ops/vault: destroy existing secrets before provisioning a new one

2022-03-20 10:20:25 +00:00 · 2022-03-20 10:20:25 +00:00 · 4020f310ce
commit 4020f310ce
parent 132cb805b3
2 changed files with 10 additions and 1 deletions
--- a/ops/vault/default.nix
+++ b/ops/vault/default.nix
@ -27,6 +27,9 @@
        exit $RET
      fi
      echo "$SECRET_ID" > /var/lib/vault-agent/secret-id
+
+      systemctl restart vault-agent
+      systemctl restart secretsmgr || true
    '';
  };
 }
--- a/ops/vault/reissue-secret-id.sh
+++ b/ops/vault/reissue-secret-id.sh
@ -10,5 +10,11 @@ export VAULT_ADDR=https://vault.int.lukegb.com/
 echo Checking login credentials... >&2
 vault token lookup >/dev/null || vault login -method=oidc role=admin >&2

+echo Destroying existing secrets for that server... >&2
+vault list -format=json "auth/approle/role/${server_name}/secret-id" | jq -r '.[]' | while read -r secret_id_accessor; do
+  echo -ne "\t$secret_id_accessor\n"
+  vault write "auth/approle/role/${server_name}/secret-id-accessor/destroy" secret_id_accessor="${secret_id_accessor}"
+done
+
 echo Creating new secret... >&2
-vault write -f -format=json -wrap-ttl=3m auth/approle/role/${server_name}/secret-id | jq -r '.wrap_info.token'
+vault write -f -format=json -wrap-ttl=3m "auth/approle/role/${server_name}/secret-id" | jq -r '.wrap_info.token'