From 695e456cb045a875dd641283dad5d2d26b435264 Mon Sep 17 00:00:00 2001
From: Scott Cunningham
Date: Wed, 29 Jul 2015 10:46:40 +0100
Subject: [PATCH 1/6] add credstash lookup plugin
---
 lib/ansible/plugins/lookup/credstash.py | 42 +++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 lib/ansible/plugins/lookup/credstash.py
diff --git a/lib/ansible/plugins/lookup/credstash.py b/lib/ansible/plugins/lookup/credstash.py
new file mode 100644
index 0000000000..1e9f3ef722
--- /dev/null
+++ b/lib/ansible/plugins/lookup/credstash.py
@@ -0,0 +1,42 @@
+# (c) 2015, Ensighten
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+import credstash
+
+
+class LookupModule(LookupBase):
+ def run(self, terms, variables, **kwargs):
+
+ if isinstance(terms, basestring):
+ terms = [terms]
+
+ ret = []
+ for term in terms:
+ try:
+ val = credstash.getSecret(term, **kwargs)
+ except credstash.ItemNotFound:
+ raise AnsibleError('Key {} not found'.format(term))
+ except Exception as e:
+ raise AnsibleError('Encountered exception while fetching {}: {}'.format(term, e.message))
+ ret.append(val)
+
+ return ret
From 193e857bc4535258d06a0a7cd39072f1f0a146c3 Mon Sep 17 00:00:00 2001
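Review bot: `LookupModule.run` carries no docstring, so nothing in the new file says which keyword arguments the lookup accepts or what happens on a miss; every keyword given to the lookup is forwarded verbatim through `credstash.getSecret(term, **kwargs)`, so a mistyped option only surfaces as the generic 'Encountered exception while fetching' error. I would add a docstring stating that each term is resolved to one decrypted secret from credstash (AWS KMS + DynamoDB), that keyword arguments such as `region` and `table` are passed straight to `credstash.getSecret`, and that a missing key raises `AnsibleError` instead of yielding an empty value. It should also warn that the returned values are plaintext secrets, which will appear in play output and logs unless the task consuming them sets `no_log: true`. As a nit, the `from __future__` line imports `print_function`, which nothing in the file uses.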
From: Scott Cunningham
Date: Thu, 30 Jul 2015 21:04:26 +0100
Subject: [PATCH 2/6] credstash lookup plugin: raise AnsibleError when credstash library not installed
---
 lib/ansible/plugins/lookup/credstash.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/lib/ansible/plugins/lookup/credstash.py b/lib/ansible/plugins/lookup/credstash.py
index 1e9f3ef722..5ff585f0e3 100644
--- a/lib/ansible/plugins/lookup/credstash.py
+++ b/lib/ansible/plugins/lookup/credstash.py
@@ -20,7 +20,17 @@ __metaclass__ = type
 from ansible.errors import AnsibleError
 from ansible.plugins.lookup import LookupBase
-import credstash
+CREDSTASH_INSTALLED = False
+
+try:
+ import credstash
+ CREDSTASH_INSTALLED = True
+except ImportError:
+ CREDSTASH_INSTALLED = False
+
+
+if not CREDSTASH_INSTALLED:
+ raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
 class LookupModule(LookupBase):
From 92327ba11f50ecd61ff3a302e98f6ee809d2de07 Mon Sep 17 00:00:00 2001
From: Scott Cunningham
Date: Thu, 30 Jul 2015 21:24:11 +0100
Subject: [PATCH 3/6] add credstash lookup plugin docs
---
 docsite/rst/playbooks_lookups.rst | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/docsite/rst/playbooks_lookups.rst b/docsite/rst/playbooks_lookups.rst
index a7d459c800..386230873c 100644
--- a/docsite/rst/playbooks_lookups.rst
+++ b/docsite/rst/playbooks_lookups.rst
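Review bot: The `CREDSTASH_INSTALLED = False` assignment placed before the `try` is dead code, because the `except ImportError` branch assigns the same value on the only path where the `try` body does not set it to `True`; the guard reads better as just `try: import credstash; CREDSTASH_INSTALLED = True` followed by `except ImportError: CREDSTASH_INSTALLED = False`. If the rest of this tree spells such flags `HAS_<LIB>`, matching that name would help readers, though I cannot confirm the convention from this patch alone. The hunk's last line is the `class LookupModule` header; its body is outside the hunk.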
@@ -140,6 +140,42 @@ default empty string return value if the key is not in the csv file
 .. note:: The default delimiter is TAB, *not* comma.
+.. _credstash_lookup:
+
+The Credstash Lookup
+````````````````````
+
+Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/LuminalOSS/credstash
+
+First, you need to store your secrets with credstash::
+
+
+ $ credstash put my-github-password secure123
+
+ my-github-password has been stored
+
+
+Example usage::
+
+
+ ---
+ - name: "Test credstash lookup plugin -- get my github password"
+ debug: msg="Credstash lookup! {{ lookup('credstash', 'my-github-password') }}"
+
+
+You can specify regions or tables to fetch secrets from::
+
+
+ ---
+ - name: "Test credstash lookup plugin -- get my other password from us-west-1"
+ debug: msg="Credstash lookup! {{ lookup('credstash', 'my-other-password', region='us-west-1') }}"
+
+
+ - name: "Test credstash lookup plugin -- get the company's github password"
+ debug: msg="Credstash lookup! {{ lookup('credstash', 'company-github-password', table='company-passwords') }}"
+
+
+
 .. _more_lookups:
 More Lookups
From 934ce86d35fe1881276512735dd86607fde2d05a Mon Sep 17 00:00:00 2001
From: Scott Cunningham
Date: Tue, 4 Aug 2015 18:29:37 -0700
Subject: [PATCH 4/6] update credstash lookup plugin to use Python 2.4-compatible exception catching
---
 lib/ansible/plugins/lookup/credstash.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ansible/plugins/lookup/credstash.py b/lib/ansible/plugins/lookup/credstash.py
index 5ff585f0e3..febccfa5c6 100644
--- a/lib/ansible/plugins/lookup/credstash.py
+++ b/lib/ansible/plugins/lookup/credstash.py
@@ -45,7 +45,7 @@ class LookupModule(LookupBase):
 val = credstash.getSecret(term, **kwargs)
 except credstash.ItemNotFound:
 raise AnsibleError('Key {} not found'.format(term))
- except Exception as e:
+ except Exception, e:
 raise AnsibleError('Encountered exception while fetching {}: {}'.format(term, e.message))
 ret.append(val)
From c4629b72e065929dfabf2a1a8df07c622b4dd38f Mon Sep 17 00:00:00 2001
From: Scott Cunningham
Date: Wed, 5 Aug 2015 23:37:10 -0700
Subject: [PATCH 5/6] credstash lookup plugin: error out in run function when credstash not installed, not at module scope
---
 lib/ansible/plugins/lookup/credstash.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/ansible/plugins/lookup/credstash.py b/lib/ansible/plugins/lookup/credstash.py
index febccfa5c6..5b4a0c0c40 100644
--- a/lib/ansible/plugins/lookup/credstash.py
+++ b/lib/ansible/plugins/lookup/credstash.py
@@ -29,13 +29,12 @@ except ImportError:
 CREDSTASH_INSTALLED = False
-if not CREDSTASH_INSTALLED:
- raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
-
-
 class LookupModule(LookupBase):
 def run(self, terms, variables, **kwargs):
+ if not CREDSTASH_INSTALLED:
+ raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
+
 if isinstance(terms, basestring):
 terms = [terms]
From 87ef53c9629d7e2706895966d6385080fcfaa2b0 Mon Sep 17 00:00:00 2001
From: Scott Cunningham
Date: Wed, 5 Aug 2015 23:40:43 -0700
Subject: [PATCH 6/6] credstash lookup plugin: python 2.6-compatible string.format()
---
 lib/ansible/plugins/lookup/credstash.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/ansible/plugins/lookup/credstash.py b/lib/ansible/plugins/lookup/credstash.py
index 5b4a0c0c40..6587d525ff 100644
--- a/lib/ansible/plugins/lookup/credstash.py
+++ b/lib/ansible/plugins/lookup/credstash.py
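Review bot: `except Exception, e:` is a syntax error on Python 3, and the Python 2.4 compatibility it is meant to buy is illusory, because this same file already uses `from __future__ import (absolute_import, division, print_function)` and `str.format`, neither of which exists on 2.4 (`print_function` and `str.format` need 2.6, where the `as e` spelling is also available). I would keep `except Exception as e:` and drop 2.4 from the stated target instead, since the interpreter floor is already 2.6 for this file. The `run` method this line sits in starts and ends outside the hunk.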
@@ -43,9 +43,9 @@ class LookupModule(LookupBase):
 try:
 val = credstash.getSecret(term, **kwargs)
 except credstash.ItemNotFound:
- raise AnsibleError('Key {} not found'.format(term))
+ raise AnsibleError('Key {0} not found'.format(term))
 except Exception, e:
- raise AnsibleError('Encountered exception while fetching {}: {}'.format(term, e.message))
+ raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e.message))
 ret.append(val)
 return ret
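Review bot: `e.message` on the rewritten 'Encountered exception while fetching' line is the part of this error path that is still not portable: `BaseException.message` has been deprecated since Python 2.6, is an empty string whenever the exception was constructed with anything other than exactly one argument, and does not exist on Python 3, so the wrapped error can come out blank or itself fail with `AttributeError`. `raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e))` lets `str()` do the work and yields the same text in the one-argument case and something useful in the others. Because this handler also wraps whatever the AWS calls inside credstash raise, including the exception class, e.g. `type(e).__name__`, would let an operator distinguish a permission denial from a missing table without putting anything sensitive in the message.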