mirror of
https://github.com/ansible-collections/google.cloud.git
synced 2025-08-03 20:54:29 -07:00
Merge pull request #685 from durgesh-ninave-crest/add-support-for-regional-secret-manager
Some checks failed
Run integration tests for the cloud.google collection / integration (stable-2.16) (push) Has been cancelled
Run integration tests for the cloud.google collection / integration (stable-2.17) (push) Has been cancelled
Run integration tests for the cloud.google collection / integration (stable-2.18) (push) Has been cancelled
Some checks failed
Run integration tests for the cloud.google collection / integration (stable-2.16) (push) Has been cancelled
Run integration tests for the cloud.google collection / integration (stable-2.17) (push) Has been cancelled
Run integration tests for the cloud.google collection / integration (stable-2.18) (push) Has been cancelled
feat(secretmanager): added support for regional secret manager
This commit is contained in:
Chris Hawk
GitHub
commit
83c593d943
10 changed files with 565 additions and 17 deletions
|
|
@ -5,8 +5,8 @@ from __future__ import (absolute_import, division, print_function)
|
|||
__metaclass__ = type
|
||||
|
||||
DOCUMENTATION = '''
|
||||
author: Google Inc. (@googlecloudplatform)
|
||||
name: gcp_secret_manager
|
||||
author: Dave Costakos (@davecostakos) <dcostako@redhat.com>
|
||||
short_description: Get Secrets from Google Cloud as a Lookup plugin
|
||||
description:
|
||||
- retrieve secret keys in Secret Manager for use in playbooks
|
||||
|
|
@ -14,6 +14,8 @@ DOCUMENTATION = '''
|
|||
credentials for Google Cloud and the format of such credentials
|
||||
- once a secret value is retreived, it is returned decoded. It is up to the developer
|
||||
to maintain secrecy of this value once returned.
|
||||
- if location option is defined, then it deals with the regional secrets of the
|
||||
location
|
||||
|
||||
options:
|
||||
key:
|
||||
|
|
@ -30,6 +32,10 @@ DOCUMENTATION = '''
|
|||
- The name of the google cloud project
|
||||
- defaults to OS env variable GCP_PROJECT if not present
|
||||
type: str
|
||||
location:
|
||||
description:
|
||||
- If provided, it defines the location of the regional secret.
|
||||
type: str
|
||||
auth_kind:
|
||||
description:
|
||||
- the type of authentication to use with Google Cloud (i.e. serviceaccount or machineaccount)
|
||||
|
|
@ -103,6 +109,23 @@ EXAMPLES = '''
|
|||
- name: Test getting specific version of a secret (new version)
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', version='2') }}"
|
||||
|
||||
- name: Test regional secret using env variables for credentials
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1') }}"
|
||||
|
||||
- name: Test regional secret using explicit credentials
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', project='project', auth_kind='serviceaccount',
|
||||
service_account_file='file.json') }}"
|
||||
|
||||
- name: Test getting specific version of a regional secret (old version)
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='1') }}"
|
||||
|
||||
- name: Test getting specific version of a regional secret (new version)
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ lookup('google.cloud.gcp_secret_manager', key='secret_key', location='us-central1', version='2') }}"
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
|
|
@ -168,6 +191,7 @@ class LookupModule(LookupBase):
|
|||
self.set_options(var_options=variables, direct=kwargs)
|
||||
params = {
|
||||
"key": self.get_option("key"),
|
||||
"location": self.get_option("location"),
|
||||
"version": self.get_option("version"),
|
||||
"access_token": self.get_option("access_token"),
|
||||
"scopes": self.get_option("scopes"),
|
||||
|
|
@ -199,7 +223,7 @@ class LookupModule(LookupBase):
|
|||
# to be set if secret versions get disabled
|
||||
# see https://issuetracker.google.com/issues/286489671
|
||||
def get_latest_version(self, module, auth):
|
||||
url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions?filter=state:ENABLED".format(
|
||||
url = (self.make_url_prefix(module) + "secrets/{name}/versions?filter=state:ENABLED").format(
|
||||
**module.params
|
||||
)
|
||||
response = auth.get(url)
|
||||
|
|
@ -249,7 +273,7 @@ class LookupModule(LookupBase):
|
|||
if module.params['calc_version'] is None:
|
||||
return ''
|
||||
|
||||
url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}:access".format(
|
||||
url = (self.make_url_prefix(module) + "secrets/{name}/versions/{calc_version}:access").format(
|
||||
**module.params
|
||||
)
|
||||
response = auth.get(url)
|
||||
|
|
@ -259,3 +283,8 @@ class LookupModule(LookupBase):
|
|||
return ''
|
||||
|
||||
return response.json()['payload']['data']
|
||||
|
||||
def make_url_prefix(self, module):
|
||||
if module.params['location']:
|
||||
return "https://secretmanager.{location}.rep.googleapis.com/v1/projects/{project}/locations/{location}/"
|
||||
return "https://secretmanager.googleapis.com/v1/projects/{project}/"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue