• Working Directory: Documents/Courses/Pluralsight-GettingStartedWithAnsible
  • Sample Code: https://github.com/g0t4/course-ansible-getting-started

  • Install homebrew
    • Install bat
    • Install tree
      • tree -C alias
    • jq
    • httpie
    • curl
    • wget

Ad-hoc

Commands run:

ansible -m copy -a "src=master.gitconfig dest=~/.gitconfig" localhost
ansible -m copy -a "src=master.gitconfig dest=~/.gitconfig" --check --diff localhost
ansible -m shell -a "hostname" -vvvv localhost

Managing Mac with Ansible

  • install homebrew
  • download linux setup from gitlab
  • Manage these types of file with git repo
ansible -m copy -a "src=master.gitconfig dest=~/.gitconfig" --check --diff localhost
  • install bat command from homebrew
ansible -m homebrew -a "name=bat state=latest" localhost
ansible -m homebrew -a "name=jq state=latest" localhost

Playbooks

Intro to Playbooks

ansible-playbook playbook.yaml

spin up a quick docker container

docker run --rm -it python bash

connect to multiple machines using ansible

ansible-console containers
  • containers is defined in the inventory file as 3 docker containers

Module 4

Basic Auth

Vault Policies

  • Govern: Who, What, How for access
  • Policy is in HCL or JSON
  • Variables available for identities in path logic for dynamic policies
  • can specify parameters
  • two out-of-the-box policies: default & root policies

Policy Document:

path "path_of_secret_data/*" {
  capabilities        = ["create", "read", "update"]   # ...
  required_parameters = ["param_name"]
  allowed_parameters  = { param_name = ["list", "of", "values"] }
  denied_parameters   = { param_name = ["list", "of", "values"] }
}
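A complete policy using the constructs listed above (path glob, capabilities, required/allowed/denied parameters, and an identity template variable for a dynamic path), added here as an example and not code from the course; the kv/ mount (KV version 1) and the team name "payments" are assumed.

```hcl
# Added example policy (not from the course). Assumed: kv/ is a KV v1 mount,
# "payments" is the team's prefix, entities are named per application.

# Dynamic path: {{identity.entity.name}} is resolved per token at request
# time, so each entity only reaches its own subtree without a policy each.
path "kv/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Shared team config: every write must carry an "owner" key, "env" may only
# take the listed values, any other key is allowed, and "root_password" can
# never be written no matter what value it holds.
path "kv/payments/config" {
  capabilities        = ["create", "read", "update"]
  required_parameters = ["owner"]
  allowed_parameters = {
    "env"   = ["dev", "staging"]
    "owner" = []   # key required above, any value accepted
    "*"     = []   # remaining keys permitted, but "env" stays restricted
  }
  denied_parameters = {
    "root_password" = []   # denied_parameters wins over allowed_parameters
  }
}

# Listing lets the CLI/UI browse the tree; reading children is governed above.
path "kv/payments/" {
  capabilities = ["list"]
}

# "deny" takes precedence over any other capability on this path, so even a
# token that also holds a broader policy cannot touch prod secrets.
path "kv/payments/prod/*" {
  capabilities = ["deny"]
}

# Let the token inspect and renew itself (default policy also grants these;
# repeated here so the policy works for tokens created with no_default_policy).
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
path "auth/token/renew-self" {
  capabilities = ["update"]
}
```

Load it with the commands in the next section (vault policy write payments payments.hcl) and verify with a token that holds only this policy, using --check-style dry runs such as vault kv put kv/payments/config env=prod owner=me to confirm the allowed_parameters rejection.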

Working with policies

list all policies

vault policy list

create a policy

vault policy write [policy] [policy_file.hcl]

update a policy

vault write sys/policy/[policy] policy=@[policy_file.hcl]

delete a policy

vault delete sys/policy/[policy]

Client Tokens

  • Policies are added to tokens
  • updates to policies have an immediate effect on existing tokens
  • creating new policies does not update existing tokens
  • tokens are the foundation of access within vault
    • even if you auth via LDAP or something else it just gives you a token

Module 5 - How to Set Up, Configure & Operate a Vault Server as an Admin

Vault Server Architecture

Storage

  • over 19 options currently supported
  • consul is kinda the default

Installation Process for prod

  • Installation Scenario
    • Virtual Network
      • Vault Subnet
        • Vault VM
          • HTTPS on 8200 default port
          • Public IP in front of vault server
          • talks on 8201 for clustering
          • Consul Agent for storage
            • Gossip & RPC protocols
            • Consul agent runs server on 8500
          • vault configured in HA with another vault server
      • Consul Subnet
        • Consul VM
          • Replication on port 8300
      • Communication between the two

storage and configuration

Server Operations

Conclusion

  • nothing leaves the barrier unencrypted
  • everything in the barrier is audited
  • plan your pilot to support HA

Module 6 - Auditing Actions in Vault

  • everything is audited
  • auditing must be available
  • sensitive data is hashed by default