# -*- coding: utf-8 -*-
# Copyright (c) 2015, Ensighten <infra@ensighten.com>
# Copyright (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
# Python 2 compatibility: make every class defined in this module new-style.
__metaclass__ = type

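DOCUMENTATION = '''
    author: Unknown (!UNKNOWN)
    name: credstash
    short_description: retrieve secrets from Credstash on AWS
    requirements:
      - credstash (python library)
    description:
      - "Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/fugue/credstash"
    notes:
      - "Keyword arguments other than the options listed below are passed to Credstash as the encryption context (C(context)); see the examples."
      - "The values returned are plaintext secrets; they appear in task output and logs wherever they are rendered unless the task sets C(no_log: true)."
    options:
      _terms:
        description: term or list of terms to look up in the credential store
        type: list
        elements: string
        required: true
      table:
        description: name of the credstash table to query
        type: str
        default: 'credential-store'
      version:
        description: Credstash version
        type: str
        default: ''
      region:
        description: AWS region
        type: str
      profile_name:
        description: AWS profile to use for authentication
        type: str
        env:
          - name: AWS_PROFILE
      aws_access_key_id:
        description: AWS access key ID
        type: str
        env:
          - name: AWS_ACCESS_KEY_ID
      aws_secret_access_key:
        description: AWS access key
        type: str
        env:
          - name: AWS_SECRET_ACCESS_KEY
      aws_session_token:
        description: AWS session token
        type: str
        env:
          - name: AWS_SESSION_TOKEN
'''
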
| EXAMPLES = """
 | |
| - name: first use credstash to store your secrets
 | |
|   ansible.builtin.shell: credstash put my-github-password secure123
 | |
| 
 | |
| - name: "Test credstash lookup plugin -- get my github password"
 | |
|   ansible.builtin.debug:
 | |
|     msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"
 | |
| 
 | |
| - name: "Test credstash lookup plugin -- get my other password from us-west-1"
 | |
|   ansible.builtin.debug:
 | |
|     msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"
 | |
| 
 | |
| - name: "Test credstash lookup plugin -- get the company's github password"
 | |
|   ansible.builtin.debug:
 | |
|     msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"
 | |
| 
 | |
| - name: Example play using the 'context' feature
 | |
|   hosts: localhost
 | |
|   vars:
 | |
|     context:
 | |
|       app: my_app
 | |
|       environment: production
 | |
|   tasks:
 | |
| 
 | |
|   - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
 | |
|     ansible.builtin.debug:
 | |
|       msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"
 | |
| 
 | |
|   - name: "Test credstash lookup plugin -- get the password with a context defined here"
 | |
|     ansible.builtin.debug:
 | |
|       msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
 | |
| """
 | |
| 
 | |
| RETURN = """
 | |
|   _raw:
 | |
|     description:
 | |
|       - Value(s) stored in Credstash.
 | |
|     type: str
 | |
| """
 | |
| 
 | |
| from ansible.errors import AnsibleError
| from ansible.plugins.lookup import LookupBase
# Optional dependency: the library is only needed when the lookup runs, so a
# missing install is recorded here and reported with a clear error later
# instead of failing at import time.
try:
    import credstash
except ImportError:
    CREDSTASH_INSTALLED = False
else:
    CREDSTASH_INSTALLED = True


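class LookupModule(LookupBase):
    """Look up secrets in a Credstash store (AWS KMS + DynamoDB).

    Connection and credential settings are resolved through the plugin option
    machinery (``set_options``/``get_option``), so they may come from the
    lookup call or from the environment variables listed in DOCUMENTATION.
    Every other keyword argument is passed to Credstash as encryption context.
    """

    # Keyword arguments that are plugin options and therefore never part of
    # the encryption context.
    _OPTION_NAMES = frozenset((
        'version', 'region', 'table', 'profile_name',
        'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token',
    ))

    @classmethod
    def _build_context(cls, kwargs):
        """Return the encryption context dict to hand to ``credstash.getSecret``.

        :param kwargs: the keyword arguments the lookup was called with.
        :returns: a new dict of context key/value pairs.

        Two calling conventions are accepted:

        * bare keywords, ``app='my_app', environment='production'`` -- collected
          into the context as-is (the long-standing behaviour);
        * a ``context={...}`` mapping, as shown in EXAMPLES -- its entries become
          the context. Previously such a mapping was forwarded nested under a
          literal ``'context'`` key, which is not what the examples describe.
          Bare keywords given alongside it are merged in, the explicit mapping
          taking precedence on conflicts.
        """
        context = {k: v for k, v in kwargs.items() if k not in cls._OPTION_NAMES}
        nested = context.get('context')
        if isinstance(nested, dict):
            del context['context']
            context.update(nested)
        return context

    def run(self, terms, variables=None, **kwargs):
        """Fetch every term from Credstash and return the decrypted values.

        :param terms: secret names to fetch, in order.
        :param variables: Ansible variables, used to resolve plugin options.
        :param kwargs: plugin options plus any encryption-context keywords.
        :returns: list with one decrypted value per term, in term order.
        :raises AnsibleError: if the credstash library is not importable, a
            term does not exist, or credstash raises while fetching.
        """
        if not CREDSTASH_INSTALLED:
            raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')

        self.set_options(var_options=variables, direct=kwargs)

        # '' is passed through for version unchanged; credstash presumably
        # treats it as "latest" -- not verified here.
        version = self.get_option('version')
        region = self.get_option('region')
        table = self.get_option('table')
        # Credentials go through get_option so the env fallbacks declared in
        # DOCUMENTATION (AWS_PROFILE, AWS_ACCESS_KEY_ID, ...) apply.
        credentials = {
            'profile_name': self.get_option('profile_name'),
            'aws_access_key_id': self.get_option('aws_access_key_id'),
            'aws_secret_access_key': self.get_option('aws_secret_access_key'),
            'aws_session_token': self.get_option('aws_session_token'),
        }
        context = self._build_context(kwargs)

        ret = []
        for term in terms:
            try:
                ret.append(credstash.getSecret(term, version, region, table, context=context, **credentials))
            except credstash.ItemNotFound:
                raise AnsibleError('Key {0} not found'.format(term))
            except Exception as e:
                # Plugin boundary: surface any credstash/boto failure as an
                # AnsibleError that names the term being fetched.
                raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e))

        return ret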