mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Az mod keyvault key (#33607)
* key module init * Create/Delete pass sanity * Integration tests passed * Added check_mode * Updated to support tags * updated key tests * fixed sanity * added things that went missing during rebase * fixed sanity * fixed doc * fix copyright
This commit is contained in:
parent
c9e0ce1d7d
commit
11382fac7a
4 changed files with 352 additions and 0 deletions
278
lib/ansible/modules/cloud/azure/azure_rm_keyvaultkey.py
Normal file
278
lib/ansible/modules/cloud/azure/azure_rm_keyvaultkey.py
Normal file
|
@ -0,0 +1,278 @@
|
|||
#!/usr/bin/python
|
||||
# Copyright: Ansible Project
|
||||
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||
|
||||
from __future__ import absolute_import, division, print_function
|
||||
__metaclass__ = type
|
||||
|
||||
|
||||
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||
'status': ['preview'],
|
||||
'supported_by': 'community'}
|
||||
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: azure_rm_keyvaultkey
|
||||
version_added: 2.5
|
||||
short_description: Use Azure KeyVault keys.
|
||||
description:
|
||||
- Create or delete a key within a given keyvault. By using Key Vault, you can encrypt
|
||||
keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords).
|
||||
options:
|
||||
keyvault_uri:
|
||||
description:
|
||||
- URI of the keyvault endpoint.
|
||||
required: true
|
||||
key_name:
|
||||
description:
|
||||
- Name of the keyvault key.
|
||||
required: true
|
||||
byok_file:
|
||||
description:
|
||||
- BYOK file.
|
||||
pem_file:
|
||||
description:
|
||||
- PEM file.
|
||||
pem_password:
|
||||
description:
|
||||
- PEM password.
|
||||
state:
|
||||
description:
|
||||
- Assert the state of the key. Use 'present' to create a key and
|
||||
'absent' to delete a key.
|
||||
required: false
|
||||
default: present
|
||||
choices:
|
||||
- absent
|
||||
- present
|
||||
|
||||
extends_documentation_fragment:
|
||||
- azure
|
||||
- azure_tags
|
||||
|
||||
author:
|
||||
- "Ian Philpot (@tripdubroot)"
|
||||
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
- name: Create a key
|
||||
azure_rm_keyvaultkey:
|
||||
key_name: MyKey
|
||||
keyvault_uri: https://contoso.vault.azure.net/
|
||||
|
||||
- name: Delete a key
|
||||
azure_rm_keyvaultkey:
|
||||
key_name: MyKey
|
||||
keyvault_uri: https://contoso.vault.azure.net/
|
||||
state: absent
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
state:
|
||||
description: Current state of the key.
|
||||
returned: success
|
||||
type: complex
|
||||
contains:
|
||||
key_id:
|
||||
description: key resource path.
|
||||
type: str
|
||||
example: https://contoso.vault.azure.net/keys/hello/e924f053839f4431b35bc54393f98423
|
||||
'''
|
||||
|
||||
from ansible.module_utils.azure_rm_common import AzureRMModuleBase
|
||||
|
||||
try:
|
||||
import re
|
||||
import codecs
|
||||
from azure.keyvault import KeyVaultClient, KeyVaultId
|
||||
from azure.keyvault.models import KeyAttributes, JsonWebKey
|
||||
from azure.common.credentials import ServicePrincipalCredentials
|
||||
from azure.keyvault.models.key_vault_error import KeyVaultErrorException
|
||||
from OpenSSL import crypto
|
||||
except ImportError:
|
||||
# This is handled in azure_rm_common
|
||||
pass
|
||||
|
||||
|
||||
class AzureRMKeyVaultKey(AzureRMModuleBase):
|
||||
''' Module that creates or deletes keys in Azure KeyVault '''
|
||||
|
||||
def __init__(self):
|
||||
|
||||
self.module_arg_spec = dict(
|
||||
key_name=dict(type='str', required=True),
|
||||
keyvault_uri=dict(type='str', required=True),
|
||||
pem_file=dict(type='str'),
|
||||
pem_password=dict(type='str'),
|
||||
byok_file=dict(type='str'),
|
||||
state=dict(type='str', default='present', choices=['present', 'absent'])
|
||||
)
|
||||
|
||||
self.results = dict(
|
||||
changed=False,
|
||||
state=dict()
|
||||
)
|
||||
|
||||
self.key_name = None
|
||||
self.keyvault_uri = None
|
||||
self.pem_file = None
|
||||
