database secrets engine config

[drewmullen]

new module hashivault_db_secret_engine_config for enabling a db config. can optionally take a file as input

new module hashivault_db_secret_engine_role for enabling a db role. can optionally take a file as input

new module hashivault_secret_engine for enabling or disabling a secret engine. this module is idempotent on the mount and its tuned values, takes state as a param, is compatible with check mode.

deprecate: still usable but should be removed eventually. deprecated by prepending _ to module name

• hashivault_secret_enable
• hashivault_secret_disable
• hashivault_auth_enable
  see final comment below

tests included but disabled because they require connection to actual db

both require a new hvac module with some fixes pending PR. I was told they'll cut the 9.2 release next week. issues: hvac/hvac#456 , hvac/hvac#454 , hvac/hvac#453, hvac/hvac#459. PR: hvac/hvac#457, https://github.com/hvac/hvac/pull/461/files

fixes for #129, #134

configuration idempotence fixes for hashivault_auth_method, hashivault_azure_secret_engine_config, and hashivault_azure_auth_config

[drewmullen]

shoot. thats going to fail until this is merged: hvac/hvac#459

this should be included in the 9.2 release

[drewmullen]

looks like the travis job was failing because of 4684e46 where i basically prefixed 3 modules with a _ which makes them still usable to ansible however they throw a deprecation warning. removing but would like to know if theres a way to do this still and pass the travis doc job

nvm. thats not why the doc job is failing...

[drewmullen]

@TerryHowe any advice on how to read the build issue travis is catching?

[TerryHowe]

We are still waiting on hvac 9.2 here, right? If you have changes not dependent on that, throw them in another PR if you like. Either way, thanks.

[drewmullen]

im fine waiting since most of this content will rely on 9.2 release. just trying to figure out why the travis job keeps failing on documentation (not functional testing)

i cant seem to find a true error message in the stdout

[drewmullen]

@TerryHowe not sure if im missing something but the output from the doc builder is garbage as far as i can tell. all these modules work so im in favor of disabling the test until we can tune it to get better output

hvac 9.2 was released saturday btw so once we get past this doc hurdle we should be good to release

[TerryHowe]

I'll look at the log issue sometime today

[TerryHowe]

Can't really hijack username and password, probably should be database_user and database_password or some such

[drewmullen]

ah. the userpass auth method...

[drewmullen]

so based on my understanding of the db engine... it may HAVE to hijack it https://www.vaultproject.io/docs/secrets/databases/index.html

username and password appear to be reserved words for the engine to interpolate

[drewmullen]

so what i will try is set the ansible param to db_username / db_password and after the client is authed, they will overwrite the values in desired state

[TerryHowe]

I'm wondering if the document problem is this should be named hashivault_secret_engine

[drewmullen]

this has got to be it. now that 9.2 is released i can enable to test too

[TerryHowe]

This desired_state isn't used and probably current_state should be set here

[drewmullen]

sadly didnt fix the doc issue. im looking into the python issue right now... weird because these work locally for me...

im wondering if its because my venv is 3.7.x

[drewmullen]

interesting... so 3.6 is the problem... trying an upgrade to 3.7 and we'll see what breaks...

[drewmullen]

okay so the new tests are enabled and passing.

validation.py", line 250, in check_required_if
    ValueError: too many values to unpack (expected 3)

the ansible engine didnt like how many values were in the required_one_of validator. 3.7 didnt have a problem with it but its not critical so i just removed it

docs are still failing though

[drewmullen]

@TerryHowe is there any way to get a better output or some kind of error message? ive probably spent more time on this than writing an entire other module

[TerryHowe]

I doubt you'd see more if you installed sphinx locally. All I'm seeing is this and it isn't clear if these errors are fatal:

