diff --git a/plugins/lookup/gcp_secret_manager.py b/plugins/lookup/gcp_secret_manager.py index c7ef20d4..8537eff4 100644 --- a/plugins/lookup/gcp_secret_manager.py +++ b/plugins/lookup/gcp_secret_manager.py @@ -5,8 +5,8 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type DOCUMENTATION = ''' + author: Google Inc. (@googlecloudplatform) name: gcp_secret_manager - author: Dave Costakos (@davecostakos) short_description: Get Secrets from Google Cloud as a Lookup plugin description: - retrieve secret keys in Secret Manager for use in playbooks @@ -14,6 +14,8 @@ DOCUMENTATION = ''' credentials for Google Cloud and the format of such credentials - once a secret value is retreived, it is returned decoded. It is up to the developer to maintain secrecy of this value once returned. + - if location option is defined, then it deals with the regional secrets of the + location options: key: @@ -30,6 +32,10 @@ DOCUMENTATION = ''' - The name of the google cloud project - defaults to OS env variable GCP_PROJECT if not present type: str + location: + description: + - If provided, it defines the location of the regional secret. + type: str auth_kind: description: - the type of authentication to use with Google Cloud (i.e. serviceaccount or machineaccount) @@ -103,6 +109,23 @@ EXAMPLES = ''' - name: Test getting specific version of a secret (new version) ansible.builtin.debug: msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='2') }}" + +- name: Test regional secret using env variables for credentials + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1') }}" + +- name: Test regional secret using explicit credentials + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', project='project', auth_kind='serviceaccount', + service_account_file='file.json') }}" + +- name: Test getting specific version of a regional secret (old version) + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='1') }}" + +- name: Test getting specific version of a regional secret (new version) + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='2') }}" ''' RETURN = ''' @@ -168,6 +191,7 @@ class LookupModule(LookupBase): self.set_options(var_options=variables, direct=kwargs) params = { "key": self.get_option("key"), + "location": self.get_option("location"), "version": self.get_option("version"), "access_token": self.get_option("access_token"), "scopes": self.get_option("scopes"), @@ -199,7 +223,7 @@ class LookupModule(LookupBase): # to be set if secret versions get disabled # see https://issuetracker.google.com/issues/286489671 def get_latest_version(self, module, auth): - url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions?filter=state:ENABLED".format( + url = (self.make_url_prefix(module) + "secrets/{name}/versions?filter=state:ENABLED").format( **module.params ) response = auth.get(url) @@ -249,7 +273,7 @@ class LookupModule(LookupBase): if module.params['calc_version'] is None: return '' - url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}:access".format( + url = (self.make_url_prefix(module) + "secrets/{name}/versions/{calc_version}:access").format( **module.params ) response = auth.get(url) @@ -259,3 +283,8 @@ class LookupModule(LookupBase): return '' return response.json()['payload']['data'] + + def make_url_prefix(self, module): + if module.params['location']: + return "https://secretmanager.{location}.rep.googleapis.com/v1/projects/{project}/locations/{location}/" + return "https://secretmanager.googleapis.com/v1/projects/{project}/" diff --git a/plugins/modules/gcp_secret_manager.py b/plugins/modules/gcp_secret_manager.py index a1e325e4..bff1d07d 100644 --- a/plugins/modules/gcp_secret_manager.py +++ b/plugins/modules/gcp_secret_manager.py @@ -1,4 +1,5 @@ #!/usr/bin/python +# -*- coding: utf-8 -*- # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt # or https://www.gnu.org/licenses/gpl-3.0.txt) @@ -24,8 +25,9 @@ description: - Create new secret values. - Add/remove versions of secrets. - Please note that other features like etags, replication, annontation expected to be managed outside of Ansible. +- Deals with regional secrets if location option is defined. short_description: Access and Update Google Cloud Secrets Manager objects -author: Dave Costakos (@davecostakos) +author: Google Inc. (@googlecloudplatform) requirements: - python >= 2.6 - requests >= 2.18.4 @@ -83,6 +85,10 @@ options: - key - secret - secret_id + location: + description: + - If provided, it defines the location of the regional secret. + type: str value: description: - The secret value that the secret should have @@ -132,7 +138,7 @@ notes: - The I(service_account_email) and I(service_account_file) options are mutually exclusive. ''' -EXAMPLES = r''' +EXAMPLES = ''' - name: Create a new secret google.cloud.gcp_secret_manager: name: secret_key @@ -176,9 +182,60 @@ EXAMPLES = r''' value: super_secret labels: key_name: "ansible_rox" + +- name: Create a new regional secret + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + value: super_secret + state: present + auth_kind: serviceaccount + service_account_file: service_account_creds.json + +- name: Ensure the regional secret exists, fail otherwise and return the value + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + state: present + +- name: Ensure regional secret exists but don't return the value + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + state: present + return_value: false + +- name: Add a new version of a regional secret + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + value: updated super secret + state: present + +- name: Delete version 1 of a regional secret (but not the secret itself) + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + version: 1 + state: absent + +- name: Delete all versions of a regional secret + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + version: all + state: absent + +- name: Create a regional secret with labels + google.cloud.gcp_secret_manager: + name: secret_key + location: us-central1 + value: super_secret + labels: + key_name: "ansible_rox" ''' -RETURN = r''' +RETURN = ''' resources: description: List of resources returned: always @@ -189,19 +246,24 @@ resources: - The name of the secret returned: success type: str + location: + description: + - The location of the regional secret. + returned: success + type: str version: description: - - the version number of the secret returned + - The version number of the secret returned returned: success type: str url: description: - - the Google Cloud URL used to make the request + - The Google Cloud URL used to make the request returned: success type: str status_code: description: - - the HTTP status code of the response to Google Cloud + - The HTTP status code of the response to Google Cloud returned: success type: str msg: @@ -241,24 +303,30 @@ def get_auth(module): return GcpSession(module, 'secret-manager') +def make_url_prefix(module): + if module.params['location']: + return "https://secretmanager.