Merge pull request #685 from durgesh-ninave-crest/add-support-for-regional-secret-manager

feat(secretmanager): added support for regional secret manager
2025-09-29 21:13:30 -07:00 · 2025-06-20 13:47:49 -07:00 · 2025-06-20 13:47:49 -07:00 · 83c593d943
commit 83c593d943
parent af3498daff ac08c81321
10 changed files with 565 additions and 17 deletions
--- a/plugins/modules/gcp_secret_manager.py
+++ b/plugins/modules/gcp_secret_manager.py
@ -1,4 +1,5 @@
 #!/usr/bin/python
+# -*- coding: utf-8 -*-

 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt
 # or https://www.gnu.org/licenses/gpl-3.0.txt)
@ -24,8 +25,9 @@ description:
 - Create new secret values.
 - Add/remove versions of secrets.
 - Please note that other features like etags, replication, annontation expected to be managed outside of Ansible.
+- Deals with regional secrets if location option is defined.
 short_description: Access and Update Google Cloud Secrets Manager objects
-author: Dave Costakos (@davecostakos) <dcostako@redhat.com>
+author: Google Inc. (@googlecloudplatform)
 requirements:
 - python >= 2.6
 - requests >= 2.18.4
@ -83,6 +85,10 @@ options:
    - key
    - secret
    - secret_id
+  location:
+    description:
+    - If provided, it defines the location of the regional secret.
+    type: str
  value:
    description:
    - The secret value that the secret should have
@ -132,7 +138,7 @@ notes:
 - The I(service_account_email) and I(service_account_file) options are mutually exclusive.
 '''

-EXAMPLES = r'''
+EXAMPLES = '''
 - name: Create a new secret
  google.cloud.gcp_secret_manager:
    name: secret_key
@ -176,9 +182,60 @@ EXAMPLES = r'''
    value: super_secret
    labels:
      key_name: "ansible_rox"
+
+- name: Create a new regional secret
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    value: super_secret
+    state: present
+    auth_kind: serviceaccount
+    service_account_file: service_account_creds.json
+
+- name: Ensure the regional secret exists, fail otherwise and return the value
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    state: present
+
+- name: Ensure regional secret exists but don't return the value
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    state: present
+    return_value: false
+
+- name: Add a new version of a regional secret
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    value: updated super secret
+    state: present
+
+- name: Delete version 1 of a regional secret (but not the secret itself)
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    version: 1
+    state: absent
+
+- name: Delete all versions of a regional secret
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    version: all
+    state: absent
+
+- name: Create a regional secret with labels
+  google.cloud.gcp_secret_manager:
+    name: secret_key
+    location: us-central1
+    value: super_secret
+    labels:
+      key_name: "ansible_rox"
 '''

-RETURN = r'''
+RETURN = '''
 resources:
  description: List of resources
  returned: always
@ -189,19 +246,24 @@ resources:
      - The name of the secret
      returned: success
      type: str
+    location:
+      description:
+      - The location of the regional secret.
+      returned: success
+      type: str
    version:
      description:
-      - the version number of the secret returned
+      - The version number of the secret returned
      returned: success
      type: str
    url:
      description:
-      - the Google Cloud URL used to make the request
+      - The Google Cloud URL used to make the request
      returned: success
      type: str
    status_code:
      description:
-      - the HTTP status code of the response to Google Cloud
+      - The HTTP status code of the response to Google Cloud
      returned: success
      type: str
    msg:
@ -241,24 +303,30 @@ def get_auth(module):
    return GcpSession(module, 'secret-manager')


+def make_url_prefix(module):
+    if module.params['location']:
+        return "https://secretmanager.{location}.rep.googleapis.com/v1/projects/{project}/locations/{location}/"
+    return "https://secretmanager.googleapis.com/v1/projects/{project}/"
+
+
 def self_access_link(module):
-    return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}:access".format(**module.params)
+    return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version}:access").format(**module.params)


 def self_get_link(module):
-    return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version}".format(**module.params)
+    return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version}").format(**module.params)


 def self_update_link(module):
-    return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions/{calc_version:version}".format(**module.params)
+    return (make_url_prefix(module) + "secrets/{name}/versions/{calc_version:version}").format(**module.params)


 def self_list_link(module):
-    return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}/versions?filter=state:ENABLED".format(**module.params)
+    return (make_url_prefix(module) + "secrets/{name}/versions?filter=state:ENABLED").format(**module.params)


 def self_delete_link(module):
-    return "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}".format(**module.params)
+    return (make_url_prefix(module) + "secrets/{name}").format(**module.params)


 def fetch_resource(module, allow_not_found=True):
@ -307,10 +375,12 @@ def merge_dicts(x, y):
 def create_secret(module):
    # build the payload
    payload = {"replication": {"automatic": {}}}
+    if module.params['location']:
+        payload = dict()
    if module.params['labels']:
        payload['labels'] = module.params['labels']

-    url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets".format(**module.params)
+    url = (make_url_prefix(module) + "secrets").format(**module.params)
    auth = get_auth(module)
    post_response = auth.post(url, body=payload, params={'secretId': module.params['name']})
    # validate create
@ -327,7 +397,7 @@ def update_secret(module):
        }
    }
    auth = get_auth(module)
-    url = "https://secretmanager.googleapis.com/v1/projects/{project}/secrets/{name}:addVersion".format(**module.params)
+    url = (make_url_prefix(module) + "secrets/{name}:addVersion").format(**module.params)
    return return_if_object(module, auth.post(url, payload), False)


@ -376,7 +446,11 @@ def return_if_object(module, response, allow_not_found=False):
        result['status_code'] = response.status_code
        if "name" in result:
            result['version'] = result['name'].split("/")[-1]
-            result['name'] = result['name'].split("/")[3]
+            if 'locations' in result['name'].split("/"):
+                result['location'] = result['name'].split("/")[3]
+                result['name'] = result['name'].split("/")[5]
+            else:
+                result['name'] = result['name'].split("/")[3]

        # base64 decode the value
        if "payload" in result and "data" in result['payload']:
@ -401,6 +475,7 @@ def main():
        argument_spec=dict(
            state=dict(default='present', choices=['present', 'absent'], type='str'),
            name=dict(required=True, type='str', aliases=['key', 'secret', 'secret_id']),
+            location=dict(required=False, type='str'),
            value=dict(required=False, type='str'),
            version=dict(required=False, type='str', default='latest'),
            return_value=dict(required=False, type='bool', default=True),