pep8 compliance

Terry Howe 2019-03-26 17:03:23 -06:00
parent 3ca62f6886
commit 1a7c69dbc5
58 changed files with 418 additions and 328 deletions


@ -1,28 +1,27 @@
import os
import warnings
from hvac.exceptions import InvalidPath
import hvac
from ansible.module_utils.basic import AnsibleModule
import requests
from ansible.module_utils.basic import AnsibleModule
from hvac.exceptions import InvalidPath
def hashivault_argspec():
argument_spec = dict(
url = dict(required=False, default=os.environ.get('VAULT_ADDR', ''), type='str'),
ca_cert = dict(required=False, default=os.environ.get('VAULT_CACERT', ''), type='str'),
ca_path = dict(required=False, default=os.environ.get('VAULT_CAPATH', ''), type='str'),
client_cert = dict(required=False, default=os.environ.get('VAULT_CLIENT_CERT', ''), type='str'),
client_key = dict(required=False, default=os.environ.get('VAULT_CLIENT_KEY', ''), type='str'),
verify = dict(required=False, default=(not os.environ.get('VAULT_SKIP_VERIFY', '')), type='bool'),
authtype = dict(required=False, default=os.environ.get('VAULT_AUTHTYPE', 'token'), type='str'),
token = dict(required=False, default=hashivault_default_token(), type='str', no_log=True),
username = dict(required=False, default=os.environ.get('VAULT_USER', ''), type='str'),
password = dict(required=False, default=os.environ.get('VAULT_PASSWORD', ''), type='str', no_log=True),
role_id = dict(required=False, default=os.environ.get('VAULT_ROLE_ID', ''), type='str', no_log=True),
secret_id = dict(required=False, default=os.environ.get('VAULT_SECRET_ID', ''), type='str', no_log=True),
namespace = dict(required=False, default=os.environ.get('VAULT_NAMESPACE', None), type='str')
url=dict(required=False, default=os.environ.get('VAULT_ADDR', ''), type='str'),
ca_cert=dict(required=False, default=os.environ.get('VAULT_CACERT', ''), type='str'),
ca_path=dict(required=False, default=os.environ.get('VAULT_CAPATH', ''), type='str'),
client_cert=dict(required=False, default=os.environ.get('VAULT_CLIENT_CERT', ''), type='str'),
client_key=dict(required=False, default=os.environ.get('VAULT_CLIENT_KEY', ''), type='str'),
verify=dict(required=False, default=(not os.environ.get('VAULT_SKIP_VERIFY', '')), type='bool'),
authtype=dict(required=False, default=os.environ.get('VAULT_AUTHTYPE', 'token'), type='str'),
token=dict(required=False, default=hashivault_default_token(), type='str', no_log=True),
username=dict(required=False, default=os.environ.get('VAULT_USER', ''), type='str'),
password=dict(required=False, default=os.environ.get('VAULT_PASSWORD', ''), type='str', no_log=True),
role_id=dict(required=False, default=os.environ.get('VAULT_ROLE_ID', ''), type='str', no_log=True),
secret_id=dict(required=False, default=os.environ.get('VAULT_SECRET_ID', ''), type='str', no_log=True),
namespace=dict(required=False, default=os.environ.get('VAULT_NAMESPACE', None), type='str')
)
return argument_spec
@ -36,6 +35,7 @@ def get_ec2_iam_role():
request.raise_for_status()
return request.content
def get_ec2_iam_credentials():
role_name = get_ec2_iam_role()
metadata_url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/{role}'.format(
@ -46,6 +46,7 @@ def get_ec2_iam_credentials():
security_credentials = response.json()
return security_credentials
def hashivault_client(params):
url = params.get('url')
ca_cert = params.get('ca_cert')
@ -83,12 +84,13 @@ def hashivault_auth(client, params):
elif authtype == 'ldap':
client.auth.ldap.login(username, password)
elif authtype == 'approle':
client = AppRoleClient(client,role_id,secret_id)
client = AppRoleClient(client, role_id, secret_id)
elif authtype == 'tls':
client.auth_tls()
elif authtype == 'aws':
credentials = get_ec2_iam_credentials()
client.auth_aws_iam(credentials['AccessKeyId'], credentials['SecretAccessKey'], credentials['Token'], role=role_id)
client.auth_aws_iam(credentials['AccessKeyId'], credentials['SecretAccessKey'], credentials['Token'],
role=role_id)
else:
client.token = token
return client
@ -101,7 +103,7 @@ def hashivault_auth_client(params):
def hashiwrapper(function):
def wrapper(*args, **kwargs):
result = { "changed": False, "rc" : 0}
result = {"changed": False, "rc": 0}
try:
result.update(function(*args, **kwargs))
except Exception as e:
@ -125,7 +127,7 @@ def hashivault_default_token():
@hashiwrapper
def hashivault_read(params):
result = { "changed": False, "rc" : 0}
result = {"changed": False, "rc": 0}
client = hashivault_auth_client(params)
version = params.get('version')
mount_point = params.get('mount_point')
@ -168,7 +170,7 @@ def hashivault_read(params):
try:
data = response.get('data', {})
data = data.get('data', {})
except:
except Exception:
data = str(response)
else:
data = response['data']
@ -196,29 +198,27 @@ class AppRoleClient(object):
"""
def __init__(self, client, role_id, secret_id):
object.__setattr__(self,'client',client)
object.__setattr__(self,'role_id',role_id)
object.__setattr__(self,'secret_id',secret_id)
object.__setattr__(self, 'client', client)
object.__setattr__(self, 'role_id', role_id)
object.__setattr__(self, 'secret_id', secret_id)
def __setattr__(self,name,val):
def __setattr__(self, name, val):
"""
sets attribute in decorated class (Client)
"""
client = object.__getattribute__(self,'client')
client.__setattr__(name,val)
client = object.__getattribute__(self, 'client')
client.__setattr__(name, val)
def __getattribute__ (self,name):
def __getattribute__(self, name):
"""
generates and sets new approle token in decorated class (Client)
returns decorated class (Client) attribute
"""
client = object.__getattribute__(self,'client')
client = object.__getattribute__(self, 'client')
attr = client.__getattribute__(name)
role_id = object.__getattribute__(self,'role_id')
secret_id = object.__getattribute__(self,'secret_id')
resp = client.auth_approle(role_id,secret_id)
role_id = object.__getattribute__(self, 'role_id')
secret_id = object.__getattribute__(self, 'secret_id')
resp = client.auth_approle(role_id, secret_id)
client.token = str(resp['auth']['client_token'])
return attr
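Review bot: The `verify` default in `hashivault_argspec` is `not os.environ.get('VAULT_SKIP_VERIFY', '')`, so any non-empty value, including `false` or `0`, switches TLS certificate verification off for the Vault connection. The reformatted line keeps that behaviour unchanged. Parsing the value explicitly would avoid the surprise, for example `verify=dict(required=False, default=(os.environ.get('VAULT_SKIP_VERIFY', '').lower() not in ('1', 't', 'true')), type='bool'),`. The module option text elsewhere in this commit describes `verify` as "if set, do not verify", which appears to describe the environment variable rather than the parameter; how `hashivault_client` consumes the value is outside the visible hunks.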


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -119,7 +121,7 @@ def main():
@hashiwrapper
def hashivault_approle_role_create(params):
ARGS = [
args = [
'bind_secret_id',
'bound_cidr_list',
'secret_id_num_uses',
@ -136,7 +138,7 @@ def hashivault_approle_role_create(params):
kwargs = {
'policies': policies,
}
for arg in ARGS:
for arg in args:
value = params.get(arg)
if value is not None:
kwargs[arg] = value


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -24,7 +24,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -36,7 +37,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -24,7 +24,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -36,7 +37,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -24,7 +24,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -36,7 +37,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -97,7 +99,7 @@ def hashivault_audit_enable(params):
if path in backends and backends[path]["options"] == options:
return {'changed': False}
client.sys.enable_audit_device(name, description=description, options=options)
return {'changed': True }
return {'changed': True}
if __name__ == '__main__':


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -61,7 +63,7 @@ options:
- description of authenticator
mount_point:
description:
- location where this auth backend will be mounted
- location where this auth backend will be mounted
'''
EXAMPLES = '''
---


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -26,7 +26,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -38,7 +39,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -56,17 +58,17 @@ options:
description:
- password to login to vault.
default: to environment variable VAULT_PASSWORD
name:
description:
- role name.
bound_ami_id:
description:
- defines a constraint on the EC2 instances that can perform the login operation that they should be using the AMI ID specified
- "defines a constraint on the EC2 instances that can perform the login operation that they should be using\
the AMI ID specified"
bound_vpc_id:
description:
- defines a constraint on the EC2 instances that can perform the login operation that they be associated with the VPC ID that matches the value
- "defines a constraint on the EC2 instances that can perform the login operation that they be associated\
with the VPC ID that matches the value"
policies:
description:
- policies for the role.
@ -78,22 +80,26 @@ options:
- auth type permitted for this role. Valid choices are ec2 and iam
bound_account_id:
description:
- defines a constraint on the EC2 instances that can perform the login operation that they should be using the account ID
- "defines a constraint on the EC2 instances that can perform the login operation that they should be using\
the account ID"
bound_iam_instance_profile_arn:
description:
- defines a constraint on the EC2 instances that can perform the login operation that they must be associated with an IAM instance profile
- "defines a constraint on the EC2 instances that can perform the login operation that they must be\
associated with an IAM instance profile"
bound_iam_role_arn:
description:
- defines a constraint on the EC2 instances that can perform the login operation that they must match the IAM role ARN
- "defines a constraint on the EC2 instances that can perform the login operation that they must match the\
IAM role ARN"
bound_subnet_id:
description:
- defines a constraint on the EC2 instances that can perform the login operation that they be associated with the subnet ID
- "defines a constraint on the EC2 instances that can perform the login operation that they be associated\
with the subnet ID"
allow_instance_migration:
description:
- if set to true, allows migration of the underlying instance where the client resides.
disallow_reauthentication:
description:
- If set to true, only allows a single token to be granted per instance ID.
- If set to true, only allows a single token to be granted per instance ID.
resolve_aws_unique_ids:
description:
- If set to true, the bound_iam_principal_arn is resolved to an AWS Unique ID for the bound principal ARN.
@ -103,9 +109,6 @@ options:
token_ttl:
description:
- The TTL period of tokens issued using this role, provided as a number of seconds
'''
EXAMPLES = '''
---
@ -119,6 +122,7 @@ EXAMPLES = '''
bound_iam_role_arn: arn:aws:iam::12345678:root/ec2-role
'''
def main():
argspec = hashivault_argspec()
argspec['name'] = dict(required=True, type='str')
@ -148,7 +152,7 @@ def main():
@hashiwrapper
def hashivault_aws_ec2_role_create(params):
ARGS = [
args = [
'bound_ami_id',
'bound_vpc_id',
'inferred_entity_type',
@ -169,20 +173,21 @@ def hashivault_aws_ec2_role_create(params):
kwargs = {
'policies': policies,
}
for arg in ARGS:
for arg in args:
value = params.get(arg)
if value is not None:
kwargs[arg] = value
if not 'aws/' in client.sys.list_auth_methods().keys():
return { 'failed' : True , 'msg' : 'aws auth backend is not enabled', 'rc' : 1}
if 'aws/' not in client.sys.list_auth_methods().keys():
return {'failed': True, 'msg': 'aws auth backend is not enabled', 'rc': 1}
try:
if client.get_role(name, 'aws'):
return {'changed': False}
except InvalidPath:
client.create_role(name, mount_point='aws', **kwargs)
return {'changed': True}
if __name__ == '__main__':
main()
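Review bot: In `hashivault_aws_ec2_role_create` the case where `client.get_role(name, 'aws')` returns a falsy value without raising `InvalidPath` has no explicit handling: the `if` does not return and the `except` branch does not run. Indentation is lost in this view, so the final `return {'changed': True}` either belongs to the `except` branch (the function then returns None, which `hashiwrapper` hands to `result.update`) or sits at function level (the task reports a change although no role was created). An explicit `else` branch, or a comment such as `# get_role raises InvalidPath when the role does not exist`, would make the intended contract clear. The `.keys()` call in `'aws/' not in client.sys.list_auth_methods().keys()` is redundant for a dict membership test. The middle of the function lies between hunks and is not visible here.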


@ -27,7 +27,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -39,7 +40,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -93,7 +95,7 @@ def main():
@hashiwrapper
def hashivault_delete(params):
result = { "changed": False, "rc" : 0}
result = {"changed": False, "rc": 0}
client = hashivault_auth_client(params)
version = params.get('version')
mount_point = params.get('mount_point')


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -77,9 +79,10 @@ def hashivault_generate_root_cancel(params):
client = hashivault_client(params)
# Check if generate_root is on-going & return when generate_root not in progress
status = client.generate_root_status
if not status['started']:
if not status['started']:
return {'changed': False}
return {'status': client.cancel_generate_root(), 'changed': True}
if __name__ == '__main__':
main()


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -74,6 +76,7 @@ EXAMPLES = '''
pgp_key: key
'''
def main():
argspec = hashivault_argspec()
argspec['pgp_key'] = dict(required=False, type='str', default='')
@ -90,10 +93,11 @@ def hashivault_generate_root_init(params):
client = hashivault_client(params)
# Check if rekey is on-going
status = client.generate_root_status
if status['started']:
if status['started']:
return {'changed': False}
pgp = params.get('pgp_key')
return {'status': client.start_generate_root(pgp, otp=False), 'changed': True}
if __name__ == '__main__':
main()


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -61,6 +63,7 @@ EXAMPLES = '''
- hashivault_generate_root_status:
'''
def main():
argspec = hashivault_argspec()
module = hashivault_init(argspec)
@ -76,5 +79,6 @@ def hashivault_generate_root_status(params):
client = hashivault_client(params)
return {'status': client.generate_root_status}
if __name__ == '__main__':
main()


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -98,7 +100,8 @@ def main():
module.exit_json(**result)
def hashivault_identity_entity_update(entity_details, client, entity_id, entity_name, entity_metadata, entity_disabled, entity_policies ):
def hashivault_identity_entity_update(entity_details, client, entity_id, entity_name, entity_metadata, entity_disabled,
entity_policies):
if entity_metadata is None:
entity_metadata = entity_details['metadata']
if entity_policies is None:
@ -106,10 +109,8 @@ def hashivault_identity_entity_update(entity_details, client, entity_id, entity_
if entity_disabled is None:
entity_disabled = entity_details['disabled']
if entity_details['name'] != entity_name or \
entity_details['disabled'] != entity_disabled or \
entity_details['metadata'] != entity_metadata or \
set(entity_details['policies']) != set(entity_policies):
if entity_details['name'] != entity_name or entity_details['disabled'] != entity_disabled or \
entity_details['metadata'] != entity_metadata or set(entity_details['policies']) != set(entity_policies):
try:
client.secrets.identity.update_entity(
entity_id=entity_id,
@ -123,6 +124,7 @@ def hashivault_identity_entity_update(entity_details, client, entity_id, entity_
return {'changed': True}
return {'changed': False}
def hashivault_identity_entity_create_or_update(params):
client = hashivault_auth_client(params)
entity_name = params.get('name')
@ -136,13 +138,12 @@ def hashivault_identity_entity_create_or_update(params):
entity_details = client.secrets.identity.read_entity(entity_id=entity_id)
except Exception as e:
return {'failed': True, 'msg': str(e)}
return hashivault_identity_entity_update(entity_details['data'], client,
entity_name, entity_id, entity_metadata, entity_disabled,
entity_policies)
return hashivault_identity_entity_update(entity_details['data'], client, entity_name, entity_id,
entity_metadata, entity_disabled, entity_policies)
elif entity_name is not None:
try:
entity_details = client.secrets.identity.read_entity_by_name(name=entity_name)
except:
except Exception:
response = client.secrets.identity.create_or_update_entity_by_name(
name=entity_name,
metadata=entity_metadata,
@ -150,12 +151,10 @@ def hashivault_identity_entity_create_or_update(params):
disabled=entity_disabled
)
return {'changed': True, 'data': response['data']}
return hashivault_identity_entity_update(entity_details['data'], client,
entity_name=entity_name,
entity_id=entity_details['data']['id'],
entity_metadata=entity_metadata,
entity_disabled=entity_disabled,
entity_policies=entity_policies)
return hashivault_identity_entity_update(entity_details['data'], client, entity_name=entity_name,
entity_id=entity_details['data']['id'],
entity_metadata=entity_metadata,
entity_disabled=entity_disabled, entity_policies=entity_policies)
return {'failed': True, 'msg': "Either name or id must be provided"}
@ -167,19 +166,20 @@ def hashivault_identity_entity_delete(params):
if entity_id is not None:
try:
client.secrets.identity.read_entity(entity_id=entity_id)
except:
except Exception:
return {'changed': False}
client.secrets.identity.delete_entity(entity_id=entity_id)
return {'changed': True}
elif entity_name is not None:
try:
client.secrets.identity.read_entity_by_name(name=entity_name)
except:
except Exception:
return {'changed': False}
client.secrets.identity.delete_entity_by_name(name=entity_name)
return {'changed': True}
return {'failed': True, 'msg': "Either name or id must be provided"}
@hashiwrapper
def hashivault_identity_entity(params):
state = params.get('state')
@ -190,5 +190,6 @@ def hashivault_identity_entity(params):
else:
return {'failed': True, 'msg': 'Unknown state'}
if __name__ == '__main__':
main()
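Review bot: In `hashivault_identity_entity_create_or_update`, the rewrapped call on the id branch still passes `entity_name, entity_id` positionally, while `hashivault_identity_entity_update` is declared as `(entity_details, client, entity_id, entity_name, ...)`, so the two values arrive swapped. With an id supplied, the name comparison is then made against the id and `update_entity(entity_id=...)` appears to receive the name; the rest of that call is outside the hunk, so this is inferred from the visible lines. Passing keywords, as the by-name branch already does, removes the ordering risk: `return hashivault_identity_entity_update(entity_details['data'], client, entity_id=entity_id, entity_name=entity_name,` followed by `entity_metadata=entity_metadata, entity_disabled=entity_disabled, entity_policies=entity_policies)`.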


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -100,86 +102,71 @@ def main():
def hashivault_identity_entity_alias_update(client, alias_id, alias_name, canonical_id, mount_accessor):
try:
alias_details = client.secrets.identity.read_entity_alias(
alias_id=alias_id
)
alias_details = client.secrets.identity.read_entity_alias(alias_id=alias_id)
except Exception as e:
return {'failed': True, 'msg': str(e)}
else:
if alias_details['data']['canonical_id'] == canonical_id:
return {'changed': False}
else:
try:
client.secrets.identity.update_entity_alias(
alias_id=alias_id,
name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor
)
except Exception as e:
return {'failed': True, 'msg': str(e)}
else:
return {'changed': True}
if alias_details['data']['canonical_id'] == canonical_id:
return {'changed': False}
try:
client.secrets.identity.update_entity_alias(
alias_id=alias_id,
name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor
)
except Exception as e:
return {'failed': True, 'msg': str(e)}
return {'changed': True}
def hashivault_identity_entity_alias_create(client, alias_name, canonical_id, mount_accessor):
try:
list_of_aliases = client.secrets.identity.list_entity_aliases()
except Exception as e:
except Exception:
try:
alias_details = client.secrets.identity.create_or_update_entity_alias(
name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor
)
name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor
)
except Exception as e:
return {'failed': True, 'msg': str(e)}
else:
return {'changed': True, 'data': alias_details['data']}
return {'changed': True, 'data': alias_details['data']}
for key, value in dict(list_of_aliases['data']['key_info']).items():
if value['mount_accessor'] == mount_accessor and value['name'] == alias_name:
return hashivault_identity_entity_alias_update(client, alias_id=key, alias_name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor)
else:
for key, value in dict(list_of_aliases['data']['key_info']).items():
if value['mount_accessor'] == mount_accessor and \
value['name'] == alias_name :
return hashivault_identity_entity_alias_update(client,
alias_id=key,
alias_name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor
)
else:
try:
alias_details = client.secrets.identity.create_or_update_entity_alias(
name=alias_name,
canonical_id=canonical_id,
mount_accessor=mount_accessor
)
except Exception as e:
return {'failed': True, 'msg': str(e)}
else:
return {'changed': True}
try:
client.secrets.identity.create_or_update_entity_alias(name=alias_name, canonical_id=canonical_id,
mount_accessor=mount_accessor)
except Exception as e:
return {'failed': True, 'msg': str(e)}
return {'changed': True}
def hashivault_identity_entity_alias_delete(client, alias_id, alias_name, mount_accessor, canonical_id):
try:
list_of_aliases = client.secrets.identity.list_entity_aliases()
except Exception as e:
except Exception:
return {'changed': False}
else:
if alias_id is not None:
if alias_id not in list_of_aliases['data']['keys']:
return {'changed': False}
else:
client.secrets.identity.delete_entity_alias(alias_id=alias_id)
return {'changed': True}
client.secrets.identity.delete_entity_alias(alias_id=alias_id)
return {'changed': True}
elif alias_name is not None:
for key, value in dict(list_of_aliases['data']['key_info']).items():
if value['mount_accessor'] == mount_accessor and \
value['name'] == alias_name and \
value['canonical_id'] == canonical_id:
if value['mount_accessor'] == mount_accessor and \
value['name'] == alias_name and \
value['canonical_id'] == canonical_id:
client.secrets.identity.delete_entity_alias(alias_id=key)
return {'changed': True}
else:
return {'changed': False}
else:
return {'failed': True, 'msg': 'Either alias_id or name must be provided'}
return {'changed': False}
return {'failed': True, 'msg': 'Either alias_id or name must be provided'}
@hashiwrapper
def hashivault_identity_entity_alias(params):
@ -197,7 +184,7 @@ def hashivault_identity_entity_alias(params):
auth_method_details = client.read(path="/sys/auth/")
try:
mount_accessor = auth_method_details['data'][authtype + "/"]['accessor']
except:
except Exception:
return {'failed': True, 'msg': 'Auth method %s not found. Use mount_accessor?' % authtype}
# Get canonical_id if not provided
@ -209,35 +196,24 @@ def hashivault_identity_entity_alias(params):
entity_details = client.secrets.identity.read_entity_by_name(
name=entity_name
)
except Exception as e:
except Exception:
return {'failed': True, 'msg': 'No entity with name %s' % entity_name}
canonical_id = entity_details['data']['id']
if state == 'present':
if alias_id is not None:
return hashivault_identity_entity_alias_update(client,
alias_id=alias_id,
alias_name=alias_name,
mount_accessor=mount_accessor,
canonical_id=canonical_id
)
return hashivault_identity_entity_alias_update(client, alias_id=alias_id, alias_name=alias_name,
mount_accessor=mount_accessor, canonical_id=canonical_id)
elif alias_name is not None:
return hashivault_identity_entity_alias_create(client,
alias_name=alias_name,
mount_accessor=mount_accessor,
canonical_id=canonical_id
)
return hashivault_identity_entity_alias_create(client, alias_name=alias_name, mount_accessor=mount_accessor,
canonical_id=canonical_id)
else:
return {'failed': True, 'msg': 'Either alias_id or name must be provided'}
elif state == 'absent':
return hashivault_identity_entity_alias_delete(client,
alias_id=alias_id,
alias_name=alias_name,
mount_accessor=mount_accessor,
canonical_id=canonical_id
)
else:
return {'failed': True, 'msg': 'Unknown state'}
return hashivault_identity_entity_alias_delete(client, alias_id=alias_id, alias_name=alias_name,
mount_accessor=mount_accessor, canonical_id=canonical_id)
return {'failed': True, 'msg': 'Unknown state'}
if __name__ == '__main__':
main()
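Review bot: `hashivault_identity_entity_alias_delete` returns `{'changed': False}` for any exception from `list_entity_aliases()`, so a denied or failed request is reported the same as "nothing to delete" and the alias stays in place while the task succeeds. `hashivault_identity_entity_alias_create` has the same shape: any listing failure falls through to `create_or_update_entity_alias`. Narrowing `except Exception:` to what is presumably the intended not-found case, e.g. `except InvalidPath:` from `hvac.exceptions`, and returning `{'failed': True, 'msg': str(e)}` for everything else would keep permission and transport errors visible. Whether this file already imports `InvalidPath` is not visible in the hunks.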


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -123,7 +125,7 @@ def hashivault_initialize(params):
client = hashivault_client(params)
if client.sys.is_initialized():
return {'changed': False}
result = {'changed': True}
result = {'changed': True}
secret_shares = params.get('secret_shares')
secret_threshold = params.get('secret_threshold')
pgp_keys = params.get('pgp_keys')
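Review bot: The rewrapped `verify` description still reads "if set, do not verify presented TLS certificate", which is the opposite of how the option is declared: the shared argspec defaults `verify` to `not os.environ.get('VAULT_SKIP_VERIFY', '')` as a bool, so a true value looks like it means verification is on. Someone following the text could set `verify: false` believing it enables checking. Suggested wording: `"if false, do not verify the presented TLS certificate before communicating with the Vault server : disabling verification is not recommended except during testing"` with `default: true unless environment variable VAULT_SKIP_VERIFY is set`; how the client consumes `verify` is outside this page, so confirm before changing. The same description appears in the `verify` hunk of the other module sections of this commit.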


@ -28,7 +28,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -40,7 +41,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -103,7 +105,8 @@ def hashivault_mount_tune(module):
changed = True
if not module.check_mode:
client.sys.tune_mount_configuration(mount_point, default_lease_ttl=default_lease_ttl, max_lease_ttl=max_lease_ttl)
client.sys.tune_mount_configuration(mount_point, default_lease_ttl=default_lease_ttl,
max_lease_ttl=max_lease_ttl)
return {'changed': changed}


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -85,8 +87,8 @@ def hashivault_policy_get(params):
client = hashivault_auth_client(params)
policy = client.get_policy(name)
if policy is None:
result = { "changed": False, "rc" : 1, "failed": True}
result['msg'] = u"Policy \"%s\" does not exist." % (name)
result = {"changed": False, "rc": 1, "failed": True}
result['msg'] = u"Policy \"%s\" does not exist." % name
return result
else:
return {'rules': policy}


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -7,7 +7,8 @@ module: hashivault_read_to_file
version_added: "3.8.3"
short_description: Hashicorp Vault read module
description:
- Reads and deocdes a base64 encoded file from Hashicorp Vault and saves it to disk. Implementation in `/plugins/action/hashivault_read_to_file.py`.
- "Reads and deocdes a base64 encoded file from Hashicorp Vault and saves it to disk. Implementation in\
`/plugins/action/hashivault_read_to_file.py`."
options:
url:
description:
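Review bot: The wrapped description ends its first line with a backslash inside a double-quoted YAML scalar, unlike the other wrapped descriptions in this commit, which simply break the line. If the enclosing Python string is not raw, the backslash-newline is removed by Python and the next line's indentation ends up inside the text; if it is raw, YAML drops the escaped break together with the leading whitespace and joins `in` to the backtick path with no space. Dropping the trailing `\` lets YAML fold the break into a single space. The `orphan` and `period` descriptions in the later token section use the same backslash wrap, and the string's opening quotes are outside the hunk.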


@ -24,7 +24,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -36,7 +37,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -78,7 +80,7 @@ def hashivault_rekey_cancel(params):
client = hashivault_client(params)
# Check if rekey is on-going & return when rekey not in progress
status = client.rekey_status
if not status['started']:
if not status['started']:
return {'changed': False}
return {'status': client.sys.cancel_rekey().ok, 'changed': True}


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -95,7 +97,7 @@ def hashivault_rekey_init(params):
client = hashivault_client(params)
# Check if rekey is on-going, exit if there is a rekey in progress
status = client.rekey_status
if status['started']:
if status['started']:
return {'changed': False}
secret_shares = params.get('secret_shares')
secret_threshold = params.get('secret_threshold')


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -62,6 +64,7 @@ EXAMPLES = '''
register: "vault_rekey_status"
'''
def main():
argspec = hashivault_argspec()
module = hashivault_init(argspec)


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -89,13 +91,15 @@ options:
- Indicates that the response should be wrapped in a cubbyhole token with the requested TTL.
orphan:
description:
- If specified, the token will have no parent. Only This prevents the new token from being revoked with your token.
- "If specified, the token will have no parent. Only This prevents the new token from being revoked with\
your token."
renewable:
description:
- Whether or not the token is renewable to extend its TTL up to Vault's configured maximum TTL for tokens
period:
description:
- If specified, every renewal will use the given period. Periodic tokens do not expire (unless explicit_max_ttl is also provided).
- "If specified, every renewal will use the given period. Periodic tokens do not expire (unless\
explicit_max_ttl is also provided)."
explicit_max_ttl:
description:
- An explicit maximum lifetime for the token


@ -1,7 +1,4 @@
#!/usr/bin/env python
import warnings
import hvac
from ansible.module_utils.hashivault import hashivault_argspec
from ansible.module_utils.hashivault import hashivault_auth_client
@ -27,7 +24,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -39,7 +37,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -59,7 +61,8 @@ options:
default: to authentication token
increment:
description:
- Request a specific increment for renewal. Vault is not required to honor this request. If not supplied, Vault will use the default TTL.
- "Request a specific increment for renewal. Vault is not required to honor this request. If not supplied,\
Vault will use the default TTL."
wrap_ttl:
description:
- Indicates that the response should be wrapped in a cubbyhole token with the requested TTL.
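Review bot: The rewrapped `increment` description ends its first line with a backslash (`... If not supplied,\`), unlike the `ca_path` and `verify` descriptions in the same section, which wrap with a plain line break inside the quotes. A plain break inside a double-quoted YAML scalar folds to a single space. A backslash-newline is instead consumed either by Python (if the documentation string is not a raw string) or by YAML as an escaped line break, so the rendered text probably ends up with run-together words or embedded indentation; which of the two cannot be seen from this page. Dropping the trailing backslash so the line ends at `If not supplied,` would match the other wrapped entries.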


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -102,12 +104,8 @@ def main():
module.exit_json(**result)
def hashivault_userpass_update(client, user_details,
user_name,
user_pass,
user_pass_update,
user_policies,
mount_point):
def hashivault_userpass_update(client, user_details, user_name, user_pass, user_pass_update, user_policies,
mount_point):
if set(user_details['data']['policies']) != set(user_policies):
if user_pass_update and user_pass is not None:
client.create_userpass(user_name, user_pass, user_policies, mount_point=mount_point)
@ -133,23 +131,20 @@ def hashivault_userpass(params):
if state == 'present':
try:
user_details = client.read_userpass(name, mount_point=mount_point)
except Exception as e:
except Exception:
if password is not None:
client.create_userpass(name, password, policies)
return {'changed': True}
else:
return {'failed': True, 'msg': 'pass must be provided for new users'}
else:
return hashivault_userpass_update(client, user_details,
user_name=name,
user_pass=password,
user_pass_update=password_update,
user_policies=policies,
mount_point=mount_point)
return hashivault_userpass_update(client, user_details, user_name=name, user_pass=password,
user_pass_update=password_update, user_policies=policies,
mount_point=mount_point)
elif state == 'absent':
try:
user_details = client.read_userpass(name, mount_point=mount_point)
except Exception as e:
client.read_userpass(name, mount_point=mount_point)
except Exception:
return {'changed': False}
else:
client.delete_userpass(name, mount_point=mount_point)
@ -159,4 +154,4 @@ def hashivault_userpass(params):
if __name__ == '__main__':
main()
main()
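Review bot: In `hashivault_userpass`, the `state == 'present'` branch reads the user with `mount_point=mount_point` but creates it with `client.create_userpass(name, password, policies)`, so a new user appears to land on the client's default userpass mount rather than the requested one. `client.create_userpass(name, password, policies, mount_point=mount_point)` would match the call in `hashivault_userpass_update`. Both `except Exception:` handlers also treat every failure of `read_userpass` (permission denied, network error, expired token) as "user does not exist", and in the `absent` branch that reports `changed: False` without deleting anything. Catching only the not-found error (hvac's `InvalidPath`, if that is what the client raises here) and letting the rest propagate would surface those failures. The function starts and ends outside the visible hunks.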


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:


@ -23,7 +23,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -35,7 +36,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -87,7 +89,7 @@ def hashivault_userpass_delete(params):
client = hashivault_auth_client(params)
username = params.get('name')
mount_point = params.get('mount_point')
client.delete_userpass(username, mount_point = mount_point)
client.delete_userpass(username, mount_point=mount_point)
return {'changed': True}


@ -27,7 +27,8 @@ options:
default: to environment variable VAULT_CACERT
ca_path:
description:
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert is specified, its value will take precedence"
- "path to a directory of PEM-encoded CA cert files to verify the Vault server TLS certificate : if ca_cert
is specified, its value will take precedence"
default: to environment variable VAULT_CAPATH
client_cert:
description:
@ -39,7 +40,8 @@ options:
default: to environment variable VAULT_CLIENT_KEY
verify:
description:
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this variable is not recommended except during testing"
- "if set, do not verify presented TLS certificate before communicating with Vault server : setting this
variable is not recommended except during testing"
default: to environment variable VAULT_SKIP_VERIFY
authtype:
description:
@ -195,7 +197,8 @@ def hashivault_write(module):
if not module.check_mode:
try:
if version == 2:
returned_data = client.secrets.kv.v2.create_or_update_secret(mount_point=mount_point, path=secret, secret=write_data)
returned_data = client.secrets.kv.v2.create_or_update_secret(mount_point=mount_point,
path=secret, secret=write_data)
else:
returned_data = client.write(secret_path, **write_data)
if returned_data:
@ -215,4 +218,4 @@ def hashivault_write(module):
if __name__ == '__main__':
main()
main()


@ -7,7 +7,8 @@ module: hashivault_write_from_file
version_added: "3.8.3"
short_description: Hashicorp Vault write file module
description:
- Writes a file encoded in base64 to Hashicorp Vault. Implementation in `/plugins/action/hashivault_write_from_file.py`.
- "Writes a file encoded in base64 to Hashicorp Vault. Implementation in
`/plugins/action/hashivault_write_from_file.py`."
options:
url:
description:


@ -10,16 +10,19 @@
########################################################################
import base64
import tempfile, os
import os
import tempfile
from ansible.playbook.play_context import PlayContext
from ansible.plugins.action import ActionBase
from ansible.utils.vars import merge_hash
from ansible.playbook.play_context import PlayContext
class ActionModule(ActionBase):
# load and return ansible copy action plugin
# copied from `ansible/plugins/action/template.py`
def _get_copy_action_plugin(self,connection):
def _get_copy_action_plugin(self, connection):
return (self._shared_loader_obj.action_loader.get(
'copy',
task=self._task.copy(),
@ -29,7 +32,6 @@ class ActionModule(ActionBase):
templar=self._templar,
shared_loader_obj=self._shared_loader_obj))
def run(self, tmp=None, task_vars=None):
if task_vars is None:
@ -39,15 +41,15 @@ class ActionModule(ActionBase):
args = self._task.args.copy()
dest = args.pop('dest',None)
mode = args.pop('mode',None)
force = args.pop('force',True)
dest = args.pop('dest', None)
mode = args.pop('mode', None)
force = args.pop('force', True)
become = self._play_context.become
become_method = self._play_context.become_method
old_connection = self._connection
self._connection = self._shared_loader_obj.connection_loader.get('local',PlayContext(),old_connection._new_stdin)
self._connection = self._shared_loader_obj.connection_loader.get('local', PlayContext(),
old_connection._new_stdin)
self._play_context.become = False
self._play_context.become_method = None
@ -57,30 +59,29 @@ class ActionModule(ActionBase):
self._execute_module(module_name='hashivault_read', tmp=tmp, task_vars=task_vars, module_args=args)
)
if 'failed' in results and results['failed'] == True:
if 'failed' in results and results['failed'] is True:
return results
content = results.pop('value',None)
content = results.pop('value', None)
if content == None:
if content is None:
results['failed'] = True
results['msg'] = u'Could not find file `%s` in secret `%s`'%(args['key'],args['secret'])
return(results)
results['msg'] = u'Could not find file `%s` in secret `%s`' % (args['key'], args['secret'])
return results
#write to temp file on ansible host to copy to remote host
# write to temp file on ansible host to copy to remote host
local_tmp = tempfile.NamedTemporaryFile(delete=False)
local_tmp.write(base64.b64decode(content))
local_tmp.close()
new_module_args = {
'dest':dest,
'src':local_tmp.name,
'force':force,
'mode':mode
'dest': dest,
'src': local_tmp.name,
'force': force,
'mode': mode,
}
self._update_module_args('copy',new_module_args,task_vars)
self._update_module_args('copy', new_module_args, task_vars)
# `copy` module uses an action plugin, so we have to execute
# the plugin instead of directly executing the module
@ -95,11 +96,11 @@ class ActionModule(ActionBase):
copy_action.run(task_vars=task_vars)
)
#remove temp file
# remove temp file
os.unlink(local_tmp.name)
if force == False and results['changed'] == False:
if force is False and results['changed'] is False:
results['failed'] = True
results['msg'] = u'File %s already exists. Use `force: true` to overwrite'%dest
results['msg'] = u'File %s already exists. Use `force: true` to overwrite' % dest
return(results)
return results
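Review bot: The decoded secret is written to a `NamedTemporaryFile(delete=False)` on the controller and removed only by the `os.unlink(local_tmp.name)` that follows the copy step, so an exception raised by the copy action leaves the plaintext secret on disk. Wrapping the write and copy in `try:` … `finally: os.unlink(local_tmp.name)` keeps the cleanup on every path. Part of `run` between the two hunks is not shown, so this assumes no other cleanup handler exists there.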


@ -12,6 +12,7 @@
from ansible.plugins.action import ActionBase
from ansible.utils.vars import merge_hash
class ActionModule(ActionBase):
def run(self, tmp=None, task_vars=None):
@ -23,13 +24,13 @@ class ActionModule(ActionBase):
args = self._task.args.copy()
key = args.pop('key',None)
path = args.pop('path',None)
key = args.pop('key', None)
path = args.pop('path', None)
new_module_args = {
'src':path
'src': path
}
self._update_module_args('slurp',new_module_args,task_vars)
self._update_module_args('slurp', new_module_args, task_vars)
results = merge_hash(
results,
@ -37,19 +38,19 @@ class ActionModule(ActionBase):
self._execute_module(module_name='slurp', tmp=tmp, task_vars=task_vars, module_args=new_module_args)
)
if 'failed' in results and results['failed'] == True:
return(results)
if 'failed' in results and results['failed'] is True:
return results
# already base64 encoded from slurp
content = results.pop('content',None)
content = results.pop('content', None)
self._play_context.become = False
self._play_context.become_method = None
self._connection = self._shared_loader_obj.connection_loader.get('local',self._play_context,self._connection._new_stdin)
args['data'] = { key:content }
self._connection = self._shared_loader_obj.connection_loader.get('local', self._play_context,
self._connection._new_stdin)
args['data'] = {key: content}
if 'update' not in args:
args['update'] = True
@ -61,4 +62,4 @@ class ActionModule(ActionBase):
results['invocation']['module_args']['data'] = 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER'
return(results)
return results
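Review bot: `key` and `path` are taken with `args.pop(..., None)` and used without a check, so a task that omits `key` builds `args['data'] = {None: content}` and presumably passes it on to the write step instead of failing with a clear message. A guard right after the two pops, e.g. `if key is None or path is None: return {'failed': True, 'msg': 'key and path are required'}`, would report the mistake before the remote file is read. The rest of `run` lies outside the visible hunks.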


@ -12,14 +12,12 @@
# The plugin can be run manually for testing:
# python ansible/plugins/lookup/hashivault.py ldapadmin password
#
import json
import os
import requests
import sys
import warnings
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible.module_utils.hashivault import (
hashivault_default_token,
hashivault_read,
@ -27,8 +25,8 @@ from ansible.module_utils.hashivault import (
class LookupModule(LookupBase):
def _get_environment(self, environments, name, default_value=None):
@staticmethod
def _get_environment(environments, name, default_value=None):
for env in environments:
if name in env:
return env.get(name)


@ -1,2 +1,5 @@
[metadata]
description-file = README.rst
[tool:pytest]
pep8maxlinelength = 120


@ -11,7 +11,7 @@ files = [
"ansible/modules/hashivault",
]
long_description=open('README.rst', 'r').read()
long_description = open('README.rst', 'r').read()
setup(
name='ansible-modules-hashivault',
@ -23,8 +23,9 @@ setup(
url='https://github.com/TerryHowe/ansible-modules-hashivault',
py_modules=py_files,
packages=files,
install_requires = [
install_requires=[
'ansible>=2.0.0',
'hvac>=0.7.0',
'requests',
],
)


@ -1,2 +1,3 @@
pep8==1.7.1
pytest-pep8==1.0.6
tox==3.7.0

10
tox.ini

@ -13,3 +13,13 @@ commands = bash -ex {toxinidir}/functional/run.sh
[testenv:venv]
commands = {posargs}
[testenv:pep8]
install_command = pip install {opts} {packages}
setenv =
VIRTUAL_ENV={envdir}
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_ALL=C
whitelist_externals = bash
commands = pytest --pep8