1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
# Contributing to the Ansible Conjur Collection
Thanks for your interest in Conjur. Before contributing, please take a moment to
read and sign our <a href="https://github.com/cyberark/community/blob/master/documents/CyberArk_Open_Source_Contributor_Agreement.pdf" download="conjur_contributor_agreement">Contributor Agreement</a>.
This provides patent protection for all Conjur users and allows CyberArk to enforce
its license terms. Please email a signed copy to <a href="oss@cyberark.com">oss@cyberark.com</a>.
For general contribution and community guidelines, please see the [community repo](https://github.com/cyberark/community).
- [Contributing to the Ansible Conjur Collection](#contributing-to-the-ansible-conjur-collection)
* [Prerequisites](#prerequisites)
* [Set up a development environment](#set-up-a-development-environment)
+ [Verification](#verification)
+ [Useful links](#useful-links)
* [Testing](#testing)
+ [Unit tests](#unit-tests)
+ [Integration tests](#integration-tests)
* [Releasing](#releasing)
- [Ansible Conjur Collection Quick Start](#ansible-conjur-collection-quick-start)
* [Setup a conjur OSS Environment](#setup-a-conjur-oss-environment)
* [Load policy to set up Conjur Ansible integration](#load-policy-to-set-up-conjur-ansible-integration)
* [Create Ansible managed nodes](#create-ansible-managed-nodes)
* [Use Conjur Ansible Role to set up identity on managed nodes](#use-conjur-ansible-role-to-set-up-identity-on-managed-nodes)
* [Use Conjur Lookup Plugin to provide secrets to Ansible Playbooks](#use-conjur-lookup-plugin-to-provide-secrets-to-ansible-playbooks)
<small><i><a href='http://ecotrust-canada.github.io/markdown-toc/'>Table of contents generated with markdown-toc</a></i></small>
## Prerequisites
Before getting started, the following tools need to be installed:
1. [Git][get-git] to manage source code
2. [Docker][get-docker] to manage dependencies and runtime environments
3. [Docker Compose][get-docker-compose] to orchestrate Docker environments
[get-docker]: https://docs.docker.com/engine/installation
[get-docker-compose]: https://docs.docker.com/compose/install
[get-git]: https://git-scm.com/downloads
## Set up a development environment
The `dev` directory contains a `docker-compose` file which creates a development
environment :
- A Conjur Open Source instance
- An Ansible control node
- Managed nodes to push tasks to
To use it:
1. Install dependencies (as above)
1. To use the dev environment, clone the
[Collection repository](https://github.com/cyberark/ansible-conjur-collection)
and run the setup script:
```sh-session
$ git clone https://github.com/cyberark/ansible-conjur-collection.git
$ cd ansible-conjur-collection/dev
$ ./start.sh
```
### Verification
When the Conjur and Ansible containers have been successfully setup, the
terminal prints the following:
```sh-session
...
PLAY RECAP *********************************************************************
ansibleplugingtestingconjurhostidentity-test_app_centos-1 : ok=17 ...
ansibleplugingtestingconjurhostidentity-test_app_centos-2 : ok=17 ...
ansibleplugingtestingconjurhostidentity-test_app_ubuntu-1 : ok=16 ...
ansibleplugingtestingconjurhostidentity-test_app_ubuntu-2 : ok=16 ...
```
Your Conjur instance will be configured with the following:
* Account: `cucumber`
* User: `admin`
* Password: Run `conjurctl role retrieve-key cucumber:user:admin` inside the
Conjur container shell to retrieve the admin user API key
### Useful links
- [Official documentation for Conjur's Ansible integration](https://docs.conjur.org/Latest/en/Content/Integrations/ansible.html)
- [Conjur Collection on Ansible Galaxy](https://galaxy.ansible.com/cyberark/conjur)
- [Ansible documentation for the Conjur collection](https://docs.ansible.com/ansible/latest/collections/cyberark/conjur/index.html)
## Testing
### Unit tests
Unit tests are only available for the Conjur Variable Lookup plugin. To run
these tests:
```
./dev/test_unit.sh
```
### Integration tests
The collection has integration tests for both the Variable Lookup plugin and the
Host Identity role that will validate each against live Conjur and Ansible
containers.
To run all tests:
```
./ci/test.sh -a
```
To run the tests for a particular module:
```
./ci/test.sh -d <role or plugin name>
```
Integration tests can be run against Conjur Enterprise by adding the `-e` flag:
```
./ci/test/sh -e -a
```
## Releasing
From a clean instance of main, perform the following actions to release a new version
of this plugin:
- Update the version number in [`galaxy.yml`](galaxy.yml) and [`CHANGELOG.md`](CHANGELOG.md)
- Verify that all changes for this version in `CHANGELOG.md` are clear and accurate,
and are followed by a link to their respective issue
- Create a PR with these changes
- Create an annotated tag with the new version, formatted as `v##.##.##`
- This will kick off an automated script which publish the release to
[Ansible Galaxy](https://galaxy.ansible.com/cyberark/conjur)
- Create the release on GitHub for that tag
- Build the release package with `./ci/build_release`
- Attach package to Github Release
# Ansible Conjur Collection Quick Start
## Setup a conjur OSS Environment
Generate the master key, which will be used to encrypt Conjur's database. Store
this value as an environment variable.
```sh-session
docker-compose run --no-deps --rm conjur data-key generate > data_key
export CONJUR_DATA_KEY="$(< data_key)"
```
Start the Conjur OSS environment. An account, named `cucumber`, will be
automatically created.
```sh-session
docker-compose up -d conjur
```
Retrieve the admin user's API key, and store the value in an environment variable.
```sh-session
export CLI_CONJUR_AUTHN_API_KEY="$(docker-compose exec conjur conjurctl role retrieve-key cucumber:user:admin)"
```
Start the Conjur CLI container. The CLI will be automatically authenticated as
the user `cucumber:user:admin`.
```sh-session
docker-compose up -d conjur_cli
```
## Load policy to set up Conjur Ansible integration
Policy defines Conjur entities and the relationships between them. An entity can
be a policy, a host, a user, a layer, a group, or a variable.
Check out the policy file, and load it into Conjur:
```sh-session
docker-compose exec conjur_cli cat /policy/root.yml
docker-compose exec conjur_cli conjur policy load root /policy/root.yml
```
Also, load a dummy secret value into the `ansible/target-password` variable.
This is a variable required by remote nodes in order to complete their workloads.
```sh-session
docker-compose exec conjur_cli conjur variable values add ansible/target-password S3cretV@lue
```
## Create Ansible managed nodes
The Ansible environment will include a control node and a number of managed
nodes. First, retrieve the API key for the Conjur host representing the control
node, then create it:
```sh-session
export ANSIBLE_CONJUR_AUTHN_API_KEY="$(docker-compose exec conjur conjurctl role retrieve-key cucumber:host:ansible/ansible-master)"
docker-compose up -d ansible
```
Next, create two instances of each managed node:
```sh-session
docker-compose up -d --scale test_app_ubuntu=2 test_app_ubuntu
docker-compose up -d --scale test_app_centos=2 test_app_centos
```
## Use Conjur Ansible Role to set up identity on managed nodes
To grant your Ansible host a Conjur identity, first install the Conjur
Collection on your Ansible control node:
```sh-session
docker-compose exec ansible ansible-galaxy collection install cyberark.conjur
```
Set up the host factory token in the HFTOKEN env var
```sh-session
export HFTOKEN="$(docker-compose exec conjur_cli conjur hostfactory tokens create ansible/ansible-factory | jq -r '.[0].token')"
```
Once you've done this, you can configure each Ansible node with a Conjur
identity by including a section like the example below in your Ansible playbook:
```yaml
---
- hosts: testapp
roles:
- role: cyberark.conjur.conjur_host_identity
conjur_appliance_url: 'https://conjur.myorg.com',
conjur_account: 'cucumber',
conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}",
conjur_host_name: "{{inventory_hostname}}"
```
First we register the host with Conjur, adding it into the layer specific to the
provided host factory token, and then install Summon with the Summon Conjur
provider for secret retrieval from Conjur.
## Use Conjur Lookup Plugin to provide secrets to Ansible Playbooks
The Conjur lookup plugin can inject secret data directly into an Ansible
playbook, like it the following example:
```yaml
---
- hosts: testapp
tasks:
- name: Provide secret with Lookup plugin
debug:
msg: "{{ lookup('cyberark.conjur.conjur_variable', '/ansible/target-password') }}"
```
|