1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/lookup/credstash.py

147 lines
4.8 KiB
Python
Raw Normal View History

2021-08-07 15:02:21 +02:00
# -*- coding: utf-8 -*-
# Copyright (c) 2015, Ensighten <infra@ensighten.com>
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
2020-03-09 10:11:07 +01:00
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = '''
author: Unknown (!UNKNOWN)
2021-01-12 07:12:03 +01:00
name: credstash
2020-03-09 10:11:07 +01:00
short_description: retrieve secrets from Credstash on AWS
requirements:
- credstash (python library)
description:
- "Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/fugue/credstash"
options:
_terms:
description: term or list of terms to lookup in the credit store
type: list
2022-03-14 20:56:27 +01:00
elements: string
required: true
2020-03-09 10:11:07 +01:00
table:
description: name of the credstash table to query
type: str
2020-03-09 10:11:07 +01:00
default: 'credential-store'
version:
description: Credstash version
type: str
default: ''
2020-03-09 10:11:07 +01:00
region:
description: AWS region
type: str
2020-03-09 10:11:07 +01:00
profile_name:
description: AWS profile to use for authentication
type: str
2020-03-09 10:11:07 +01:00
env:
- name: AWS_PROFILE
aws_access_key_id:
description: AWS access key ID
type: str
2020-03-09 10:11:07 +01:00
env:
- name: AWS_ACCESS_KEY_ID
aws_secret_access_key:
description: AWS access key
type: str
2020-03-09 10:11:07 +01:00
env:
- name: AWS_SECRET_ACCESS_KEY
aws_session_token:
description: AWS session token
type: str
2020-03-09 10:11:07 +01:00
env:
- name: AWS_SESSION_TOKEN
'''
EXAMPLES = """
- name: first use credstash to store your secrets
ansible.builtin.shell: credstash put my-github-password secure123
2020-03-09 10:11:07 +01:00
- name: "Test credstash lookup plugin -- get my github password"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"
2020-03-09 10:11:07 +01:00
- name: "Test credstash lookup plugin -- get my other password from us-west-1"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"
2020-03-09 10:11:07 +01:00
- name: "Test credstash lookup plugin -- get the company's github password"
ansible.builtin.debug:
msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"
2020-03-09 10:11:07 +01:00
- name: Example play using the 'context' feature
hosts: localhost
vars:
context:
app: my_app
environment: production
tasks:
- name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
ansible.builtin.debug:
msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"
2020-03-09 10:11:07 +01:00
- name: "Test credstash lookup plugin -- get the password with a context defined here"
ansible.builtin.debug:
msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
2020-03-09 10:11:07 +01:00
"""
RETURN = """
_raw:
description:
- Value(s) stored in Credstash.
type: str
2020-03-09 10:11:07 +01:00
"""
import os
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
CREDSTASH_INSTALLED = False
try:
import credstash
CREDSTASH_INSTALLED = True
except ImportError:
CREDSTASH_INSTALLED = False
class LookupModule(LookupBase):
def run(self, terms, variables=None, **kwargs):
2020-03-09 10:11:07 +01:00
if not CREDSTASH_INSTALLED:
raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
self.set_options(var_options=variables, direct=kwargs)
version = self.get_option('version')
region = self.get_option('region')
table = self.get_option('table')
profile_name = self.get_option('profile_name')
aws_access_key_id = self.get_option('aws_access_key_id')
aws_secret_access_key = self.get_option('aws_secret_access_key')
aws_session_token = self.get_option('aws_session_token')
context = dict(
(k, v) for k, v in kwargs.items()
if k not in ('version', 'region', 'table', 'profile_name', 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token')
)
kwargs_pass = {
'profile_name': profile_name,
'aws_access_key_id': aws_access_key_id,
'aws_secret_access_key': aws_secret_access_key,
'aws_session_token': aws_session_token,
}
2020-03-09 10:11:07 +01:00
ret = []
for term in terms:
try:
ret.append(credstash.getSecret(term, version, region, table, context=context, **kwargs_pass))
2020-03-09 10:11:07 +01:00
except credstash.ItemNotFound:
raise AnsibleError('Key {0} not found'.format(term))
except Exception as e:
raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e))
return ret