{location}.rep.googleapis.com/v1/projects/{project}/locations/{location}/" + return "https://secretmanager.googleapis.com/v1/projects/{project}/" + + def self_access_link(module): - return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}:access".format(**module.params) + return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version}:access").format(**module.params) def self_get_link(module): - return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}".format(**module.params) + return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version}").format(**module.params) def self_update_link(module): - return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version:version}".format(**module.params) + return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version:version}").format(**module.params) def self_list_link(module): - return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions?filter=state:ENABLED".format(**module.params) + return (make_url_prefix(module) + "secrets/{name}/versions?filter=state:ENABLED").format(**module.params) def self_delete_link(module): - return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}".format(**module.params) + return (make_url_prefix(module) + "secrets/{name}").format(**module.params) def fetch_resource(module, allow_not_found=True): @@ -307,10 +375,12 @@ def merge_dicts(x, y): def create_secret(module): # build the payload payload = {"replication": {"automatic": {}}} + if module.params['location']: + payload = dict() if module.params['labels']: payload['labels'] = module.params['labels'] - url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets".format(**module.params) + url = (make_url_prefix(module) + "secrets").format(**module.params) auth = get_auth(module) post_response = auth.post(url, body=payload, params={'secretId': module.params['name']}) # validate create @@ -327,7 +397,7 @@ def update_secret(module): } } auth = get_auth(module) - url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}:addVersion".format(**module.params) + url = (make_url_prefix(module) + "secrets/{name}:addVersion").format(**module.params) return return_if_object(module, auth.post(url, payload), False) @@ -376,7 +446,11 @@ def return_if_object(module, response, allow_not_found=False): result['status_code'] = response.status_code if "name" in result: result['version'] = result['name'].split("/")[-1] - result['name'] = result['name'].split("/")[3] + if 'locations' in result['name'].split("/"): + result['location'] = result['name'].split("/")[3] + result['name'] = result['name'].split("/")[5] + else: + result['name'] = result['name'].split("/")[3] # base64 decode the value if "payload" in result and "data" in result['payload']: @@ -401,6 +475,7 @@ def main(): argument_spec=dict( state=dict(default='present', choices=['present', 'absent'], type='str'), name=dict(required=True, type='str', aliases=['key', 'secret', 'secret_id']), + location=dict(required=False, type='str'), value=dict(required=False, type='str'), version=dict(required=False, type='str', default='latest'), return_value=dict(required=False, type='bool', default=True), diff --git a/tests/integration/targets/gcp_secret_manager/aliases b/tests/integration/targets/gcp_secret_manager/aliases new file mode 100644 index 00000000..0e4419e3 --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/aliases @@ -0,0 +1 @@ +cloud/gcp \ No newline at end of file diff --git a/tests/integration/targets/gcp_secret_manager/defaults/main.yml b/tests/integration/targets/gcp_secret_manager/defaults/main.yml new file mode 100644 index 00000000..61fa8b04 --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/defaults/main.yml @@ -0,0 +1,3 @@ +--- +resource_name: "{{ resource_prefix }}" +lookup_resource_name: "{{ resource_prefix }}_lookup" diff --git a/tests/integration/targets/gcp_secret_manager/meta/main.yml b/tests/integration/targets/gcp_secret_manager/meta/main.yml new file mode 100644 index 00000000..e69de29b diff --git a/tests/integration/targets/gcp_secret_manager/tasks/main.yml b/tests/integration/targets/gcp_secret_manager/tasks/main.yml new file mode 100644 index 00000000..37aace00 --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: Secrets tests + ansible.builtin.include_tasks: secrets.yml +- name: Secrets lookup tests + ansible.builtin.include_tasks: secretslookup.yml +- name: Regional Secrets tests + ansible.builtin.include_tasks: regionalsecrets.yml +- name: Regional Secrets lookup tests + ansible.builtin.include_tasks: regionalsecretslookup.yml diff --git a/tests/integration/targets/gcp_secret_manager/tasks/regionalsecrets.yml b/tests/integration/targets/gcp_secret_manager/tasks/regionalsecrets.yml new file mode 100644 index 00000000..02abbe35 --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/tasks/regionalsecrets.yml @@ -0,0 +1,146 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Pre-test setup +- name: Delete the regional test secret if it exists + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + version: "all" + location: "us-central1" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent +# ---------------------------------------------------------- +- name: Create a regional secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + value: "ansible-test-regional-secret-value" + labels: + key1: "val1" + key2: "val2" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Create a regional secret that already exists + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + value: "ansible-test-regional-secret-value" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false +# ---------------------------------------------------------- +- name: Add a new version to a regional secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + value: "ansible-test-regional-secret-value-updated" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Add a version that exists to a regional secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + value: "ansible-test-regional-secret-value-updated" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false +# ---------------------------------------------------------- +- name: Ensure the regional secret exists + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false +# ---------------------------------------------------------- +- name: Delete the regional secret version + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + version: "1" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Delete the regional secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Delete the regional secret that does not exist + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + location: "us-central1" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false diff --git a/tests/integration/targets/gcp_secret_manager/tasks/regionalsecretslookup.yml b/tests/integration/targets/gcp_secret_manager/tasks/regionalsecretslookup.yml new file mode 100644 index 00000000..1a9c3a52 --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/tasks/regionalsecretslookup.yml @@ -0,0 +1,76 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Pre-test setup +- name: Delete the regional test secret if it exists + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + version: "all" + location: "us-central1" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent +- name: Create a regional secret + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + location: "us-central1" + value: "ansible lookup test regional secret value" + labels: + key1: "val1" + key2: "val2" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present +- name: Add a new version to a regional secret + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + location: "us-central1" + value: "ansible lookup test regional secret value updated" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present +# ---------------------------------------------------------- +- name: Retrieve the latest secret version of a regional secret + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, location='us-central1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}" + register: result +- name: Assert secret value + ansible.builtin.assert: + that: + - result.msg == "ansible lookup test regional secret value updated" +# ---------------------------------------------------------- +- name: Retrieve the specified secret version of a regional secret + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, location='us-central1', version='1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}" + register: result +- name: Assert secret value + ansible.builtin.assert: + that: + - result.msg == "ansible lookup test regional secret value" +# --------------------------------------------------------- +# Post-test teardown +# If errors happen, don't crash the playbook! +- name: Delete the regional test secret + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + location: "us-central1" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + ignore_errors: true diff --git a/tests/integration/targets/gcp_secret_manager/tasks/secrets.yml b/tests/integration/targets/gcp_secret_manager/tasks/secrets.yml new file mode 100644 index 00000000..16d656db --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/tasks/secrets.yml @@ -0,0 +1,137 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Pre-test setup +- name: Delete the test secret if it exists + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent +# ---------------------------------------------------------- +- name: Create a secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + value: "ansible-test-secret-value" + labels: + key1: "val1" + key2: "val2" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Create a secret that already exists + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + value: "ansible-test-secret-value" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false +# ---------------------------------------------------------- +- name: Add a new version to a secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + value: "ansible-test-secret-value-updated" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Add a version that exists to a secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + value: "ansible-test-secret-value-updated" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false +# ---------------------------------------------------------- +- name: Ensure the secret exists + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false +# ---------------------------------------------------------- +- name: Delete the secret version + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + version: "1" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Delete the secret + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + register: result +- name: Assert changed is true + ansible.builtin.assert: + that: + - result.changed == true +# ---------------------------------------------------------- +- name: Delete the secret that does not exist + google.cloud.gcp_secret_manager: + name: "{{ resource_name }}" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + register: result +- name: Assert changed is false + ansible.builtin.assert: + that: + - result.changed == false diff --git a/tests/integration/targets/gcp_secret_manager/tasks/secretslookup.yml b/tests/integration/targets/gcp_secret_manager/tasks/secretslookup.yml new file mode 100644 index 00000000..2ba9c2f3 --- /dev/null +++ b/tests/integration/targets/gcp_secret_manager/tasks/secretslookup.yml @@ -0,0 +1,72 @@ +# Copyright 2024 Google Inc. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +# Pre-test setup +- name: Delete the test secret if it exists + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent +- name: Create a secret + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + value: "ansible lookup test secret value" + labels: + key1: "val1" + key2: "val2" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present +- name: Add a new version to a secret + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + value: "ansible lookup test secret value updated" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: present +# ---------------------------------------------------------- +- name: Retrieve the latest secret version of a secret + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}" + register: result +- name: Assert secret value + ansible.builtin.assert: + that: + - result.msg == "ansible lookup test secret value updated" +# ---------------------------------------------------------- +- name: Retrieve the specified secret version of a secret + ansible.builtin.debug: + msg: "{{ lookup('google.cloud.gcp_secret_manager', key=lookup_resource_name, version='1', project=gcp_project, auth_kind=gcp_cred_kind, service_account_file=gcp_cred_file | default(omit)) }}" + register: result +- name: Assert secret value + ansible.builtin.assert: + that: + - result.msg == "ansible lookup test secret value" +# --------------------------------------------------------- +# Post-test teardown +# If errors happen, don't crash the playbook! +- name: Delete the test secret + google.cloud.gcp_secret_manager: + name: "{{ lookup_resource_name }}" + version: "all" + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file | default(omit) }}" + state: absent + ignore_errors: true