From 65416b25891e73a8b9ca66977403c9e7c39d1e2f Mon Sep 17 00:00:00 2001
From: khalil
Date: Tue, 6 May 2025 14:16:56 +0000
Subject: [PATCH] Actualiser inject_vault_secrets.yml
---
 inject_vault_secrets.yml | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/inject_vault_secrets.yml b/inject_vault_secrets.yml
index f18d247..eaca341 100644
--- a/inject_vault_secrets.yml
+++ b/inject_vault_secrets.yml
@@ -6,23 +6,24 @@ vars: target_group_vars_file: "/etc/ansible/group_vars/ctl" + env: "{{ lookup('env', 'ENV') }}" vault_secrets_map: - openstack_admin_project_passwd: { path: "services/openstack_admin_project", key: "passwd" } - git_token: { path: "services/git", key: "token" } - console_database_passwd: { path: "services/console_db", key: "passwd" } # Assurez-vous que ce secret existe - smtp_passwd: { path: "services/smtp_noreply", key: "passwd" } - smtp_support_email_passwd: { path: "services/smtp_support", key: "passwd" } - authentik_bear_token: { path: "services/authentik_bear", key: "token" } - oidc_client_id: { path: "services/oidc_client", key: "id" } # Exemple si clé est 'id' - oidc_client_secret: { path: "services/oidc_client", key: "secret" } - flouci_public_token: { path: "services/flouci_public", key: "token" } - flouci_private_token: { path: "services/flouci_private", key: "token" } - konnect_api_key: { path: "services/konnect_api", key: "key" } - stripe_api_key: { path: "services/stripe_api", key: "key" } - stripe_test_api_key: { path: "services/stripe_test_api", key: "key" } - stripe_front_api_key: { path: "services/stripe_front_api", key: "key" } - stripe_front_test_api_key: { path: "services/stripe_front_test_api", key: "key" } + openstack_admin_project_passwd: { path: "environnement/{{ env }}/openstack_admin_project", key: "passwd" } + git_token: { path: "environnement/{{ env }}/git", key: "token" } + console_database_passwd: { path: "environnement/{{ env }}/console_db", key: "passwd" } + smtp_passwd: { path: "environnement/{{ env }}/smtp_noreply", key: "passwd" } + smtp_support_email_passwd: { path: "environnement/{{ env }}/smtp_support", key: "passwd" } + authentik_bear_token: { path: "environnement/{{ env }}/authentik_bear", key: "token" } + oidc_client_id: { path: "environnement/{{ env }}/oidc_client", key: "id" } + oidc_client_secret: { path: "environnement/{{ env }}/oidc_client", key: "secret" } + flouci_public_token: { path: 
"environnement/{{ env }}/flouci_public", key: "token" } + flouci_private_token: { path: "environnement/{{ env }}/flouci_private", key: "token" } + konnect_api_key: { path: "environnement/{{ env }}/konnect_api", key: "key" } + stripe_api_key: { path: "environnement/{{ env }}/stripe_api", key: "key" } + stripe_test_api_key: { path: "environnement/{{ env }}/stripe_test_api", key: "key" } + stripe_front_api_key: { path: "environnement/{{ env }}/stripe_front_api", key: "key" } + stripe_front_test_api_key: { path: "environnement/{{ env }}/stripe_front_test_api", key: "key" } vault_kv_mount_point: "secret" @@ -30,15 +31,17 @@ - name: Vérifier l'accès/authentification à Vault vars: first_secret_info: "{{ vault_secrets_map.values() | first }}" + # Construit maintenant: secret/data/environnement/demo/openstack_admin_project:passwd test_lookup_string: "{{ vault_kv_mount_point }}/data/{{ first_secret_info.path }}:{{ first_secret_info.key }}" ansible.builtin.assert: that: lookup('community.hashi_vault.hashi_vault', test_lookup_string) is defined - fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test est inaccessible. Vérifiez VAULT_ADDR et l'authentification (login/token)." + fail_msg: "Échec de la connexion/authentification à Vault ou le premier secret test '{{ test_lookup_string }}' est inaccessible. Vérifiez VAULT_ADDR et l'authentification." quiet: yes - name: Injecter chaque secret dans {{ target_group_vars_file }} vars: ctl_variable_name: "{{ item.key }}" + # Construit maintenant: secret/data/environnement/demo/git:token (par exemple) vault_lookup_string: "{{ vault_kv_mount_point }}/data/{{ item.value.path }}:{{ item.value.key }}" secret_value: "{{ lookup('community.hashi_vault.hashi_vault', vault_lookup_string) }}" ansible.builtin.lineinfile: 
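Review bot: The new `env: "{{ lookup('env', 'ENV') }}"` is never validated, yet it now selects which environment's credentials every `environnement/{{ env }}/...` path resolves to; an unset ENV yields `environnement//openstack_admin_project` and a typo (or a shell that still exports a different environment's name) silently pulls another environment's secrets into the control node's group_vars. Since this single variable is the only boundary between environments, it should be asserted non-empty and checked against an allow-list before any Vault lookup runs, for example as a `pre_tasks` assert at the top of the play (sketch below; the allowed values are a guess and must be replaced by the real environment names). The play header that owns this `vars:` block starts outside the hunk, so the exact indentation of `pre_tasks:` has to be matched there.
```yaml
vars:
  # … unchanged: target_group_vars_file …
  env: "{{ lookup('env', 'ENV') }}"
  # Environments that exist under secret/data/environnement/ — replace with the real list
  allowed_envs: ["demo", "prod"]
  # … unchanged: vault_secrets_map, vault_kv_mount_point …
pre_tasks:
  - name: Vérifier que ENV est défini et autorisé
    ansible.builtin.assert:
      that:
        - env | length > 0
        - env in allowed_envs
      fail_msg: "ENV='{{ env }}' invalide ; valeurs attendues : {{ allowed_envs | join(', ') }}"
      quiet: true
```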
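Review bot: The reworded `fail_msg` in "Vérifier l'accès/authentification à Vault" is unlikely ever to be displayed for the failures it describes, because `lookup('community.hashi_vault.hashi_vault', test_lookup_string) is defined` can only be evaluated once the lookup has already succeeded; an unreachable VAULT_ADDR, a rejected token or a missing path raises inside the lookup and aborts the task with the plugin's own error before the assertion runs. If the generic lookup keyword `errors='ignore'` is honoured by this plugin, `that: lookup('community.hashi_vault.hashi_vault', test_lookup_string, errors='ignore') is not none` would make the message reachable; otherwise the assert should be documented as a smoke test whose real diagnostic is the plugin error. Separately, the two new comments `# Construit maintenant: secret/data/environnement/demo/...` hard-code `demo` although the path now depends on ENV; `# Resolves to: secret/data/environnement/<ENV>/openstack_admin_project:passwd` describes what is actually built. `quiet: yes` should be `quiet: true` (the file otherwise uses `true` in this patch). The "Injecter chaque secret" task begun here continues past the hunk.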
@@ -50,4 +53,5 @@ loop: "{{ vault_secrets_map | dict2items }}" when: secret_value is defined and secret_value not in [none, ''] loop_control: - label: "{{ item.key }}" \ No newline at end of file + label: "{{ item.key }}" + no_log: true # Remis pour la sécurité \ No newline at end of file
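Review bot: Restoring `no_log: true` is right, but combined with the unchanged `when: secret_value is defined and secret_value not in [none, '']` it turns a missing or empty secret into a silent skip: the entry in `/etc/ansible/group_vars/ctl` keeps whatever stale value it had, nothing is printed, and the run ends green, which for credentials selected by ENV is exactly the case that should fail loudly. I would fail fast in a dedicated assert task before the injection (sketch below) and drop the `when:`; its output only ever echoes `path:key`, never the value, so it can run without `no_log` and still produce a usable message (add `no_log: true` there too if that is judged insufficient, at the cost of the message). Also confirm `no_log` sits at task level, aligned with `loop_control:` rather than under it — the collapsed diff hides the indentation, and `loop_control` does not accept `no_log`. The `lineinfile` arguments of this task (path, regexp, line, mode) are outside the hunk; if no restrictive `mode:` is set there, the plaintext secrets land in a file with default permissions.
```yaml
- name: Vérifier que chaque secret existe et n'est pas vide
  vars:
    vault_lookup_string: "{{ vault_kv_mount_point }}/data/{{ item.value.path }}:{{ item.value.key }}"
  ansible.builtin.assert:
    # Only path:key is echoed on failure, never the secret itself
    that: lookup('community.hashi_vault.hashi_vault', vault_lookup_string) | length > 0
    fail_msg: "Secret vide ou introuvable : {{ vault_lookup_string }}"
    quiet: true
  loop: "{{ vault_secrets_map | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# … unchanged: "Injecter chaque secret" task, minus its `when:`, keeping `no_log: true` at task level …
```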