ansible-collections/infisical.vault
1
0
Fork 0
mirror of https://github.com/Infisical/ansible-collection.git synced 2025-08-11 08:34:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge ca12198b8b into 7f992d3e59

Browse source
This commit is contained in:
Alex Fomenko 2025-07-31 22:40:33 +00:00 committed by GitHub
commit 9bb3da07b4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 31 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

7
README.md
View file

@ -9,7 +9,7 @@ Tested with the Ansible Core >= 2.12.0 versions, and the current development ver
## Python version compatibility ## Python version compatibility
This collection depends on the Infisical SDK for Python. This collection depends on the [Infisical SDK for Python](https://github.com/Infisical/python-sdk-official).
Requires Python 3.7 or greater. Requires Python 3.7 or greater.
@ -22,7 +22,7 @@ You can install the Infisical collection with the Ansible Galaxy CLI:
The python module dependencies are not installed by `ansible-galaxy`. They can The python module dependencies are not installed by `ansible-galaxy`. They can
be manually installed using pip: be manually installed using pip:
pip install infisical-python pip install infisicalsdk
## Using this collection ## Using this collection
@ -34,6 +34,9 @@ vars:
read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}" read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
# [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }] # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
read_all_secrets_within_scope_filtred_by_tags: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com', tags=['smtp']) }}"
# [{ "key": "SMTP", "value": "gmail.smtp.edu" }]
read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}" read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
# [{ "key": "HOST", "value": "google.com" }] # [{ "key": "HOST", "value": "google.com" }]
``` ```

2
galaxy.yml
View file

@ -8,7 +8,7 @@ namespace: infisical
name: vault name: vault
# The version of the collection. Must be compatible with semantic versioning # The version of the collection. Must be compatible with semantic versioning
version: 1.0.0 version: 1.1.0
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
readme: README.md readme: README.md

37
plugins/lookup/read_secrets.py
View file

@ -61,6 +61,11 @@ options:
required: False required: False
type: string type: string
version_added: 1.0.0 version_added: 1.0.0
tags:
description: The list of tags that filtering secrets
required: False
type: list[string]
version_added: 1.1.0
""" """
EXAMPLES = r""" EXAMPLES = r"""
@ -68,6 +73,9 @@ vars:
read_all_secrets_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}" read_all_secrets_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}"
# [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }] # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }]
read_all_secrets_within_scope_filtred_by_tags: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', url='https://spotify.infisical.com', tags=['smtp']) }}"
# [{ "key": "SMTP", "value": "gmail.smtp.edu" }]
read_secret_by_name_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}" read_secret_by_name_within_scope: "{{ lookup('infisical_vault', universal_auth_client_id='<>', universal_auth_client_secret='<>', project_id='<>', path='/', env_slug='dev', secret_name='HOST', url='https://spotify.infisical.com') }}"
# [{ "key": "HOST", "value": "google.com" }] # [{ "key": "HOST", "value": "google.com" }]
""" """
@ -77,27 +85,32 @@ class LookupModule(LookupBase):
def run(self, terms, variables=None, **kwargs): def run(self, terms, variables=None, **kwargs):
self.set_options(var_options=variables, direct=kwargs) self.set_options(var_options=variables, direct=kwargs)
if not HAS_INFISICAL: if not HAS_INFISICAL:
raise AnsibleError("Please pip install infisicalsdk to use the infisical_vault lookup module.") raise AnsibleError(
"Please pip install infisicalsdk to use the infisical_vault lookup module.")
machine_identity_client_id = self.get_option("universal_auth_client_id") machine_identity_client_id = self.get_option(
machine_identity_client_secret = self.get_option("universal_auth_client_secret") "universal_auth_client_id")
machine_identity_client_secret = self.get_option(
"universal_auth_client_secret")
url = self.get_option("url") url = self.get_option("url")
# Check if the required environment variables are set # Check if the required environment variables are set
if not machine_identity_client_id or not machine_identity_client_secret: if not machine_identity_client_id or not machine_identity_client_secret:
raise AnsibleError("Please provide the universal_auth_client_id and universal_auth_client_secret") raise AnsibleError(
"Please provide the universal_auth_client_id and universal_auth_client_secret")
# Initialize the Infisical client
client = InfisicalSDKClient(host=url) client = InfisicalSDKClient(host=url)
client.auth.universal_auth.login( client.auth.universal_auth.login(
machine_identity_client_id, client_id=machine_identity_client_id,
machine_identity_client_secret client_secret=machine_identity_client_secret
) )
secretName = kwargs.get('secret_name') secretName = kwargs.get('secret_name')
envSlug = kwargs.get('env_slug') envSlug = kwargs.get('env_slug')
path = kwargs.get('path') path = kwargs.get('path')
project_id = kwargs.get('project_id') project_id = kwargs.get('project_id')
tags = kwargs.get('tags')
if secretName: if secretName:
return self.get_single_secret( return self.get_single_secret(
@ -108,7 +121,7 @@ class LookupModule(LookupBase):
path path
) )
else: else:
return self.get_all_secrets(client, project_id, envSlug, path) return self.get_all_secrets(client, project_id, envSlug, path, tags)
def get_single_secret( def get_single_secret(
self, self,
@ -128,18 +141,18 @@ class LookupModule(LookupBase):
return [{"value": secret.secretValue, "key": secret.secretKey}] return [{"value": secret.secretValue, "key": secret.secretKey}]
except Exception as e: except Exception as e:
print(e)
raise AnsibleError(f"Error fetching single secret {e}") raise AnsibleError(f"Error fetching single secret {e}")
def get_all_secrets(self, client, project_id, environment="dev", path="/"): def get_all_secrets(self, client, project_id, environment="dev", path="/", tags=[]):
try: try:
secrets = client.secrets.list_secrets( secrets = client.secrets.list_secrets(
project_id=project_id, project_id=project_id,
environment_slug=environment, environment_slug=environment,
secret_path=path secret_path=path,
tag_filters=tags
) )
return [{"value": s.secretValue, "key": s.secretKey} for s in secrets.secrets] return [[{"value": s.secretValue, "key": s.secretKey} for s in secrets.secrets]]
except Exception as e: except Exception as e:
raise AnsibleError(f"Error fetching all secrets {e}") raise AnsibleError(f"Error fetching all secrets {e}")