Merge pull request #685 from durgesh-ninave-crest/add-support-for-regional-secret-manager

feat(secretmanager): added support for regional secret manager
Chris Hawk 2025-06-20 13:47:49 -07:00 committed by GitHub
commit 83c593d943
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 565 additions and 17 deletions


@ -5,8 +5,8 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
DOCUMENTATION = '''
author: Google Inc. (@googlecloudplatform)
name: gcp_secret_manager
author: Dave Costakos (@davecostakos) <dcostako@redhat.com>
short_description: Get Secrets from Google Cloud as a Lookup plugin
description:
- retrieve secret keys in Secret Manager for use in playbooks
@ -14,6 +14,8 @@ DOCUMENTATION = '''
credentials for Google Cloud and the format of such credentials
- once a secret value is retreived, it is returned decoded. It is up to the developer
to maintain secrecy of this value once returned.
- if location option is defined, then it deals with the regional secrets of the
location
options:
key:
@ -30,6 +32,10 @@ DOCUMENTATION = '''
- The name of the google cloud project
- defaults to OS env variable GCP_PROJECT if not present
type: str
location:
description:
- If provided, it defines the location of the regional secret.
type: str
auth_kind:
description:
- the type of authentication to use with Google Cloud (i.e. serviceaccount or machineaccount)
@ -103,6 +109,23 @@ EXAMPLES = '''
- name: Test getting specific version of a secret (new version)
ansible.builtin.debug:
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='2') }}"
- name: Test regional secret using env variables for credentials
ansible.builtin.debug:
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1') }}"
- name: Test regional secret using explicit credentials
ansible.builtin.debug:
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', project='project', auth_kind='serviceaccount',
service_account_file='file.json') }}"
- name: Test getting specific version of a regional secret (old version)
ansible.builtin.debug:
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='1') }}"
- name: Test getting specific version of a regional secret (new version)
ansible.builtin.debug:
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='2') }}"
'''
RETURN = '''
@ -168,6 +191,7 @@ class LookupModule(LookupBase):
self.set_options(var_options=variables, direct=kwargs)
params = {
"key": self.get_option("key"),
"location": self.get_option("location"),
"version": self.get_option("version"),
"access_token": self.get_option("access_token"),
"scopes": self.get_option("scopes"),
@ -199,7 +223,7 @@ class LookupModule(LookupBase):
# to be set if secret versions get disabled
# see https://issuetracker.google.com/issues/286489671
def get_latest_version(self, module, auth):
url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions?filter=state:ENABLED".format(
url = (self.make_url_prefix(module) + "secrets/{name}/versions?filter=state:ENABLED").format(
**module.params
)
response = auth.get(url)
@ -249,7 +273,7 @@ class LookupModule(LookupBase):
if module.params['calc_version'] is None:
return ''
url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}:access".format(
url = (self.make_url_prefix(module) + "secrets/{name}/versions/{calc_version}:access").format(
**module.params
)
response = auth.get(url)
@ -259,3 +283,8 @@ class LookupModule(LookupBase):
return ''
return response.json()['payload']['data']
def make_url_prefix(self, module):
if module.params['location']:
return "https://secretmanager.{location}.rep.googleapis.com/v1/projects/{project}/locations/{location}/"
return "https://secretmanager.googleapis.com/v1/projects/{project}/"
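Review bot: make_url_prefix interpolates the `location` option straight into the endpoint host name (`secretmanager.{location}.rep.googleapis.com`) with no validation, so a mistyped or templated value containing `.` or `/` silently changes which host the request, and the bearer credentials attached to it, are sent to. Validating the value against the region-id shape before the URL is built would turn that into an immediate error, e.g. `if not re.fullmatch(r"[a-z0-9-]+", module.params['location']): raise AnsibleError("invalid location: %s" % module.params['location'])` with `re` imported and whichever error path this plugin already uses (not visible in the hunk). The same unchecked interpolation is in make_url_prefix of the module file in the next section, and the new `location` option in DOCUMENTATION lacks a `version_added` entry. The enclosing class LookupModule starts outside the hunk.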


@ -1,4 +1,5 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt
# or https://www.gnu.org/licenses/gpl-3.0.txt)
@ -24,8 +25,9 @@ description:
- Create new secret values.
- Add/remove versions of secrets.
- Please note that other features like etags, replication, annontation expected to be managed outside of Ansible.
- Deals with regional secrets if location option is defined.
short_description: Access and Update Google Cloud Secrets Manager objects
author: Dave Costakos (@davecostakos) <dcostako@redhat.com>
author: Google Inc. (@googlecloudplatform)
requirements:
- python >= 2.6
- requests >= 2.18.4
@ -83,6 +85,10 @@ options:
- key
- secret
- secret_id
location:
description:
- If provided, it defines the location of the regional secret.
type: str
value:
description:
- The secret value that the secret should have
@ -132,7 +138,7 @@ notes:
- The I(service_account_email) and I(service_account_file) options are mutually exclusive.
'''
EXAMPLES = r'''
EXAMPLES = '''
- name: Create a new secret
google.cloud.gcp_secret_manager:
name: secret_key
@ -176,9 +182,60 @@ EXAMPLES = r'''
value: super_secret
labels:
key_name: "ansible_rox"
- name: Create a new regional secret
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
value: super_secret
state: present
auth_kind: serviceaccount
service_account_file: service_account_creds.json
- name: Ensure the regional secret exists, fail otherwise and return the value
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
state: present
- name: Ensure regional secret exists but don't return the value
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
state: present
return_value: false
- name: Add a new version of a regional secret
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
value: updated super secret
state: present
- name: Delete version 1 of a regional secret (but not the secret itself)
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
version: 1
state: absent
- name: Delete all versions of a regional secret
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
version: all
state: absent
- name: Create a regional secret with labels
google.cloud.gcp_secret_manager:
name: secret_key
location: us-central1
value: super_secret
labels:
key_name: "ansible_rox"
'''
RETURN = r'''
RETURN = '''
resources:
description: List of resources
returned: always
@ -189,19 +246,24 @@ resources:
- The name of the secret
returned: success
type: str
location:
description:
- The location of the regional secret.
returned: success
type: str
version:
description:
- the version number of the secret returned
- The version number of the secret returned
returned: success
type: str
url:
description:
- the Google Cloud URL used to make the request
- The Google Cloud URL used to make the request
returned: success
type: str
status_code:
description:
- the HTTP status code of the response to Google Cloud
- The HTTP status code of the response to Google Cloud
returned: success
type: str
msg:
@ -241,24 +303,30 @@ def get_auth(module):
return GcpSession(module, 'secret-manager')
def make_url_prefix(module):
if module.params['location']:
return "https://secretmanager.{location}.rep.googleapis.com/v1/projects/{project}/locations/{location}/"
return "https://secretmanager.googleapis.com/v1/projects/{project}/"
def self_access_link(module):
return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}:access".format(**module.params)
return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version}:access").format(**module.params)
def self_get_link(module):
return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}".format(**module.params)
return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version}").format(**module.params)
def self_update_link(module):
return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version:version}".format(**module.params)
return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version:version}").format(**module.params)
def self_list_link(module):
return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions?filter=state:ENABLED".format(**module.params)
return (make_url_prefix(module) + "secrets/{name}/versions?filter=state:ENABLED").format(**module.params)
def self_delete_link(module):
return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}".format(**module.params)
return (make_url_prefix(module) + "secrets/{name}").format(**module.params)
def fetch_resource(module, allow_not_found=True):
@ -307,10 +375,12 @@ def merge_dicts(x, y):
def create_secret(module):
# build the payload
payload = {"replication": {"automatic": {}}}
if module.params['location']:
payload = dict()
if module.params['labels']:
payload['labels'] = module.params['labels']
url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets".format(**module.params)
url = (make_url_prefix(module) + "secrets").format(**module.params)
auth = get_auth(module)
post_response = auth.post(url, body=payload, params={'secretId': module.params['name']})
# validate create
@ -327,7 +397,7 @@ def update_secret(module):
}
}
auth = get_auth(module)
url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}:addVersion".format(**module.params)
url = (make_url_prefix(module) + "secrets/{name}:addVersion").format(**module.params)
return return_if_object(module, auth.post(url, payload), False)
@ -376,7 +446,11 @@ def return_if_object(module, response, allow_not_found=False):
result['status_code'] = response.status_code
if "name" in result:
result['version'] = result['name'].split("/")[-1]
result['name'] = result['name'].split("/")[3]
if 'locations' in result['name'].split("/"):
result['location'] = result['name'].split("/")[3]
result['name'] = result['name'].split("/")[5]
else:
result['name'] = result['name'].split("/")[3]
# base64 decode the value
if "payload" in result and "data" in result['payload']:
@ -401,6 +475,7 @@ def main():
argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'),
name=dict(required=True, type='str', aliases=['key', 'secret', 'secret_id']),
location=dict(required=False, type='str'),
value=dict(required=False, type='str'),
version=dict(required=False, type='str', default='latest'),
return_value=dict(required=False, type='bool', default=True),
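Review bot: In return_if_object the test `'locations' in result['name'].split("/")` is a membership check over every path segment, so a global secret whose ID is literally `locations` (resource name `projects/P/secrets/locations/versions/1`) takes the regional branch and comes back with location set to `locations` and the name taken from the wrong segment. Checking the segment position instead (`parts[2] == 'locations'`), and splitting the name once rather than five times, makes the parse unambiguous; the rewrite is below. return_if_object starts and ends outside its hunk.
```python
    if "name" in result:
        parts = result['name'].split("/")
        result['version'] = parts[-1]
        # Regional resource names are projects/P/locations/L/secrets/S/...;
        # check the segment position, not membership, so a secret whose ID is
        # literally "locations" is not mistaken for a regional one.
        if len(parts) > 5 and parts[2] == 'locations':
            result['location'] = parts[3]
            result['name'] = parts[5]
        else:
            result['name'] = parts[3]
    # … unchanged: base64 decode of the payload …
```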


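--- /dev/null
+++ b/<path-not-on-page>
@@ -0,0 +1 @@
+cloud/gcp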


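--- /dev/null
+++ b/<path-not-on-page>
@@ -0,0 +1,3 @@
+---
+resource_name: "{{ resource_prefix }}"
+lookup_resource_name: "{{ resource_prefix }}_lookup"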


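--- /dev/null
+++ b/<path-not-on-page>
@@ -0,0 +1,9 @@
+---
+- name: Secrets tests
+ansible.builtin.include_tasks: secrets.yml
+- name: Secrets lookup tests
+ansible.builtin.include_tasks: secretslookup.yml
+- name: Regional Secrets tests
+ansible.builtin.include_tasks: regionalsecrets.yml
+- name: Regional Secrets lookup tests
+ansible.builtin.include_tasks: regionalsecretslookup.yml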


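--- /dev/null
+++ b/<dir-not-on-page>/regionalsecrets.yml
@@ -0,0 +1,146 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Pre-test setup
+- name: Delete the regional test secret if it exists
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+version: "all"
+location: "us-central1"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+# ----------------------------------------------------------
+- name: Create a regional secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+value: "ansible-test-regional-secret-value"
+labels:
+key1: "val1"
+key2: "val2"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Create a regional secret that already exists
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+value: "ansible-test-regional-secret-value"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false
+# ----------------------------------------------------------
+- name: Add a new version to a regional secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+value: "ansible-test-regional-secret-value-updated"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Add a version that exists to a regional secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+value: "ansible-test-regional-secret-value-updated"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false
+# ----------------------------------------------------------
+- name: Ensure the regional secret exists
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false
+# ----------------------------------------------------------
+- name: Delete the regional secret version
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+version: "1"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Delete the regional secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Delete the regional secret that does not exist
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+location: "us-central1"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false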
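Review bot: Nothing in this task file runs on failure, so if any assert between "Create a regional secret" and "Delete the regional secret" fails, the test secret and the value stored in it stay behind in the project. The lookup test files in this PR already end with an `ignore_errors: true` teardown, and the same belongs here inside a `block:`/`always:` pair so the final delete runs regardless of how the asserts go. The `result.changed == true` / `== false` comparisons are also ansible-lint's literal-compare pattern; `- result.changed` and `- not result.changed` test the same thing and lint clean. The non-regional secrets.yml section later on this page has the same two points.
```yaml
- name: Regional secret tests
  block:
    # … unchanged: the create / update / delete tasks and their asserts …
  always:
    - name: Delete the regional test secret
      google.cloud.gcp_secret_manager:
        name: "{{ resource_name }}"
        location: "us-central1"
        version: "all"
        project: "{{ gcp_project }}"
        auth_kind: "{{ gcp_cred_kind }}"
        service_account_file: "{{ gcp_cred_file | default(omit) }}"
        state: absent
      ignore_errors: true
```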


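--- /dev/null
+++ b/<dir-not-on-page>/regionalsecretslookup.yml
@@ -0,0 +1,76 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Pre-test setup
+- name: Delete the regional test secret if it exists
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+version: "all"
+location: "us-central1"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+- name: Create a regional secret
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+location: "us-central1"
+value: "ansible lookup test regional secret value"
+labels:
+key1: "val1"
+key2: "val2"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+- name: Add a new version to a regional secret
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+location: "us-central1"
+value: "ansible lookup test regional secret value updated"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+# ----------------------------------------------------------
+- name: Retrieve the latest secret version of a regional secret
+ansible.builtin.debug:
+msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, location='us-central1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}"
+register: result
+- name: Assert secret value
+ansible.builtin.assert:
+that:
+- result.msg == "ansible lookup test regional secret value updated"
+# ----------------------------------------------------------
+- name: Retrieve the specified secret version of a regional secret
+ansible.builtin.debug:
+msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, location='us-central1', version='1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}"
+register: result
+- name: Assert secret value
+ansible.builtin.assert:
+that:
+- result.msg == "ansible lookup test regional secret value"
+# ---------------------------------------------------------
+# Post-test teardown
+# If errors happen, don't crash the playbook!
+- name: Delete the regional test secret
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+location: "us-central1"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+ignore_errors: true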
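Review bot: The two `ansible.builtin.debug` tasks print the retrieved secret value to stdout, so it ends up in the CI job log, while the registered `result.msg` is only needed for the assert that follows. Capturing the lookup with `ansible.builtin.set_fact` under `no_log: true` and asserting on the fact tests the same thing without writing the value to the log. The two debug tasks in secretslookup.yml, the last section on this page, have the same issue.
```yaml
- name: Retrieve the latest secret version of a regional secret
  ansible.builtin.set_fact:
    regional_secret_value: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, location='us-central1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}"
  no_log: true
- name: Assert secret value
  ansible.builtin.assert:
    that:
      - regional_secret_value == "ansible lookup test regional secret value updated"
# … unchanged: the version='1' retrieval, written the same way, and the teardown …
```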


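--- /dev/null
+++ b/<dir-not-on-page>/secrets.yml
@@ -0,0 +1,137 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Pre-test setup
+- name: Delete the test secret if it exists
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+# ----------------------------------------------------------
+- name: Create a secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+value: "ansible-test-secret-value"
+labels:
+key1: "val1"
+key2: "val2"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Create a secret that already exists
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+value: "ansible-test-secret-value"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false
+# ----------------------------------------------------------
+- name: Add a new version to a secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+value: "ansible-test-secret-value-updated"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Add a version that exists to a secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+value: "ansible-test-secret-value-updated"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false
+# ----------------------------------------------------------
+- name: Ensure the secret exists
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false
+# ----------------------------------------------------------
+- name: Delete the secret version
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+version: "1"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Delete the secret
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+register: result
+- name: Assert changed is true
+ansible.builtin.assert:
+that:
+- result.changed == true
+# ----------------------------------------------------------
+- name: Delete the secret that does not exist
+google.cloud.gcp_secret_manager:
+name: "{{ resource_name }}"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+register: result
+- name: Assert changed is false
+ansible.builtin.assert:
+that:
+- result.changed == false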


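--- /dev/null
+++ b/<dir-not-on-page>/secretslookup.yml
@@ -0,0 +1,72 @@
+# Copyright 2024 Google Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+# Pre-test setup
+- name: Delete the test secret if it exists
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+- name: Create a secret
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+value: "ansible lookup test secret value"
+labels:
+key1: "val1"
+key2: "val2"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+- name: Add a new version to a secret
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+value: "ansible lookup test secret value updated"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: present
+# ----------------------------------------------------------
+- name: Retrieve the latest secret version of a secret
+ansible.builtin.debug:
+msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}"
+register: result
+- name: Assert secret value
+ansible.builtin.assert:
+that:
+- result.msg == "ansible lookup test secret value updated"
+# ----------------------------------------------------------
+- name: Retrieve the specified secret version of a secret
+ansible.builtin.debug:
+msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, version='1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}"
+register: result
+- name: Assert secret value
+ansible.builtin.assert:
+that:
+- result.msg == "ansible lookup test secret value"
+# ---------------------------------------------------------
+# Post-test teardown
+# If errors happen, don't crash the playbook!
+- name: Delete the test secret
+google.cloud.gcp_secret_manager:
+name: "{{ lookup_resource_name }}"
+version: "all"
+project: "{{ gcp_project }}"
+auth_kind: "{{ gcp_cred_kind }}"
+service_account_file: "{{ gcp_cred_file | default(omit) }}"
+state: absent
+ignore_errors: true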