Added automatic secret generation

Sem-Ver: feature
Change-Id: Ie0b853b673e8ae518f57de1f03835152ea0d3890
diff --git a/playbooks/generate_secrets.yml b/playbooks/generate_secrets.yml
new file mode 100644
index 0000000..88dbf23
--- /dev/null
+++ b/playbooks/generate_secrets.yml
@@ -0,0 +1,32 @@
+---
+- hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Ensure the secrets file exists
+      ansible.builtin.file:
+        path: "{{ secrets_path }}"
+        state: touch
+
+    - name: Load the current secrets into a variable
+      ansible.builtin.include_vars:
+        file: "{{ secrets_path }}"
+        name: secrets
+
+    - name: Generate secrets for missing variables
+      ansible.builtin.set_fact:
+        secrets: "{{ secrets| default({}) | combine({item: lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=32')}) }}"
+      # NOTE(mnaser): We don't want to override existing secrets, so we generate
+      #               a new one if and only if it doesn't exist
+      when: item not in secrets
+      # NOTE(mnaser): This is absolutely hideous but there's no clean way of
+      #               doing this using `with_fileglob` or `with_filetree`
+      with_lines: >
+        ls {{ playbook_dir }}/../roles/*/defaults/main.yml |
+          xargs grep undef |
+            egrep -v '(_host|region_name)' |
+              cut -d':' -f2
+
+    - name: Write new secrets file to disk
+      ansible.builtin.copy:
+        content: "{{ secrets | to_nice_yaml }}"
+        dest: "{{ secrets_path }}"
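Review bot: The secrets file is created and rewritten without an explicit `mode`: neither the `ansible.builtin.file` touch task nor the final `ansible.builtin.copy` task sets one, so its permissions fall to the umask of whoever runs the playbook. On a typical umask that leaves the file readable by other local users. Adding `mode: "0600"` to both tasks would pin it to the owner. The `set_fact` loop and the `copy` task also carry the generated values in their task results, where they can surface in verbose or `--diff` output and in logging callbacks. Adding `no_log: true` to those two tasks would keep them out.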