diff --git a/README.md b/README.md
index aec7583..658d89e 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Tested with the Ansible Core >= 2.12.0 versions, and the current development ver
 ## Python version compatibility
-This collection depends on the Infisical SDK for Python.
+This collection depends on the [Infisical SDK for Python](https://github.com/Infisical/python-sdk-official).
 Requires Python 3.7 or greater.
@@ -22,7 +22,7 @@ You can install the Infisical collection with the Ansible Galaxy CLI:
 The python module dependencies are not installed by `ansible-galaxy`. They can be manually installed using pip:
- pip install infisical-python
+ pip install infisicalsdk
 ## Using this collection
@@ -34,6 +34,9 @@ vars:
 read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
+ read_all_secrets_within_scope_filtred_by_tags: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com', tags=['smtp']) }}"
+ # [{ "key": "SMTP", "value": "gmail.smtp.edu" }]
+
 read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }]
 ```
diff --git a/galaxy.yml b/galaxy.yml
index f912dc9..1a20e73 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -8,7 +8,7 @@ namespace: infisical
 name: vault
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.0.0
+version: 1.1.0
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
diff --git a/plugins/lookup/read_secrets.py b/plugins/lookup/read_secrets.py
index e843530..f45973b 100644
--- a/plugins/lookup/read_secrets.py
+++ b/plugins/lookup/read_secrets.py
@@ -61,6 +61,11 @@ options:
 required: False
 type: string
 version_added: 1.0.0
+ tags:
+ description: The list of tags that filtering secrets
+ required: False
+ type: list[string]
+ version_added: 1.1.0
 """
 EXAMPLES = r"""
@@ -68,6 +73,9 @@ vars:
 read_all_secrets_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
+ read_all_secrets_within_scope_filtred_by_tags: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com', tags=['smtp']) }}"
+ # [{ "key": "SMTP", "value": "gmail.smtp.edu" }]
+
 read_secret_by_name_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
 # [{ "key": "HOST", "value": "google.com" }]
 """
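Review bot: `type: list[string]` in the new `tags` option block is not a value Ansible's option schema recognises; list options are declared as `type: list` with the element type in its own key, so tooling that validates plugin documentation is likely to flag this. Change the two lines to `type: list` and `elements: str`. The description is also ungrammatical and does not say when the filter applies, and the run() hunk below only forwards `tags` on the list path; `description: Tags used to filter the returned secrets; has no effect when secret_name is given.` would state the contract as implemented.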
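Review bot: The new example key `read_all_secrets_within_scope_filtred_by_tags` misspells "filtered", and the same key was copied verbatim into the README hunk of this commit, so both should become `read_all_secrets_within_scope_filtered_by_tags`. In the README copy the added line also calls `lookup('infisical_vault', ...)` while the surrounding README examples use `lookup('infisical.vault.read_secrets', ...)`, so it is the only README example that does not use the collection's namespaced name; aligning it with its neighbours avoids giving users two different names for the same plugin.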
@@ -77,27 +85,32 @@ class LookupModule(LookupBase):
 def run(self, terms, variables=None, **kwargs):
 self.set_options(var_options=variables, direct=kwargs)
 if not HAS_INFISICAL:
- raise AnsibleError("Please pip install infisicalsdk to use the infisical_vault lookup module.")
+ raise AnsibleError(
+ "Please pip install infisicalsdk to use the infisical_vault lookup module.")
- machine_identity_client_id = self.get_option("universal_auth_client_id")
- machine_identity_client_secret = self.get_option("universal_auth_client_secret")
+ machine_identity_client_id = self.get_option(
+ "universal_auth_client_id")
+ machine_identity_client_secret = self.get_option(
+ "universal_auth_client_secret")
 url = self.get_option("url")
 # Check if the required environment variables are set
 if not machine_identity_client_id or not machine_identity_client_secret:
- raise AnsibleError("Please provide the universal_auth_client_id and universal_auth_client_secret")
+ raise AnsibleError(
+ "Please provide the universal_auth_client_id and universal_auth_client_secret")
+ # Initialize the Infisical client
 client = InfisicalSDKClient(host=url)
-
 client.auth.universal_auth.login(
- machine_identity_client_id,
- machine_identity_client_secret
+ client_id=machine_identity_client_id,
+ client_secret=machine_identity_client_secret
 )
 secretName = kwargs.get('secret_name')
 envSlug = kwargs.get('env_slug')
 path = kwargs.get('path')
 project_id = kwargs.get('project_id')
+ tags = kwargs.get('tags')
 if secretName:
 return self.get_single_secret(
@@ -108,7 +121,7 @@ class LookupModule(LookupBase):
 path
 )
 else:
- return self.get_all_secrets(client, project_id, envSlug, path)
+ return self.get_all_secrets(client, project_id, envSlug, path, tags)
 def get_single_secret(
 self,
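Review bot: The new `tags = kwargs.get('tags')` line is only forwarded on the `get_all_secrets` branch; when `secret_name` is also supplied the filter is silently ignored, so a playbook passing both gets an unfiltered by-name result with nothing telling the author the option did nothing. Either reject the combination before the branch, `if secretName and tags: raise AnsibleError("tags cannot be combined with secret_name")`, or make the DOCUMENTATION entry say that tags only apply when listing. Like the neighbouring `secret_name`/`env_slug` reads, `tags` is taken from raw `kwargs` rather than `self.get_option("tags")`, so the `type` declared for the option is never applied and a scalar string would reach the SDK as-is; whether the SDK tolerates that depends on how it treats `tag_filters`, which is not visible here. The `run()` body continues past this hunk into the `@@ -108` hunk.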
@@ -128,18 +141,18 @@ class LookupModule(LookupBase):
 return [{"value": secret.secretValue, "key": secret.secretKey}]
 except Exception as e:
- print(e)
 raise AnsibleError(f"Error fetching single secret {e}")
- def get_all_secrets(self, client, project_id, environment="dev", path="/"):
+ def get_all_secrets(self, client, project_id, environment="dev", path="/", tags=[]):
 try:
 secrets = client.secrets.list_secrets(
 project_id=project_id,
 environment_slug=environment,
- secret_path=path
+ secret_path=path,
+ tag_filters=tags
 )
- return [{"value": s.secretValue, "key": s.secretKey} for s in secrets.secrets]
+ return [[{"value": s.secretValue, "key": s.secretKey} for s in secrets.secrets]]
 except Exception as e:
 raise AnsibleError(f"Error fetching all secrets {e}")
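Review bot: The new `get_all_secrets` signature uses a mutable default, `tags=[]`; the list is not mutated here, but it is the standard pitfall (ruff B006), and `run()` passes `None` when the option is absent, so the default never covers that case anyway. Use `tags=None` in the signature and `tag_filters=tags or []` in the `list_secrets` call, which keeps the `[]` the commit chose for the no-filter case while also handling `None`. The return value also changes shape from a flat list of dicts to `[[...]]`; presumably this is so `lookup()` yields the whole list as one value instead of unwrapping a single dict, but it changes what `query()`/`wantlist=True` callers receive in a minor release and now differs from `get_single_secret`, which still returns a flat list, so the line deserves a comment such as `# outer list: return all secrets as one lookup value` and a changelog entry. `get_single_secret` begins before this hunk.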