diff --git a/.github/workflows/distribute.yaml b/.github/workflows/distribute.yaml new file mode 100644 index 0000000..6639efd --- /dev/null +++ b/.github/workflows/distribute.yaml @@ -0,0 +1,21 @@ +--- +name: Deploy Collection + +# Trigger the workflow however you prefer +on: + release: + types: + - published + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Get the version name from the tags + run: echo "RELEASE_VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_ENV + - name: Build and Deploy Collection + uses: artis3n/ansible_galaxy_collection@v2 + with: + api_key: "${{ secrets.GALAXY_API_KEY }}" + galaxy_version: "${{ env.RELEASE_VERSION }}" diff --git a/README.md b/README.md index 9e55d2c..0a0520d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,38 @@ -# Ansible Collection - maidul98.infisical +# Infisical Collection +This Ansible Infisical collection includes a variety of Ansible content to help automate the management of Infisical services. This collection is maintained by the Infisical team. + +## Ansible version compatibility + +Tested with the Ansible Core >= 2.12.0 versions, and the current development version of Ansible. Ansible Core versions prior to 2.12.0 have not been tested. + +## Python version compatibility + +This collection depends on the Infisical SDK for Python. + +Requires Python 3.7 or greater. + +## Installing this collection + +You can install the Infisical collection with the Ansible Galaxy CLI: + + ansible-galaxy collection install maidul98.infisical_vault + +The python module dependencies are not installed by `ansible-galaxy`. They can +be manually installed using pip: + + pip install infisical + +## Using this collection + +You can either call modules by their Fully Qualified Collection Name (FQCN), such as `infisical.vault.read_secrets`, or you can call modules by their short name if you list the `infisical.vault` collection in the playbook's `collections` keyword: + +```yaml +--- +vars: + read_all_secrets_within_scope: "{{ lookup('infisical.vault.read_secrets', token='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}" + # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }] + + read_secret_by_name_within_scope: "{{ lookup('infisical.vault.read_secrets', token='<>', path='/', env_slug='dev', name='HOST', url='https://spotify.infisical.com') }}" + # [{ "key": "HOST", "value": "google.com" }] +``` -Documentation for the collection. diff --git a/galaxy.yml b/galaxy.yml index aabc616..d90bd29 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -5,7 +5,7 @@ namespace: maidul98 # The name of the collection. Has the same character restrictions as 'namespace' -name: infisical +name: vault # The version of the collection. Must be compatible with semantic versioning version: 1.0.0 diff --git a/plugins/README.md b/plugins/README.md deleted file mode 100644 index 52ad9e7..0000000 --- a/plugins/README.md +++ /dev/null @@ -1,10 +0,0 @@ -# Collections Plugins Directory - -This directory can be used to ship various plugins inside an Ansible collection. Each plugin is placed in a folder that -is named after the type of plugin it is in. It can also include the `module_utils` and `modules` directory that -would contain module utils and modules respectively. - -``` -└── plugins - ├── lookup -``` diff --git a/plugins/lookup/fetch_data.py b/plugins/lookup/fetch_data.py deleted file mode 100644 index 3adbb66..0000000 --- a/plugins/lookup/fetch_data.py +++ /dev/null @@ -1,17 +0,0 @@ -from ansible.errors import AnsibleError -from ansible.plugins.lookup import LookupBase -import requests - -class LookupModule(LookupBase): - - def run(self, terms, variables=None, **kwargs): - # URL from the terms or you can define it within the plugin - url = terms[0] - - try: - response = requests.get(url) - response.raise_for_status() # Raise HTTPError for bad responses (4xx and 5xx) - return [response.json()] - except requests.RequestException as e: - raise AnsibleError("Error fetching data from {}: {}".format(url, e)) - diff --git a/plugins/lookup/read_secrets.py b/plugins/lookup/read_secrets.py new file mode 100644 index 0000000..3e30077 --- /dev/null +++ b/plugins/lookup/read_secrets.py @@ -0,0 +1,103 @@ +from ansible.errors import AnsibleError +from ansible.plugins.lookup import LookupBase + +HAS_INFISICAL = False +try: + from infisical import InfisicalClient + HAS_INFISICAL = True +except ImportError: + HAS_INFISICAL = False + +DOCUMENTATION = r""" +name: read_secrets +author: + - Infisical Inc. + +short_description: Look up secrets stored in Infisical +description: + - Retrieve secrets from Infisical, granted the caller has the right permissions to access the secret. + - Secrets can be located either by their name for individual secret loopups or by environment/folder path to return all secrets within the given scope. + +options: + token: + description: The Infisical token used to authenticate + env: + - name: INFISICAL_TOKEN + required: True + type: string + version_added: 1.0.0 + url: + description: Point to your self hosted instance of Infisical + default: "https://app.infisical.com" + env: + - name: INFISICAL_URL + required: False + type: string + version_added: 1.0.0 + path: + description: "The folder path where the requested secret resides. For example: /services/backend" + required: True + type: string + version_added: 1.0.0 + env_slug: + description: "Used to select from which environment (environment slug) secrets should be fetched from. Environment slug is the short name of a given environment" + required: True + type: string + version_added: 1.0.0 + secret_name: + description: The name of the secret that should be fetched. The name should be exactly as it appears in Infisical + required: False + type: string + version_added: 1.0.0 +""" + +EXAMPLES = r""" +vars: + read_all_secrets_within_scope: "{{ lookup('infisical_vault', token='<>', path='/', env_slug='dev', url='https://spotify.infisical.com') }}" + # [{ "key": "HOST", "value": "google.com" }, { "key": "SMTP", "value": "gmail.smtp.edu" }] + + read_secret_by_name_within_scope: "{{ lookup('infisical_vault', token='<>', path='/', env_slug='dev', name='HOST', url='https://spotify.infisical.com') }}" + # [{ "key": "HOST", "value": "google.com" }] +""" + +class LookupModule(LookupBase): + def run(self, terms, variables=None, **kwargs): + self.set_options(var_options=variables, direct=kwargs) + + if not HAS_INFISICAL: + raise AnsibleError("Please pip install infisical to use the infisical_vault lookup module.") + + infisical_token = self.get_option("token") + url = self.get_option("url") + + if not infisical_token: + raise AnsibleError("Infisical token is required") + + # Initialize the Infisical client + client = InfisicalClient(token=infisical_token, site_url=url) + + secretName = kwargs.get('secret_name') + envSlug = kwargs.get('env_slug') + path = kwargs.get('path') + + if secretName: + return self.get_single_secret(client, secretName, envSlug, path) + else: + return self.get_all_secrets(client, envSlug, path) + + def get_single_secret(self, client, secret_name, environment, path): + try: + print(secret_name, environment, path) + secret = client.get_secret(secret_name=secret_name, environment=environment, path=path) + return [{"value": s.secret_value, "key": s.secret_name}] + except Exception as e: + print(e) + raise AnsibleError(f"Error fetching all secrets {e}") + + def get_all_secrets(self, client, environment="dev", path="/"): + try: + secrets = client.get_all_secrets(environment=environment, path=path) + return [{"value": s.secret_value, "key": s.secret_name} for s in secrets] + except Exception as e: + raise AnsibleError(f"Error fetching all secrets {e}") +