2024-09-05 09:13:01 +00:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
import json
|
|
|
|
import sys
|
|
|
|
import os
|
|
|
|
import hvac
|
|
|
|
|
|
|
|
from ansible.errors import AnsibleError
|
|
|
|
from ansible.plugins.lookup import LookupBase
|
2024-09-26 09:05:36 +00:00
|
|
|
from ansible.utils.display import Display
|
2024-09-05 09:13:01 +00:00
|
|
|
|
2024-09-26 09:05:36 +00:00
|
|
|
display = Display()
|
2024-09-05 09:13:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
DOCUMENTATION = """
|
|
|
|
lookup: vault
|
|
|
|
auth:
|
|
|
|
- Alexis Pentori <alexis@status.im>
|
|
|
|
requirements:
|
|
|
|
- hvac library
|
|
|
|
- VAULT_ADDR environment var
|
|
|
|
- VAULT_TOKEN environment var
|
|
|
|
short_description: look up data from a Hashicorp vault
|
|
|
|
decription:
|
2024-09-26 09:05:36 +00:00
|
|
|
- Use the hvac library to grab one or more items stored in a Hashicorp Vault
|
|
|
|
- The plugin use the variable <env> and <stage> form ansible to determined the path to query
|
2024-09-05 09:13:01 +00:00
|
|
|
options:
|
|
|
|
path:
|
2024-09-26 09:05:36 +00:00
|
|
|
description: Path of the secret in the Vault, by default the Path will be prefixed by the <env>/<stage>/<path>
|
2024-09-05 09:13:01 +00:00
|
|
|
required: true
|
|
|
|
field:
|
2024-09-26 09:05:36 +00:00
|
|
|
description: Field to return from vault
|
2024-09-05 09:13:01 +00:00
|
|
|
required: true
|
2024-09-26 09:05:36 +00:00
|
|
|
stage:
|
|
|
|
description: Override the value of stage used in the path
|
|
|
|
required: false
|
|
|
|
env:
|
|
|
|
description: Override the value of the env used in the path
|
|
|
|
required: false
|
|
|
|
override:
|
|
|
|
description: Search only for the path specifed
|
|
|
|
required: false
|
2024-09-05 09:13:01 +00:00
|
|
|
"""
|
|
|
|
|
|
|
|
Examples = """
|
2024-09-26 09:05:36 +00:00
|
|
|
- name: Get 'username' from Vault entry 'config' to fetch secret from 'example/test/config'
|
|
|
|
debug:
|
|
|
|
msg: "{{ lookup('vault, 'config', field='username' )}}"
|
|
|
|
vars:
|
|
|
|
env: 'example'
|
|
|
|
stage: 'test'
|
|
|
|
- name: Get 'username' from Vault entry 'config' to fetch secret from 'example-2/prod/config'
|
2024-09-05 09:13:01 +00:00
|
|
|
debug:
|
2024-09-26 09:05:36 +00:00
|
|
|
msg: "{{ lookup('vault, 'test', field='username', stage='prod', env='example-2' )}}"
|
|
|
|
vars:
|
|
|
|
env: 'example'
|
|
|
|
stage: 'test'
|
|
|
|
- name: Get 'username' from Vault entry 'config' to fetch secret from 'other/path/to/config'
|
|
|
|
debug:
|
|
|
|
msg: "{{ lookup('vault, 'other/path/to/config', field='username', override=True)}}"
|
|
|
|
vars:
|
|
|
|
env: 'example'
|
|
|
|
stage: 'test'
|
2024-09-05 09:13:01 +00:00
|
|
|
"""
|
|
|
|
|
|
|
|
RETURN = """
|
|
|
|
_raw:
|
|
|
|
description:
|
|
|
|
- Items for Hashicorp Vault
|
|
|
|
"""
|
2024-09-26 09:05:36 +00:00
|
|
|
VAULT_CACERT = os.environ.get('VAULT_CACERT', './ansible/files/vault-ca.crt')
|
|
|
|
VAULT_CLIENT_CERT = os.environ.get('VAULT_CLIENT_CERT', './ansible/files/vault-client-user.crt')
|
|
|
|
VAULT_CLIENT_KEY = os.environ.get('VAULT_CLIENT_KEY', './ansible/files/vault-client-user.key')
|
|
|
|
|
2024-09-05 09:13:01 +00:00
|
|
|
class LookupModule(LookupBase):
|
|
|
|
|
2024-09-26 09:05:36 +00:00
|
|
|
def run(self, terms, field: str, variables=None, override: str = False, **kwargs):
|
|
|
|
self.vault = hvac.Client(cert=(VAULT_CLIENT_CERT, VAULT_CLIENT_KEY),verify=VAULT_CACERT)
|
|
|
|
values = []
|
|
|
|
env = kwargs.get("env", variables["env"])
|
|
|
|
stage = kwargs.get("stage", variables["stage"])
|
|
|
|
prefix = ""
|
|
|
|
if override:
|
|
|
|
display.debug("Overriding the env/stage behavior and using only the path provided: %s" % terms)
|
|
|
|
else:
|
|
|
|
display.debug("Using the env : %s and the stage : %s" % (env, stage))
|
|
|
|
prefix=f"{env}/{stage}/"
|
2024-09-05 09:13:01 +00:00
|
|
|
for term in terms:
|
2024-09-26 09:05:36 +00:00
|
|
|
rval = self.lookup(f"{prefix}{term}", field=field)
|
2024-09-05 09:13:01 +00:00
|
|
|
if rval is None:
|
2024-09-26 09:05:36 +00:00
|
|
|
raise AnsibleError("No matching term, field not found!")
|
2024-09-05 09:13:01 +00:00
|
|
|
values.append(rval)
|
|
|
|
|
|
|
|
return values
|
|
|
|
|
2024-09-26 09:05:36 +00:00
|
|
|
def lookup(self, term, **kwargs):
|
2024-09-05 09:13:01 +00:00
|
|
|
field = kwargs.get('field')
|
2024-09-26 09:05:36 +00:00
|
|
|
display.v("Querying Vault field %s at path %s" % (field,term))
|
|
|
|
val = self.vault.secrets.kv.read_secret_version(term)
|
|
|
|
if val:
|
|
|
|
return str(val['data']['data'][field])
|
|
|
|
|