mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
59b1329337
Add onepassword_doc lookup plugin (#7490)
* Add onepassword_doc lookup plugin
* Switch to a doc fragment
* Add unit test
* Update docs
* Move parameter validation to the OnePass object
This makes it built in for other lookup plugins using this class.
* Use kwargs for OnePass instantiation
There are enough parameters now that using them positionally can result in
odd behavior.
* Update tests
Correct conftest file name so fixtures are discovered and loaded correctly
Move constant so it doesn’t need to be imported
Add a patch since the parameter validation moved to part of the class init
* Use a lookup docs fragment
* Correct plugin description
(cherry picked from commit e0346d400f
)
Co-authored-by: Sam Doran <sdoran@redhat.com>
75 lines
2.9 KiB
Python
75 lines
2.9 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
# Copyright (c) 2023, Ansible Project
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
|
|
class ModuleDocFragment(object):
|
|
DOCUMENTATION = r'''
|
|
requirements:
|
|
- See U(https://support.1password.com/command-line/)
|
|
options:
|
|
master_password:
|
|
description: The password used to unlock the specified vault.
|
|
aliases: ['vault_password']
|
|
type: str
|
|
section:
|
|
description: Item section containing the field to retrieve (case-insensitive). If absent will return first match from any section.
|
|
domain:
|
|
description: Domain of 1Password.
|
|
default: '1password.com'
|
|
type: str
|
|
subdomain:
|
|
description: The 1Password subdomain to authenticate against.
|
|
type: str
|
|
account_id:
|
|
description: The account ID to target.
|
|
type: str
|
|
username:
|
|
description: The username used to sign in.
|
|
type: str
|
|
secret_key:
|
|
description: The secret key used when performing an initial sign in.
|
|
type: str
|
|
service_account_token:
|
|
description:
|
|
- The access key for a service account.
|
|
- Only works with 1Password CLI version 2 or later.
|
|
type: str
|
|
vault:
|
|
description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
|
|
type: str
|
|
connect_host:
|
|
description: The host for 1Password Connect. Must be used in combination with O(connect_token).
|
|
type: str
|
|
env:
|
|
- name: OP_CONNECT_HOST
|
|
version_added: 8.1.0
|
|
connect_token:
|
|
description: The token for 1Password Connect. Must be used in combination with O(connect_host).
|
|
type: str
|
|
env:
|
|
- name: OP_CONNECT_TOKEN
|
|
version_added: 8.1.0
|
|
'''
|
|
|
|
LOOKUP = r'''
|
|
options: {}
|
|
notes:
|
|
- This lookup will use an existing 1Password session if one exists. If not, and you have already
|
|
performed an initial sign in (meaning C(~/.op/config), C(~/.config/op/config) or C(~/.config/.op/config) exists), then only the
|
|
O(master_password) is required. You may optionally specify O(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
|
|
- This lookup can perform an initial login by providing O(subdomain), O(username), O(secret_key), and O(master_password).
|
|
- Can target a specific account by providing the O(account_id).
|
|
- Due to the B(very) sensitive nature of these credentials, it is B(highly) recommended that you only pass in the minimal credentials
|
|
needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength
|
|
to the 1Password master password.
|
|
- This lookup stores potentially sensitive data from 1Password as Ansible facts.
|
|
Facts are subject to caching if enabled, which means this data could be stored in clear text
|
|
on disk or in a database.
|
|
- Tested with C(op) version 2.7.2.
|
|
'''
|