From 175068fdae90ba13aae0d8f6690064bc968ed16f Mon Sep 17 00:00:00 2001
From: Jonathan Davila
Date: Tue, 21 Jul 2015 09:39:24 -0400
Subject: [PATCH] Hashicorp Vault lookup Plugin
---
lib/ansible/plugins/lookup/hashi_vault.py | 93 +++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 lib/ansible/plugins/lookup/hashi_vault.py
diff --git a/lib/ansible/plugins/lookup/hashi_vault.py b/lib/ansible/plugins/lookup/hashi_vault.py
new file mode 100644
index 0000000000..16d2625b67
--- /dev/null
+++ b/lib/ansible/plugins/lookup/hashi_vault.py
@@ -0,0 +1,93 @@
+# (c) 2015, Jonathan Davila
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+#
+# USAGE: {{ lookup('hashi_vault', 'secret=secret/hello token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}
+#
+# You can skip setting the url if you set the VAULT_ADDR environment variable
+# or if you want it to default to localhost:8200
+#
+# NOTE: Due to a current limitation in the HVAC library there won't
+# necessarily be an error if a bad endpoint is specified.
+#
+# Requires hvac library. Install with pip.
+#
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import os
+
+from ansible.errors import *
+from ansible.plugins.lookup import LookupBase
+
+
+ANSIBLE_HASHI_VAULT_ADDR = 'http://127.0.0.1:8200'
+
+if os.getenv('VAULT_ADDR') is not None:
+ ANSIBLE_HASHI_VAULT_ADDR = os.environ['VAULT_ADDR']
+
+class HashiVault:
+ def __init__(self, **kwargs):
+ try:
+ import hvac
+ except ImportError:
+ AnsibleError("Please pip install hvac to use this module")
+
+ self.url = kwargs.pop('url')
+ self.secret = kwargs.pop('secret')
+ self.token = kwargs.pop('token')
+
+ self.client = hvac.Client(url=self.url, token=self.token)
+
+ if self.client.is_authenticated():
+ pass
+ else:
+ raise AnsibleError("Invalid Hashicorp Vault Token Specified")
+
+ def get(self):
+ value = ""
+
+ data = self.client.read(self.secret)
+ if data == None:
+ raise AnsibleError("The secret %s doesn't seem to exist" % self.secret)
+ else:
+ return data['data']['value']
+
+
+
+class LookupModule(LookupBase):
+
+ def run(self, terms, variables, **kwargs):
+
+ if isinstance(terms, basestring):
+ terms = [ terms ]
+
+ vault_args = terms[0].split(' ')
+ vault_dict = {}
+ ret = []
+
+ for param in vault_args:
+ key, value = param.split('=')
+ vault_dict[key] = value
+
+ vault_conn = HashiVault(**vault_dict)
+
+ for term in terms:
+ key = term.split()[0]
+ value = vault_conn.get()
+ ret.append(value)
+ return ret
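Review bot: In `HashiVault.__init__` the ImportError branch builds `AnsibleError("Please pip install hvac to use this module")` but never raises it, so a missing hvac falls through to `hvac.Client(...)` and surfaces as a NameError instead of the intended message; change it to `raise AnsibleError("Please pip install hvac to use this module")`. `ANSIBLE_HASHI_VAULT_ADDR` (with its `VAULT_ADDR` fallback) is computed at module level but never read, while `kwargs.pop('url')` raises a bare KeyError when url is omitted, contradicting the header comment that says the url can be skipped; `self.url = kwargs.pop('url', ANSIBLE_HASHI_VAULT_ADDR)` fixes that, and the token deserves the same fallback (`self.token = kwargs.pop('token', os.getenv('VAULT_TOKEN'))`) so it does not have to be written into the playbook, where it can end up in version control or in any log that echoes the lookup string. Separately, the loop in `LookupModule.run` calls `vault_conn.get()` once per term without using `term` (the `key` it splits off is unused), so every term returns the same `secret` parsed from `terms[0]`; either document that only a single term is supported or parse each term into its own `HashiVault` instance. Minor: `data == None` should be `data is None`, and `value = ""` in `get` is dead.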