Merge pull request #133 from drewmullen/db-engine-config

database secrets engine config
TerryHowe · Jun 18, 2019 · 6628cac · 6628cac
2 parents 46e841f + 0fc7868
commit 6628cac
Show file tree

Hide file tree

Showing 16 changed files with 893 additions and 48 deletions.
diff --git a/ansible.cfg b/ansible.cfg
@@ -1,2 +1,3 @@
 [defaults]
 retry_files_enabled = False
+nocows = 1
diff --git a/...ules/hashivault/hashivault_auth_enable.py → ...les/hashivault/_hashivault_auth_enable.py b/...ules/hashivault/hashivault_auth_enable.py → ...les/hashivault/_hashivault_auth_enable.py
diff --git a/...s/hashivault/hashivault_secret_disable.py → .../hashivault/_hashivault_secret_disable.py b/...s/hashivault/hashivault_secret_disable.py → .../hashivault/_hashivault_secret_disable.py
diff --git a/...es/hashivault/hashivault_secret_enable.py → ...s/hashivault/_hashivault_secret_enable.py b/...es/hashivault/hashivault_secret_enable.py → ...s/hashivault/_hashivault_secret_enable.py
diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py
@@ -71,6 +71,7 @@
  config:
  description:
  - configuration set on auth method. expects a dict
+ default: "{'default_lease_ttl': 2764800, 'max_lease_ttl': 2764800, 'force_no_cache':False, 'token_type': 'default-service'}"
 '''
 EXAMPLES = '''
 ---
@@ -80,14 +81,15 @@
  method_type: userpass
 '''
 
+DEFAULT_TTL = 2764800
 
 def main():
  argspec = hashivault_argspec()
  argspec['method_type'] = dict(required=True, type='str')
  argspec['description'] = dict(required=False, type='str')
  argspec['state'] = dict(required=False, type='str', default='enabled', choices=['enabled','disabled','enable','disable'])
  argspec['mount_point'] = dict(required=False, type='str', default=None)
- argspec['config'] = dict(required=False, type='dict', default=None)
+ argspec['config'] = dict(required=False, type='dict', default={'default_lease_ttl':DEFAULT_TTL, 'max_lease_ttl':DEFAULT_TTL, 'force_no_cache':False, 'token_type': 'default-service'})
  module = hashivault_init(argspec)
  result = hashivault_auth_method(module)
  if result.get('failed'):
@@ -107,14 +109,16 @@ def hashivault_auth_method(module):
  state = params.get('state')
  exists = False
  changed = False
+ desired_state = dict()
+ current_state = dict()
 
  if mount_point == None:
  mount_point = method_type
 
  auth_methods = client.sys.list_auth_methods()
  path = (mount_point or method_type) + u"/"
 
- # is auth method enabled already?
+ # does auth method enabled already?
  if path in auth_methods['data'].keys():
  exists = True
 
@@ -125,12 +129,29 @@ def hashivault_auth_method(module):
  elif (state == 'disabled' or state == 'disable') and exists == True:
  changed = True
 
- if changed and not module.check_mode and (state == 'enabled' or state == 'enable'):
- client.sys.enable_auth_method(method_type, description=description, path=mount_point, config=config)
+ # its on, we want it on, need to check current config vs desired
+ if not changed and exists and (state == 'enabled' or state == 'enable'):
+ current_state = client.sys.read_auth_method_tuning(path=mount_point)
+ if 'default_lease_ttl' not in config:
+ config['default_lease_ttl'] = DEFAULT_TTL
+ if 'max_lease_ttl' not in config:
+ config['max_lease_ttl'] = DEFAULT_TTL
+ if 'force_no_cache' not in config:
+ config['force_no_cache'] = False
+ if 'token_type' not in config:
+ config['token_type'] = 'default-service'
+ if current_state['data'] != config:
+ changed = True
 
+ # brand new
+ if changed and not exists and not module.check_mode and (state == 'enabled' or state == 'enable'):
+ client.sys.enable_auth_method(method_type, description=description, path=mount_point, config=config)
+ # delete existing
  if changed and not module.check_mode and (state == 'disabled' or state == 'disable'):
  client.sys.disable_auth_method(path=mount_point)
-
+ # update existing
+ if changed and exists and not module.check_mode and (state == 'enabled' or state == 'enable'):
+ client.sys.tune_auth_method(description=description, path=mount_point, **config)
  return {'changed': changed}
 
 if __name__ == '__main__':

diff --git a/ansible/modules/hashivault/hashivault_azure_auth_config.py b/ansible/modules/hashivault/hashivault_azure_auth_config.py
@@ -126,6 +126,8 @@ def hashivault_azure_auth_config(module):
  changed = False
  config_file = params.get('config_file')
  mount_point = params.get('mount_point')
+ desired_state = dict()
+ current_state = dict()
 
  # do not want a trailing slash in mount_point
  if mount_point[-1]:
@@ -134,36 +136,41 @@ def hashivault_azure_auth_config(module):
  # if config_file is set, set sub_id, ten_id, client_id, client_secret from file
  # else set from passed args
  if config_file:
- config = json.loads(open(params.get('config_file'), 'r').read())
- tenant_id = config.get('tenant_id')
- client_id = config.get('client_id')
- client_secret = config.get('client_secret') 
- resource = config.get('resource') 
+ desired_state = json.loads(open(params.get('config_file'), 'r').read()) 
+ if 'resource' not in desired_state:
+  desired_state['resource'] = params.get('resource')
+ if 'environment' not in desired_state:
+  desired_state['environment'] = params.get('environment')
  else:
- tenant_id = params.get('tenant_id')
- client_id = params.get('client_id')
- client_secret = params.get('client_secret')
- resource = params.get('resource') 
+ desired_state['tenant_id'] = params.get('tenant_id')
+ desired_state['client_id'] = params.get('client_id')
+ desired_state['client_secret'] = params.get('client_secret')
+ desired_state['resource'] = params.get('resource') 
+ desired_state['environment'] = params.get('environment') 
 
  # check if engine is enabled
  if (mount_point + "/") not in client.sys.list_auth_methods()['data'].keys():
  return {'failed': True, 'msg': 'auth mount is not enabled', 'rc': 1}
 
  # check if any config exists
  try:
- current = client.auth.azure.read_config()
+ current_state = client.auth.azure.read_config()
  except:
  changed = True
 
  # check if current config matches desired config values, if they dont match, set changed true
- if changed == False:
- mismatched = {k:v for k, v in current.items() if params[k] != v}
- if mismatched:
+ for k, v in current_state.items():
+ if v != desired_state[k]:
  changed = True
 
+ # if changed == False:
+ # mismatched = {k:v for k, v in current.items() if params[k] != v}
+ # if mismatched:
+ # changed = True
+
  # if configs dont match and checkmode is off, complete the change
  if changed == True and not module.check_mode:
- result = client.auth.azure.configure(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret, resource=resource, mount_point=mount_point)
+ result = client.auth.azure.configure(mount_point=mount_point, **desired_state)
 
  return {'changed': changed}
 

diff --git a/ansible/modules/hashivault/hashivault_azure_auth_role.py b/ansible/modules/hashivault/hashivault_azure_auth_role.py
@@ -133,9 +133,9 @@ def main():
  argspec['num_uses'] = dict(required=False, type='int', default=0)
 
  supports_check_mode=True
- required_one_of=[['bound_service_principal_ids', 'bound_group_ids', 'bound_locations', 'bound_subscription_ids', 'bound_resource_groups', 'bound_scale_sets', 'role_file', 'state']]
+ # required_one_of=[['bound_service_principal_ids', 'bound_group_ids', 'bound_locations', 'bound_subscription_ids', 'bound_resource_groups', 'bound_scale_sets', 'role_file', 'state']]
 
