Sovereign Core changes

automation-roles/10-validation/load-vault-config/tasks/hashicorp-exchange-token.yml

@@ -0,0 +1,12 @@
+---
+- name: Exchange Hashicorp Vault token
+  community.hashi_vault.vault_token_create:
+    url: "{{ VAULT_URL | default(vault.vault_url) }}"
+    auth_method: token
+    token: '{{ VAULT_PASSWORD }}'
+    ttl: 24h
+    orphan: True
+  register: _hashicorp_vault_token_create
+
+- set_fact:
+    _hashicorp_ephemeral_token: "{{ _hashicorp_vault_token_create.login.auth.client_token }}"

automation-roles/10-validation/load-vault-config/tasks/main.yml

@@ -1,17 +1,19 @@
 ---
-# - name: Load yaml files for vault configuration
-#   include_vars:
-#     dir: "{{ config_dir }}/config"
-#     files_matching: '.*\.yaml$'
-
-- name: Read vault config
-  include_tasks: read-vault-config.yml
-  when: vault | default({}) != {}
-
 - set_fact:
-    vault_type: "file-vault"
-  when: vault_type is not defined
+    vault: "{{ _vault_default }}"
+  when: vault | default({}) == {}
 
 - set_fact:
-    vault_authentication_type: "none"
-  when: vault_authentication_type is not defined
+    vault: "{{ vault | combine({'vault_authentication_type':'none'}) }}"
+  when: vault.vault_authentication_type is not defined
+
+- fail:
+    msg: "For hashicorp-vault, either vault_url must be specified in the vault configuration, or VAULT_URL environment variable must be set"
+  when:
+  - vault.vault_type == 'hashicorp-vault'
+  - (VAULT_URL | default(vault.vault_url) | default(''))== ''
+
+- include_tasks: hashicorp-exchange-token.yml
+  when:
+  - vault.vault_type == 'hashicorp-vault'
+  - vault.vault_exchange_token | default(False) | bool

automation-roles/10-validation/load-vault-config/vars/main.yaml

@@ -0,0 +1,2 @@
+_vault_default:
+  vault_type: file-vault

automation-roles/10-validation/validate-variables-destroy/tasks/main.yml

@@ -2,8 +2,8 @@
 - name: Validate mandatory variables are defined
   assert:
     that:
-      - vault_type is defined
-      - vault_authentication_type is defined
+      - vault.vault_type is defined
+      - vault.vault_authentication_type is defined
       - cloud_platform is defined
 
 - name: Validate cloud_platform is supported

automation-roles/10-validation/validate-variables/tasks/main.yml

@@ -2,8 +2,8 @@
 - name: Validate mandatory variables are defined
   assert:
     that:
-      - vault_type is defined
-      - vault_authentication_type is defined
+      - vault.vault_type is defined
+      - vault.vault_authentication_type is defined
       - cloud_platform is defined
 
 - name: Validate cloud_platform is supported

automation-roles/50-install-cloud-pak/cp4d/cp4d-cluster-delete/tasks/cp4d-cluster-delete.yml

@@ -0,0 +1,20 @@
+---
+- name: Fail if destroy was not confirmed
+  fail:
+    msg: "Destroy of Cloud Pak for Data cluster {{ _p_current_cp4d_cluster.project }} was not confirmed with --confirm-destroy parameter or via global_config confirm_destroy property"
+  when:
+  - _confirm_destroy | bool != True
+  - not cpd_dry_run
+
+- name: Login to the OpenShift cluster "{{ _p_current_cp4d_cluster.openshift_cluster_name }}"
+  include_role:
+    name: openshift-login
+  vars:
+    _p_openshift_cluster_name: "{{ _p_current_cp4d_cluster.openshift_cluster_name }}"
+
+- name: Delete Cloud Pak for Data instance {{ _p_current_cp4d_cluster.project }} and its operators, logs are in {{ status_dir }}/log/{{ _p_current_cp4d_cluster.project }}-destroy.log
+  shell: |
+    {{ playbook_dir }}/../scripts/cp4d/cp4d-delete-instance.sh {{ _p_current_cp4d_cluster.project }} | tee -a {{ status_dir }}/log/{{ _p_current_cp4d_cluster.project }}-destroy.log
+  environment:
+    CPD_CONFIRM_DELETE: "true"
+    CPD_DESTROY_CLUSTER_WIDE: "false"