self.pem_password = None
|
||||
self.state = None
|
||||
self.client = None
|
||||
self.tags = None
|
||||
|
||||
required_if = [
|
||||
('pem_password', 'present', ['pem_file'])
|
||||
]
|
||||
|
||||
super(AzureRMKeyVaultKey, self).__init__(self.module_arg_spec,
|
||||
supports_check_mode=True,
|
||||
required_if=required_if,
|
||||
supports_tags=True)
|
||||
|
||||
def exec_module(self, **kwargs):
|
||||
|
||||
for key in list(self.module_arg_spec.keys()) + ['tags']:
|
||||
setattr(self, key, kwargs[key])
|
||||
|
||||
# Create KeyVaultClient
|
||||
self.client = KeyVaultClient(self.azure_credentials)
|
||||
|
||||
results = dict()
|
||||
changed = False
|
||||
|
||||
try:
|
||||
results['key_id'] = self.get_key(self.key_name)
|
||||
|
||||
# Key exists and will be deleted
|
||||
if self.state == 'absent':
|
||||
changed = True
|
||||
|
||||
except KeyVaultErrorException:
|
||||
# Key doesn't exist
|
||||
if self.state == 'present':
|
||||
changed = True
|
||||
|
||||
self.results['changed'] = changed
|
||||
self.results['state'] = results
|
||||
|
||||
if not self.check_mode:
|
||||
|
||||
# Create key
|
||||
if self.state == 'present' and changed:
|
||||
results['key_id'] = self.create_key(self.key_name, self.tags)
|
||||
self.results['state'] = results
|
||||
self.results['state']['status'] = 'Created'
|
||||
# Delete key
|
||||
elif self.state == 'absent' and changed:
|
||||
results['key_id'] = self.delete_key(self.key_name)
|
||||
self.results['state'] = results
|
||||
self.results['state']['status'] = 'Deleted'
|
||||
else:
|
||||
if self.state == 'present' and changed:
|
||||
self.results['state']['status'] = 'Created'
|
||||
elif self.state == 'absent' and changed:
|
||||
self.results['state']['status'] = 'Deleted'
|
||||
|
||||
return self.results
|
||||
|
||||
def get_key(self, name, version=''):
|
||||
''' Gets an existing key '''
|
||||
key_bundle = self.client.get_key(self.keyvault_uri, name, version)
|
||||
if key_bundle:
|
||||
key_id = KeyVaultId.parse_key_id(key_bundle.key.kid)
|
||||
return key_id.id
|
||||
|
||||
def create_key(self, name, tags, kty='RSA'):
|
||||
''' Creates a key '''
|
||||
key_bundle = self.client.create_key(self.keyvault_uri, name, kty, tags=tags)
|
||||
key_id = KeyVaultId.parse_key_id(key_bundle.key.kid)
|
||||
return key_id.id
|
||||
|
||||
def delete_key(self, name):
|
||||
''' Deletes a key '''
|
||||
deleted_key = self.client.delete_key(self.keyvault_uri, name)
|
||||
key_id = KeyVaultId.parse_key_id(deleted_key.key.kid)
|
||||
return key_id.id
|
||||
|
||||
def import_key(self, key_name, destination=None, key_ops=None, disabled=False, expires=None,
|
||||
not_before=None, tags=None, pem_file=None, pem_password=None, byok_file=None):
|
||||
""" Import a private key. Supports importing base64 encoded private keys from PEM files.
|
||||
Supports importing BYOK keys into HSM for premium KeyVaults. """
|
||||
|
||||
def _to_bytes(hex_string):
|
||||
# zero pads and decodes a hex string
|
||||
if len(hex_string) % 2:
|
||||
hex_string = '{0}'.format(hex_string)
|
||||
return codecs.decode(hex_string, 'hex_codec')
|
||||
|
||||
def _set_rsa_parameters(dest, src):
|
||||
# map OpenSSL parameter names to JsonWebKey property names
|
||||
conversion_dict = {
|
||||
'modulus': 'n',
|
||||
'publicExponent': 'e',
|
||||
'privateExponent': 'd',
|
||||
'prime1': 'p',
|
||||
'prime2': 'q',
|
||||
'exponent1': 'dp',
|
||||
'exponent2': 'dq',
|
||||
'coefficient': 'qi'
|
||||
}
|
||||
# regex: looks for matches that fit the following patterns:
|
||||
# integerPattern: 65537 (0x10001)
|
||||
# hexPattern:
|
||||
# 00:a0:91:4d:00:23:4a:c6:83:b2:1b:4c:15:d5:be:
|
||||
# d8:87:bd:c9:59:c2:e5:7a:f5:4a:e7:34:e8:f0:07:
|
||||
# The desired match should always be the first component of the match
|
||||
regex = re.compile(r'([^:\s]*(:[^\:)]+\))|([^:\s]*(:\s*[0-9A-Fa-f]{2})+))')
|
||||
# regex2: extracts the hex string from a format like: 65537 (0x10001)
|
||||
regex2 = re.compile(r'(?<=\(0x{1})([0-9A-Fa-f]*)(?=\))')
