codebymikey · September 25, 2019 10:25 · Aug 23, 2019 · Apr 16, 2019
diff --git a/rotate-secrets.yml b/rotate-secrets.yml
@@ -25,7 +25,7 @@
           name: "vars_to_change"
           file: "{{ secrets_path }}"
 
-      - name: "change koala secrets"
+      - name: "change nested secrets"
         set_fact: &replace_nested_secrets
           # This takes the duplicated secrets, loops over the selected keys,
           # replaces each value by a generated password, and merges that new
@@ -41,39 +41,27 @@
             },
             recursive=True) }}"
         vars:
-          secrets_category: "vault_secret_koala"
+          secrets_category: "vault_secret_example1_nested"
         with_dict: "{{ vars_to_change[secrets_category] }}"
 
-      - name: "change mysql passwords"
+      - name: "change more nested secrets"
         set_fact: *replace_nested_secrets
         vars:
-          secrets_category: "vault_secret_mysql_passwords"
+          secrets_category: "vault_secret_example2_nested"
         with_dict: "{{ vars_to_change[secrets_category] }}"
 
-      - name: "change django secret for pretix"
+      - name: "change subset of more nested secrets"
         set_fact: *replace_nested_secrets
         vars:
-          secrets_category: "vault_secret_pretix"
+          secrets_category: "vault_secret_example3_nested"
         with_dict: "{{ vars_to_change[secrets_category] }}"
-        when: "item.key == 'django_secret'"
-
-      - name: "change metrics + pma secrets"
-        set_fact:
-          vars_to_change:
-            "{{ vars_to_change |
-            combine({
-              item:
-                lookup('password', '/dev/null length=' ~ password_length)
-            }) }}"
-        with_items:
-          - "vault_secret_metrics_password"
-          - "vault_secret_phpmyadmin_blowfish_secret"
+        when: "item.key == 'secret_that_needs_rotation'"
 
       - name:
           "encrypt and save changed vars to disk"
         command:
           "ansible-vault encrypt --vault-id
-          {{ deploy_env }}@../scripts/get-vault-pass-from-bitwarden-client.sh
+          {{ deploy_env }}@script-outputting-vault-passphrase.sh
           --output={{ secrets_path }}"
         args:
           stdin:

diff --git a/rotate-secrets.yml b/rotate-secrets.yml
@@ -0,0 +1,82 @@
+---
+# This playbook rotates Ansible Vault-encrypted secrets that are defined
+# as dictionaries in the group_vars of an Ansible repository.
+#
+# The changes are split over multiple tasks, because the dictionary logic
+# doesn't handle looping over secrets on differing levels within a
+# dictionary.
+
+- hosts: "all"
+  user: "ansible"
+  force_handlers: true
+  gather_facts: false
+
+  vars:
+    deploy_env: "{{ group_names | difference(['all']) | first }}"
+    secrets_path: "../group_vars/{{ deploy_env }}/vault.yml"
+    password_length: 32
+
+  tasks:
+    - name: "unlogged block to prevent logging of secrets"
+      no_log: true
+      block:
+      - name: "import current secrets"
+        include_vars:
+          name: "vars_to_change"
+          file: "{{ secrets_path }}"
+
+      - name: "change koala secrets"
+        set_fact: &replace_nested_secrets
+          # This takes the duplicated secrets, loops over the selected keys,
+          # replaces each value by a generated password, and merges that new
+          # pair with the existing dictionary.
+          vars_to_change:
+            "{{ vars_to_change |
+            combine({
+              secrets_category: {
+                item.key:
+                  lookup('password',
+                  '/dev/null length=' ~ password_length)
+              }
+            },
+            recursive=True) }}"
+        vars:
+          secrets_category: "vault_secret_koala"
+        with_dict: "{{ vars_to_change[secrets_category] }}"
+
+      - name: "change mysql passwords"
+        set_fact: *replace_nested_secrets
+        vars:
+          secrets_category: "vault_secret_mysql_passwords"
+        with_dict: "{{ vars_to_change[secrets_category] }}"
+
+      - name: "change django secret for pretix"
+        set_fact: *replace_nested_secrets
+        vars:
+          secrets_category: "vault_secret_pretix"
+        with_dict: "{{ vars_to_change[secrets_category] }}"
+        when: "item.key == 'django_secret'"
+
+      - name: "change metrics + pma secrets"
+        set_fact:
+          vars_to_change:
+            "{{ vars_to_change |
+            combine({
+              item:
+                lookup('password', '/dev/null length=' ~ password_length)
+            }) }}"
+        with_items:
+          - "vault_secret_metrics_password"
+          - "vault_secret_phpmyadmin_blowfish_secret"
+
+      - name:
+          "encrypt and save changed vars to disk"
+        command:
+          "ansible-vault encrypt --vault-id
+          {{ deploy_env }}@../scripts/get-vault-pass-from-bitwarden-client.sh
+          --output={{ secrets_path }}"
+        args:
+          stdin:
+            "{{ vars_to_change | to_nice_yaml(default_style='\"',
+            explicit_start=True, indent=2, width=79) }}"
+        delegate_to: "localhost"