automation-roles/50-install-cloud-pak/cp4d/cp4d-cluster-delete/tasks/main.yml

@@ -1,20 +1,10 @@
 ---
-- name: Fail if destroy was not confirmed
-  fail:
-    msg: "Destroy of Cloud Pak for Data cluster {{ _p_current_cp4d_cluster.project }} was not confirmed with --confirm-destroy parameter or via global_config confirm_destroy property"
-  when:
-  - _confirm_destroy | bool != True
-  - not cpd_dry_run
+- name: Check if {{ _p_current_cp4d_cluster.project }} still exists
+  kubernetes.core.k8s_info:
+    kind: namespace
+    name: "{{ _p_current_cp4d_cluster.project }}"
+    api_version: v1
+  register: _cp4d_namespace
 
-- name: Login to the OpenShift cluster "{{ _p_current_cp4d_cluster.openshift_cluster_name }}"
-  include_role:
-    name: openshift-login
-  vars:
-    _p_openshift_cluster_name: "{{ _p_current_cp4d_cluster.openshift_cluster_name }}"
-
-- name: Delete Cloud Pak for Data instance {{ _p_current_cp4d_cluster.project }} and its operators, logs are in {{ status_dir }}/log/{{ _p_current_cp4d_cluster.project }}-destroy.log
-  shell: |
-    {{ playbook_dir }}/../scripts/cp4d/cp4d-delete-instance.sh {{ _p_current_cp4d_cluster.project }} | tee -a {{ status_dir }}/log/{{ _p_current_cp4d_cluster.project }}-destroy.log
-  environment:
-    CPD_CONFIRM_DELETE: "true"
-    CPD_DESTROY_CLUSTER_WIDE: "false"
+- include_tasks: cp4d-cluster-delete.yml
+  when: (_cp4d_namespace.resources | default([])) != []

automation-roles/99-generic/vault/vault-connect/tasks/connect-ansible-vault.yml

@@ -2,27 +2,27 @@
 - name: Validate mandatory variables for Ansible Vault
   assert:
     that:
-      - vault_password_file is defined
-      - vault_password_file != ''
+      - vault.vault_password_file is defined
+      - vault.vault_password_file != ''
     fail_msg: "vault_password_file must be defined for ansible-vault type"
 
 - name: Check if Ansible Vault password file exists
   stat:
-    path: "{{ vault_password_file }}"
-  register: vault_password_file_stat
+    path: "{{ vault.vault_password_file }}"
+  register: _vault_password_file_stat
 
 - name: Fail if Ansible Vault password file does not exist
   fail:
-    msg: "Ansible Vault password file {{ vault_password_file }} does not exist"
-  when: not vault_password_file_stat.stat.exists
+    msg: "Ansible Vault password file {{ vault.vault_password_file }} does not exist"
+  when: not _vault_password_file_stat.stat.exists
 
 - name: Validate Ansible Vault password file is readable
   assert:
     that:
-      - vault_password_file_stat.stat.readable
-    fail_msg: "Ansible Vault password file {{ vault_password_file }} is not readable"
+      - _vault_password_file_stat.stat.readable
+    fail_msg: "Ansible Vault password file {{ vault.vault_password_file }} is not readable"
 
 - name: Successfully connected to Ansible Vault
   debug:
-    msg: "Successfully validated Ansible Vault password file: {{ vault_password_file }}"
+    msg: "Successfully validated Ansible Vault password file: {{ vault.vault_password_file }}"
 

automation-roles/99-generic/vault/vault-connect/tasks/main.yaml

@@ -1,59 +1,59 @@
 ---
 
 - name: Validate vault_type is supported
-  fail: msg="Vault type {{ vault_type }} only support values {{ supported_vault_types }} "
-  when: "vault_type not in supported_vault_types"
+  fail: msg="Vault type {{ vault.vault_type }} only support values {{ supported_vault_types }} "
+  when: vault.vault_type not in supported_vault_types
 
 - name: Validate vault_authentication_type is supported
-  fail: msg="Vault Authentication type (vault_authentication_type) only support values {{ supported_vault_authentication_types }} "
-  when: "vault_authentication_type not in supported_vault_authentication_types"
+  fail: msg="Vault Authentication type (vault_authentication_type) only supports values {{ supported_vault_authentication_types }} "
+  when: vault.vault_authentication_type not in supported_vault_authentication_types
 
