From 9a7d66f6c419d11477913d469f17097e7ba97822 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 18:32:11 +0200
Subject: [PATCH 1/9] fix: better env vars
---
 .gitignore | 2 ++
 plugins/lookup/read_secrets.py | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 2d2b4a1..d07af72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,5 @@ inventory
 test.yml
 __pycache__
 infisical-vault-1.0.0.tar.gz
+
+.vscode
\ No newline at end of file
diff --git a/plugins/lookup/read_secrets.py b/plugins/lookup/read_secrets.py
index e843530..00dc8f1 100644
--- a/plugins/lookup/read_secrets.py
+++ b/plugins/lookup/read_secrets.py
@@ -23,6 +23,7 @@ options:
 description: The Machine Identity Client ID used to authenticate
 env:
 - name: UNIVERSAL_AUTH_MACHINE_IDENTITY_CLIENT_ID
+ - name: INFISICAL_UNIVERSAL_AUTH_CLIENT_ID
 required: True
 type: string
 version_added: 1.0.0
@@ -30,6 +31,7 @@ options:
 description: The Machine Identity Client Secret used to authenticate
 env:
 - name: UNIVERSAL_AUTH_MACHINE_IDENTITY_CLIENT_SECRET
+ - name: INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET
 required: True
 type: string
 version_added: 1.0.0
@@ -75,6 +77,7 @@ vars:
 class LookupModule(LookupBase):
 def run(self, terms, variables=None, **kwargs):
+ self.set_options(var_options=variables, direct=kwargs)
 if not HAS_INFISICAL:
 raise AnsibleError("Please pip install infisicalsdk to use the infisical_vault lookup module.")
@@ -128,7 +131,6 @@ class LookupModule(LookupBase):
 return [{"value": secret.secretValue, "key": secret.secretKey}]
 except Exception as e:
- print(e)
 raise AnsibleError(f"Error fetching single secret {e}")
 def get_all_secrets(self, client, project_id, environment="dev", path="/"):
From ea318c8bed51ecb2a250fa8984af40ffdeffbaaa Mon Sep 17 00:00:00 2001
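Review bot: The new `self.set_options(var_options=variables, direct=kwargs)` at the top of `run` only affects options that are read back with `self.get_option(...)`; the `env:` names added in the two DOCUMENTATION hunks above (`INFISICAL_UNIVERSAL_AUTH_CLIENT_ID`, `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET`) are resolved through that path, not through `kwargs`. The option reads visible later in this series (`secretName = kwargs.get('secret_name')` and its neighbours) still go through `kwargs`, so if the client id and secret are fetched the same way — those lines are outside the hunk — the environment fallback, the declared `required: True` and the declared types are never applied. Reading them as `client_id = self.get_option('universal_auth_client_id')` and `client_secret = self.get_option('universal_auth_client_secret')` makes the new env names and the required check take effect. `run` continues past the end of the hunk.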
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 18:53:20 +0200
Subject: [PATCH 2/9] Update read_secrets.py
---
 plugins/lookup/read_secrets.py | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/plugins/lookup/read_secrets.py b/plugins/lookup/read_secrets.py
index 00dc8f1..d0f6280 100644
--- a/plugins/lookup/read_secrets.py
+++ b/plugins/lookup/read_secrets.py
@@ -59,10 +59,15 @@ options:
 type: string
 version_added: 1.0.0
 secret_name:
- description: The name of the secret that should be fetched. The name should be exactly as it appears in Infisical
+ description: The name of the secret that should be fetched. The name should be exactly as it appears in Infisical. The returned value is a dictionary
 required: False
 type: string
 version_added: 1.0.0
+ as_dict:
+ description: "Return the listed secrets as a dictionary within a list instead of a list of key-value pairs (defaults to False). When True, returns [{'SECRET_KEY': 'secret_value', ...}] instead of [{'key': 'SECRET_KEY', 'value': 'secret_value'}, ...]. This only applies when reading all secrets within a scope, not when reading a single secret by name."
+ required: False
+ type: bool
+ version_added: 1.0.0
 """
 EXAMPLES = r"""
@@ -70,6 +75,9 @@ vars:
 read_all_secrets_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
+ read_all_secrets_as_dict: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
+ # [{"HOST": "google.com", "SMTP": "gmail.smtp.edu"}]
+
 read_secret_by_name_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }]
 """
@@ -98,6 +106,7 @@ class LookupModule(LookupBase):
 )
 secretName = kwargs.get('secret_name')
+ asDict = kwargs.get('as_dict')
 envSlug = kwargs.get('env_slug')
 path = kwargs.get('path')
 project_id = kwargs.get('project_id')
@@ -108,10 +117,10 @@ class LookupModule(LookupBase):
 project_id,
 secretName,
 envSlug,
- path
+ path,
 )
 else:
- return self.get_all_secrets(client, project_id, envSlug, path)
+ return self.get_all_secrets(client, project_id, envSlug, path, asDict)
 def get_single_secret(
 self,
@@ -133,7 +142,7 @@ class LookupModule(LookupBase):
 except Exception as e:
 raise AnsibleError(f"Error fetching single secret {e}")
- def get_all_secrets(self, client, project_id, environment="dev", path="/"):
+ def get_all_secrets(self, client, project_id, environment="dev", path="/", asDict=False):
 try:
 secrets = client.secrets.list_secrets(
 project_id=project_id,
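Review bot: `asDict = kwargs.get('as_dict')` in the `@@ -98` hunk bypasses the `type: bool` declared for the option, so a templated string such as `'false'` is truthy and silently switches the output to the dict form, while an absent option yields `None` instead of the documented `False`. Since `set_options` is already called at the top of `run` (outside this hunk), `asDict = self.get_option('as_dict')` returns the coerced bool, or `None` when unset (still falsy); adding `default: False` to the option's DOCUMENTATION entry would make the documented default explicit. The `asDict=False` default added to `get_all_secrets` in the `@@ -133` hunk only guards direct callers and does not fix the value passed from `run`. `run` begins and ends outside the hunk.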
@@ -141,7 +150,10 @@ class LookupModule(LookupBase):
 secret_path=path
 )
- return [{"value": s.secretValue, "key": s.secretKey} for s in secrets.secrets]
+ if asDict:
+ return [{s.secretKey: s.secretValue for s in secrets.secrets}]
+ else:
+ return [{"value": s.secretValue, "key": s.secretKey} for s in secrets.secrets]
 except Exception as e:
 raise AnsibleError(f"Error fetching all secrets {e}")
From ec6683dab76bf6fc33e877042c3b8c82ac6e02d1 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:16:48 +0200
Subject: [PATCH 3/9] Update README.md
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index aec7583..4f64858 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ You can install the Infisical collection with the Ansible Galaxy CLI:
 The python module dependencies are not installed by `ansible-galaxy`. They can be manually installed using pip:
- pip install infisical-python
+ pip install infisicalsdk
 ## Using this collection
@@ -35,6 +35,6 @@ vars:
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
- # [{ "key": "HOST", "value": "google.com" }]
+ # { "key": "HOST", "value": "google.com" }
 ```
From 7d1f69d9f1be740c5183fa22f9b13753b3300a48 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:17:26 +0200
Subject: [PATCH 4/9] Update README.md
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 4f64858..b2552fc 100644
--- a/README.md
+++ b/README.md
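Review bot: In `get_all_secrets` the dict comprehension `{s.secretKey: s.secretValue for s in secrets.secrets}` keeps only the last value when two entries share a `secretKey`, so if `list_secrets` can ever return the same key twice (I cannot tell from here) one secret silently replaces another instead of surfacing an error; a short duplicate-key check before building the dict, or at least a comment stating that the last entry wins, would make the behaviour explicit. The `else:` after the `return` is redundant — the second `return` can sit directly at the `try` level. The enclosing `try` starts outside the hunk.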
@@ -34,6 +34,10 @@ vars:
 read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
+ read_all_secrets_as_dict: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
+ # [{"HOST": "google.com", "SMTP": "gmail.smtp.edu"}]
+
+
 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # { "key": "HOST", "value": "google.com" }
 ```
From 4ac1322f2f0ebd05ab84cb40ea02931010ae317a Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:17:31 +0200
Subject: [PATCH 5/9] Update README.md
---
 README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index b2552fc..4ed64e8 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,6 @@ vars:
 read_all_secrets_as_dict: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
 # [{"HOST": "google.com", "SMTP": "gmail.smtp.edu"}]
-
 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # { "key": "HOST", "value": "google.com" }
 ```
From 6870c070227f7c09dbc658f8b63097c1e61f9abf Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:20:23 +0200
Subject: [PATCH 6/9] Update read_secrets.py
---
 plugins/lookup/read_secrets.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/read_secrets.py b/plugins/lookup/read_secrets.py
index d0f6280..3585ada 100644
--- a/plugins/lookup/read_secrets.py
+++ b/plugins/lookup/read_secrets.py
@@ -59,7 +59,7 @@ options:
 type: string
 version_added: 1.0.0
 secret_name:
- description: The name of the secret that should be fetched. The name should be exactly as it appears in Infisical. The returned value is a dictionary
+ description: The name of the secret that should be fetched. The name should be exactly as it appears in Infisical.
 required: False
 type: string
 version_added: 1.0.0
From e82de92b03550d380f4b8628269efbeb3902958e Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:21:50 +0200
Subject: [PATCH 7/9] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4ed64e8..192f1e3 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ vars:
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
 read_all_secrets_as_dict: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
- # [{"HOST": "google.com", "SMTP": "gmail.smtp.edu"}]
+ # {"HOST": "google.com", "SMTP": "gmail.smtp.edu"}
 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # { "key": "HOST", "value": "google.com" }
From 707f8653292a48d068fc382b2fdbc444a7703de8 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:22:43 +0200
Subject: [PATCH 8/9] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 192f1e3..5a5361f 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ vars:
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
 read_all_secrets_as_dict: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
- # {"HOST": "google.com", "SMTP": "gmail.smtp.edu"}
+ # {"SECRET_KEY_1": "secret-value-1", "SECRET_KEY_2": "secret-value-2"} -> Can be accessed as secrets.SECRET_KEY_1
 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # { "key": "HOST", "value": "google.com" }
From 6a88c15df00547b642624afed9271a27117b2599 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard
Date: Mon, 25 Aug 2025 19:23:06 +0200
Subject: [PATCH 9/9] Update read_secrets.py
---
 plugins/lookup/read_secrets.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/lookup/read_secrets.py b/plugins/lookup/read_secrets.py
index 3585ada..080c26b 100644
--- a/plugins/lookup/read_secrets.py
+++ b/plugins/lookup/read_secrets.py
@@ -76,7 +76,7 @@ vars:
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
 read_all_secrets_as_dict: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', as_dict=True, url='https://spotify.infisical.com') }}"
- # [{"HOST": "google.com", "SMTP": "gmail.smtp.edu"}]
+ # {"HOST": "google.com", "SMTP": "gmail.smtp.edu"}
 read_secret_by_name_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }]