ansible-collections/google.cloud
1
0
Fork 0
mirror of https://github.com/ansible-collections/google.cloud.git synced 2025-04-09 04:10:27 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Move GcpSecretLookup to plugin_utils because may not be ansible module on the remote host

Browse source
This commit is contained in:
Pavlo Bashynskiy 2021-12-30 11:43:37 +02:00
parent 2b74f4878f
commit 2679d724c3
4 changed files with 70 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
plugins/lookup/gcp_secret_access.py
View file

@ -69,7 +69,7 @@ _raw:
from ansible.errors import AnsibleError from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase from ansible.plugins.lookup import LookupBase
from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import GcpSecretLookup from ansible_collections.google.cloud.plugins.plugin_utils.gcp_utils import GcpSecretLookup
try: try:
from google.cloud import secretmanager from google.cloud import secretmanager

2
plugins/lookup/gcp_secret_resource_id.py
View file

@ -57,7 +57,7 @@ _raw:
from ansible.errors import AnsibleError from ansible.errors import AnsibleError
from ansible.plugins.lookup import LookupBase from ansible.plugins.lookup import LookupBase
from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import GcpSecretLookup from ansible_collections.google.cloud.plugins.plugin_utils.gcp_utils import GcpSecretLookup
try: try:
from google.cloud import secretmanager from google.cloud import secretmanager

56
plugins/module_utils/gcp_utils.py
View file

@ -8,7 +8,6 @@ __metaclass__ = type
import ast import ast
import os import os
import json import json
import re
try: try:
import requests import requests
@ -25,7 +24,6 @@ try:
except ImportError: except ImportError:
HAS_GOOGLE_LIBRARIES = False HAS_GOOGLE_LIBRARIES = False
from ansible.errors import AnsibleError
from ansible.module_utils.basic import AnsibleModule, env_fallback from ansible.module_utils.basic import AnsibleModule, env_fallback
from ansible.module_utils.six import string_types from ansible.module_utils.six import string_types
from ansible.module_utils._text import to_text, to_native from ansible.module_utils._text import to_text, to_native
@ -449,57 +447,3 @@ class GcpRequest(object):
new_dict[key] = self._convert_value(value[key]) new_dict[key] = self._convert_value(value[key])
return new_dict return new_dict
return to_text(value) return to_text(value)
# Handles all authentication and options for GCP Secrets Manager API calls in Lookup plugins.
class GcpSecretLookup():
def __init__(self):
if not HAS_GOOGLE_LIBRARIES:
raise AnsibleError("Please install the google-auth library")
self.plugin_name = ''
self.secret_id = None
self.version_id = None
self.project_id = None
self.service_account_file = None
self.scope = ["https://www.googleapis.com/auth/cloud-platform"]
def set_plugin_name(self, name):
self.plugin_name = name
def client(self, secretmanager):
if self.service_account_file is not None:
path = os.path.realpath(os.path.expanduser(self.service_account_file))
credentials = service_account.Credentials.from_service_account_file(path).with_scopes(self.scope)
return secretmanager.SecretManagerServiceClient(credentials=credentials)
return secretmanager.SecretManagerServiceClient()
def process_options(self, terms, variables=None, **kwargs):
self.secret_id = kwargs.get('secret')
self.version_id = kwargs.get('version', 'latest')
self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT'))
self.service_account_file = kwargs.get('service_account_file', os.getenv('GCP_SERVICE_ACCOUNT_FILE'))
if len(terms) > 1:
raise AnsibleError("{0} lookup plugin can have only one secret name or resource id".format(self.plugin_name))
if self.secret_id is None and len(terms) == 1:
self.secret_id = terms[0]
regex = r'^projects/([^/]+)/secrets/([^/]+)/versions/(.+)$'
match = re.match(regex, self.secret_id)
if match:
self.name = self.secret_id
self.project_id = match.group(1)
self.secret_id = match.group(2)
self.version_id = match.group(3)
return
if self.project_id is None:
raise AnsibleError("{0} lookup plugin required option: project or resource id".format(self.plugin_name))
if self.secret_id is None:
raise AnsibleError("{0} lookup plugin required option: secret or resource id".format(self.plugin_name))
self.name = f"projects/{self.project_id}/secrets/{self.secret_id}/versions/{self.version_id}"

68
plugins/plugin_utils/gcp_utils.py Normal file
View file

@ -0,0 +1,68 @@
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import os
import re
try:
from google.oauth2 import service_account
HAS_GOOGLE_LIBRARIES = True
except ImportError:
HAS_GOOGLE_LIBRARIES = False
from ansible.errors import AnsibleError
# Handles all authentication and options for GCP Secrets Manager API calls in Lookup plugins.
class GcpSecretLookup():
def __init__(self):
if not HAS_GOOGLE_LIBRARIES:
raise AnsibleError("Please install the google-auth library")
self.plugin_name = ''
self.secret_id = None
self.version_id = None
self.project_id = None
self.service_account_file = None
self.scope = ["https://www.googleapis.com/auth/cloud-platform"]
def set_plugin_name(self, name):
self.plugin_name = name
def client(self, secretmanager):
if self.service_account_file is not None:
path = os.path.realpath(os.path.expanduser(self.service_account_file))
credentials = service_account.Credentials.from_service_account_file(path).with_scopes(self.scope)
return secretmanager.SecretManagerServiceClient(credentials=credentials)
return secretmanager.SecretManagerServiceClient()
def process_options(self, terms, variables=None, **kwargs):
self.secret_id = kwargs.get('secret')
self.version_id = kwargs.get('version', 'latest')
self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT'))
self.service_account_file = kwargs.get('service_account_file', os.getenv('GOOGLE_APPLICATION_CREDENTIALS'))
if len(terms) > 1:
raise AnsibleError("{0} lookup plugin can have only one secret name or resource id".format(self.plugin_name))
if self.secret_id is None and len(terms) == 1:
self.secret_id = terms[0]
regex = r'^projects/([^/]+)/secrets/([^/]+)/versions/(.+)$'
match = re.match(regex, self.secret_id)
if match:
self.name = self.secret_id
self.project_id = match.group(1)
self.secret_id = match.group(2)
self.version_id = match.group(3)
return
if self.project_id is None:
raise AnsibleError("{0} lookup plugin required option: project or resource id".format(self.plugin_name))
if self.secret_id is None:
raise AnsibleError("{0} lookup plugin required option: secret or resource id".format(self.plugin_name))
self.name = f"projects/{self.project_id}/secrets/{self.secret_id}/versions/{self.version_id}"