 - name: Login to Hashicorp vault
   block:
     - name: Validate mandatory variables are defined
       assert:
         that:
-          - vault_type is defined
-          - vault_authentication_type is defined
+          - vault.vault_type is defined
+          - vault.vault_authentication_type is defined
     - debug:
-        msg: "Hashicorp Vault URL: {{ vault_url }}"
-  when: "vault_type == 'hashicorp-vault'"
+        msg: "Hashicorp Vault URL: {{ VAULT_URL | default(vault.vault_url) }}"
+  when: vault.vault_type == 'hashicorp-vault'
 
 - name: Login to IBMCloud vault
   block:
 
     - name: Validate mandatory variables are defined
       assert:
         that:
-          - vault_type is defined
-          - vault_authentication_type is defined
+          - vault.vault_type is defined
+          - vault.vault_authentication_type is defined
 
     - include_tasks: connect-ibmcloud.yml
       vars:
-        ibmcloud_vault_address: "{{ vault_url }}"
+        ibmcloud_vault_address: "{{ vault.vault_url }}"
         ibmcloud_api_key: "{{ vault_api_key }}"
         ibmcloud_vault_group: "{{ vault_secret_group }}"
-  when: "vault_type == 'ibmcloud-vault'"  
+  when: vault.vault_type == 'ibmcloud-vault'
 
 - name: Login to file vault
   block:
     - name: No login to file fault needed
       debug:
         msg: File vault directory is {{ status_dir }}/vault
-  when: "vault_type == 'file-vault'"
+  when: vault.vault_type == 'file-vault'
 
 - name: Login to Ansible vault
   block:
 
     - name: Validate mandatory variables are defined
       assert:
         that:
-          - vault_type is defined
-          - vault_authentication_type is defined
+          - vault.vault_type is defined
+          - vault.vault_authentication_type is defined
 
     - include_tasks: connect-ansible-vault.yml
-      when: vault_authentication_type == 'password-file'
-  when: "vault_type == 'ansible-vault'"
+      when: vault.vault_authentication_type == 'password-file'
+  when: vault.vault_type == 'ansible-vault'
 
 - set_fact:
     vault_login_success: "true"

automation-roles/99-generic/vault/vault-delete-secret/tasks/delete-secret-file.yml

@@ -8,12 +8,12 @@
 - name: Check that vault file {{ secret_group }} exists
   stat:
     path: "{{ status_dir }}/vault/{{ secret_group }}"
-  register: vault_file_details
+  register: _vault_file_details
 
 - name: Fail if the secret file was not found
   fail:
     msg: "File {{ status_dir }}/vault/{{ secret_group }} does not exist"
-  when: not vault_file_details.stat.exists
+  when: not v_ault_file_details.stat.exists
 
 - name: Add or replace secret in file {{ status_dir }}/vault/{{ secret_group }}
   lineinfile:

automation-roles/99-generic/vault/vault-delete-secret/tasks/delete-secret-hashicorp-certificate.yml

@@ -8,15 +8,11 @@
       - VAULT_CERT_CERT_FILE is defined
       - hashicorp_secret_name_path is defined
 
-- name: Delete the secret
-  shell: |
-    vault kv delete \
-      -ca-cert={{ VAULT_CERT_CA_FILE }} \
-      -client-cert={{ VAULT_CERT_CERT_FILE }} \
-      -client-key={{ VAULT_CERT_KEY_FILE }} \
-      -address={{ hashicorp_vault_address }} \ 
-      {{ hashicorp_secret_name_path }}
-
-- name: Successfully deleted secret
-  debug:
-    msg: "Secret {{ hashicorp_secret_name_path }} deleted..."
+- name: Delete secret {{ hashicorp_secret_name_path }}
+  community.hashi_vault.vault_kv2_delete:
+    url: "{{ hashicorp_vault_address }}"
+    path: "{{ hashicorp_secret_name_path }}"
+    auth_method: cert
+    ca_cert: "{{ VAULT_CERT_CA_FILE }}"
+    cert_auth_private_key: "{{ VAULT_CERT_KEY_FILE }}"
+    cert_auth_public_key: "{{ VAULT_CERT_CERT_FILE }}"

automation-roles/99-generic/vault/vault-delete-secret/tasks/delete-secret-hashicorp-token.yml