|
||||
|
||||
key_params = crypto.dump_privatekey(crypto.FILETYPE_TEXT, src).decode('utf-8')
|
||||
for match in regex.findall(key_params):
|
||||
comps = match[0].split(':', 1)
|
||||
name = conversion_dict.get(comps[0], None)
|
||||
if name:
|
||||
value = comps[1].replace(' ', '').replace('\n', '').replace(':', '')
|
||||
try:
|
||||
value = _to_bytes(value)
|
||||
except Exception: # pylint:disable=broad-except
|
||||
# if decoding fails it is because of an integer pattern. Extract the hex
|
||||
# string and retry
|
||||
value = _to_bytes(regex2.findall(value)[0])
|
||||
setattr(dest, name, value)
|
||||
|
||||
key_attrs = KeyAttributes(not disabled, not_before, expires)
|
||||
key_obj = JsonWebKey(key_ops=key_ops)
|
||||
if pem_file:
|
||||
key_obj.kty = 'RSA'
|
||||
with open(pem_file, 'r') as f:
|
||||
pem_data = f.read()
|
||||
# load private key and prompt for password if encrypted
|
||||
try:
|
||||
pem_password = str(pem_password).encode() if pem_password else None
|
||||
# despite documentation saying password should be a string, it needs to actually
|
||||
# be UTF-8 encoded bytes
|
||||
pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, pem_data, pem_password)
|
||||
except crypto.Error:
|
||||
pass # wrong password
|
||||
except TypeError:
|
||||
pass # no pass provided
|
||||
_set_rsa_parameters(key_obj, pkey)
|
||||
elif byok_file:
|
||||
with open(byok_file, 'rb') as f:
|
||||
byok_data = f.read()
|
||||
key_obj.kty = 'RSA-HSM'
|
||||
key_obj.t = byok_data
|
||||
|
||||
return self.client.import_key(
|
||||
self.keyvault_uri, key_name, key_obj, destination == 'hsm', key_attrs, tags)
|
||||
|
||||
|
||||
def main():
|
||||
AzureRMKeyVaultKey()
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
3
test/integration/targets/azure_rm_keyvaultkey/aliases
Normal file
3
test/integration/targets/azure_rm_keyvaultkey/aliases
Normal file
|
@ -0,0 +1,3 @@
|
|||
cloud/azure
|
||||
posix/ci/cloud/azure
|
||||
destructive
|
|
@ -0,0 +1,2 @@
|
|||
dependencies:
|
||||
- setup_azure
|
69
test/integration/targets/azure_rm_keyvaultkey/tasks/main.yml
Normal file
69
test/integration/targets/azure_rm_keyvaultkey/tasks/main.yml
Normal file
|
@ -0,0 +1,69 @@
|
|||
- name: Prepare random number
|
||||
set_fact:
|
||||
rpfx: "{{ resource_group | hash('md5') | truncate(7, True, '') }}{{ 1000 | random }}"
|
||||
run_once: yes
|
||||
|
||||
- name: Create instance of Key Vault
|
||||
azure_rm_keyvault:
|
||||
resource_group: "{{ resource_group }}"
|
||||
vault_name: "vault{{ rpfx }}"
|
||||
enabled_for_deployment: yes
|
||||
vault_tenant: "{{ azure_tenant }}"
|
||||
sku:
|
||||
name: standard
|
||||
family: A
|
||||
access_policies:
|
||||
- tenant_id: "{{ azure_tenant }}"
|
||||
object_id: 97567bfa-cf13-4217-8fa3-cc56bc1867fe
|
||||
keys:
|
||||
- get
|
||||
- list
|
||||
- update
|
||||
- create
|
||||
- import
|
||||
- delete
|
||||
- recover
|
||||
- backup
|
||||
- restore
|
||||
secrets:
|
||||
- get
|
||||
- list
|
||||
- set
|
||||
- delete
|
||||
- recover
|
||||
- backup
|
||||
- restore
|
||||
register: output
|
||||
|
||||
- name: create a kevyault key
|
||||
block:
|
||||
- azure_rm_keyvaultkey:
|
||||
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
||||
key_name: testkey
|
||||
tags:
|
||||
testing: test
|
||||
delete: on-exit
|
||||
register: output
|
||||
- assert:
|
||||
that: output.changed
|
||||
rescue:
|
||||
- azure_rm_keyvaultkey:
|
||||
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
||||
state: absent
|
||||
key_name: testkey
|
||||
|
||||
- name: delete a kevyault key
|
||||
azure_rm_keyvaultkey:
|
||||
keyvault_uri: https://vault{{ rpfx }}.vault.azure.net
|
||||
state: absent
|
||||
key_name: testkey
|
||||
register: output
|
||||
|
||||
- assert:
|
||||
that: output.changed
|
||||
|
||||
- name: Delete instance of Key Vault
|
||||
azure_rm_keyvault:
|
||||
resource_group: "{{ resource_group }}"
|
||||
vault_name: "vault{{ rpfx }}"
|
||||
state: absent
|
Loading…
Reference in a new issue