database secrets engine config #133
Merged
23 commits
3b31b19 include but disable db tests (drewmullen)
7261209 include idemp db config module (drewmullen)
e6c3914 init module (drewmullen)
d5b3d4d include but disable tests (drewmullen)
851ea04 enable tests (drewmullen)
bb3310d init module secret eng mgmt (drewmullen)
4684e46 deprecate nonconformative modules (drewmullen)
0d4725a disable test until hvac 9.2 is released (drewmullen)
8e25519 fix idempotence check for eng config (drewmullen)
2220906 fix idempotent checks az auth cfg (drewmullen)
9d17e88 revert deprecated name change, docs failing (drewmullen)
7fdd60e fix idempotence check for auth_method (drewmullen)
a283ca0 wip (drewmullen)
c892e4f nocows =1 by default (drewmullen)
79a8868 quoting docstring dictionaries (drewmullen)
225acfe default var causing doc job failure? (drewmullen)
0bd59ab replace non-problems with original changes (drewmullen)
d29a420 hvac 9.2 required (drewmullen)
de33a46 enable tests (drewmullen)
a8f02ff fix tests but remain disabled (drewmullen)
723f695 fix function name and un/pw vars (drewmullen)
41d0101 upgrade test framework to 3.7. hold breath" (drewmullen)
0fc7868 remove required check (drewmullen)
init module secret eng mgmt
wip
commit bb3310d0ddc7dbe17d7d651a0e35b77d988f53d0
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,176 @@ | ||
#!/usr/bin/env python | ||
from ansible.module_utils.hashivault import hashivault_argspec | ||
from ansible.module_utils.hashivault import hashivault_auth_client | ||
from ansible.module_utils.hashivault import hashivault_init | ||
from ansible.module_utils.hashivault import hashiwrapper | ||
|
||
DEFAULT_TTL = 2764800 | ||
ANSIBLE_METADATA = {'status': ['stableinterface'], 'supported_by': 'community', 'version': '1.1'} | ||
DOCUMENTATION = ''' | ||
--- | ||
module: hashivualt_secret_engine | ||
version_added: "3.17.8" | ||
short_description: Hashicorp Vault secret enable/disable module | ||
description: | ||
- Module to enable secret backends in Hashicorp Vault. | ||
options: | ||
url: | ||
description: | ||
- url for vault | ||
default: to environment variable VAULT_ADDR | ||
ca_cert: | ||
description: | ||
- "path to a PEM-encoded CA cert file to use to verify the Vault server TLS certificate" | ||
default: to environment variable VAULT_CACERT | ||
ca_path: | ||
description: | ||
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert | ||
is specified, its value will take precedence" | ||
default: to environment variable VAULT_CAPATH | ||
client_cert: | ||
description: | ||
- "path to a PEM-encoded client certificate for TLS authentication to the Vault server" | ||
default: to environment variable VAULT_CLIENT_CERT | ||
client_key: | ||
description: | ||
- "path to an unencrypted PEM-encoded private key matching the client certificate" | ||
default: to environment variable VAULT_CLIENT_KEY | ||
verify: | ||
description: | ||
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this | ||
variable is not recommended except during testing" | ||
default: to environment variable VAULT_SKIP_VERIFY | ||
authtype: | ||
description: | ||
- "authentication type to use: token, userpass, github, ldap, approle" | ||
default: token | ||
token: | ||
description: | ||
- token for vault | ||
default: to environment variable VAULT_TOKEN | ||
username: | ||
description: | ||
- username to login to vault. | ||
default: to environment variable VAULT_USER | ||
password: | ||
description: | ||
- password to login to vault. | ||
default: to environment variable VAULT_PASSWORD | ||
name: | ||
description: | ||
- name of secret backend | ||
backend: | ||
description: | ||
- type of secret backend | ||
description: | ||
description: | ||
- description of secret backend | ||
config: | ||
description: | ||
- config of secret backend | ||
default: {'default_lease_ttl': 2764800, 'max_lease_ttl': 2764800, 'force_no_cache': False} | ||
state: | ||
description: | ||
- state of secret backend | ||
choices: enabled, present, disabled, absent | ||
options: | ||
description: | ||
- Specifies mount type specific options that are passed to the backend. NOT included unless backend == kv | ||
''' | ||
EXAMPLES = ''' | ||
--- | ||
- hosts: localhost | ||
tasks: | ||
- hashivault_secret_engine: | ||
name: "ephemeral" | ||
backend: "generic" | ||
''' | ||
|
||
def main(): | ||
argspec = hashivault_argspec() | ||
argspec['name'] = dict(required=True, type='str') | ||
argspec['backend'] = dict(required=False, type='str', default='') | ||
argspec['description'] = dict(required=False, type='str') | ||
argspec['config'] = dict(required=False, type='dict', default={'default_lease_ttl': DEFAULT_TTL, 'max_lease_ttl': DEFAULT_TTL, 'force_no_cache': False}) | ||
argspec['state'] = dict(required=False, type='str', choices=['present', 'enabled', 'absent', 'disabled'], default='present') | ||
argspec['options'] = dict(required=False, type='dict', default={'version': '1'}) | ||
module = hashivault_init(argspec) | ||
result = hashivault_secret_enable(module) | ||
if result.get('failed'): | ||
module.fail_json(**result) | ||
else: | ||
module.exit_json(**result) | ||
|
||
|
||
@hashiwrapper | ||
def hashivault_secret_enable(module): | ||
params = module.params | ||
client = hashivault_auth_client(params) | ||
name = params.get('name') | ||
backend = params.get('backend') | ||
description = params.get('description') | ||
config = params.get('config') | ||
state = params.get('state') | ||
options = params.get('options') | ||
This desired_state isn't used and probably current_state should be set here |
||
desired_state = dict() | ||
exists = False | ||
changed = False | ||
|
||
if not backend: | ||
backend = name | ||
try: | ||
# does the mount exist already? | ||
current_state = client.sys.read_mount_configuration(path=name)['data'] | ||
exists = True | ||
except: | ||
# doesnt exist | ||
pass | ||
|
||
# doesnt exist and should or does exist and shouldnt | ||
if (exists and state == 'absent') or (exists and state == 'disabled') or (not exists and state == 'present') or (not exists and state == 'enabled'): | ||
changed = True | ||
|
||
# want to exist so we'll check current state against desired state | ||
if not changed and (state == 'present' or state == 'enabled'): | ||
# verify config has ['default_lease_ttl: DEFAULT_TTL', 'max_lease_ttl: DEFAULT_TTL, 'force_no_cache': False'] | ||
if 'default_lease_ttl' not in config: | ||
config['default_lease_ttl'] = DEFAULT_TTL | ||
if 'max_lease_ttl' not in config: | ||
config['max_lease_ttl'] = DEFAULT_TTL | ||
if 'force_no_cache' not in config: | ||
config['force_no_cache'] = False | ||
|
||
for k, v in current_state.items(): #while not changed? | ||
# options is passed in ['data'] but set outside 'config':{}, manually check | ||
if k == 'options': | ||
if v != options: | ||
changed = True | ||
elif v != config[k]: | ||
changed = True | ||
|
||
# make changes! | ||
# only pass 'options' when working on a kv backend | ||
|
||
# doesnt exist and should | ||
if changed and not exists and (state == 'present' or state == 'enabled') and not module.check_mode: | ||
if backend == 'kv': | ||
client.sys.enable_secrets_engine(backend, description=description, path=name, config=config, options=options) | ||
else: | ||
client.sys.enable_secrets_engine(backend, description=description, path=name, config=config) | ||
|
||
# needs to be updated | ||
elif changed and exists and (state == 'present' or state == 'enabled') and not module.check_mode: | ||
if backend == 'kv': | ||
client.sys.tune_mount_configuration(description=description, path=name, options=options, **config) | ||
else: | ||
client.sys.tune_mount_configuration(description=description, path=name, **config) | ||
|
||
# exists and shouldnt | ||
elif changed and (state == 'absent' or state == 'disabled') and not module.check_mode: | ||
client.sys.disable_secrets_engine(path=name) | ||
|
||
return {'changed': changed} | ||
|
||
|
||
if __name__ == '__main__': | ||
main() |
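Review bot: the bare `except:` around `client.sys.read_mount_configuration(path=name)` turns every failure (an unreachable Vault, an expired token, a policy that denies reading `sys/mounts`) into "mount does not exist", so with `state: present` a transient error makes the module report `changed` and call `enable_secrets_engine` against a path that may already be mounted; catch only the not-found case (hvac raises `hvac.exceptions.InvalidPath` for a missing path) and let other exceptions surface as a failure. In the comparison loop, `config[k]` is indexed for every key Vault returns in `current_state`, so any key beyond the three defaults and `options` raises `KeyError` instead of being compared; `config.get(k)` or iterating over `config.items()` would be safer, and `description` is never compared, so a changed description cannot trigger a tune. `desired_state` is assigned and never read. Finally, `module: hashivualt_secret_engine` in DOCUMENTATION is misspelled relative to the task name `hashivault_secret_engine` used in EXAMPLES.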
I'm wondering if the document problem is this should be named hashivault_secret_engine
This has got to be it. Now that 9.2 is released I can enable the test too.