@@ -0,0 +1,27 @@
+---
+- name: Delete secret Validate mandatory variables are defined
+  assert:
+    that:
+      - hashicorp_vault_address is defined
+      - hashicorp_secret_name_path is defined
+
+- name: Get all versions for secret {{ hashicorp_secret_name_path }}
+  community.hashi_vault.vault_read:
+    url: "{{ hashicorp_vault_address }}"
+    path: "secret/metadata/{{ secret_group}}/{{ _secret_name }}"
+    auth_method: token
+    token: '{{ _hashicorp_ephemeral_token | default(VAULT_PASSWORD) }}'
+  register: _hashicorp_read_secret_results
+  failed_when: false
+
+- set_fact:
+    _secret_versions: "{{ range(1,_hashicorp_read_secret_results.data.data.current_version+1) }}"
+  when: _hashicorp_read_secret_results.data.data.current_version | default(0) != 0
+
+- name: Delete secret {{ hashicorp_secret_name_path }}
+  community.hashi_vault.vault_kv2_delete:
+    url: "{{ hashicorp_vault_address }}"
+    path: "{{ hashicorp_secret_name_path }}"
+    auth_method: token
+    token: '{{ _hashicorp_ephemeral_token | default(VAULT_PASSWORD) }}'
+    versions: "{{ _secret_versions | default(omit) }}"

automation-roles/99-generic/vault/vault-delete-secret/tasks/delete-secret.yml

@@ -4,7 +4,7 @@
     - name: Validate mandatory variables are defined for Hashicorp Vault
       assert:
         that:
-          - vault_secret_path is defined
+          - vault.vault_secret_path is defined
 
     - set_fact:
         _secret_name: "{{ secret_name }}"
@@ -14,46 +14,46 @@
       when: _secret_name is search("/")
 
     - set_fact:
-        _hashicorp_secret_name_path: "{{ vault_secret_path }}/{{ secret_group}}/{{ _secret_name }}"
+        _hashicorp_secret_name_path: "{{ secret_group}}/{{ _secret_name }}"
       when: 
-      - (vault_secret_path_append_group | default(True) | bool)
+      - (vault.vault_secret_path_append_group | default(True) | bool)
       - not _secret_name is search("/")
 
     - set_fact:
-        _hashicorp_secret_name_path: "{{ vault_secret_path }}/{{ _secret_name }}"
+        _hashicorp_secret_name_path: "{{ vault.vault_secret_path }}/{{ _secret_name }}"
       when: 
-      - not (vault_secret_path_append_group | default(True) | bool)
+      - not (vault.vault_secret_path_append_group | default(True) | bool)
       - not _secret_name is search("/")
 
-    - name: Delete Secret Hashicorp vault (API Key), path {{ _hashicorp_secret_name_path }}
+    - name: Delete Secret Hashicorp vault (token), path {{ _hashicorp_secret_name_path }}
       include_tasks: delete-secret-hashicorp-token.yml
       vars:
-        hashicorp_vault_address: "{{ vault_url }}"
+        hashicorp_vault_address: "{{ VAULT_URL | default(vault.vault_url) }}"
         hashicorp_secret_name_path: "{{ _hashicorp_secret_name_path }}"
-      when: vault_authentication_type == 'token'
+      when: vault.vault_authentication_type == 'token'
 
     - name: Delete Secret Hashicorp vault (Certificate), path {{ _hashicorp_secret_name_path }}
       include_tasks: delete-secret-hashicorp-certificate.yml
       vars:
-        hashicorp_vault_address: "{{ vault_url }}"
+        hashicorp_vault_address: "{{ VAULT_URL | default(vault.vault_url) }}"
         hashicorp_secret_name_path: "{{ _hashicorp_secret_name_path }}"
-      when: vault_authentication_type == 'certificate'      
-  when: "vault_type == 'hashicorp-vault'"
+      when: vault.vault_authentication_type == 'certificate'      
+  when: vault.vault_type == 'hashicorp-vault'
 
 - name: Delete Secret from Vault IBM Cloud
   block:
     - name: Delete secret from Vault IBMCloud
       include_tasks: delete-secret-ibmcloud.yml
       vars:
-        ibmcloud_vault_address: "{{ vault_url }}"
+        ibmcloud_vault_address: "{{ vault.vault_url }}"
         ibm_cloud_secret_name: "{{ secret_name }}"
-  when: "vault_type == 'ibmcloud-vault'"
+  when: vault.vault_type == 'ibmcloud-vault'
 
 - name: Delete Secret from Vault file
   block:
     - name: Get secret in Vault file
       include_tasks: delete-secret-file.yml
-  when: "vault_type == 'file-vault'"
+  when: vault.vault_type == 'file-vault'
 
 - name: Secret {{ secret_group }}/{{ secret_name }} was deleted
   debug: