From c8d77e553d7b3c97b6f6c5479e059b28289e9e2c Mon Sep 17 00:00:00 2001
From: Ian Fijolek
Date: Wed, 7 Sep 2022 11:05:27 -0700
Subject: [PATCH] Add playbook to unseal Vault

---
 nomad/Makefile         |  5 +++++
 nomad/unseal-vault.yml | 27 +++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 nomad/unseal-vault.yml

diff --git a/nomad/Makefile b/nomad/Makefile
index 01b48c6..e4d1f47 100644
--- a/nomad/Makefile
+++ b/nomad/Makefile
@@ -75,6 +75,11 @@ bootstrap-values: venv/bin/ansible galaxy
 		$(shell test -f vault-keys.json && echo '-e "@vault-keys.json"') \
 		-i ansible_hosts.yml -M ./roles ./bootstrap-values.yml
 
+.PHONY: unseal-vault
+unseal-vault: venv/bin/ansible galaxy
+	env VIRTUAL_ENV=/Users/ifij/workspace/iamthefij/orchestration-tests/nomad/venv ./venv/bin/ansible-playbook -K -vv \
+		-e "@vault-keys.json" -i ansible_hosts.yml -M ./roles ./unseal-vault.yml
+
 .PHONY: init
 init:
 	@terraform init
diff --git a/nomad/unseal-vault.yml b/nomad/unseal-vault.yml
new file mode 100644
index 0000000..db24e89
--- /dev/null
+++ b/nomad/unseal-vault.yml
@@ -0,0 +1,27 @@
+---
+- name: Unseal Vault
+  hosts: vault_instances
+
+  tasks:
+    - name: Get Vault status
+      uri:
+        url: http://127.0.0.1:8200/v1/sys/health
+        method: GET
+        status_code: 200, 429, 472, 473, 501, 503
+        body_format: json
+        return_content: true
+      register: vault_status
+
+    - name: Unseal Vault
+      no_log: true
+      command:
+        argv:
+          - "vault"
+          - "operator"
+          - "unseal"
+          - "-address=http://127.0.0.1:8200/"
+          - "{{ item }}"
+      loop: "{{ unseal_keys_hex }}"
+      when:
+        - unseal_keys_hex is defined
+        - vault_status.json["sealed"]
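Review bot: The `VIRTUAL_ENV` value in the new unseal-vault recipe is a hard-coded path under one developer's home directory, so the target only works on that machine; `$(CURDIR)/venv` resolves to the same directory for any checkout: `env VIRTUAL_ENV=$(CURDIR)/venv ./venv/bin/ansible-playbook -K -vv \`. The recipe also passes `-e "@vault-keys.json"` unconditionally, while the neighbouring bootstrap-values target guards the same argument with `$(shell test -f vault-keys.json && echo '-e "@vault-keys.json"')`; without the file, ansible-playbook exits on the missing extra-vars file before the playbook's own `unseal_keys_hex is defined` check can skip the task, so reusing that guard would keep the two targets consistent. The bootstrap-values rule whose continuation lines open the hunk starts above it.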
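Review bot: `loop: "{{ unseal_keys_hex }}"` on the Unseal Vault task is evaluated before the task's `when` list, so on a host where `unseal_keys_hex` is not defined the task fails with an undefined-variable error instead of being skipped by the `unseal_keys_hex is defined` condition; `loop: "{{ unseal_keys_hex | default([]) }}"` makes the guard effective. `status_code: 200, 429, 472, 473, 501, 503` is a single plain scalar that the uri module has to split into a list; writing it as a YAML block sequence makes the intent explicit to readers and linters. The address `http://127.0.0.1:8200` is repeated in the health-check `url` and in the unseal `-address=` argument; a single play-level variable (for example `vault_addr`) used in both places would keep them from drifting apart.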