infra-nimbus/ansible/lookup_plugins/vault.py

103 lines
3.3 KiB
Python
Raw Normal View History

2024-09-05 09:13:01 +00:00
#!/usr/bin/env python
import json
import sys
import os
import hvac
from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase
from ansible.utils.display import Display
2024-09-05 09:13:01 +00:00
display = Display()
2024-09-05 09:13:01 +00:00
DOCUMENTATION = """
lookup: vault
auth:
- Alexis Pentori <alexis@status.im>
requirements:
- hvac library
- VAULT_ADDR environment var
- VAULT_TOKEN environment var
short_description: look up data from a Hashicorp vault
decription:
- Use the hvac library to grab one or more items stored in a Hashicorp Vault
- The plugin use the variable <env> and <stage> form ansible to determined the path to query
2024-09-05 09:13:01 +00:00
options:
path:
description: Path of the secret in the Vault, by default the Path will be prefixed by the <env>/<stage>/<path>
2024-09-05 09:13:01 +00:00
required: true
field:
description: Field to return from vault
2024-09-05 09:13:01 +00:00
required: true
stage:
description: Override the value of stage used in the path
required: false
env:
description: Override the value of the env used in the path
required: false
override:
description: Search only for the path specifed
required: false
2024-09-05 09:13:01 +00:00
"""
Examples = """
- name: Get 'username' from Vault entry 'config' to fetch secret from 'example/test/config'
debug:
msg: "{{ lookup('vault, 'config', field='username' )}}"
vars:
env: 'example'
stage: 'test'
- name: Get 'username' from Vault entry 'config' to fetch secret from 'example-2/prod/config'
2024-09-05 09:13:01 +00:00
debug:
msg: "{{ lookup('vault, 'test', field='username', stage='prod', env='example-2' )}}"
vars:
env: 'example'
stage: 'test'
- name: Get 'username' from Vault entry 'config' to fetch secret from 'other/path/to/config'
debug:
msg: "{{ lookup('vault, 'other/path/to/config', field='username', override=True)}}"
vars:
env: 'example'
stage: 'test'
2024-09-05 09:13:01 +00:00
"""
RETURN = """
_raw:
description:
- Items for Hashicorp Vault
"""
VAULT_CACERT = os.environ.get('VAULT_CACERT', './ansible/files/vault-ca.crt')
VAULT_CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', './ansible/files/vault-client-user.crt')
VAULT_CLIENT_KEY = os.environ.get('VAULT_CLIENT_KEY', './ansible/files/vault-client-user.key')
2024-09-05 09:13:01 +00:00
class LookupModule(LookupBase):
def run(self, terms, field: str, variables=None, override: str = False, **kwargs):
self.vault = hvac.Client(cert=(VAULT_CLIENT_CERT, VAULT_CLIENT_KEY),verify=VAULT_CACERT)
values = []
env = kwargs.get("env", variables["env"])
stage = kwargs.get("stage", variables["stage"])
prefix = ""
if override:
display.debug("Overriding the env/stage behavior and using only the path provided: %s" % terms)
else:
display.debug("Using the env : %s and the stage : %s" % (env, stage))
prefix=f"{env}/{stage}/"
2024-09-05 09:13:01 +00:00
for term in terms:
rval = self.lookup(f"{prefix}{term}", field=field)
2024-09-05 09:13:01 +00:00
if rval is None:
raise AnsibleError("No matching term, field not found!")
2024-09-05 09:13:01 +00:00
values.append(rval)
return values
def lookup(self, term, **kwargs):
2024-09-05 09:13:01 +00:00
field = kwargs.get('field')
display.v("Querying Vault field %s at path %s" % (field,term))
val = self.vault.secrets.kv.read_secret_version(term)
if val:
return str(val['data']['data'][field])