/home/travis/build/TerryHowe/ansible-modules-hashivault/ansible-repo/ansible/docs/docsite/rst/modules/community_maintained.rst:44: WARNING: undefined label: hashivault_policy_set_from_file_module (if the link has no caption the label must precede a section header)
/home/travis/build/TerryHowe/ansible-modules-hashivault/ansible-repo/ansible/docs/docsite/rst/modules/community_maintained.rst:52: WARNING: undefined label: hashivault_secret_engine_module (if the link has no caption the label must precede a section header)
/home/travis/build/TerryHowe/ansible-modules-hashivault/ansible-repo/ansible/docs/docsite/rst/modules/list_of_all_modules.rst:44: WARNING: undefined label: hashivault_policy_set_from_file_module (if the link has no caption the label must precede a section header)
/home/travis/build/TerryHowe/ansible-modules-hashivault/ansible-repo/ansible/docs/docsite/rst/modules/list_of_all_modules.rst:52: WARNING: undefined label: hashivault_secret_engine_module (if the link has no caption the label must precede a section header)
/home/travis/build/TerryHowe/ansible-modules-hashivault/ansible-repo/ansible/docs/docsite/rst/modules/list_of_hashivault_modules.rst:44: WARNING: undefined label: hashivault_policy_set_from_file_module (if the link has no caption the label must precede a section header)
/home/travis/build/TerryHowe/ansible-modules-hashivault/ansible-repo/ansible/docs/docsite/rst/modules/list_of_hashivault_modules.rst:52: WARNING: undefined label: hashivault_secret_engine_module (if the link has no caption the label must precede a section header)

But the real fatal error which may or may not be caused by the above:

RecursionError: maximum recursion depth exceeded while calling a Python object

I'll kick a build with no change and see if it fails in case some other change is triggering the problem

[TerryHowe]

Build on master has the same problem, it is something else:

https://travis-ci.org/TerryHowe/ansible-modules-hashivault/jobs/543942010

[drewmullen]

that makes sense since my builds started failing 11 days ago and that was when the last PR was merged... hmm

[drewmullen]

@TerryHowe can we just disable the doc check? i get what youre going for with the tool but this seems to be more trouble than its worth. id also like to start using this code soon :D

[TerryHowe]

The last merge the docs built fine, so it is probably a change in ansible or sphinx that is causing the problem. I'm hoping I can get far enough on the $day_job today to see if I can fix that.

[drewmullen]

thank you for helping and taking a look

[TerryHowe]

I have been unable to reproduce the problem locally

[drewmullen]

I have been unable to reproduce the problem locally

thoughts on next steps?

[TerryHowe]

Created a makedoc.sh script to make it easier to test locally.

Created an issue #137

[TerryHowe]

It is still broken, but just because I'm ignoring the failure from make. I assume either ansible, sphinxx, or Travis changed and that is what is causing the problem.

[drewmullen]

@TerryHowe can you publish some notes on how to run the docs locally?

[TerryHowe]

On the master branch is a makedocs.sh script I extracted from the .travis.yml

[drewmullen]

thanks for clarifying. i saw your comment about that file but didnt see a PR so i missed the actual file.

yeah, its succeeding for me too... hmm build succeeded, 165 warnings.

[TerryHowe]

This document seems wrong to me like this should be a yaml dictionary rather than a string.

[drewmullen]

you talking about the default line? yeah, interestingly it works either way. when i first submitted the PR it was in standard {} format but after i started getting the sphinx issues i was messing with the format because i didnt know what was borking it.

i agree though, the doc example should show without the ", though it does work either way

[TerryHowe]

Should this really be gone?

[drewmullen]

so for some reason, python 36 and 27 fail on this line... something about "too many arguments". however, 37 it works... i removed it but left it for future re-integration. i probably should have included a note on that though

[TerryHowe]

required_together is actually the 4th arg, so I'm going to change this back.

[drewmullen]

thanks!

[TerryHowe]

Connect with me on https://www.linkedin.com/in/terrylhowe/ if you like

[TerryHowe]

Sorry it took me so long to get this merged, smaller PRs would help me so if I have a concern with X and doesn't stop Y getting in the code. Thanks!

[drewmullen]

yeah, no problem man. sorry i pushed a whole bunch at once lol... theres just a lot im trying to do atm and as i was writing some i found some issues and i just decided to resolve them

hopefully that wont happen again in the future

if you're interested, we should consider putting this into its own github org and i can help with maintenance! i was also considering asking you what you thought about making this into a new Ansible Collection. thats a new design pattern they provided but thats how they want users to manage their code going forward

[TerryHowe]

Yes, help with maintenance would be good. I'll have to look at the options, thanks!