diff --git a/plugins/lookup/gcp_secret_access.py b/plugins/lookup/gcp_secret_access.py index c481c71..8a8f9c1 100644 --- a/plugins/lookup/gcp_secret_access.py +++ b/plugins/lookup/gcp_secret_access.py @@ -69,7 +69,7 @@ _raw: from ansible.errors import AnsibleError from ansible.plugins.lookup import LookupBase -from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import GcpSecretLookup +from ansible_collections.google.cloud.plugins.plugin_utils.gcp_utils import GcpSecretLookup try: from google.cloud import secretmanager diff --git a/plugins/lookup/gcp_secret_resource_id.py b/plugins/lookup/gcp_secret_resource_id.py index 5b06b9a..2993335 100644 --- a/plugins/lookup/gcp_secret_resource_id.py +++ b/plugins/lookup/gcp_secret_resource_id.py @@ -57,7 +57,7 @@ _raw: from ansible.errors import AnsibleError from ansible.plugins.lookup import LookupBase -from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import GcpSecretLookup +from ansible_collections.google.cloud.plugins.plugin_utils.gcp_utils import GcpSecretLookup try: from google.cloud import secretmanager diff --git a/plugins/module_utils/gcp_utils.py b/plugins/module_utils/gcp_utils.py index 655d2ba..2dc0668 100644 --- a/plugins/module_utils/gcp_utils.py +++ b/plugins/module_utils/gcp_utils.py @@ -8,7 +8,6 @@ __metaclass__ = type import ast import os import json -import re try: import requests @@ -25,7 +24,6 @@ try: except ImportError: HAS_GOOGLE_LIBRARIES = False -from ansible.errors import AnsibleError from ansible.module_utils.basic import AnsibleModule, env_fallback from ansible.module_utils.six import string_types from ansible.module_utils._text import to_text, to_native 
@@ -449,57 +447,3 @@ class GcpRequest(object): new_dict[key] = self._convert_value(value[key]) return new_dict return to_text(value) - - -# Handles all authentication and options for GCP Secrets Manager API calls in Lookup plugins. -class GcpSecretLookup(): - def __init__(self): - if not HAS_GOOGLE_LIBRARIES: - raise AnsibleError("Please install the google-auth library") - - self.plugin_name = '' - self.secret_id = None - self.version_id = None - self.project_id = None - self.service_account_file = None - self.scope = ["https://www.googleapis.com/auth/cloud-platform"] - - def set_plugin_name(self, name): - self.plugin_name = name - - def client(self, secretmanager): - if self.service_account_file is not None: - path = os.path.realpath(os.path.expanduser(self.service_account_file)) - credentials = service_account.Credentials.from_service_account_file(path).with_scopes(self.scope) - return secretmanager.SecretManagerServiceClient(credentials=credentials) - - return secretmanager.SecretManagerServiceClient() - - def process_options(self, terms, variables=None, **kwargs): - self.secret_id = kwargs.get('secret') - self.version_id = kwargs.get('version', 'latest') - self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT')) - self.service_account_file = kwargs.get('service_account_file', os.getenv('GCP_SERVICE_ACCOUNT_FILE')) - - if len(terms) > 1: - raise AnsibleError("{0} lookup plugin can have only one secret name or resource id".format(self.plugin_name)) - - if self.secret_id is None and len(terms) == 1: - self.secret_id = terms[0] - - regex = r'^projects/([^/]+)/secrets/([^/]+)/versions/(.+)$' - match = re.match(regex, self.secret_id) - if match: - self.name = self.secret_id - self.project_id = match.group(1) - self.secret_id = match.group(2) - self.version_id = match.group(3) - return - - if self.project_id is None: - raise AnsibleError("{0} lookup plugin required option: project or resource id".format(self.plugin_name)) - - if self.secret_id is None: - 
raise AnsibleError("{0} lookup plugin required option: secret or resource id".format(self.plugin_name)) - - self.name = f"projects/{self.project_id}/secrets/{self.secret_id}/versions/{self.version_id}" diff --git a/plugins/plugin_utils/gcp_utils.py b/plugins/plugin_utils/gcp_utils.py new file mode 100644 index 0000000..95502f7 --- /dev/null +++ b/plugins/plugin_utils/gcp_utils.py 
@@ -0,0 +1,68 @@ +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +import os +import re + +try: + from google.oauth2 import service_account + HAS_GOOGLE_LIBRARIES = True +except ImportError: + HAS_GOOGLE_LIBRARIES = False + +from ansible.errors import AnsibleError + + +# Handles all authentication and options for GCP Secrets Manager API calls in Lookup plugins. +class GcpSecretLookup(): + def __init__(self): + if not HAS_GOOGLE_LIBRARIES: + raise AnsibleError("Please install the google-auth library") + + self.plugin_name = '' + self.secret_id = None + self.version_id = None + self.project_id = None + self.service_account_file = None + self.scope = ["https://www.googleapis.com/auth/cloud-platform"] + + def set_plugin_name(self, name): + self.plugin_name = name + + def client(self, secretmanager): + if self.service_account_file is not None: + path = os.path.realpath(os.path.expanduser(self.service_account_file)) + credentials = service_account.Credentials.from_service_account_file(path).with_scopes(self.scope) + return secretmanager.SecretManagerServiceClient(credentials=credentials) + + return secretmanager.SecretManagerServiceClient() + + def process_options(self, terms, variables=None, **kwargs): + self.secret_id = kwargs.get('secret') + self.version_id = kwargs.get('version', 'latest') + self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT')) + self.service_account_file = kwargs.get('service_account_file', os.getenv('GOOGLE_APPLICATION_CREDENTIALS')) + + if len(terms) > 1: + raise AnsibleError("{0} lookup plugin can have only one secret name or resource id".format(self.plugin_name)) + + if self.secret_id is None and len(terms) == 1: + self.secret_id = terms[0] + + regex = r'^projects/([^/]+)/secrets/([^/]+)/versions/(.+)$' + match = re.match(regex, self.secret_id) + if match: + self.name = self.secret_id + self.project_id = match.group(1) + self.secret_id = match.group(2) + self.version_id = match.group(3) + 
return + + if self.project_id is None: + raise AnsibleError("{0} lookup plugin required option: project or resource id".format(self.plugin_name)) + + if self.secret_id is None: + raise AnsibleError("{0} lookup plugin required option: secret or resource id".format(self.plugin_name)) + + self.name = f"projects/{self.project_id}/secrets/{self.secret_id}/versions/{self.version_id}"
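Review bot: `process_options` runs `re.match(regex, self.secret_id)` before the `if self.secret_id is None` check, so a lookup invoked with no term and no `secret=` option fails with a `TypeError` from `re` rather than the intended `AnsibleError("... required option: secret or resource id")`; move `if self.secret_id is None: raise AnsibleError(...)` up to directly after the `terms` handling so the regex only ever sees a string. Separately, the env-var fallback changed from `GCP_SERVICE_ACCOUNT_FILE` to `GOOGLE_APPLICATION_CREDENTIALS`, which is the variable Application Default Credentials already consumes: since `client()` then forces `service_account.Credentials.from_service_account_file` on whatever that points at, a `GOOGLE_APPLICATION_CREDENTIALS` file that is not a service-account key (an external-account/workload-identity config, for example) would presumably now be rejected where the bare `SecretManagerServiceClient()` path accepted it via ADC, and playbooks still setting `GCP_SERVICE_ACCOUNT_FILE` silently fall through to ADC with a different identity. Consider keeping `GCP_SERVICE_ACCOUNT_FILE` as the explicit-key variable, leaving `GOOGLE_APPLICATION_CREDENTIALS` to the default client, and noting the change in the lookup plugins' option docs.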