- module = hashivault_init(argspec, supports_check_mode, required_one_of)
+ module = hashivault_init(argspec, supports_check_mode) #, required_one_of)
  result = hashivault_azure_auth_role(module)
  if result.get('failed'):
  module.fail_json(**result)

diff --git a/ansible/modules/hashivault/hashivault_azure_secret_engine_config.py b/ansible/modules/hashivault/hashivault_azure_secret_engine_config.py
@@ -59,7 +59,7 @@
  mount_point:
  description:
  - name of the secret engine mount name.
- default: azure
+ default: 'azure'
  subscription_id:
  description:
  - azure SPN subscription id
@@ -87,12 +87,12 @@
  - hashivault_azure_secret_engine_config:
  subscription_id: 1234
  tenant_id: 5689-1234
- tenant_id: 5689-1234
  client_id: 1012-1234
  client_secret: 1314-1234
 
  - hashivault_azure_secret_engine_config:
  config_file: /home/drewbuntu/azure-config.json
+ mount_point: azure
 '''
 
 
@@ -105,9 +105,10 @@ def main():
  argspec['client_secret'] = dict(required=False, type='str')
  argspec['environment'] = dict(required=False, type='str', default='AzurePublicCloud')
  argspec['config_file'] = dict(required=False, type='str', default=None)
+ supports_check_mode=True
  required_together=[['subscription_id', 'client_id', 'client_secret', 'tenant_id']]
 
- module = hashivault_init(argspec, supports_check_mode=True, required_together=required_together)
+ module = hashivault_init(argspec, supports_check_mode, required_together)
  result = hashivault_azure_secret_engine_config(module)
  if result.get('failed'):
  module.fail_json(**result)
@@ -119,48 +120,41 @@ def main():
 def hashivault_azure_secret_engine_config(module):
  params = module.params
  client = hashivault_auth_client(params)
- changed = True
+ changed = False
  config_file = params.get('config_file')
  mount_point = params.get('mount_point')
+ desired_state = dict()
 
  # do not want a trailing slash in mount_point
- if mount_point:
+ if mount_point[-1]:
  mount_point = mount_point.strip('/')
 
  # if config_file is set, set sub_id, ten_id, client_id, client_secret from file
  # else set from passed args
  if config_file:
- config = json.loads(open(params.get('config_file'), 'r').read())
- tenant_id = config.get('tenant_id')
- subscription_id = config.get('subscription_id')
- client_id = config.get('client_id')
- client_secret = config.get('client_secret') 
+ desired_state = json.loads(open(params.get('config_file'), 'r').read())
+ if 'environment' not in desired_state:
+ desired_state['environment'] = 'AzurePublicCloud' 
  else:
- tenant_id = params.get('tenant_id')
- subscription_id = params.get('subscription_id')
- client_id = params.get('client_id')
- client_secret = params.get('client_secret')
+ desired_state['tenant_id'] = params.get('tenant_id')
+ desired_state['subscription_id'] = params.get('subscription_id')
+ desired_state['client_id'] = params.get('client_id')
+ desired_state['client_secret'] = params.get('client_secret')
+ desired_state['environment'] = params.get('environment') 
 
  # check if engine is enabled
  if (mount_point + "/") not in client.sys.list_mounted_secrets_engines()['data'].keys():
  return {'failed': True, 'msg': 'secret engine is not enabled', 'rc': 1}
 
  # check if current config matches desired config values, if they match, set changed to false to prevent action
- current = client.secrets.azure.read_config()
- if sys.version_info[0] < 3:
- changed = False
- mismatched = {k:v for k, v in current.items() if params[k] != v}
- if mismatched:
+ current_state = client.secrets.azure.read_config()
+ for k, v in current_state.items():
+ if v != desired_state[k]:
  changed = True
- else:
- if current.items() < params.items():
- changed = False
 
  # if configs dont match and checkmode is off, complete the change
  if changed == True and not module.check_mode:
- result = client.secrets.azure.configure(tenant_id=tenant_id, subscription_id=subscription_id,
- client_id=client_id, client_secret=client_secret,
- mount_point=mount_point)
+ result = client.secrets.azure.configure(mount_point=mount_point, **desired_state)
 
  return {'changed': changed}