Support Secret Manager

2025-04-23 03:11:22 -07:00 · 2020-12-31 01:46:38 +02:00 · 2020-12-31 01:46:38 +02:00 · 2b74f4878f
commit 2b74f4878f
parent ec093086ab
3 changed files with 240 additions and 0 deletions
--- a/plugins/module_utils/gcp_utils.py
+++ b/plugins/module_utils/gcp_utils.py
@ -8,6 +8,7 @@ __metaclass__ = type
 import ast
 import os
 import json
+import re

 try:
    import requests
@ -24,6 +25,7 @@ try:
 except ImportError:
    HAS_GOOGLE_LIBRARIES = False

+from ansible.errors import AnsibleError
 from ansible.module_utils.basic import AnsibleModule, env_fallback
 from ansible.module_utils.six import string_types
 from ansible.module_utils._text import to_text, to_native
@ -447,3 +449,57 @@ class GcpRequest(object):
                new_dict[key] = self._convert_value(value[key])
            return new_dict
        return to_text(value)
+
+
+# Handles all authentication and options for GCP Secrets Manager API calls in Lookup plugins.
+class GcpSecretLookup():
+    def __init__(self):
+        if not HAS_GOOGLE_LIBRARIES:
+            raise AnsibleError("Please install the google-auth library")
+
+        self.plugin_name = ''
+        self.secret_id = None
+        self.version_id = None
+        self.project_id = None
+        self.service_account_file = None
+        self.scope = ["https://www.googleapis.com/auth/cloud-platform"]
+
+    def set_plugin_name(self, name):
+        self.plugin_name = name
+
+    def client(self, secretmanager):
+        if self.service_account_file is not None:
+            path = os.path.realpath(os.path.expanduser(self.service_account_file))
+            credentials = service_account.Credentials.from_service_account_file(path).with_scopes(self.scope)
+            return secretmanager.SecretManagerServiceClient(credentials=credentials)
+
+        return secretmanager.SecretManagerServiceClient()
+
+    def process_options(self, terms, variables=None, **kwargs):
+        self.secret_id = kwargs.get('secret')
+        self.version_id = kwargs.get('version', 'latest')
+        self.project_id = kwargs.get('project', os.getenv('GCP_PROJECT'))
+        self.service_account_file = kwargs.get('service_account_file', os.getenv('GCP_SERVICE_ACCOUNT_FILE'))
+
+        if len(terms) > 1:
+            raise AnsibleError("{0} lookup plugin can have only one secret name or resource id".format(self.plugin_name))
+
+        if self.secret_id is None and len(terms) == 1:
+            self.secret_id = terms[0]
+
+        regex = r'^projects/([^/]+)/secrets/([^/]+)/versions/(.+)$'
+        match = re.match(regex, self.secret_id)
+        if match:
+            self.name = self.secret_id
+            self.project_id = match.group(1)
+            self.secret_id = match.group(2)
+            self.version_id = match.group(3)
+            return
+
+        if self.project_id is None:
+            raise AnsibleError("{0} lookup plugin required option: project or resource id".format(self.plugin_name))
+
+        if self.secret_id is None:
+            raise AnsibleError("{0} lookup plugin required option: secret or resource id".format(self.plugin_name))
+
+        self.name = f"projects/{self.project_id}/secrets/{self.secret_id}/versions/{self.version_id}"