ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Update hashi_vault.py

Browse source 
Add ability to lookup entire objects in HashiCorp Vault.
When used with auth_method allow skipping SSL verify.
This commit is contained in:
igor-pinchuk 2017-10-26 12:08:11 +03:00 committed by ansibot
parent 9322486ac3
commit 6b6746dcee
1 changed files with 6 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
lib/ansible/plugins/lookup/hashi_vault.py
View file

@ -49,6 +49,8 @@ DOCUMENTATION = """
EXAMPLES = """ EXAMPLES = """
- debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}" - debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello:value token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello-object token=c975b780-d1be-8016-866b-01d0f9b688a5 url=http://myvault:8200')}}"
- name: Vault that requires authentication via ldap - name: Vault that requires authentication via ldap
debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}" debug: msg="{{ lookup('hashi_vault', 'secret=secret/hello:value auth_method=ldap mount_point=ldap username=myuser password=mypas url=http://myvault:8200')}}"
@ -100,7 +102,7 @@ class HashiVault:
if len(s_f) >= 2: if len(s_f) >= 2:
self.secret_field = s_f[1] self.secret_field = s_f[1]
else: else:
self.secret_field = 'value' self.secret_field = 'ALL_OBJECT_ELEMENTS'
# if a particular backend is asked for (and its method exists) we call it, otherwise drop through to using # if a particular backend is asked for (and its method exists) we call it, otherwise drop through to using
# token auth. this means if a particular auth backend is requested and a token is also given, then we # token auth. this means if a particular auth backend is requested and a token is also given, then we
@ -109,9 +111,9 @@ class HashiVault:
# to enable a new auth backend, simply add a new 'def auth_<type>' method below. # to enable a new auth backend, simply add a new 'def auth_<type>' method below.
# #
self.auth_method = kwargs.get('auth_method') self.auth_method = kwargs.get('auth_method')
if self.auth_method: if self.auth_method and self.auth_method != 'token':
try: try:
self.client = hvac.Client(url=self.url) self.client = hvac.Client(url=self.url, verify=self.verify)
# prefixing with auth_ to limit which methods can be accessed # prefixing with auth_ to limit which methods can be accessed
getattr(self, 'auth_' + self.auth_method)(**kwargs) getattr(self, 'auth_' + self.auth_method)(**kwargs)
except AttributeError: except AttributeError:
@ -143,7 +145,7 @@ class HashiVault:
if data is None: if data is None:
raise AnsibleError("The secret %s doesn't seem to exist for hashi_vault lookup" % self.secret) raise AnsibleError("The secret %s doesn't seem to exist for hashi_vault lookup" % self.secret)
if self.secret_field == '': # secret was specified with trailing ':' if self.secret_field == 'ALL_OBJECT_ELEMENTS': # secret was specified without trailing ':'
return data['data'] return data['data']
if self.secret_field not in data['data']: if self.secret_field not in data['data']: