserts.yml
 
 - name: "Add Vault user"
+  become: true
   user:
     name: "{{ vault_user }}"
     comment: "Vault user"
@@ -57,16 +58,19 @@
     - installation_required | bool
 
 - name: Check Vault mlock capability
+  become: true
   command: "setcap -v cap_ipc_lock=+ep {{ vault_bin_path }}/vault"
   changed_when: false # read-only task
   ignore_errors: true
   register: vault_mlock_capability
 
 - name: Enable non root mlock capability
+  become: true
   command: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault"
   when: vault_mlock_capability is failed
 
 - name: Create directories
+  become: true
   file:
     dest: "{{ item }}"
     state: directory
@@ -89,7 +93,7 @@
 
 - name: TLS configuration
   include: ../tasks/tls.yml
-  when: vault_tls_disable == 0
+  when: vault_tls_disable == 0 or vault_tls_gossip == 1
 
 - name: "Copy over GCP Credentials for Auto Unseal"
   copy:
@@ -101,6 +105,7 @@
   when: vault_gkms | bool
 
 - name: Listener configuration
+  become: true
   template:
     src: "{{ vault_listener_template }}"
     dest: "{{ vault_main_config }}"
@@ -157,6 +162,7 @@
   tags: skip_ansible_lint
 
 - name: systemd unit
+  become: true
   template:
     src: "{{ vault_systemd_template }}"
     dest: /lib/systemd/system/vault.service
@@ -171,6 +177,7 @@
     - systemd_version is defined
 
 - name: reload systemd
+  become: true
   systemd:
     daemon-reload: true
   when:
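Review bot: Now that `Create directories` runs under `become: true` (as do the `file`/`copy`/`template` tasks in the tasks/tls.yml hunks and `Listener configuration` below), anything these tasks create is root-owned unless the task also sets `owner:` and `group:`; every one of these hunks is cut before any such keys, so confirm each sets `owner: "{{ vault_user }}"` plus the role's group variable and a restrictive `mode:`, most importantly for the private key handled by `Vault SSL Certificate and Key`. Separately, `Check Vault mlock capability` uses `ignore_errors: true` only to probe, which reports a failure on every run where the capability is absent; `failed_when: false` on that task together with `when: vault_mlock_capability.rc != 0` on `Enable non root mlock capability` expresses the same intent without the spurious failure. The `when:` list of the task at the top of this hunk begins above it.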
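Review bot: The new condition `when: vault_tls_disable == 0 or vault_tls_gossip == 1` compares against integer literals, whereas the surrounding tasks test flags with `| bool` (`when: vault_gkms | bool`, `- installation_required | bool`); if either variable arrives as a string, for example via `-e` on the command line, `"0" == 0` is false and the TLS include is silently skipped, and `vault_tls_gossip` can never turn it on. `when: not (vault_tls_disable | bool) or (vault_tls_gossip | bool)` follows the file's own convention and accepts 0/1, true/false and their string forms alike. Whether the role guarantees these two variables are always integers is not visible from this hunk.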
@@ -181,6 +188,7 @@
     - systemd_unit is changed
 
 - name: Start Vault
+  become: true
   service:
     name: vault
     state: started
diff --git a/tasks/tls.yml b/tasks/tls.yml
index 77909ebb..ad4d61cd 100644
--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -2,6 +2,7 @@
 # File: tasks/tls.yml - TLS tasks for Vault
 
 - name: Create TLS directory
+  become: true
   file:
     dest: "{{ item }}"
     state: directory
@@ -11,6 +12,7 @@
     - "{{ vault_tls_config_path }}"
 
 - name: Vault SSL Certificate and Key
+  become: true
   copy:
     remote_src: "{{ vault_tls_files_remote_src }}"
     src: "{{ item.src }}"
diff --git a/templates/vault_service_systemd.j2 b/templates/vault_service_systemd.j2
index 98715eec..8a81f3fd 100644
--- a/templates/vault_service_systemd.j2
+++ b/templates/vault_service_systemd.j2
@@ -25,7 +25,7 @@ PrivateTmp=yes
 PrivateDevices=yes
 SecureBits=keep-caps
 Capabilities=CAP_IPC_LOCK+ep
-{% if systemd_version.stdout | version_compare('230', '>=') %}
+{% if systemd_version.stdout is version('230', '>=') %}
 AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
 {% endif %}
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK