From b7ee6b3afd5b0fe01010df7b48d03e0cbc5faaf3 Mon Sep 17 00:00:00 2001 From: Jarno Antikainen Date: Thu, 31 Mar 2022 14:41:46 +0300 Subject: [PATCH 01/65] Fix state comparison of lists Fixes #401 --- ansible/module_utils/hashivault.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index 4267c15f..54ce0c7a 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -274,7 +274,10 @@ def _compare_state(desired_state, current_state, ignore=None): if (type(desired_state) is list): if ((type(current_state) != list) or (len(desired_state) != len(current_state))): return False - return set(desired_state) == set(current_state) + for i in range(len(desired_state)): + if (not _compare_state(desired_state[i], current_state[i])): + return False + return True if (type(desired_state) is dict): if (type(current_state) != dict): From 08ad34c2d776f3e66f704a690d452d4cca93f6c4 Mon Sep 17 00:00:00 2001 From: Jarno Antikainen Date: Fri, 1 Apr 2022 15:52:11 +0300 Subject: [PATCH 02/65] Add some tests for #401 --- functional/test_write.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/functional/test_write.yml b/functional/test_write.yml index ae06df27..04db8a92 100644 --- a/functional/test_write.yml +++ b/functional/test_write.yml @@ -10,7 +10,7 @@ name_ttls: '{{namespace}}_ttls' dict_value: foo: 'bar' - baz: 'stuff' + baz: 'grunt' array_value: - 'one' - 'two' @@ -80,9 +80,30 @@ - name: Write secret dictionary hashivault_write: + update: True + secret: '{{name_dict}}' + data: "{{ dict_value }}" + - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "{{vault_write.rc}} == 0" } + + - name: Update again secret dictionary and verify no change + hashivault_write: + update: True secret: '{{name_dict}}' data: "{{ dict_value }}" + register: vault_write + - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "{{vault_write.rc}} == 0" } + + - name: Update new value in dictionary and detect change + hashivault_write: + secret: '{{name_dict}}' + data: + foo: 'bar' + baz: 'stuff' + register: vault_write - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_dict}} written'" } - assert: { that: "{{vault_write.rc}} == 0" } - name: Write array type secret From a89dffd13e25b4c6e8ccc5a195fa530240a0d367 Mon Sep 17 00:00:00 2001 From: Jarno Antikainen Date: Sat, 2 Apr 2022 16:39:46 +0300 Subject: [PATCH 03/65] Add some tests for #401, take 2 This time testing the actual change. Also added a missing update:true to earlier tests. --- functional/test_write.yml | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/functional/test_write.yml b/functional/test_write.yml index 04db8a92..1fd33831 100644 --- a/functional/test_write.yml +++ b/functional/test_write.yml @@ -7,6 +7,7 @@ name_folder: '{{namespace}}stalks/bean' name_dict: '{{namespace}}_dict' name_array: '{{namespace}}_array' + name_array_of_dicts: '{{namespace}}_array_of_dicts' name_ttls: '{{namespace}}_ttls' dict_value: foo: 'bar' @@ -15,6 +16,11 @@ - 'one' - 'two' - 'three' + array_of_dicts_value: + - name: item-one + - name: item-two + - name: item-three + tasks: - hashivault_delete: secret: '{{name_root}}' @@ -97,6 +103,7 @@ - name: Update new value in dictionary and detect change hashivault_write: + update: True secret: '{{name_dict}}' data: foo: 'bar' @@ -112,6 +119,40 @@ data: value: "{{array_value}}" + - name: Write array of dicts secret + hashivault_write: + update: True + secret: '{{name_array_of_dicts}}' + data: + value: "{{ array_of_dicts_value }}" + register: vault_write + - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "{{vault_write.rc}} == 0" } + + - name: Update again array of dicts secret and verify no change + hashivault_write: + update: True + secret: '{{name_array_of_dicts}}' + data: + value: "{{ array_of_dicts_value }}" + register: vault_write + - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "{{vault_write.rc}} == 0" } + + - name: Update new value in array of dicts and detect change + hashivault_write: + update: True + secret: '{{name_array_of_dicts}}' + data: + value: + - name: item-one + - name: item-two + - name: item-new + register: vault_write + - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_array_of_dicts}} written'" } + - assert: { that: "{{vault_write.rc}} == 0" } + - name: Initial ttl values hashivault_write: update: True From de1ac6bfa94772c0efe3a6b9fd922db453b50e9f Mon Sep 17 00:00:00 2001 From: ayav09 <68033772+ayav09@users.noreply.github.com> Date: Mon, 18 Apr 2022 20:44:28 -0400 Subject: [PATCH 04/65] Fix auth_method idempotency --- ansible/modules/hashivault/hashivault_auth_method.py | 8 ++------ functional/test_auth_method.yml | 12 ++++++++++++ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py index f2bc5475..408c5837 100644 --- a/ansible/modules/hashivault/hashivault_auth_method.py +++ b/ansible/modules/hashivault/hashivault_auth_method.py @@ -101,12 +101,8 @@ def hashivault_auth_method(module): elif state == 'disabled' and exists: changed = True elif exists and state == 'enabled': - current_state = client.sys.read_auth_method_tuning(path=mount_point)['data'] - if 'description' in current_state: - if description != current_state['description']: - changed = True - if not changed: - changed = is_state_changed(config, current_state) + current_state = auth_methods[mount_point + u"/"] + changed = description != current_state['description'] or is_state_changed(config, current_state['config']) if module.check_mode: return {'changed': changed, 'created': create, 'state': state} diff --git a/functional/test_auth_method.yml b/functional/test_auth_method.yml index bfd82807..04c33542 100644 --- a/functional/test_auth_method.yml +++ b/functional/test_auth_method.yml @@ -34,6 +34,9 @@ hashivault_auth_method: method_type: oidc state: enabled + config: + default_lease_ttl: 0 + max_lease_ttl: 0 register: oidc_idempotent - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - assert: { that: "{{ oidc_idempotent.changed }} == True" } @@ -42,6 +45,9 @@ hashivault_auth_method: method_type: oidc state: enabled + config: + default_lease_ttl: 0 + max_lease_ttl: 0 register: oidc_idempotent - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - assert: { that: "{{ oidc_idempotent.changed }} == False" } @@ -50,6 +56,9 @@ hashivault_auth_method: method_type: oidc state: enabled + config: + default_lease_ttl: 0 + max_lease_ttl: 0 description: 'my oidc' register: oidc_idempotent - assert: { that: "{{ oidc_idempotent.rc }} == 0" } @@ -59,6 +68,9 @@ hashivault_auth_method: method_type: oidc state: enabled + config: + default_lease_ttl: 0 + max_lease_ttl: 0 description: 'my oidc' register: oidc_idempotent - assert: { that: "{{ oidc_idempotent.rc }} == 0" } From 7f1c164dd2b55386e96b9eca1078310de9c6c3dc Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sat, 30 Apr 2022 11:01:15 -0600 Subject: [PATCH 05/65] Fix docs build --- makedocs.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/makedocs.sh b/makedocs.sh index 3ada103f..d0e7f6a6 100755 --- a/makedocs.sh +++ b/makedocs.sh @@ -4,16 +4,20 @@ export PLUGINS='' rm -rf ansible-repo mkdir -p ansible-repo cd ansible-repo -git clone --branch 'v2.9.26' https://github.com/ansible/ansible.git +VERSION='v2.9.26' +git clone --branch ${VERSION} https://github.com/ansible/ansible.git pip install -r ansible/requirements.txt -rm -rf ansible/lib/ansible/modules/ && mkdir -p ansible/lib/ansible/modules/hashivault +pip install -r ansible/docs/docsite/requirements.txt +# rm -rf ansible/lib/ansible/modules/ +mkdir -p ansible/lib/ansible/modules/hashivault cp -r ../ansible/modules/hashivault/hashivault*.py ansible/lib/ansible/modules/hashivault/ rm -f ansible/lib/ansible/plugins/doc_fragments/hashivault.py -cp {..,ansible/lib}/ansible/plugins/doc_fragments/hashivault.py +cp ../ansible/plugins/doc_fragments/hashivault.py ansible/lib/ansible/plugins/doc_fragments/hashivault.py ls ansible/lib/ansible/modules/hashivault export MODULES=$(ls -m ansible/lib/ansible/modules/hashivault/ | grep -v '^_' | tr -d '[:space:]' | sed 's/.py//g') cd ansible/docs/docsite/ -pip install -r requirements.txt rm -f $(find . -name developing_modules_general_windows.rst) -make webdocs || true +set -x +MODULES=$MODULES make config cli keywords modules +sphinx-build -M html "rst" "_build" -n -w rst_warnings touch _build/html/.nojekyll From d1161ccd1b8beb9175806d819a50c39065c0c0e8 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sat, 30 Apr 2022 11:05:24 -0600 Subject: [PATCH 06/65] fix tests --- makedocs.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/makedocs.sh b/makedocs.sh index d0e7f6a6..22e4d50d 100755 --- a/makedocs.sh +++ b/makedocs.sh @@ -6,18 +6,28 @@ mkdir -p ansible-repo cd ansible-repo VERSION='v2.9.26' git clone --branch ${VERSION} https://github.com/ansible/ansible.git -pip install -r ansible/requirements.txt -pip install -r ansible/docs/docsite/requirements.txt -# rm -rf ansible/lib/ansible/modules/ + +# Copy +rm -rf ansible/lib/ansible/modules/ mkdir -p ansible/lib/ansible/modules/hashivault cp -r ../ansible/modules/hashivault/hashivault*.py ansible/lib/ansible/modules/hashivault/ rm -f ansible/lib/ansible/plugins/doc_fragments/hashivault.py cp ../ansible/plugins/doc_fragments/hashivault.py ansible/lib/ansible/plugins/doc_fragments/hashivault.py ls ansible/lib/ansible/modules/hashivault export MODULES=$(ls -m ansible/lib/ansible/modules/hashivault/ | grep -v '^_' | tr -d '[:space:]' | sed 's/.py//g') + +# Install +pip install -r ansible/requirements.txt +pip install -r ansible/docs/docsite/requirements.txt +# hacky newer jinja broken +pip install jinja2==3.0.3 + +# Build cd ansible/docs/docsite/ rm -f $(find . -name developing_modules_general_windows.rst) set -x +# hacky test build broken MODULES=$MODULES make config cli keywords modules +# hacky -j $CPUS option not working right on mac sphinx-build -M html "rst" "_build" -n -w rst_warnings touch _build/html/.nojekyll From c84abb3059502c45e53b9ebf5d47c22b6945cd51 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sun, 1 May 2022 06:02:23 -0600 Subject: [PATCH 07/65] Get better auth method tests --- functional/test_auth.yml | 78 ++++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 40 deletions(-) diff --git a/functional/test_auth.yml b/functional/test_auth.yml index b748a4d2..678a1439 100644 --- a/functional/test_auth.yml +++ b/functional/test_auth.yml @@ -2,44 +2,42 @@ - hosts: localhost gather_facts: no tasks: - - name: List the authentications backends - hashivault_auth_list: - register: 'vault_auth_list' - - block: - - name: Enable userpass when it is already enabled - hashivault_auth_method: - method_type: "userpass" - failed_when: False - register: 'vault_auth' - - assert: { that: "{{vault_auth.changed}} == False" } - - assert: { that: "{{vault_auth.failed}} == False" } - - assert: { that: "'{{vault_auth.msg}}' == 'Exception: path is already in use'" } - - assert: { that: "{{vault_auth.rc}} == 1" } - when: "'userpass/' in vault_auth_list.backends" - - block: - - name: Enable userpass auth for the first time - hashivault_auth_method: - method_type: "userpass" - register: 'vault_auth' - - assert: { that: "{{vault_auth.changed}} == True" } - - assert: { that: "{{vault_auth.rc}} == 0" } - when: "'userpass/' not in vault_auth_list.backends" - - block: - - name: Enable userpass auth for the second time - hashivault_auth_method: - method_type: "userpass" - failed_when: False - register: 'vault_auth' - - assert: { that: "{{vault_auth.changed}} == False" } - # Results from hvac/vault vary here - # - assert: { that: "{{vault_auth.rc}} == 0" } - # - assert: { that: "'{{vault_auth.msg}}' == 'Exception: path is already in use'" } - - block: - - name: Enable userpass at a different mount point - hashivault_auth_method: - method_type: "userpass" - mount_point: "another-userpass" - register: 'vault_auth_mount_point' - - assert: { that: "{{vault_auth_mount_point.changed}} == True" } - - assert: { that: "{{vault_auth_mount_point.rc}} == 0" } + - name: Delete any lingering userpass + hashivault_auth_method: + method_type: "userpass" + state: disable + failed_when: False + - name: Enable userpass first time for this test + hashivault_auth_method: + method_type: "userpass" + description: "my userpass" + register: 'vault_auth' + - assert: { that: "{{vault_auth.changed}} == True" } + - assert: { that: "{{vault_auth.created}} == True" } + - assert: { that: "{{vault_auth.failed}} == False" } + - assert: { that: "{{vault_auth.rc}} == 0" } + - name: Enable userpass when it is already enabled + hashivault_auth_method: + method_type: "userpass" + description: "my userpass" + register: 'vault_auth' + - assert: { that: "{{vault_auth.changed}} == False" } + - assert: { that: "{{vault_auth.created}} == False" } + - assert: { that: "{{vault_auth.failed}} == False" } + - assert: { that: "{{vault_auth.rc}} == 0" } + - name: Enable userpass auth for the third time with change + hashivault_auth_method: + method_type: "userpass" + description: "our userpass" + register: 'vault_auth' + - assert: { that: "{{vault_auth.changed}} == True" } + - assert: { that: "{{vault_auth.created}} == False" } + - assert: { that: "{{vault_auth.rc}} == 0" } + - name: Enable userpass at a different mount point + hashivault_auth_method: + method_type: "userpass" + mount_point: "another-userpass" + register: 'vault_auth_mount_point' + - assert: { that: "{{vault_auth_mount_point.changed}} == True" } + - assert: { that: "{{vault_auth_mount_point.rc}} == 0" } From 26340ad7ee354b6756661ca14e6842a5202aea24 Mon Sep 17 00:00:00 2001 From: Szymon Soloch Date: Wed, 4 May 2022 15:05:13 +0200 Subject: [PATCH 08/65] add a hashivault_token_role module This module facilitates creating, updating and deleting roles in a specified token auth engine. This module supports check and diff mode to allow verifying potential changes before actually applying them. The code in this commit has been formatted with `black`. --- .../hashivault/hashivault_token_role.py | 310 ++++++++++++++++++ functional/run.sh | 4 + functional/test_token_role.yml | 66 ++++ functional/test_token_role_check_mode.yml | 45 +++ 4 files changed, 425 insertions(+) create mode 100644 ansible/modules/hashivault/hashivault_token_role.py create mode 100644 functional/test_token_role.yml create mode 100644 functional/test_token_role_check_mode.yml diff --git a/ansible/modules/hashivault/hashivault_token_role.py b/ansible/modules/hashivault/hashivault_token_role.py new file mode 100644 index 00000000..b4b3cca5 --- /dev/null +++ b/ansible/modules/hashivault/hashivault_token_role.py @@ -0,0 +1,310 @@ +#!/usr/bin/env python + +import copy + +import yaml + +from ansible.module_utils.hashivault import hashivault_auth_client +from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_init +from ansible.module_utils.hashivault import hashiwrapper + + +ANSIBLE_METADATA = { + "status": ["preview"], + "supported_by": "community", + "version": "1.1", +} +DOCUMENTATION = r""" +--- +module: hashivault_token_role +version_added: "4.7.0" +short_description: Hashicorp Vault Token Create/Update/Delete Role +description: + - This module creates or updates the token role definition. +options: + mount_point: + default: token + description: + - location where secrets engine is mounted. also known as path + name: + required: true + description: + - Specifies the name of the role to create. + role_file: + description: + - file with a json object containing play parameters. pass all params but name, state, mount_point which + stay in the ansible play + state: + description: + - Do you want for this config to be present or absent + choices: ["present", "absent"] + default: present + config: + type: dict + description: + - Collection of properties from token role + U(https://www.vaultproject.io/api-docs/auth/token#create-update-token-role) + suboptions: + allowed_policies: + type: list + description: + - If set, tokens can be created with any subset of the policies + in this list, rather than the normal semantics of tokens being + a subset of the calling token's policies. The parameter is a + comma-delimited string of policy names. If at creation time + `no_default_policy` is not set and `"default"` is not + contained in `disallowed_policies` or glob matched in + `disallowed_policies_glob`, the `"default"` policy will be + added to the created token automatically. + disallowed_policies: + type: list + description: + - If set, successful token creation via this role will require + that no policies in the given list are requested. The parameter + is a comma-delimited string of policy names. Adding `"default"` + to this list will prevent `"default"` from being added + automatically to created tokens. + allowed_policies_glob: + type: list + description: + - If set, tokens can be created with any subset of glob matched + policies in this list, rather than the normal semantics of + tokens being a subset of the calling token's policies. The + parameter is a comma-delimited string of policy name globs. + If at creation time `no_default_policy` is not set and + `"default"` is not contained in `disallowed_policies` or glob + matched in `disallowed_policies_glob`, the `"default"` policy + will be added to the created token automatically. If combined + with `allowed_policies` policies need to only match one of the + two lists to be permitted. Note that unlike `allowed_policies` + the policies listed in `allowed_policies_glob` will not be + added to the token when no policies are specified in the + call to `/auth/token/create/:role_name`. + disallowed_policies_glob: + type: list + description: + - If set, successful token creation via this role will require + that no requested policies glob match any of policies in this + list. The parameter is a comma-delimited string of policy + name globs. Adding any glob that matches `"default"` to this + list will prevent `"default"` from being added automatically + to created tokens. If combined with `disallowed_policies` + policies need to only match one of the two lists to be blocked. + orphan: + type: bool + default: false + description: + - If `true`, tokens created against this policy will be orphan + tokens (they will have no parent). As such, they will not be + automatically revoked by the revocation of any other token. + renewable: + type: bool + default: true + description: + - Set to `false` to disable the ability of the token to be + renewed past its initial TTL. Setting the value to `true` + will allow the token to be renewable up to the system/mount + maximum TTL. + path_suffix: + type: str + description: + - If set, tokens created against this role will have the given + suffix as part of their path in addition to the role name. + This can be useful in certain scenarios, such as keeping the + same role name in the future but revoking all tokens created + against it before some point in time. The suffix can be + changed, allowing new callers to have the new suffix as part + of their path, and then tokens with the old suffix can be + revoked via `/sys/leases/revoke-prefix`. + allowed_entity_aliases: + type: list + description: + - String or JSON list of allowed entity aliases. If set, + specifies the entity aliases which are allowed to be used + during token generation. This field supports globbing. + Note that `allowed_entity_aliases` is not case sensitive. + token_bound_cidrs: + type: list + description: + - List of CIDR blocks; if set, specifies blocks of IP + addresses which can authenticate successfully, and ties the + resulting token to these blocks as well. + token_explicit_max_ttl: + type: str + description: + - If set, will encode an explicit max TTL onto the token. + This is a hard cap even if token_ttl and token_max_ttl would + otherwise allow a renewal. + token_no_default_policy: + type: bool + default: false + description: + - If set, the `default` policy will not be set on generated + tokens; otherwise it will be added to the policies set in + `token_policies`. + token_num_uses: + type: int + default: 0 + description: + - The maximum number of times a generated token may be used + (within its lifetime); 0 means unlimited. If you require + the token to have the ability to create child tokens, you + will need to set this value to 0. + token_period: + type: str + default: "" + description: + - The period, if any, to set on the token. + token_type: + type: str + default: "" + description: + - |- + The type of token that should be generated. Can be `service`, + `batch`, or `default` to use the mount's tuned default (which + unless changed will be `service` tokens). For token store + roles, there are two additional possibilities: + `default-service` and `default-batch` which specify the type + to return unless the client requests a different type at + generation time. +extends_documentation_fragment: + - hashivault +""" +EXAMPLES = r""" +--- +- hosts: localhost + tasks: + - hashivault_token_role: + name: tester-bot + config: + allowed_policies: + - tester-bot + + - hashivault_token_role: + name: tester-bot + role_file: "/opt/vault/etc/roles/token-tester-bot.json" + state: "present" +""" +normalize = { + "list": list, + "str": str, + "dict": dict, + "bool": bool, + "int": int, + "duration": str, +} + + +def main(): + argspec = hashivault_argspec() + argspec["name"] = dict(required=True, type="str") + argspec["state"] = dict( + required=False, type="str", default="present", choices=["present", "absent"] + ) + argspec["mount_point"] = dict(required=False, type="str", default="token") + argspec["role_file"] = dict(required=False, type="str") + argspec["config"] = dict(required=False, type="dict") + + supports_check_mode = True + + module = hashivault_init(argspec, supports_check_mode) + result = hashivault_token_role(module) + + if result.get("failed"): + module.fail_json(**result) + else: + module.exit_json(**result) + + +@hashiwrapper +def hashivault_token_role(module): + params = module.params + client = hashivault_auth_client(params) + + name = params.get("name").strip("/") + mount_point = params.get("mount_point").strip("/") + state = params.get("state") + role_file = params.get("role_file") + config = params.get("config") + + desired_state = {} + exists = False + + if role_file: + with open(role_file, "rt") as fp: + desired_state = json.safe_load(fp.read()) + elif config: + desired_state = copy.deepcopy(config) + + changed = False + + try: + current_state = client.auth.token.read_role( + role_name=name, mount_point=mount_point + ).get("data") + except Exception: + current_state = {} + + if current_state: + exists = True + + if (exists and state == "absent") or (not exists and state == "present"): + changed = True + + # compare current_state to config (desired_state before normalization) + if exists and state == "present" and not changed: + # Update all keys not present in the desired_state with data from the + # current_state, to ensure a proper diff output. + for key in current_state: + if desired_state.get(key) is None: + desired_state[key] = current_state[key] + + changed = desired_state != current_state + + # make the changes! + if changed and state == "present": + if not module.check_mode: + # Before posting the desired state to the vault api we need to + # normalize some keys. This is a quirk of the vault api that it + # expects a different data format in the PUT/POST endpoint than + # it returns in the GET endpoint. + extra_params = {} + + doc = yaml.safe_load(DOCUMENTATION) + args = doc.get("options").get("config").get("suboptions").items() + for key, value in args: + arg = desired_state.get(key) + if arg is not None: + try: + extra_params[key] = normalize[value.get("type")](arg) + except Exception: + return { + "changed": False, + "failed": True, + "msg": "config item '{}' has wrong data format".format(key), + } + # create or update + api_path = f"/v1/auth/{mount_point}/roles/{name}" + client.auth.token._adapter.post(url=api_path, json=extra_params) + elif changed and state == "absent": + if not module.check_mode: + # delete + client.auth.token.delete_role( + role_name=name, + mount_point=mount_point, + ) + # after deleting it the item is no more + desired_state = {} + + return { + "changed": changed, + "diff": { + "before": current_state, + "after": desired_state, + }, + } + + +if __name__ == "__main__": + main() diff --git a/functional/run.sh b/functional/run.sh index fe4d72e3..864d3d9d 100755 --- a/functional/run.sh +++ b/functional/run.sh @@ -77,6 +77,10 @@ ansible-playbook -v --extra-vars='namespace=lightning/' test_write.yml test_read source ./vaultenv.sh ansible-playbook -v test_approle_old.yml +# tokenrole +ansible-playbook -v test_token_role.yml +ansible-playbook -v test_token_role_check_mode.yml + # userpass ansible-playbook -v test_userpass.yml ansible-playbook -v test_userpass_idempotent.yml diff --git a/functional/test_token_role.yml b/functional/test_token_role.yml new file mode 100644 index 00000000..f42add26 --- /dev/null +++ b/functional/test_token_role.yml @@ -0,0 +1,66 @@ +--- +- hosts: localhost + gather_facts: no + vars: + namespace: 'application' + rules: > + path "token/{{namespace}}/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "token/{{namespace}}" { + capabilities = ["list"] + } + tasks: + - name: Set token role policy + hashivault_policy: + name: "tokenrole_test_policy_original" + rules: "{{rules}}" + register: vault_policy + - assert: { that: "{{vault_policy.rc}} == 0" } + + - name: Set another token role policy + hashivault_policy: + name: "tokenrole_test_policy" + rules: "{{rules}}" + register: vault_policy + - assert: { that: "{{vault_policy.rc}} == 0" } + + - name: delete role + hashivault_token_role: + name: testrole + state: absent + failed_when: false + + - name: create role + hashivault_token_role: + name: testrole + config: + allowed_policies: + - tokenrole_test_policy_original + state: present + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == True" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: update role + hashivault_token_role: + name: testrole + config: + allowed_policies: + - tokenrole_test_policy + state: present + register: 'vault_role_update' + - assert: { that: "{{vault_role_update.changed}} == True" } + - assert: { that: "{{vault_role_update.rc}} == 0" } + + - name: update role idempotent + hashivault_token_role: + name: testrole + config: + allowed_policies: + - tokenrole_test_policy + state: present + register: 'vault_role_update' + - assert: { that: "{{vault_role_update.changed}} == False" } + - assert: { that: "{{vault_role_update.rc}} == 0" } + diff --git a/functional/test_token_role_check_mode.yml b/functional/test_token_role_check_mode.yml new file mode 100644 index 00000000..ba6c5d13 --- /dev/null +++ b/functional/test_token_role_check_mode.yml @@ -0,0 +1,45 @@ +--- +- hosts: localhost + gather_facts: no + tasks: + - name: create token role check_mode exists + hashivault_token_role: + name: testrole + config: + allowed_policies: + - tokenrole_test_policy + state: present + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == False" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: create token role check_mode does not exist + hashivault_token_role: + name: testrole_two + config: + allowed_policies: + - tokenrole_test_policy + state: present + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == True" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: delete token role check_mode exists + hashivault_token_role: + name: testrole + state: absent + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == True" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: delete token role check_mode does not exist + hashivault_token_role: + name: testrole_two + state: absent + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == False" } + - assert: { that: "{{vault_role_create.rc}} == 0" } From e216d4081bf0b938906e4f1f5dd804413e8ddb91 Mon Sep 17 00:00:00 2001 From: Szymon Soloch Date: Wed, 18 May 2022 12:05:09 +0200 Subject: [PATCH 09/65] add a hashivault_token_role_list module This module lists roles configured in a specified token auth engine. This module supports check mode (even though it does not perform any write operations) to ensure a whole playbook can run in check mode and proper data is still returned from this module for further tasks to use. The code in this commit has been formatted with `black`. --- .../hashivault/hashivault_token_role_list.py | 82 +++++++++++++++++++ functional/test_token_role.yml | 14 ++++ functional/test_token_role_check_mode.yml | 9 ++ 3 files changed, 105 insertions(+) create mode 100644 ansible/modules/hashivault/hashivault_token_role_list.py diff --git a/ansible/modules/hashivault/hashivault_token_role_list.py b/ansible/modules/hashivault/hashivault_token_role_list.py new file mode 100644 index 00000000..834493be --- /dev/null +++ b/ansible/modules/hashivault/hashivault_token_role_list.py @@ -0,0 +1,82 @@ +#!/usr/bin/env python +from ansible.module_utils.hashivault import hashivault_auth_client +from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_init +from ansible.module_utils.hashivault import hashiwrapper +from hvac.exceptions import InvalidPath + +ANSIBLE_METADATA = { + "status": ["preview"], + "supported_by": "community", + "version": "1.1", +} +DOCUMENTATION = r""" +--- +module: hashivault_token_role_list +version_added: "4.7.0" +short_description: Hashicorp Vault Token List Roles +description: + - This module returns a list of available token roles. + - Only the role names are returned, not any values. +options: + mount_point: + default: token + description: + - location where the token auth engine is mounted. also known as path +extends_documentation_fragment: + - hashivault +""" +EXAMPLES = r""" +--- +- hosts: localhost + tasks: + - hashivault_token_role_list: + mount_point: token + register: roles_list + - debug: msg="{{ roles_list.data }}" +""" +RETURN = r""" +--- +data: + description: list of roles, if auth token engine has no roles will return empty list + returned: success + type: list +""" + + +def main(): + argspec = hashivault_argspec() + argspec["mount_point"] = dict(required=False, type="str", default="token") + + module = hashivault_init(argspec, supports_check_mode=True) + result = hashivault_token_role_list(module) + + if result.get("failed"): + module.fail_json(**result) + else: + module.exit_json(**result) + + +@hashiwrapper +def hashivault_token_role_list(module): + params = module.params + client = hashivault_auth_client(params) + + mount_point = params.get("mount_point").strip("/") + + try: + return { + "data": client.auth.token.list_roles(mount_point=mount_point) + .get("data") + .get("keys") + } + except InvalidPath as exc: + if len(exc.errors) == 0: # Path is valid but no roles exist. + return {"data": []} + return {"failed": True, "data": [], "msg": str(exc)} + except Exception as exc: + return {"failed": True, "data": [], "msg": str(exc)} + + +if __name__ == "__main__": + main() diff --git a/functional/test_token_role.yml b/functional/test_token_role.yml index f42add26..f5b9a025 100644 --- a/functional/test_token_role.yml +++ b/functional/test_token_role.yml @@ -31,6 +31,13 @@ state: absent failed_when: false + - name: list token roles empty + hashivault_token_role_list: + register: 'vault_role_list' + - assert: { that: "{{vault_role_list.changed}} == False" } + - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "{{vault_role_list.data|length}} == 0"} + - name: create role hashivault_token_role: name: testrole @@ -64,3 +71,10 @@ - assert: { that: "{{vault_role_update.changed}} == False" } - assert: { that: "{{vault_role_update.rc}} == 0" } + - name: list token roles + hashivault_token_role_list: + register: 'vault_role_list' + - assert: { that: "{{vault_role_list.changed}} == False" } + - assert: { that: "{{vault_role_list.rc}} == 0" } + - fail: msg="role testrole not in list {{vault_role_list.data}}" + when: '"testrole" not in vault_role_list.data' diff --git a/functional/test_token_role_check_mode.yml b/functional/test_token_role_check_mode.yml index ba6c5d13..d64e3f2e 100644 --- a/functional/test_token_role_check_mode.yml +++ b/functional/test_token_role_check_mode.yml @@ -43,3 +43,12 @@ register: 'vault_role_create' - assert: { that: "{{vault_role_create.changed}} == False" } - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: list token roles check_mode + hashivault_token_role_list: + register: 'vault_role_list' + check_mode: true + - assert: { that: "{{vault_role_list.changed}} == False" } + - assert: { that: "{{vault_role_list.rc}} == 0" } + - fail: msg="role testrole not in list {{vault_role_list.data}}" + when: '"testrole" not in vault_role_list.data' From 4fb73d4f0e2a99ececa42238f32c3b9bdccfb347 Mon Sep 17 00:00:00 2001 From: Szymon Soloch Date: Wed, 15 Jun 2022 15:08:59 +0200 Subject: [PATCH 10/65] add a hashivault_ssh_role module This module facilitates creating, updating and deleting roles in a specified ssh secrets engine. This module supports check and diff mode to allow verifying potential changes before actually applying them. The code in this commit has been formatted with `black`. --- .../modules/hashivault/hashivault_ssh_role.py | 438 ++++++++++++++++++ functional/run.sh | 4 + functional/test_ssh_role.yml | 70 +++ functional/test_ssh_role_check_mode.yml | 45 ++ 4 files changed, 557 insertions(+) create mode 100644 ansible/modules/hashivault/hashivault_ssh_role.py create mode 100644 functional/test_ssh_role.yml create mode 100644 functional/test_ssh_role_check_mode.yml diff --git a/ansible/modules/hashivault/hashivault_ssh_role.py b/ansible/modules/hashivault/hashivault_ssh_role.py new file mode 100644 index 00000000..e3bc0c80 --- /dev/null +++ b/ansible/modules/hashivault/hashivault_ssh_role.py @@ -0,0 +1,438 @@ +#!/usr/bin/env python + +import copy + +import yaml + +from ansible.module_utils.hashivault import hashivault_auth_client +from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_init +from ansible.module_utils.hashivault import hashiwrapper + + +ANSIBLE_METADATA = { + "status": ["preview"], + "supported_by": "community", + "version": "1.1", +} +DOCUMENTATION = r""" +--- +module: hashivault_ssh_role +version_added: "4.7.0" +short_description: Hashicorp Vault SSH Create/Update/Delete Role +description: + - This module creates or updates the role definition. + - Note that the `allowed_domains`, `allow_subdomains`, `allow_glob_domains`, and `allow_any_name` attributes are + additive; between them nearly and across multiple roles nearly any issuing policy can be accommodated. + `server_flag`, `client_flag`, and `code_signing_flag` are additive as well. + - If a client requests a certificate that is not allowed by the CN policy in the role, the request is denied. +options: + mount_point: + default: ssh + description: + - location where secrets engine is mounted. also known as path + name: + required: true + description: + - Specifies the name of the role to create. + role_file: + description: + - file with a json object containing play parameters. pass all params but name, state, mount_point which + stay in the ansible play + state: + description: + - Do you want for this config to be present or absent + choices: ["present", "absent"] + default: present + config: + type: dict + description: + - Collection of properties from ssh role + U(https://www.vaultproject.io/api/secret/ssh#create-role) + suboptions: + key: + type: str + default: "" + description: + - Specifies the name of the registered key in Vault. Before + creating the role, use the `keys/` endpoint to create a + named key. This is required for "Dynamic Key" type. + admin_user: + type: str + default: "" + description: + - Specifies the admin user at remote host. The shared key + being registered should be for this user and should have + root or sudo privileges. Every time a dynamic credential + is generated for a client, Vault uses this admin username + to login to remote host and install the generated + credential. This is required for Dynamic Key type. + default_user: + type: str + default: "" + description: + - Specifies the default username for which a credential + will be generated. When the endpoint `creds/` is used + without a username, this value will be used as default + username. Its recommended to create individual roles for + each username to ensure absolute isolation between + usernames. This is required for Dynamic Key type and OTP + type. + - For the CA type, if you wish this to be a valid + principal, it must also be in `allowed_users`. + cidr_list: + type: str + default: "" + description: + - Specifies a comma separated list of CIDR blocks for which + the role is applicable for. It is possible that a same + set of CIDR blocks are part of multiple roles. This is a + required parameter, unless the role is registered under + the `/config/zeroaddress` endpoint. + exclude_cidr_list: + type: str + default: "" + description: + - Specifies a comma-separated list of CIDR blocks. IP + addresses belonging to these blocks are not accepted by + the role. This is particularly useful when big CIDR + blocks are being used by the role and certain parts need + to be kept out. + port: + type: int + default: 22 + description: + - Specifies the port number for SSH connection. Port number + does not play any role in OTP generation. For the `otp` + secrets engine type, this is just a way to inform the + client about the port number to use. The port number will + be returned to the client by Vault along with the OTP. + key_type: + type: str + choices: ["otp", "dynamic", "ca"] + required: true + description: + - Specifies the type of credentials generated by this role. + This can be either `otp`, `dynamic` or `ca`. + key_bits: + type: int + choices: [1024, 2048] + default: 1024 + description: + - Specifies the length of the RSA dynamic key in bits. This + can be either `1024` or `2048`. + install_script: + type: str + default: "" + description: + - Specifies the script used to install and uninstall public + keys in the target machine. Defaults to the built-in + script. + allowed_users: + type: str + default: "" + description: + - |- + If this option is not specified, or if it is `*`, the + client can request a credential for any valid user at the + remote host, including the admin user. If only certain + usernames are to be allowed, then this list enforces it. + If this field is set, then credentials can only be + created for `default_user` and usernames present in this + list. Setting this option will enable all the users with + access to this role to fetch credentials for all other + usernames in this list. When `allowed_users_template` is + set to `true`, this field can contain an identity template + with any prefix or suffix, like + `ssh-{{identity.entity.id}}-user`. Use with caution. N.B.: + if the type is `ca`, an empty list does not allow any + user; instead you must use `*` to enable this behavior. + allowed_users_template: + type: bool + default: false + description: + - If set, `allowed_users` can be specified using identity + template policies. Non-templated users are also + permitted. + allowed_domains: + type: str + default: "" + description: + - The list of domains for which a client can request a host + certificate. If this option is explicitly set to `"*"`, + then credentials can be created for any domain. See also + `allow_bare_domains` and `allow_subdomains`. + key_option_specs: + type: str + default: "" + description: + - |- + Specifies a comma separated option specification which + will be prefixed to RSA keys in the remote host's + authorized_keys file. N.B.: Vault does not check this + string for validity. + ttl: + type: str + default: "" + description: + - Specifies the Time To Live value provided as a string + duration with time suffix. Hour is the largest suffix. If + not set, uses the system default value or the value of + `max_ttl`, whichever is shorter. + max_ttl: + type: str + default: "" + description: + - Specifies the maximum Time To Live provided as a string + duration with time suffix. Hour is the largest suffix. If + not set, defaults to the system maximum lease TTL. + allowed_critical_options: + type: str + default: "" + description: + - Specifies a comma-separated list of critical options that + certificates can have when signed. To allow any critical + options, set this to an empty string. Will default to + allowing any critical options. + allowed_extensions: + type: str + default: "" + description: + - Specifies a comma-separated list of extensions that + certificates can have when signed. To allow a user to + specify any extension, set this to `"*"`. If not set, users + will not be allowed to specify extensions and will get + the extensions specified within `default_extensions`. For + the list of extensions, take a look at the sshd manual's + U(https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT) + `AUTHORIZED_KEYS FILE FORMAT` section. You should add a + `permit-` before the name of extension to allow it. + default_critical_options: + type: dict + default: null + description: + - Specifies a map of critical options certificates should + have if none are provided when signing. This field takes + in key value pairs in JSON format. Note that these are + not restricted by `allowed_critical_options`. Defaults to + none. + default_extensions: + type: dict + default: null + description: + - Specifies a map of extensions certificates should have if + none are provided when signing. This field takes in key + value pairs in JSON format. Note that these are not + restricted by `allowed_extensions`. Defaults to none. + allow_user_certificates: + type: bool + default: false + description: + - Specifies if certificates are allowed to be signed for + use as a 'user'. + allow_host_certificates: + type: bool + default: false + description: + - Specifies if certificates are allowed to be signed for + use as a 'host'. + allow_bare_domains: + type: bool + default: false + description: + - Specifies if host certificates that are requested are + allowed to use the base domains listed in + `allowed_domains`, e.g. "example.com". This is a separate + option as in some cases this can be considered a security + threat. + allow_subdomains: + type: bool + default: false + description: + - Specifies if host certificates that are requested are + allowed to be subdomains of those listed in + `allowed_domains`, e.g. if "example.com" is part of + `allowed_domains`, this allows "foo.example.com". + allow_user_key_ids: + type: bool + default: false + description: + - Specifies if users can override the key ID for a signed + certificate with the "key_id" field. When false, the key + ID will always be the token display name. The key ID is + logged by the SSH server and can be useful for auditing. + key_id_format: + type: str + default: "" + description: + - |- + When supplied, this value specifies a custom format for + the key id of a signed certificate. The following + variables are available for use: '{{token_display_name}}' + - The display name of the token used to make the request. + '{{role_name}}' - The name of the role signing the + request. '{{public_key_hash}}' - A SHA256 checksum of + the public key that is being signed. e.g. + "custom-keyid-{{token_display_name}}" + allowed_user_key_lengths: + type: dict + default: null + description: + - Specifies a map of ssh key types and their expected sizes + which are allowed to be signed by the CA type. + algorithm_signer: + type: str + choices: ["", "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"] + default: "" + description: + - Algorithm to sign keys with. Valid values are `ssh-rsa`, + `rsa-sha2-256`, and `rsa-sha2-512`. This value may be left + blank to use the signer's default algorithm, and must be + left blank for CA key types other than RSA. Note that + `ssh-rsa` is now considered insecure and is not supported + by current OpenSSH versions. +extends_documentation_fragment: + - hashivault +""" +EXAMPLES = r""" +--- +- hosts: localhost + tasks: + - hashivault_ssh_role: + name: tester + config: + key_type: ca + allowed_users: tester + default_user: tester + + - hashivault_ssh_role: + name: tester + role_file: "/opt/vault/etc/roles/ssh-tester.json" + state: "present" +""" +normalize = { + "list": list, + "str": str, + "dict": dict, + "bool": bool, + "int": int, + "duration": str, +} + + +def main(): + argspec = hashivault_argspec() + argspec["name"] = dict(required=True, type="str") + argspec["state"] = dict( + required=False, type="str", default="present", choices=["present", "absent"] + ) + argspec["mount_point"] = dict(required=False, type="str", default="ssh") + argspec["role_file"] = dict(required=False, type="str") + argspec["config"] = dict(required=False, type="dict") + + supports_check_mode = True + + module = hashivault_init(argspec, supports_check_mode) + result = hashivault_ssh_role(module) + + if result.get("failed"): + module.fail_json(**result) + else: + module.exit_json(**result) + + +@hashiwrapper +def hashivault_ssh_role(module): + params = module.params + client = hashivault_auth_client(params) + + name = params.get("name").strip("/") + mount_point = params.get("mount_point").strip("/") + state = params.get("state") + role_file = params.get("role_file") + config = params.get("config") + path = f"roles/{name}" + + desired_state = {} + exists = False + + if role_file: + with open(role_file, "rt") as fp: + desired_state = json.safe_load(fp.read()) + elif config: + desired_state = copy.deepcopy(config) + + changed = False + + try: + current_state = client.secrets.pki.read_role( + name=name, mount_point=mount_point + ).get("data") + except Exception: + current_state = {} + + if current_state: + exists = True + + if (exists and state == "absent") or (not exists and state == "present"): + changed = True + + # compare current_state to config (desired_state before normalization) + if exists and state == "present" and not changed: + # Update all keys not present in the desired_state with data from the + # current_state, to ensure a proper diff output. + for key in current_state: + if desired_state.get(key) is None: + desired_state[key] = current_state[key] + + changed = desired_state != current_state + + # make the changes! + if changed and state == "present": + if not module.check_mode: + # Before posting the desired state to the vault api we need to + # normalize some keys. This is a quirk of the vault api that it + # expects a different data format in the PUT/POST endpoint than + # it returns in the GET endpoint. + data = {} + + doc = yaml.safe_load(DOCUMENTATION) + args = doc.get("options").get("config").get("suboptions").items() + for key, value in args: + arg = desired_state.get(key) + if arg is not None: + try: + data[key] = normalize[value.get("type")](arg) + except Exception: + return { + "changed": False, + "failed": True, + "msg": "config item '{}' has wrong data format".format(key), + } + # create or update + client.secrets.kv.v1.create_or_update_secret( + mount_point=mount_point, + path=path, + secret=data, + ) + elif changed and state == "absent": + if not module.check_mode: + # delete + client.secrets.kv.v1.delete_secret( + mount_point=mount_point, + path=path, + ) + # after deleting it the item is no more + desired_state = {} + + return { + "changed": changed, + "diff": { + "before": current_state, + "after": desired_state, + }, + } + + +if __name__ == "__main__": + main() diff --git a/functional/run.sh b/functional/run.sh index d673ab1b..6f91dd83 100755 --- a/functional/run.sh +++ b/functional/run.sh @@ -81,6 +81,10 @@ ansible-playbook -v test_approle_old.yml ansible-playbook -v test_token_role.yml ansible-playbook -v test_token_role_check_mode.yml +# sshrole +ansible-playbook -v test_ssh_role.yml +ansible-playbook -v test_ssh_role_check_mode.yml + # userpass ansible-playbook -v test_userpass.yml ansible-playbook -v test_userpass_idempotent.yml diff --git a/functional/test_ssh_role.yml b/functional/test_ssh_role.yml new file mode 100644 index 00000000..d6e4879d --- /dev/null +++ b/functional/test_ssh_role.yml @@ -0,0 +1,70 @@ +--- +- hosts: localhost + gather_facts: no + vars: + namespace: 'application' + rules: > + path "ssh/{{namespace}}/*" { + capabilities = ["create", "read", "update", "delete", "list"] + } + path "ssh/{{namespace}}" { + capabilities = ["list"] + } + tasks: + - name: Enable ssh secret engine + hashivault_secret_engine: + name: ssh + state: enabled + + - name: Set ssh role policy + hashivault_policy: + name: "sshrole_test_user_original" + rules: "{{rules}}" + register: vault_policy + - assert: { that: "{{vault_policy.rc}} == 0" } + + - name: Set another ssh role policy + hashivault_policy: + name: "sshrole_test_user" + rules: "{{rules}}" + register: vault_policy + - assert: { that: "{{vault_policy.rc}} == 0" } + + - name: delete role + hashivault_ssh_role: + name: testrole + state: absent + failed_when: false + + - name: create role + hashivault_ssh_role: + name: testrole + config: + key_type: ca + allowed_users: sshrole_test_user_original + allow_host_certificates: true + state: present + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == True" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: update role + hashivault_ssh_role: + name: testrole + config: + allowed_users: sshrole_test_user + state: present + register: 'vault_role_update' + - assert: { that: "{{vault_role_update.changed}} == True" } + - assert: { that: "{{vault_role_update.rc}} == 0" } + + - name: update role idempotent + hashivault_ssh_role: + name: testrole + config: + allowed_users: sshrole_test_user + allow_host_certificates: true + state: present + register: 'vault_role_update' + - assert: { that: "{{vault_role_update.changed}} == False" } + - assert: { that: "{{vault_role_update.rc}} == 0" } diff --git a/functional/test_ssh_role_check_mode.yml b/functional/test_ssh_role_check_mode.yml new file mode 100644 index 00000000..12165d06 --- /dev/null +++ b/functional/test_ssh_role_check_mode.yml @@ -0,0 +1,45 @@ +--- +- hosts: localhost + gather_facts: no + tasks: + - name: create ssh role check_mode exists + hashivault_ssh_role: + name: testrole + config: + key_type: ca + allowed_users: sshrole_test_user + state: present + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == False" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: create ssh role check_mode does not exist + hashivault_ssh_role: + name: testrole_two + config: + key_type: ca + allowed_users: sshrole_test_user + state: present + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == True" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: delete ssh role check_mode exists + hashivault_ssh_role: + name: testrole + state: absent + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == True" } + - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: delete ssh role check_mode does not exist + hashivault_ssh_role: + name: testrole_two + state: absent + check_mode: true + register: 'vault_role_create' + - assert: { that: "{{vault_role_create.changed}} == False" } + - assert: { that: "{{vault_role_create.rc}} == 0" } From ae20bc4c5dca50fdfe5c1c3045ef5fe694f88786 Mon Sep 17 00:00:00 2001 From: Szymon Soloch Date: Wed, 15 Jun 2022 15:23:12 +0200 Subject: [PATCH 11/65] add a hashivault_ssh_role_list module This module lists roles configured in a specified ssh secrets engine. This module supports check mode (even though it does not perform any write operations) to ensure a whole playbook can run in check mode and proper data is still returned from this module for further tasks to use. The code in this commit has been formatted with `black`. --- .../hashivault/hashivault_ssh_role_list.py | 85 +++++++++++++++++++ functional/test_ssh_role.yml | 15 ++++ functional/test_ssh_role_check_mode.yml | 9 ++ 3 files changed, 109 insertions(+) create mode 100644 ansible/modules/hashivault/hashivault_ssh_role_list.py diff --git a/ansible/modules/hashivault/hashivault_ssh_role_list.py b/ansible/modules/hashivault/hashivault_ssh_role_list.py new file mode 100644 index 00000000..a604b8d4 --- /dev/null +++ b/ansible/modules/hashivault/hashivault_ssh_role_list.py @@ -0,0 +1,85 @@ +#!/usr/bin/env python +from ansible.module_utils.hashivault import hashivault_auth_client +from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_init +from ansible.module_utils.hashivault import hashiwrapper +from hvac.exceptions import InvalidPath + +ANSIBLE_METADATA = { + "status": ["preview"], + "supported_by": "community", + "version": "1.1", +} +DOCUMENTATION = r""" +--- +module: hashivault_ssh_role_list +version_added: "4.7.0" +short_description: Hashicorp Vault SSH List Roles +description: + - This module returns a list of available roles. + - Only the role names are returned, not any values. +options: + mount_point: + default: ssh + description: + - location where secrets engine is mounted. also known as path +extends_documentation_fragment: + - hashivault +""" +EXAMPLES = r""" +--- +- hosts: localhost + tasks: + - hashivault_ssh_role_list: + mount_point: ssh + register: roles_list + - debug: msg="{{ roles_list.data }}" +""" +RETURN = r""" +--- +data: + description: list of roles, if ssh engine has no roles will return empty list + returned: success + type: list +""" + + +def main(): + argspec = hashivault_argspec() + argspec["mount_point"] = dict(required=False, type="str", default="ssh") + + module = hashivault_init(argspec, supports_check_mode=True) + result = hashivault_pki_role_list(module) + + if result.get("failed"): + module.fail_json(**result) + else: + module.exit_json(**result) + + +@hashiwrapper +def hashivault_pki_role_list(module): + params = module.params + client = hashivault_auth_client(params) + + mount_point = params.get("mount_point").strip("/") + + try: + return { + "data": client.secrets.kv.v1.list_secrets( + mount_point=mount_point, + path="roles", + ) + .get("data") + .get("keys") + } + except InvalidPath as exc: + if len(exc.errors) == 0: # Path is valid but no roles exist. + return {"data": []} + return {"failed": True, "data": [], "msg": str(exc)} + except Exception as exc: + return {"failed": True, "data": [], "msg": str(exc)} + + +if __name__ == "__main__": + main() diff --git a/functional/test_ssh_role.yml b/functional/test_ssh_role.yml index d6e4879d..f82b154b 100644 --- a/functional/test_ssh_role.yml +++ b/functional/test_ssh_role.yml @@ -35,6 +35,13 @@ name: testrole state: absent failed_when: false + + - name: list ssh roles empty + hashivault_ssh_role_list: + register: 'vault_role_list' + - assert: { that: "{{vault_role_list.changed}} == False" } + - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "{{vault_role_list.data|length}} == 0"} - name: create role hashivault_ssh_role: @@ -68,3 +75,11 @@ register: 'vault_role_update' - assert: { that: "{{vault_role_update.changed}} == False" } - assert: { that: "{{vault_role_update.rc}} == 0" } + + - name: list ssh roles + hashivault_ssh_role_list: + register: 'vault_role_list' + - assert: { that: "{{vault_role_list.changed}} == False" } + - assert: { that: "{{vault_role_list.rc}} == 0" } + - fail: msg="role testrole not in list {{vault_role_list.data}}" + when: '"testrole" not in vault_role_list.data' diff --git a/functional/test_ssh_role_check_mode.yml b/functional/test_ssh_role_check_mode.yml index 12165d06..b9c6d50a 100644 --- a/functional/test_ssh_role_check_mode.yml +++ b/functional/test_ssh_role_check_mode.yml @@ -43,3 +43,12 @@ register: 'vault_role_create' - assert: { that: "{{vault_role_create.changed}} == False" } - assert: { that: "{{vault_role_create.rc}} == 0" } + + - name: list ssh roles check_mode + hashivault_ssh_role_list: + register: 'vault_role_list' + check_mode: true + - assert: { that: "{{vault_role_list.changed}} == False" } + - assert: { that: "{{vault_role_list.rc}} == 0" } + - fail: msg="role testrole not in list {{vault_role_list.data}}" + when: '"testrole" not in vault_role_list.data' From edcd4d03a2305ca28470fede92070ef4739d8e8d Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sun, 19 Jun 2022 08:54:57 -0600 Subject: [PATCH 12/65] Version 4.7.0 --- CHANGELOG.rst | 13 +++++++++++++ setup.py | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 38347b55..3c21eea9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,19 @@ Changelog ========= +4.7.0 (2022-06-19) +------------------ +- Add a hashivault_ssh_role_list module. [Szymon Soloch] +- Add a hashivault_ssh_role module. [Szymon Soloch] +- Add a hashivault_token_role_list module. [Szymon Soloch] +- Add a hashivault_token_role module. [Szymon Soloch] +- Get better auth method tests. [Terry Howe] +- Fix auth_method idempotency. [ayav09] +- Fix tests. [Terry Howe] +- Fix docs build. [Terry Howe] +- Fix state comparison of lists. [Jarno Antikainen] + + 4.6.8 (2022-02-19) ------------------ - Allow create nonexistent secret when state is update. [Pavel Ezhov] diff --git a/setup.py b/setup.py index bcdd4060..528aad57 100644 --- a/setup.py +++ b/setup.py @@ -16,7 +16,7 @@ setup( name='ansible-modules-hashivault', - version='4.6.8', + version='4.7.0', description='Ansible Modules for Hashicorp Vault', long_description=long_description, long_description_content_type='text/x-rst', From 2c9871373578c69a09188dec630e512ea2d55071 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sun, 3 Jul 2022 07:54:15 -0600 Subject: [PATCH 13/65] Fix PKI tests from new hvac --- ansible/modules/hashivault/hashivault_pki_set_signed.py | 7 +++++-- functional/test_pki.yml | 2 -- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_pki_set_signed.py b/ansible/modules/hashivault/hashivault_pki_set_signed.py index 679ae9ac..63904780 100755 --- a/ansible/modules/hashivault/hashivault_pki_set_signed.py +++ b/ansible/modules/hashivault/hashivault_pki_set_signed.py @@ -81,8 +81,11 @@ def hashivault_pki_set_signed(module): result = {"changed": False, "rc": 0} try: - result['changed'] = client.secrets.pki.set_signed_intermediate(certificate=certificate, - mount_point=mount_point).ok + response = client.secrets.pki.set_signed_intermediate(certificate=certificate, mount_point=mount_point) + if isinstance(response, dict): + result['changed'] = True + else: + result['changed'] = response.ok except Exception as e: result['rc'] = 1 result['failed'] = True diff --git a/functional/test_pki.yml b/functional/test_pki.yml index 5b03fd8d..fc66f010 100644 --- a/functional/test_pki.yml +++ b/functional/test_pki.yml @@ -163,7 +163,6 @@ hashivault_pki_crl_get: mount_point: "{{mount_inter}}" register: response - failed_when: response.rc == 0 - name: Set CRL Configuration hashivault_pki_crl: mount_point: "{{mount_inter}}" @@ -206,7 +205,6 @@ hashivault_pki_url_get: mount_point: "{{mount_inter}}" register: response - failed_when: response.rc == 0 - name: Set URLs hashivault_pki_url: mount_point: "{{mount_inter}}" From 1c70a5502203616a03e85c676385a95ba1bbabd6 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sun, 3 Jul 2022 07:17:22 -0600 Subject: [PATCH 14/65] Add self_renew for hashivault_token_renew --- ansible/modules/hashivault/hashivault_token_renew.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ansible/modules/hashivault/hashivault_token_renew.py b/ansible/modules/hashivault/hashivault_token_renew.py index 7bbc3458..013693b7 100644 --- a/ansible/modules/hashivault/hashivault_token_renew.py +++ b/ansible/modules/hashivault/hashivault_token_renew.py @@ -21,6 +21,9 @@ description: - "Request a specific increment for renewal. Vault is not required to honor this request. If not supplied,\ Vault will use the default TTL." + self_renew: + description: + - Self renew token wrap_ttl: description: - Indicates that the response should be wrapped in a cubbyhole token with the requested TTL. @@ -42,6 +45,7 @@ def main(): argspec = hashivault_argspec() argspec['renew_token'] = dict(required=False, type='str', no_log=True) argspec['increment'] = dict(required=False, type='str', default=None) + argspec['self_renew'] = dict(required=False, type='bool', default=False) argspec['wrap_ttl'] = dict(required=False, type='int') module = hashivault_init(argspec) result = hashivault_token_renew(module.params) @@ -56,10 +60,14 @@ def hashivault_token_renew(params): client = hashivault_auth_client(params) renew_token = params.get('renew_token') increment = params.get('increment') + self_renew = params.get('self_renew') if renew_token is None: renew_token = params.get('token') wrap_ttl = params.get('wrap_ttl') - renew = client.renew_token(token=renew_token, increment=increment, wrap_ttl=wrap_ttl) + if self_renew is True: + renew = client.renew_self_token(increment=increment, wrap_ttl=wrap_ttl) + else: + renew = client.renew_token(token=renew_token, increment=increment, wrap_ttl=wrap_ttl) return {'changed': True, 'renew': renew} From 460dc5bdf61eaa5667b8463a411a9f83f2677d7a Mon Sep 17 00:00:00 2001 From: Matt Harlum Date: Thu, 8 Sep 2022 15:00:19 +0200 Subject: [PATCH 15/65] Fixup idempotency of hashivault_auth_ldap token_max_ttl and token_ttl are ints --- ansible/modules/hashivault/hashivault_auth_ldap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_auth_ldap.py b/ansible/modules/hashivault/hashivault_auth_ldap.py index 9f5fdc55..47cf9ed5 100644 --- a/ansible/modules/hashivault/hashivault_auth_ldap.py +++ b/ansible/modules/hashivault/hashivault_auth_ldap.py @@ -139,8 +139,8 @@ def main(): argspec['group_attr'] = dict(required=False, type='str', default='cn') argspec['group_dn'] = dict(required=False, type='str', default='') argspec['use_token_groups'] = dict(required=False, type='bool', default=False) - argspec['token_ttl'] = dict(required=False, type='str', default='') - argspec['token_max_ttl'] = dict(required=False, type='str', default='') + argspec['token_ttl'] = dict(required=False, type='int', default=0) + argspec['token_max_ttl'] = dict(required=False, type='int', default=0) module = hashivault_init(argspec, supports_check_mode=True) result = hashivault_auth_ldap(module) From 71de2c7065d4f0515fe4043c31d3dbde6a9163ec Mon Sep 17 00:00:00 2001 From: Matt Harlum Date: Fri, 9 Sep 2022 11:26:56 +0200 Subject: [PATCH 16/65] Fix "enable ldap authentication" in test_ldap_group The test was looking for a change after setting ldap_url to ldap://127.0.0.1 which is default so doesn't cause a change --- functional/test_ldap_group.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/functional/test_ldap_group.yml b/functional/test_ldap_group.yml index e2741d1a..fa1617da 100644 --- a/functional/test_ldap_group.yml +++ b/functional/test_ldap_group.yml @@ -18,7 +18,7 @@ - name: ldap configuration hashivault_auth_ldap: - ldap_url: ldap://127.0.0.1 + ldap_url: ldap://localhost register: ldap_module - assert: { that: "{{ ldap_module.changed }} == True" } - assert: { that: "{{ ldap_module.rc }} == 0" } From 198183f0dd24ab0811c7e345ae29497500cbf5f0 Mon Sep 17 00:00:00 2001 From: Matt Harlum Date: Fri, 9 Sep 2022 12:15:22 +0200 Subject: [PATCH 17/65] Add idempotency test to test_ldap_group --- functional/test_ldap_group.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/functional/test_ldap_group.yml b/functional/test_ldap_group.yml index fa1617da..08343410 100644 --- a/functional/test_ldap_group.yml +++ b/functional/test_ldap_group.yml @@ -23,6 +23,12 @@ - assert: { that: "{{ ldap_module.changed }} == True" } - assert: { that: "{{ ldap_module.rc }} == 0" } + - name: ldap configuration is idempotent + hashivault_auth_ldap: + ldap_url: ldap://localhost + register: ldap_module_idempotent + - assert: { that: "{{ ldap_module_idempotent.changed }} == False" } + - name: remove ldap group hashivault_ldap_group: name: test From ca3ded49ac00aaa620fce49919cff48ceac82966 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 12 Sep 2022 08:28:05 -0600 Subject: [PATCH 18/65] Update configuration --- functional/start.sh | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/functional/start.sh b/functional/start.sh index 42a7da65..1ac536ca 100755 --- a/functional/start.sh +++ b/functional/start.sh @@ -11,22 +11,21 @@ TMP_CONFIG=$(mktemp -q /tmp/$0.XXXXXX) trap "rm $TMP_CONFIG" EXIT cat < $TMP_CONFIG -{ - "backend": { - "file": { - "path": "/vault/file" - } - }, - "listener": { - "tcp": { - "address": "0.0.0.0:${PORT}", - "tls_disable": 1 - } - }, - "default_lease_ttl": "168h", - "max_lease_ttl": "720h", - "disable_mlock": true +storage "file" { + path = "/vault/file" } + +"listener" "tcp" { + "address" = "0.0.0.0:${PORT}" + + "tls_disable" = 1 +} + +"default_lease_ttl" = "168h" + +"max_lease_ttl" = "720h" + +"disable_mlock" = true EOF chmod a+r $TMP_CONFIG @@ -35,8 +34,8 @@ docker rm $DOCKER_NAME 2>/dev/null || true docker run --name $DOCKER_NAME -h $DOCKER_NAME -d \ --cap-add IPC_LOCK \ -p 127.0.0.1:${PORT}:${PORT} \ - -v $TMP_CONFIG:/etc/vault/config.json:ro \ - vault server -config /etc/vault/config.json + -v $TMP_CONFIG:/etc/vault/config.hcl:ro \ + vault server -config /etc/vault/config.hcl # # Wait for vault to come up From 8e1912f8920c77c28ec2219893056c0f20f33529 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 24 Oct 2022 06:32:04 -0600 Subject: [PATCH 19/65] Changes for hvac 1 --- .../hashivault/hashivault_generate_root.py | 2 +- .../hashivault_generate_root_cancel.py | 4 ++-- .../hashivault/hashivault_generate_root_init.py | 16 +++++++++++----- .../hashivault/hashivault_token_create.py | 2 +- 4 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_generate_root.py b/ansible/modules/hashivault/hashivault_generate_root.py index a77119f7..692f435d 100644 --- a/ansible/modules/hashivault/hashivault_generate_root.py +++ b/ansible/modules/hashivault/hashivault_generate_root.py @@ -48,7 +48,7 @@ def hashivault_generate_root(params): key = params.get('key') nonce = params.get('nonce') client = hashivault_client(params) - return {'status': client.generate_root(key, nonce), 'changed': True} + return {'status': client.sys.generate_root(key, nonce), 'changed': True} if __name__ == '__main__': diff --git a/ansible/modules/hashivault/hashivault_generate_root_cancel.py b/ansible/modules/hashivault/hashivault_generate_root_cancel.py index 2f76e388..1df1f0f3 100644 --- a/ansible/modules/hashivault/hashivault_generate_root_cancel.py +++ b/ansible/modules/hashivault/hashivault_generate_root_cancel.py @@ -36,10 +36,10 @@ def main(): def hashivault_generate_root_cancel(params): client = hashivault_client(params) # Check if generate_root is on-going & return when generate_root not in progress - status = client.generate_root_status + status = client.sys.read_root_generation_progress() if not status['started']: return {'changed': False} - return {'status': client.cancel_generate_root(), 'changed': True} + return {'status': client.sys.cancel_root_generation().ok, 'getter': str(status), 'changed': True} if __name__ == '__main__': diff --git a/ansible/modules/hashivault/hashivault_generate_root_init.py b/ansible/modules/hashivault/hashivault_generate_root_init.py index 4d517ec4..d5595805 100644 --- a/ansible/modules/hashivault/hashivault_generate_root_init.py +++ b/ansible/modules/hashivault/hashivault_generate_root_init.py @@ -24,7 +24,11 @@ pgp_key: description: - specifies PGP public keys used to encrypt the output root token. - default: '' + default: None + otp: + description: + - must specify either pgp_key or otp + default: None extends_documentation_fragment: hashivault ''' EXAMPLES = ''' @@ -38,7 +42,8 @@ def main(): argspec = hashivault_argspec() - argspec['pgp_key'] = dict(required=False, type='str', default='') + argspec['pgp_key'] = dict(required=False, type='str', default=None) + argspec['otp'] = dict(required=False, type='str', default=None) module = hashivault_init(argspec) result = hashivault_generate_root_init(module.params) if result.get('failed'): @@ -51,11 +56,12 @@ def main(): def hashivault_generate_root_init(params): client = hashivault_client(params) # Check if rekey is on-going - status = client.generate_root_status + status = client.sys.read_root_generation_progress() if status['started']: return {'changed': False} - pgp = params.get('pgp_key') - return {'status': client.start_generate_root(pgp, otp=False), 'changed': True} + pgp_key = params.get('pgp_key') + otp = params.get('otp') + return {'status': client.sys.start_root_token_generation(otp=otp, pgp_key=pgp_key), 'changed': True} if __name__ == '__main__': diff --git a/ansible/modules/hashivault/hashivault_token_create.py b/ansible/modules/hashivault/hashivault_token_create.py index fd081465..da2e896c 100644 --- a/ansible/modules/hashivault/hashivault_token_create.py +++ b/ansible/modules/hashivault/hashivault_token_create.py @@ -121,7 +121,7 @@ def hashivault_token_create(params): period = params.get('period') explicit_max_ttl = params.get('explicit_max_ttl') - token = client.create_token( + token = client.auth.token.create( role=role, token_id=token_id, policies=policies, From fca7105920184d4018df737ba1f68ae64bff9964 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 7 Nov 2022 11:38:23 -0700 Subject: [PATCH 20/65] changes for approle --- .../_hashivault_approle_role_create.py | 4 +-- .../_hashivault_approle_role_secret_create.py | 15 +++------ .../_hashivault_approle_role_secret_delete.py | 2 +- .../hashivault/hashivault_approle_role.py | 10 +++--- .../hashivault/hashivault_approle_role_get.py | 2 +- .../hashivault/hashivault_approle_role_id.py | 5 ++- .../hashivault_approle_role_list.py | 2 +- .../hashivault_approle_role_secret.py | 33 +++++++------------ ...ivault_approle_role_secret_accessor_get.py | 2 +- .../hashivault_approle_role_secret_get.py | 2 +- .../hashivault_approle_role_secret_list.py | 2 +- .../hashivault/hashivault_token_create.py | 17 ++-------- functional/test_approle.yml | 11 ------- functional/test_tokens.yml | 16 ++++----- setup.py | 6 ++-- 15 files changed, 46 insertions(+), 83 deletions(-) diff --git a/ansible/modules/hashivault/_hashivault_approle_role_create.py b/ansible/modules/hashivault/_hashivault_approle_role_create.py index e61aa9fd..515acd8e 100644 --- a/ansible/modules/hashivault/_hashivault_approle_role_create.py +++ b/ansible/modules/hashivault/_hashivault_approle_role_create.py @@ -101,13 +101,13 @@ def hashivault_approle_role_create(params): policies = params.get('policies') client = hashivault_auth_client(params) kwargs = { - 'policies': policies, + 'token_policies': policies, } for arg in args: value = params.get(arg) if value is not None: kwargs[arg] = value - client.create_role(name, **kwargs) + client.auth.approle.create_or_update_approle(name, **kwargs) return {'changed': True} diff --git a/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py b/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py index dbde8cd5..8f3be798 100644 --- a/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py +++ b/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py @@ -27,9 +27,6 @@ metadata: description: - Metadata to be tied to the secret. - wrap_ttl: - description: - - Wrap TTL. extends_documentation_fragment: hashivault ''' EXAMPLES = ''' @@ -57,7 +54,6 @@ def main(): argspec['secret_id'] = dict(required=False, type='str') argspec['cidr_list'] = dict(required=False, type='str') argspec['metadata'] = dict(required=False, type='dict') - argspec['wrap_ttl'] = dict(required=False, type='str') module = hashivault_init(argspec) result = hashivault_approle_role_secret_create(module.params) if result.get('failed'): @@ -72,18 +68,15 @@ def hashivault_approle_role_secret_create(params): custom_secret_id = params.get('secret_id') cidr_list = params.get('cidr_list') metadata = params.get('metadata') - wrap_ttl = params.get('wrap_ttl') client = hashivault_auth_client(params) if custom_secret_id is not None: - result = client.create_role_custom_secret_id(role_name=name, - secret_id=custom_secret_id, - meta=metadata) + result = client.auth.approle.create_custom_secret_id(role_name=name, + secret_id=custom_secret_id, + metadata=metadata) else: - result = client.create_role_secret_id(role_name=name, meta=metadata, - cidr_list=cidr_list, - wrap_ttl=wrap_ttl) + result = client.auth.approle.generate_secret_id(role_name=name, metadata=metadata, cidr_list=cidr_list) return result['data'] diff --git a/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py b/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py index 16638f3d..e8727ec4 100644 --- a/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py +++ b/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py @@ -49,7 +49,7 @@ def hashivault_approle_role_secret_delete(params): name = params.get('name') secret = params.get('secret') client = hashivault_auth_client(params) - client.delete_role_secret_id(name, secret) + client.auth.approle.destroy_secret_id(name, secret) return {'changed': True} diff --git a/ansible/modules/hashivault/hashivault_approle_role.py b/ansible/modules/hashivault/hashivault_approle_role.py index e2117683..1b1f72d2 100644 --- a/ansible/modules/hashivault/hashivault_approle_role.py +++ b/ansible/modules/hashivault/hashivault_approle_role.py @@ -170,10 +170,10 @@ def hashivault_approle_role(module): desired_state[arg] = value try: - previous_state = client.get_role(name, mount_point=mount_point) + previous_state = client.auth.approle.read_role(name, mount_point=mount_point) except Exception: if not module.check_mode: - client.create_role(name, mount_point=mount_point, **desired_state) + client.auth.approle.create_or_update_approle(name, mount_point=mount_point, **desired_state) return {'changed': True} changed = False @@ -190,16 +190,16 @@ def hashivault_approle_role(module): return {'changed': False, 'missing': missing, 'previous_state': previous_state} if not module.check_mode: - client.create_role(name, mount_point=mount_point, **desired_state) + client.auth.approle.create_or_update_approle(name, mount_point=mount_point, **desired_state) return {'changed': True, 'missing': missing} if module.check_mode: try: - client.get_role(name, mount_point=mount_point) + client.auth.approle.read_role(name, mount_point=mount_point) except Exception: return {'changed': False} return {'changed': True} else: - client.delete_role(name, mount_point=mount_point) + client.auth.approle.delete_role(name, mount_point=mount_point) return {'changed': True} diff --git a/ansible/modules/hashivault/hashivault_approle_role_get.py b/ansible/modules/hashivault/hashivault_approle_role_get.py index f67c3821..9c2e3911 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_get.py +++ b/ansible/modules/hashivault/hashivault_approle_role_get.py @@ -49,7 +49,7 @@ def main(): def hashivault_approle_role_get(params): name = params.get('name') client = hashivault_auth_client(params) - result = client.get_role(name, mount_point=params.get('mount_point')) + result = client.auth.approle.read_role(name, mount_point=params.get('mount_point')) return {'role': result} diff --git a/ansible/modules/hashivault/hashivault_approle_role_id.py b/ansible/modules/hashivault/hashivault_approle_role_id.py index 7dc8715e..f23bcd2f 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_id.py +++ b/ansible/modules/hashivault/hashivault_approle_role_id.py @@ -49,7 +49,10 @@ def main(): def hashivault_approle_role_id(params): name = params.get('name') client = hashivault_auth_client(params) - return {'id': client.get_role_id(name, mount_point=params.get('mount_point'))} + result = client.auth.approle.read_role_id(name, mount_point=params.get('mount_point')) + data = result.get('data', {}) + role_id = data.get('role_id', '') + return {'id': role_id, 'data': data} if __name__ == '__main__': diff --git a/ansible/modules/hashivault/hashivault_approle_role_list.py b/ansible/modules/hashivault/hashivault_approle_role_list.py index 7a4d3b06..c5772ce0 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_list.py +++ b/ansible/modules/hashivault/hashivault_approle_role_list.py @@ -43,7 +43,7 @@ def main(): @hashiwrapper def hashivault_approle_role_list(params): client = hashivault_auth_client(params) - roles = client.list_roles(mount_point=params.get('mount_point')) + roles = client.auth.approle.list_roles(mount_point=params.get('mount_point')) roles = roles.get('data', {}).get('keys', []) return {'roles': roles} diff --git a/ansible/modules/hashivault/hashivault_approle_role_secret.py b/ansible/modules/hashivault/hashivault_approle_role_secret.py index 54c41379..9ff93701 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_secret.py +++ b/ansible/modules/hashivault/hashivault_approle_role_secret.py @@ -34,9 +34,6 @@ metadata: description: - Metadata to be tied to the secret. - wrap_ttl: - description: - - Wrap TTL. extends_documentation_fragment: hashivault ''' EXAMPLES = ''' @@ -67,7 +64,6 @@ def main(): argspec['mount_point'] = dict(required=False, type='str', default='approle') argspec['cidr_list'] = dict(required=False, type='str') argspec['metadata'] = dict(required=False, type='dict') - argspec['wrap_ttl'] = dict(required=False, type='str') argspec['secret'] = dict(required=False, type='str') module = hashivault_init(argspec, supports_check_mode=True) result = hashivault_approle_role_secret(module) @@ -91,43 +87,38 @@ def hashivault_approle_role_secret(module): custom_secret_id = params.get('secret_id') # deprecated cidr_list = params.get('cidr_list') metadata = params.get('metadata') - wrap_ttl = params.get('wrap_ttl') if custom_secret_id is not None: if module.check_mode: try: - client.get_role_secret_id(name, custom_secret_id, mount_point=mount_point) + client.auth.approle.read_secret_id(name, custom_secret_id, mount_point=mount_point) except Exception: return {'changed': True} return {'changed': False} - result = client.create_role_custom_secret_id(role_name=name, - mount_point=mount_point, - secret_id=custom_secret_id, - meta=metadata) + result = client.auth.approle.create_custom_secret_id(role_name=name, + mount_point=mount_point, + secret_id=custom_secret_id, + metadata=metadata) else: if module.check_mode: return {'changed': True} - result = client.create_role_secret_id(role_name=name, - mount_point=mount_point, - meta=metadata, - cidr_list=cidr_list, - wrap_ttl=wrap_ttl) + result = client.auth.approle.generate_secret_id(role_name=name, + mount_point=mount_point, + metadata=metadata, + cidr_list=cidr_list) - if wrap_ttl is None: - response_key = 'data' - else: - response_key = 'wrap_info' + response_key = 'data' return {'changed': True, response_key: result.get(response_key, {})} elif state == 'absent': secret = params.get('secret') if module.check_mode: try: - client.get_role_secret_id(name, secret, mount_point=mount_point) + client.auth.approle.read_secret_id(name, secret, mount_point=mount_point) except Exception: return {'changed': False} return {'changed': True} else: - client.delete_role_secret_id(name, secret, mount_point=mount_point) + client.auth.approle.destroy_secret_id(name, secret, mount_point=mount_point) return {'changed': True} else: return {'failed': True, 'msg': 'Unkown state value: {}'.format(state)} diff --git a/ansible/modules/hashivault/hashivault_approle_role_secret_accessor_get.py b/ansible/modules/hashivault/hashivault_approle_role_secret_accessor_get.py index 6e3c8d1d..9707b3f7 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_secret_accessor_get.py +++ b/ansible/modules/hashivault/hashivault_approle_role_secret_accessor_get.py @@ -56,7 +56,7 @@ def hashivault_approle_role_secret_accessor_get(params): mount_point = params.get('mount_point') accessor = params.get('accessor') client = hashivault_auth_client(params) - return {'secret': client.get_role_secret_id_accessor(name, accessor, mount_point=mount_point)['data']} + return {'secret': client.auth.approle.read_secret_id_accessor(name, accessor, mount_point=mount_point)['data']} if __name__ == '__main__': diff --git a/ansible/modules/hashivault/hashivault_approle_role_secret_get.py b/ansible/modules/hashivault/hashivault_approle_role_secret_get.py index 30d9a5da..573bebcb 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_secret_get.py +++ b/ansible/modules/hashivault/hashivault_approle_role_secret_get.py @@ -58,7 +58,7 @@ def hashivault_approle_role_secret_get(params): mount_point = params.get('mount_point') secret = params.get('secret') client = hashivault_auth_client(params) - response = client.get_role_secret_id(name, secret, mount_point=mount_point) + response = client.auth.approle.read_secret_id(name, secret, mount_point=mount_point) if type(response) is not dict and response.status_code == 204: # No content return {'secret': {}, 'status': 'absent'} else: diff --git a/ansible/modules/hashivault/hashivault_approle_role_secret_list.py b/ansible/modules/hashivault/hashivault_approle_role_secret_list.py index 0191fcd6..6883e39d 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_secret_list.py +++ b/ansible/modules/hashivault/hashivault_approle_role_secret_list.py @@ -52,7 +52,7 @@ def hashivault_approle_role_secret_list(params): mount_point = params.get('mount_point') client = hashivault_auth_client(params) try: - secrets = client.list_role_secrets(name, mount_point=mount_point) + secrets = client.auth.approle.list_secret_id_accessors(name, mount_point=mount_point) except InvalidPath: return {'secrets': []} secrets = secrets.get('data', {}).get('keys', []) diff --git a/ansible/modules/hashivault/hashivault_token_create.py b/ansible/modules/hashivault/hashivault_token_create.py index da2e896c..41b63a0e 100644 --- a/ansible/modules/hashivault/hashivault_token_create.py +++ b/ansible/modules/hashivault/hashivault_token_create.py @@ -28,9 +28,6 @@ no_parent: description: - If specified, the token will have no parent - lease: - description: - - If specified, the lease time will be this value. (e.g. 1h) display_name: description: - A display name to associate with this token @@ -47,10 +44,6 @@ wrap_ttl: description: - Indicates that the response should be wrapped in a cubbyhole token with the requested TTL. - orphan: - description: - - "If specified, the token will have no parent. Only This prevents the new token from being revoked with\ - your token." renewable: description: - Whether or not the token is renewable to extend its TTL up to Vault's configured maximum TTL for tokens @@ -84,13 +77,11 @@ def main(): argspec['policies'] = dict(required=True, type='list') argspec['metadata'] = dict(required=False, type='str') argspec['no_parent'] = dict(required=False, type='bool', default=False) - argspec['lease'] = dict(required=False, type='str') argspec['display_name'] = dict(required=True, type='str') argspec['num_uses'] = dict(required=False, type='str') argspec['no_default_policy'] = dict(required=False, type='bool', default=False) argspec['ttl'] = dict(required=False, type='str') argspec['wrap_ttl'] = dict(required=False, type='str') - argspec['orphan'] = dict(required=False, type='bool', default=False) argspec['renewable'] = dict(required=False, type='bool') argspec['explicit_max_ttl'] = dict(required=False, type='str') argspec['period'] = dict(required=False, type='str') @@ -110,30 +101,26 @@ def hashivault_token_create(params): policies = params.get('policies') metadata = params.get('metadata') no_parent = params.get('no_parent') - lease = params.get('lease') display_name = params.get('display_name') num_uses = params.get('num_uses') no_default_policy = params.get('no_default_policy') ttl = params.get('ttl') wrap_ttl = params.get('wrap_ttl') - orphan = params.get('orphan') renewable = params.get('renewable') period = params.get('period') explicit_max_ttl = params.get('explicit_max_ttl') token = client.auth.token.create( - role=role, - token_id=token_id, + role_name=role, + id=token_id, policies=policies, meta=metadata, no_parent=no_parent, - lease=lease, display_name=display_name, num_uses=num_uses, no_default_policy=no_default_policy, ttl=ttl, wrap_ttl=wrap_ttl, - orphan=orphan, renewable=renewable, explicit_max_ttl=explicit_max_ttl, period=period diff --git a/functional/test_approle.yml b/functional/test_approle.yml index 15ab173a..e57c1d76 100644 --- a/functional/test_approle.yml +++ b/functional/test_approle.yml @@ -198,14 +198,3 @@ - assert: { that: "{{vault_role_secret_list.rc}} == 0" } - fail: msg="secret {{approle_secret_id_accessor}} shoud not be in list" when: approle_secret_id_accessor in vault_role_secret_list.secrets - - - name: create secret wrap_ttl - hashivault_approle_role_secret: - name: testrole - state: present - wrap_ttl: 30s - register: 'vault_role_secret_create' - - set_fact: - approle_secret_id: "{{vault_role_secret_create.wrap_info.token}}" - - set_fact: - approle_secret_id_accessor: "{{vault_role_secret_create.wrap_info.accessor}}" diff --git a/functional/test_tokens.yml b/functional/test_tokens.yml index 188f05e0..d03db2c6 100644 --- a/functional/test_tokens.yml +++ b/functional/test_tokens.yml @@ -6,27 +6,27 @@ admin_rules: > path "secret/*" { capabilities = ["create", "read", "update", "delete", "list"] - } + } path "auth/token/create*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] - } + } path "auth/token/lookup*" { capabilities = ["read", "list"] - } + } path "auth/token/lookup/*" { capabilities = ["read", "list"] - } + } path "sys/policy" { capabilities = ["read"] - } + } path "sys/policy/*" { capabilities = ["create", "read", "update", "delete", "list"] - } + } readonly_name: 'readonly' readonly_rules: > path "secret/test-readonly*" { policy = "read" - } + } vault_root_token: "{{lookup('env','VAULT_TOKEN')}}" tasks: - name: "Create a policy (with sudo, so we don't have to use the root token)" @@ -88,7 +88,7 @@ display_name: "{{readonly_name}}" policies: ["{{readonly_name}}"] no_default_policy: True - orphan: True + no_parent: True token: "{{new_root_token}}" register: "vault_token_readonly" - assert: diff --git a/setup.py b/setup.py index 528aad57..697f25a8 100644 --- a/setup.py +++ b/setup.py @@ -16,7 +16,7 @@ setup( name='ansible-modules-hashivault', - version='4.7.0', + version='5.0.0', description='Ansible Modules for Hashicorp Vault', long_description=long_description, long_description_content_type='text/x-rst', @@ -26,8 +26,8 @@ py_modules=py_files, packages=files, install_requires=[ - 'ansible>=4.0.0', - 'hvac>=0.11.2', + 'ansible>=5.0.0', + 'hvac>=1.0.0', 'requests', ], ) From 6e5dd187c619354d88e2afdfb2574130a4f644b9 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 7 Nov 2022 12:46:37 -0700 Subject: [PATCH 21/65] Fix hvac 1 problem --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 528aad57..a8cdabd3 100644 --- a/setup.py +++ b/setup.py @@ -27,7 +27,7 @@ packages=files, install_requires=[ 'ansible>=4.0.0', - 'hvac>=0.11.2', + 'hvac>=0.11.2,<1', 'requests', ], ) From af5731c3ebd748f93186dede556e9fc05805a722 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 7 Nov 2022 13:31:59 -0700 Subject: [PATCH 22/65] Version 4.7.1 --- CHANGELOG.rst | 11 +++++++++++ setup.py | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3c21eea9..f91720a0 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,17 @@ Changelog ========= +4.7.1 (2022-11-07) +------------------ +- Disable hvac 1.x support for now. [Terry Howe] +- Update configuration. [Terry Howe] +- Add idempotency test to test_ldap_group. [Matt Harlum] +- Fix "enable ldap authentication" in test_ldap_group. [Matt Harlum] +- Fixup idempotency of hashivault_auth_ldap. [Matt Harlum] +- Add self_renew for hashivault_token_renew. [Terry Howe] +- Fix PKI tests from new hvac. [Terry Howe] + + 4.7.0 (2022-06-19) ------------------ - Add a hashivault_ssh_role_list module. [Szymon Soloch] diff --git a/setup.py b/setup.py index a8cdabd3..c79cb485 100644 --- a/setup.py +++ b/setup.py @@ -16,7 +16,7 @@ setup( name='ansible-modules-hashivault', - version='4.7.0', + version='4.7.1', description='Ansible Modules for Hashicorp Vault', long_description=long_description, long_description_content_type='text/x-rst', From 2a71dc189e481f425c407b73c4f622503014988c Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 7 Nov 2022 14:30:15 -0700 Subject: [PATCH 23/65] Remove deprecated modules * hashivault_approle_role_create * hashivault_approle_role_secret_create * hashivault_approle_role_secret_delete * hashivault_audit_enable * hashivault_auth_enable * hashivault_aws_ec2_role_create * hashivault_mount_tune * hashivault_policy_delete * hashivault_policy_set * hashivault_policy_set_from_file * hashivault_secret_disable * hashivault_secret_enable * hashivault_userpass_create * hashivault_userpass_delete --- .../_hashivault_approle_role_create.py | 115 ------------- .../_hashivault_approle_role_secret_create.py | 84 --------- .../_hashivault_approle_role_secret_delete.py | 57 ------- .../hashivault/_hashivault_audit_enable.py | 65 ------- .../hashivault/_hashivault_auth_enable.py | 67 -------- .../_hashivault_aws_ec2_role_create.py | 161 ------------------ .../hashivault/_hashivault_mount_tune.py | 74 -------- .../hashivault/_hashivault_policy_delete.py | 60 ------- .../hashivault/_hashivault_policy_set.py | 67 -------- .../_hashivault_policy_set_from_file.py | 77 --------- .../hashivault/_hashivault_secret_disable.py | 62 ------- .../hashivault/_hashivault_secret_enable.py | 78 --------- .../hashivault/_hashivault_userpass_create.py | 69 -------- .../hashivault/_hashivault_userpass_delete.py | 56 ------ functional/run.sh | 3 - functional/test_approle_old.yml | 61 ------- functional/test_audit_old.yml | 22 --- functional/test_azure_role.yml | 5 +- functional/test_consul_config.yml | 2 +- functional/test_db_config.yml | 5 +- functional/test_db_role.yml | 5 +- functional/test_ephemeral.yml | 38 +++-- functional/test_policy_old.yml | 38 ----- 23 files changed, 30 insertions(+), 1241 deletions(-) delete mode 100644 ansible/modules/hashivault/_hashivault_approle_role_create.py delete mode 100644 ansible/modules/hashivault/_hashivault_approle_role_secret_create.py delete mode 100644 ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py delete mode 100644 ansible/modules/hashivault/_hashivault_audit_enable.py delete mode 100644 ansible/modules/hashivault/_hashivault_auth_enable.py delete mode 100644 ansible/modules/hashivault/_hashivault_aws_ec2_role_create.py delete mode 100644 ansible/modules/hashivault/_hashivault_mount_tune.py delete mode 100644 ansible/modules/hashivault/_hashivault_policy_delete.py delete mode 100644 ansible/modules/hashivault/_hashivault_policy_set.py delete mode 100644 ansible/modules/hashivault/_hashivault_policy_set_from_file.py delete mode 100644 ansible/modules/hashivault/_hashivault_secret_disable.py delete mode 100644 ansible/modules/hashivault/_hashivault_secret_enable.py delete mode 100644 ansible/modules/hashivault/_hashivault_userpass_create.py delete mode 100644 ansible/modules/hashivault/_hashivault_userpass_delete.py delete mode 100644 functional/test_approle_old.yml delete mode 100644 functional/test_audit_old.yml delete mode 100644 functional/test_policy_old.yml diff --git a/ansible/modules/hashivault/_hashivault_approle_role_create.py b/ansible/modules/hashivault/_hashivault_approle_role_create.py deleted file mode 100644 index 515acd8e..00000000 --- a/ansible/modules/hashivault/_hashivault_approle_role_create.py +++ /dev/null @@ -1,115 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_approle_role_create -version_added: "3.8.0" -short_description: Hashicorp Vault approle create role module -description: - - Module to create an approle role from Hashicorp Vault. Use hashivault_approle_role instead. -options: - name: - description: - - role name. - mount_point: - description: - - mount point for role - default: approle - bind_secret_id: - description: - - Require secret_id to be presented when logging in using this AppRole. - bound_cidr_list: - description: - - Comma-separated string or list of CIDR blocks. - policies: - description: - - policies for the role. - secret_id_num_uses: - description: - - Number of times any particular SecretID can be used. - secret_id_ttl: - description: - - Duration after which any SecretID expires. - token_num_uses: - description: - - Number of times issued tokens can be used. A value of 0 means unlimited uses. - token_ttl: - description: - - Duration to set as the TTL for issued tokens and at renewal time. - token_max_ttl: - description: - - Duration after which the issued token can no longer be renewed. - period: - description: - - Duration of the token generated. - enable_local_secret_ids: - description: - - If set, the secret IDs generated using this role will be cluster local. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_approle_role_create: - name: 'ashley' -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['mount_point'] = dict(required=False, type='str', default='approle') - argspec['bind_secret_id'] = dict(required=False, type='bool', no_log=True) - argspec['bound_cidr_list'] = dict(required=False, type='list') - argspec['policies'] = dict(required=True, type='list') - argspec['secret_id_num_uses'] = dict(required=False, type='str') - argspec['secret_id_ttl'] = dict(required=False, type='str') - argspec['token_num_uses'] = dict(required=False, type='int') - argspec['token_ttl'] = dict(required=False, type='str') - argspec['token_max_ttl'] = dict(required=False, type='str') - argspec['period'] = dict(required=False, type='str') - argspec['enable_local_secret_ids'] = dict(required=False, type='bool') - module = hashivault_init(argspec) - result = hashivault_approle_role_create(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_approle_role_create(params): - args = [ - 'mount_point', - 'bind_secret_id', - 'bound_cidr_list', - 'secret_id_num_uses', - 'secret_id_ttl', - 'token_num_uses', - 'token_ttl', - 'token_max_ttl', - 'period', - 'enable_local_secret_ids', - ] - name = params.get('name') - policies = params.get('policies') - client = hashivault_auth_client(params) - kwargs = { - 'token_policies': policies, - } - for arg in args: - value = params.get(arg) - if value is not None: - kwargs[arg] = value - client.auth.approle.create_or_update_approle(name, **kwargs) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py b/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py deleted file mode 100644 index 8f3be798..00000000 --- a/ansible/modules/hashivault/_hashivault_approle_role_secret_create.py +++ /dev/null @@ -1,84 +0,0 @@ -#!/usr/bin/env python - -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_approle_role_secret_create -version_added: "3.8.0" -short_description: Hashicorp Vault approle role secret id create module -description: - - Module to get an approle role secret id from Hashicorp Vault in Pull mode - or create custom approle role secret id in Push mode. Use hashivault_approle_role_secret instead. -options: - name: - description: - - secret name. - secret_id: - description: - - Custom SecretID to be attached to the role. - cidr_list: - description: - - Comma-separated string or list of CIDR blocks. - metadata: - description: - - Metadata to be tied to the secret. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_approle_role_secret_create: - name: 'ashley' - register: 'vault_approle_role_secret_create' - - debug: msg="Role secret id is {{vault_approle_role_secret_create.id}}" - -- hosts: localhost - tasks: - - hashivault_approle_role_secret_create: - name: 'robert' - secret_id: '{{ lookup("password", "/dev/null length=32 chars=ascii_letters,digits") }}' - register: 'vault_approle_role_custom_secret_create' - - debug: msg="Role custom secret id is {{vault_approle_role_custom_secret_create.id}}" -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['secret_id'] = dict(required=False, type='str') - argspec['cidr_list'] = dict(required=False, type='str') - argspec['metadata'] = dict(required=False, type='dict') - module = hashivault_init(argspec) - result = hashivault_approle_role_secret_create(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_approle_role_secret_create(params): - name = params.get('name') - custom_secret_id = params.get('secret_id') - cidr_list = params.get('cidr_list') - metadata = params.get('metadata') - - client = hashivault_auth_client(params) - - if custom_secret_id is not None: - result = client.auth.approle.create_custom_secret_id(role_name=name, - secret_id=custom_secret_id, - metadata=metadata) - else: - result = client.auth.approle.generate_secret_id(role_name=name, metadata=metadata, cidr_list=cidr_list) - return result['data'] - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py b/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py deleted file mode 100644 index e8727ec4..00000000 --- a/ansible/modules/hashivault/_hashivault_approle_role_secret_delete.py +++ /dev/null @@ -1,57 +0,0 @@ -#!/usr/bin/env python - -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_approle_role_secret_delete -version_added: "3.8.0" -short_description: Hashicorp Vault approle role secret id delete module -description: - - Module to delete a approle role secret id from Hashicorp Vault. Use hashivault_approle_role_secret instead. -options: - name: - description: - - role name. - secret: - description: - - secret id. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_approle_role_secret_delete: - name: 'ashley' - secret: 'ec4bedee-e44b-c096-9ac8-1600e52ed8f8' -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['secret'] = dict(required=True, type='str') - module = hashivault_init(argspec) - result = hashivault_approle_role_secret_delete(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_approle_role_secret_delete(params): - name = params.get('name') - secret = params.get('secret') - client = hashivault_auth_client(params) - client.auth.approle.destroy_secret_id(name, secret) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_audit_enable.py b/ansible/modules/hashivault/_hashivault_audit_enable.py deleted file mode 100644 index e475199a..00000000 --- a/ansible/modules/hashivault/_hashivault_audit_enable.py +++ /dev/null @@ -1,65 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_audit_enable -version_added: "2.2.0" -short_description: Hashicorp Vault audit enable module -description: - - Module to enable audit backends in Hashicorp Vault. Use hashivault_audit instead. -options: - name: - description: - - name of auditor - description: - description: - - description of auditor - options: - description: - - options for auditor -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_audit_enable: - name: "syslog" -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['description'] = dict(required=False, type='str') - argspec['options'] = dict(required=False, type='dict') - module = hashivault_init(argspec) - result = hashivault_audit_enable(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_audit_enable(params): - client = hashivault_auth_client(params) - name = params.get('name') - description = params.get('description') - options = params.get('options') - backends = client.sys.list_enabled_audit_devices() - backends = backends.get('data', backends) - path = name + "/" - if path in backends and backends[path]["options"] == options: - return {'changed': False} - client.sys.enable_audit_device(name, description=description, options=options) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_auth_enable.py b/ansible/modules/hashivault/_hashivault_auth_enable.py deleted file mode 100644 index 7317cb39..00000000 --- a/ansible/modules/hashivault/_hashivault_auth_enable.py +++ /dev/null @@ -1,67 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'alternative': 'Use M(hashivault_auth_method) instead.', - 'why': 'This module does not fit the standard pattern', - 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_auth_enable -version_added: "2.2.0" -short_description: Hashicorp Vault auth enable module -description: - - Use hashivault_auth_method instead. -options: - name: - description: - - name of authenticator - description: - description: - - description of authenticator - mount_point: - description: - - location where this auth backend will be mounted -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_auth_enable: - name: "userpass" -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['description'] = dict(required=False, type='str') - argspec['mount_point'] = dict(required=False, type='str', default=None) - module = hashivault_init(argspec) - result = hashivault_auth_enable(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_auth_enable(params): - client = hashivault_auth_client(params) - name = params.get('name') - description = params.get('description') - mount_point = params.get('mount_point') - result = client.sys.list_auth_methods() - backends = result.get('data', result) - path = (mount_point or name) + u"/" - if path in backends: - return {'changed': False} - client.sys.enable_auth_method(name, description=description, path=mount_point) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_aws_ec2_role_create.py b/ansible/modules/hashivault/_hashivault_aws_ec2_role_create.py deleted file mode 100644 index f8b2ff00..00000000 --- a/ansible/modules/hashivault/_hashivault_aws_ec2_role_create.py +++ /dev/null @@ -1,161 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -from hvac.exceptions import InvalidPath - - -ANSIBLE_METADATA = {'status': ['deprecated'], 'alternative': 'Use M(hashivault_aws_auth_role) instead.', - 'why': 'This module does not fit the standard pattern', - 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_aws_ec2_role_create -version_added: "3.9.8" -short_description: Hashicorp Vault aws ec2 create role module -description: - - Module to create a aws ec2 backed vault role Use hashivault_aws_auth_role instead. -options: - name: - description: - - role name. - bound_ami_id: - description: - - "defines a constraint on the EC2 instances that can perform the login operation that they should be using\ - the AMI ID specified" - bound_vpc_id: - description: - - "defines a constraint on the EC2 instances that can perform the login operation that they be associated\ - with the VPC ID that matches the value" - policies: - description: - - policies for the role. - inferred_entity_type: - description: - - Instructs Vault to turn on inferencing. The only valid value is ec2_instance - auth_type: - description: - - auth type permitted for this role. Valid choices are ec2 and iam - bound_account_id: - description: - - "defines a constraint on the EC2 instances that can perform the login operation that they should be using\ - the account ID" - bound_iam_instance_profile_arn: - description: - - "defines a constraint on the EC2 instances that can perform the login operation that they must be\ - associated with an IAM instance profile" - bound_iam_role_arn: - description: - - "defines a constraint on the EC2 instances that can perform the login operation that they must match the\ - IAM role ARN" - bound_subnet_id: - description: - - "defines a constraint on the EC2 instances that can perform the login operation that they be associated\ - with the subnet ID" - allow_instance_migration: - description: - - if set to true, allows migration of the underlying instance where the client resides. - disallow_reauthentication: - description: - - If set to true, only allows a single token to be granted per instance ID. - resolve_aws_unique_ids: - description: - - If set to true, the bound_iam_principal_arn is resolved to an AWS Unique ID for the bound principal ARN. - token_max_ttl: - description: - - The maximum allowed lifetime of tokens issued using this role, provided as a number of seconds - token_ttl: - description: - - The TTL period of tokens issued using this role, provided as a number of seconds - mount_point: - description: - - location where this auth_method will be mounted. also known as "path" -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_aws_ec2_role_create: - name: myrole - auth_type: iam - inferred_entity_type: ec2_instance - inferred_aws_region: eu-west-1 - bound_iam_role_arn: arn:aws:iam::12345678:root/ec2-role -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['bound_ami_id'] = dict(required=False, type='str') - argspec['bound_vpc_id'] = dict(required=False, type='str') - argspec['inferred_entity_type'] = dict(required=True, type='str') - argspec['inferred_aws_region'] = dict(required=False, type='str') - argspec['auth_type'] = dict(required=True, type='str') - argspec['bound_account_id'] = dict(required=False, type='str') - argspec['bound_iam_role_arn'] = dict(required=False, type='str') - argspec['bound_iam_instance_profile_arn'] = dict(required=False, type='str') - argspec['bound_ec2_instance_id'] = dict(required=False, type='str') - argspec['bound_subnet_id'] = dict(required=False, type='str') - argspec['allow_instance_migration'] = dict(required=False, type='bool') - argspec['disallow_reauthentication'] = dict(required=False, type='bool') - argspec['resolve_aws_unique_ids'] = dict(required=False, type='bool') - argspec['token_max_ttl'] = dict(required=False, type='int') - argspec['token_ttl'] = dict(required=False, type='int') - argspec['mount_point'] = dict(required=False, default='aws', type='str') - module = hashivault_init(argspec) - result = hashivault_aws_ec2_role_create(module.params) - - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_aws_ec2_role_create(params): - args = [ - 'bound_ami_id', - 'bound_vpc_id', - 'inferred_entity_type', - 'inferred_aws_region', - 'bound_account_id', - 'bound_iam_role_arn', - 'bound_iam_instance_profile_arn', - 'auth_type' - 'bound_ec2_instance_id', - 'allow_instance_migration', - 'disallow_reauthentication', - 'token_ttl', - 'token_max_ttl', - ] - name = params.get('name') - policies = params.get('policies') - mount_point = params.get('mount_point').strip('/') - client = hashivault_auth_client(params) - kwargs = { - 'policies': policies, - } - for arg in args: - value = params.get(arg) - if value is not None: - kwargs[arg] = value - - result = client.sys.list_auth_methods() - backends = result.get('data', result) - if (mount_point + "/") not in backends: - return {'failed': True, 'msg': 'aws auth backend is not enabled', 'rc': 1} - - try: - if client.get_role(name, mount_point): - return {'changed': False} - except InvalidPath: - client.create_role(name, mount_point=mount_point, **kwargs) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_mount_tune.py b/ansible/modules/hashivault/_hashivault_mount_tune.py deleted file mode 100644 index bd780511..00000000 --- a/ansible/modules/hashivault/_hashivault_mount_tune.py +++ /dev/null @@ -1,74 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_mount_tune -version_added: "3.7.0" -short_description: Hashicorp Vault tune backend -description: - - Module to enable tuning of backends in HashiCorp Vault. use hashivault_secret_engine instead -options: - mount_point: - description: - - location where this auth backend will be mounted - default_lease_ttl: - description: - - Configures the default lease duration for tokens and secrets. This is an integer value in seconds. - max_lease_ttl: - description: - - Configures the maximum lease duration for tokens and secrets. This is an integer value in seconds. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_mount_tune: - mount_point: ephemeral - default_lease_ttl: 3600 -''' - - -def main(): - argspec = hashivault_argspec() - argspec['mount_point'] = dict(required=True, type='str') - argspec['default_lease_ttl'] = dict(required=False, type='int', default=None) - argspec['max_lease_ttl'] = dict(required=False, type='int', default=None) - module = hashivault_init(argspec) - result = hashivault_mount_tune(module) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_mount_tune(module): - client = hashivault_auth_client(module.params) - mount_point = module.params.get('mount_point') - default_lease_ttl = module.params.get('default_lease_ttl') - max_lease_ttl = module.params.get('max_lease_ttl') - - changed = False - current_tuning = client.sys.read_mount_configuration(mount_point) - current_tuning = current_tuning.get('data', current_tuning) - current_default_lease_ttl = current_tuning.get('default_lease_ttl') - current_max_lease_ttl = current_tuning.get('max_lease_ttl') - - if (current_default_lease_ttl != default_lease_ttl) or (current_max_lease_ttl != max_lease_ttl): - changed = True - - if not module.check_mode: - client.sys.tune_mount_configuration(mount_point, default_lease_ttl=default_lease_ttl, - max_lease_ttl=max_lease_ttl) - - return {'changed': changed} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_policy_delete.py b/ansible/modules/hashivault/_hashivault_policy_delete.py deleted file mode 100644 index 95073d9a..00000000 --- a/ansible/modules/hashivault/_hashivault_policy_delete.py +++ /dev/null @@ -1,60 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'alternative': 'Use M(hashivault_policy) instead.', - 'why': 'This module does not fit the standard pattern', - 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_policy_delete -version_added: "2.1.0" -short_description: Hashicorp Vault policy delete module -description: - - Module to delete a policy from Hashicorp Vault. Use hashivault_policy instead. -options: - name: - description: - - policy name. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_policy_delete: - name: 'annie' - register: 'vault_policy_delete' - - debug: msg="User policy is {{vault_policy_delete.policy}}" -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - module = hashivault_init(argspec) - result = hashivault_policy_delete(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_policy_delete(params): - name = params.get('name') - client = hashivault_auth_client(params) - current_policies = client.sys.list_policies() - if isinstance(current_policies, dict): - current_policies = current_policies.get('data', current_policies) - current_policies = current_policies.get('policies', current_policies) - if name not in current_policies: - return {'changed': False} - client.sys.delete_policy(name) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_policy_set.py b/ansible/modules/hashivault/_hashivault_policy_set.py deleted file mode 100644 index efece2f6..00000000 --- a/ansible/modules/hashivault/_hashivault_policy_set.py +++ /dev/null @@ -1,67 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'alternative': 'Use M(hashivault_policy) instead.', - 'why': 'This module does not fit the standard pattern', - 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_policy_set -version_added: "2.1.0" -short_description: Hashicorp Vault policy set module -description: - - Module to set a policy in Hashicorp Vault. Use hashivault_policy instead. -options: - name: - description: - - policy name. - rules: - description: - - policy rules. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_policy_set: - rules: '{{rules}}' -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['rules'] = dict(required=True, type='str') - argspec['rules_file'] = dict(required=False, type='bool', default=False) - module = hashivault_init(argspec) - result = hashivault_policy_set(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_policy_set(params): - client = hashivault_auth_client(params) - name = params.get('name') - rules = params.get('rules') - rules_file = params.get('rules_file') - if rules_file: - try: - rules = open(rules, 'r').read() - except Exception as e: - return {'changed': False, 'failed': True, 'msg': 'Error opening rules file <%s>: %s' % (rules, str(e))} - current = client.get_policy(name) - if current == rules: - return {'changed': False} - client.sys.create_or_update_policy(name, rules) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_policy_set_from_file.py b/ansible/modules/hashivault/_hashivault_policy_set_from_file.py deleted file mode 100644 index c8e8f987..00000000 --- a/ansible/modules/hashivault/_hashivault_policy_set_from_file.py +++ /dev/null @@ -1,77 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_policy_set_from_file -version_added: "2.1.0" -short_description: Hashicorp Vault policy set from a file module -description: - - Module to set a policy from a file in Hashicorp Vault. Use hashivault_policy_set instead. -options: - name: - description: - - policy name. - rules_file: - description: - - policy rules file. -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_policy_set_from_file: - rules_file: /path/to/policy_file.hcl -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['rules_file'] = dict(required=True, type='str') - module = hashivault_init(argspec, supports_check_mode=True) - result = hashivault_policy_set_from_file(module) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_policy_set_from_file(module): - params = module.params - client = hashivault_auth_client(params) - name = params.get('name') - rules = open(params.get('rules_file'), 'r').read() - changed = False - exists = False - current = str() - - # does policy exit - try: - current = client.get_policy(name) - exists = True - except Exception: - if module.check_mode: - changed = True - else: - return {'failed': True, 'msg': 'auth mount is not enabled', 'rc': 1} - - # does current policy match desired - if exists: - if current != rules: - changed = True - - if exists and changed and not module.check_mode: - client.sys.create_or_update_policy(name, rules) - - return {'changed': changed} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_secret_disable.py b/ansible/modules/hashivault/_hashivault_secret_disable.py deleted file mode 100644 index 149ca660..00000000 --- a/ansible/modules/hashivault/_hashivault_secret_disable.py +++ /dev/null @@ -1,62 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'alternative': 'Use M(hashivault_secret_engine) instead.', - 'why': 'This module does not fit the standard pattern', - 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_secret_disable -version_added: "2.2.0" -short_description: Hashicorp Vault secret disable module -description: - - Module to disable secret backends in Hashicorp Vault. Use hashivault_secret_engine instead. -options: - name: - description: - - name of secret backend - backend: - description: - - type of secret backend - description: - description: - - description of secret backend - config: - description: - - config of secret backend -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_secret_disable: - name: "ephemeral" - backend: "generic" -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - module = hashivault_init(argspec) - result = hashivault_secret_disable(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_secret_disable(params): - client = hashivault_auth_client(params) - name = params.get('name') - client.sys.disable_secrets_engine(name) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_secret_enable.py b/ansible/modules/hashivault/_hashivault_secret_enable.py deleted file mode 100644 index 5f5ecc10..00000000 --- a/ansible/modules/hashivault/_hashivault_secret_enable.py +++ /dev/null @@ -1,78 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'alternative': 'Use M(hashivault_secret_engine) instead.', - 'why': 'This module does not fit the standard pattern', - 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_secret_enable -version_added: "2.2.0" -short_description: Hashicorp Vault secret enable module -description: - - Module to enable secret backends in Hashicorp Vault. Use hashivault_secret_engine instead. -options: - name: - description: - - name of secret backend - backend: - description: - - type of secret backend - description: - description: - - description of secret backend - config: - description: - - config of secret backend - options: - description: - - options of secret backend -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_secret_enable: - name: "ephemeral" - backend: "generic" -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['backend'] = dict(required=True, type='str') - argspec['description'] = dict(required=False, type='str') - argspec['config'] = dict(required=False, type='dict') - argspec['options'] = dict(required=False, type='dict') - module = hashivault_init(argspec) - result = hashivault_secret_enable(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_secret_enable(params): - client = hashivault_auth_client(params) - name = params.get('name') - backend = params.get('backend') - description = params.get('description') - config = params.get('config') - options = params.get('options') - secrets = client.sys.list_mounted_secrets_engines() - secrets = secrets.get('data', secrets) - path = name + "/" - if path in secrets: - return {'changed': False} - client.sys.enable_secrets_engine(backend, description=description, path=name, config=config, options=options) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_userpass_create.py b/ansible/modules/hashivault/_hashivault_userpass_create.py deleted file mode 100644 index 38e71dea..00000000 --- a/ansible/modules/hashivault/_hashivault_userpass_create.py +++ /dev/null @@ -1,69 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_userpass_create -version_added: "2.2.0" -short_description: Hashicorp Vault userpass create module -description: - - Module to create userpass users in Hashicorp Vault. Use hashicorp_userpass instead. -options: - name: - description: - - user name to create. - pass: - description: - - user to create password. - policies: - description: - - user policies. - default: default - mount_point: - description: - - default The "path" (app-id) the auth backend is mounted on. - default: userpass -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_userpass_create: - name: 'bob' - pass: 'S3cre7s' - policies: 'bob' -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['pass'] = dict(required=True, type='str') - argspec['policies'] = dict(required=False, type='str', default='default') - argspec['mount_point'] = dict(required=False, type='str', default='userpass', no_log=True) - module = hashivault_init(argspec) - result = hashivault_userpass_create(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_userpass_create(params): - client = hashivault_auth_client(params) - name = params.get('name') - password = params.get('pass') - policies = params.get('policies') - mount_point = params.get('mount_point') - client.create_userpass(name, password, policies, mount_point=mount_point) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/ansible/modules/hashivault/_hashivault_userpass_delete.py b/ansible/modules/hashivault/_hashivault_userpass_delete.py deleted file mode 100644 index 7f968b5b..00000000 --- a/ansible/modules/hashivault/_hashivault_userpass_delete.py +++ /dev/null @@ -1,56 +0,0 @@ -#!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_argspec -from ansible.module_utils.hashivault import hashivault_auth_client -from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import hashiwrapper - -ANSIBLE_METADATA = {'status': ['deprecated'], 'supported_by': 'community', 'version': '1.1'} -DOCUMENTATION = ''' ---- -module: hashivault_userpass_delete -version_added: "2.2.0" -short_description: Hashicorp Vault userpass delete module -description: - - Module to delete userpass users in Hashicorp Vault. Use hashicorp_userpass instead. -options: - name: - description: - - user name. - mount_point: - description: - - default The "path" (app-id) the auth backend is mounted on. - default: userpass -extends_documentation_fragment: hashivault -''' -EXAMPLES = ''' ---- -- hosts: localhost - tasks: - - hashivault_userpass_delete: - name: 'bob' -''' - - -def main(): - argspec = hashivault_argspec() - argspec['name'] = dict(required=True, type='str') - argspec['mount_point'] = dict(required=False, type='str', default='userpass') - module = hashivault_init(argspec) - result = hashivault_userpass_delete(module.params) - if result.get('failed'): - module.fail_json(**result) - else: - module.exit_json(**result) - - -@hashiwrapper -def hashivault_userpass_delete(params): - client = hashivault_auth_client(params) - username = params.get('name') - mount_point = params.get('mount_point') - client.delete_userpass(username, mount_point=mount_point) - return {'changed': True} - - -if __name__ == '__main__': - main() diff --git a/functional/run.sh b/functional/run.sh index 6f91dd83..f60e6339 100755 --- a/functional/run.sh +++ b/functional/run.sh @@ -38,7 +38,6 @@ ansible-playbook -vvv test_consul_role.yml # ansible-playbook -v test_azure_config.yml # ansible-playbook -v test_azure_role.yml cannot run without true azure connectivity ansible-playbook -v test_policy.yml -ansible-playbook -v test_policy_old.yml ansible-playbook -v test_status.yml ansible-playbook -v test_not_there.yml ansible-playbook -v test_ephemeral.yml @@ -47,7 +46,6 @@ ansible-playbook -v test_kv2.yml ansible-playbook -v test_cas.yml ansible-playbook -v test_tokens.yml ansible-playbook -v test_audit.yml -ansible-playbook -v test_audit_old.yml ansible-playbook -v test_read_write_file.yml ansible-playbook -v test_environment_lookup.yml ansible-playbook -v test_unseal.yml @@ -75,7 +73,6 @@ ansible-playbook -v test_approle_mount_point.yml source ./approlenv.sh ansible-playbook -v --extra-vars='namespace=lightning/' test_write.yml test_read.yml test_lookup.yml source ./vaultenv.sh -ansible-playbook -v test_approle_old.yml # tokenrole ansible-playbook -v test_token_role.yml diff --git a/functional/test_approle_old.yml b/functional/test_approle_old.yml deleted file mode 100644 index bef397b4..00000000 --- a/functional/test_approle_old.yml +++ /dev/null @@ -1,61 +0,0 @@ ---- -- hosts: localhost - gather_facts: no - tasks: - - name: create role - hashivault_approle_role_create: - name: casserole - policies: - - approle_test_policy - register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } - - - name: list roles - hashivault_approle_role_list: - register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } - - fail: msg="role casserole not in list {{vault_role_list.roles}}" - when: '"casserole" not in vault_role_list.roles' - - - name: create role secret id - hashivault_approle_role_secret_create: - name: casserole - register: 'vault_role_secret_create' - - assert: { that: "{{vault_role_secret_create.changed}} == False" } - - assert: { that: "{{vault_role_secret_create.rc}} == 0" } - - assert: - that: - - vault_role_secret_create.secret_id_accessor|default('') != '' - - vault_role_secret_create.secret_id|default('') != '' - - set_fact: - approle_secret_id: "{{vault_role_secret_create.secret_id}}" - - set_fact: - approle_secret_id_accessor: "{{vault_role_secret_create.secret_id_accessor}}" - - - name: list secrets - hashivault_approle_role_secret_list: - name: casserole - register: 'vault_role_secret_list' - - assert: { that: "{{vault_role_secret_list.changed}} == False" } - - assert: { that: "{{vault_role_secret_list.rc}} == 0" } - - fail: msg="secret {{approle_secret_id_accessor}} not in list" - when: approle_secret_id_accessor not in vault_role_secret_list.secrets - - - name: delete secret - hashivault_approle_role_secret_delete: - name: casserole - secret: "{{approle_secret_id}}" - register: 'vault_role_secret_delete' - - assert: { that: "{{vault_role_secret_delete.changed}} == True" } - - assert: { that: "{{vault_role_secret_delete.rc}} == 0" } - - - name: make sure secret is gone - hashivault_approle_role_secret_list: - name: casserole - register: 'vault_role_secret_list' - - assert: { that: "{{vault_role_secret_list.changed}} == False" } - - assert: { that: "{{vault_role_secret_list.rc}} == 0" } - - fail: msg="secret {{approle_secret_id_accessor}} shoud not be in list" - when: approle_secret_id_accessor in vault_role_secret_list.secrets \ No newline at end of file diff --git a/functional/test_audit_old.yml b/functional/test_audit_old.yml deleted file mode 100644 index 4c63cef6..00000000 --- a/functional/test_audit_old.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- hosts: localhost - gather_facts: no - tasks: - - hashivault_audit_list: - register: 'vault_audit_list' - - - hashivault_audit_enable: - name: "file" - options: - file_path: "/tmp/vault.log" - register: 'vault_audit_enable' - - assert: { that: "{{vault_audit_enable.changed}} == True" } - - assert: { that: "{{vault_audit_enable.rc}} == 0" } - - - hashivault_audit_enable: - name: "file" - options: - file_path: "/tmp/vault.log" - register: 'vault_audit_enable_twice' - - assert: { that: "{{vault_audit_enable_twice.changed}} == False" } - - assert: { that: "{{vault_audit_enable_twice.rc}} == 0" } diff --git a/functional/test_azure_role.yml b/functional/test_azure_role.yml index 0aaf9414..c2894782 100644 --- a/functional/test_azure_role.yml +++ b/functional/test_azure_role.yml @@ -10,8 +10,9 @@ azure_role1: [{ "role_name": "Contributor","scope": "/subscriptions/xyz"}] azure_role2: [{ "role_name": "Contributor","scope": "/subscriptions/xyz"}, { "role_name": "Reader","scope": "/subscriptions/xyz"}] tasks: - - hashivault_secret_disable: + - hashivault_secret_engine: name: azure + state: disable failed_when: false - name: fail before mount is configured @@ -24,7 +25,7 @@ - assert: { that: "{{ fail_config.changed }} == False" } # fail - name: enable azure secret engine - hashivault_secret_enable: + hashivault_secret_engine: name: azure backend: azure diff --git a/functional/test_consul_config.yml b/functional/test_consul_config.yml index 23ad38e2..5b7e5443 100644 --- a/functional/test_consul_config.yml +++ b/functional/test_consul_config.yml @@ -23,7 +23,7 @@ - assert: { that: "{{ fail_config.rc }} == 1" } - name: enable database secret engine - hashivault_secret_enable: + hashivault_secret_engine: name: consul backend: consul diff --git a/functional/test_db_config.yml b/functional/test_db_config.yml index 50d3ac97..1d9fff62 100644 --- a/functional/test_db_config.yml +++ b/functional/test_db_config.yml @@ -12,8 +12,9 @@ connection_url: "postgresql://{{'{{username}}'}}:{{'{{password}}'}}@cool-modern-db-name" tasks: - name: start with engine disabled - hashivault_secret_disable: + hashivault_secret_engine: name: database + state: disable - name: make sure test fails when no mount exists hashivault_db_secret_engine_config: @@ -30,7 +31,7 @@ - assert: { that: "{{ fail_config.changed }} == False" } - name: enable database secret engine - hashivault_secret_enable: + hashivault_secret_engine: name: database backend: database diff --git a/functional/test_db_role.yml b/functional/test_db_role.yml index 4d1072fb..a5a42293 100644 --- a/functional/test_db_role.yml +++ b/functional/test_db_role.yml @@ -11,8 +11,9 @@ connection_url: "postgresql://{{'{{username}}'}}:{{'{{password}}'}}@cool-modern-db-name" tasks: - name: start with engine disabled - hashivault_secret_disable: + hashivault_secret_engine: name: database + state: disable - name: make sure test fails when no mount exists hashivault_db_secret_engine_config: @@ -28,7 +29,7 @@ - assert: { that: "{{ fail_config.changed }} == False" } - name: enable database secret engine - hashivault_secret_enable: + hashivault_secret_engine: name: database backend: database diff --git a/functional/test_ephemeral.yml b/functional/test_ephemeral.yml index 3e7d8973..452d3c7b 100644 --- a/functional/test_ephemeral.yml +++ b/functional/test_ephemeral.yml @@ -3,11 +3,12 @@ gather_facts: no tasks: - name: Make sure ephemeral secret store is disabled - hashivault_secret_disable: + hashivault_secret_engine: name: "ephemeral" + state: absent failed_when: False - name: Enable ephemeral secret store - hashivault_secret_enable: + hashivault_secret_engine: name: "ephemeral" backend: "generic" register: 'vault_secret_enable' @@ -15,7 +16,7 @@ - assert: { that: "{{vault_secret_enable.rc}} == 0" } - name: Enable same secret store again and check it doesn't fail - hashivault_secret_enable: + hashivault_secret_engine: name: "ephemeral" backend: "generic" register: 'vault_secret_enable_twice' @@ -56,26 +57,27 @@ - assert: { that: "'{{vault_read.msg}}' == 'Secret ephemeral/name is not in vault'" } - name: Tune ephemeral secret store - hashivault_mount_tune: - mount_point: ephemeral - default_lease_ttl: 3600 - max_lease_ttl: 8600 - register: vault_tune - - assert: { that: "{{ vault_tune.changed }} == True" } - - assert: { that: "{{ vault_tune.rc }} == 0" } + hashivault_secret_engine: + name: "ephemeral" + backend: "generic" + description: "new description" + register: vault_update + - assert: { that: "{{ vault_update.changed }} == True" } + - assert: { that: "{{ vault_update.rc }} == 0" } - name: Idempotent tuning ephemeral secret store - hashivault_mount_tune: - mount_point: ephemeral - default_lease_ttl: 3600 - max_lease_ttl: 8600 - register: vault_tune - - assert: { that: "{{ vault_tune.changed }} == False" } - - assert: { that: "{{ vault_tune.rc }} == 0" } + hashivault_secret_engine: + name: "ephemeral" + backend: "generic" + description: "new description" + register: vault_update + - assert: { that: "{{ vault_update.changed }} == False" } + - assert: { that: "{{ vault_update.rc }} == 0" } - name: Disable ephemeral secret store - hashivault_secret_disable: + hashivault_secret_engine: name: "ephemeral" + state: disabled register: 'vault_secret_disable' - assert: { that: "{{vault_secret_enable.changed}} == True" } - assert: { that: "{{vault_secret_enable.rc}} == 0" } diff --git a/functional/test_policy_old.yml b/functional/test_policy_old.yml deleted file mode 100644 index c79bb8d4..00000000 --- a/functional/test_policy_old.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -- hosts: localhost - gather_facts: no - vars: - bobs_rules: > - path "secret/oldbob/*" { - capabilities = ["create", "read", "update", "delete", "list"] - } - path "secret/oldbob" { - capabilities = ["list"] - } - tasks: - - hashivault_policy: - name: oldbob - state: absent - - - name: Set new policy - hashivault_policy_set: - name: oldbob - rules: "{{bobs_rules}}" - register: 'vault_policy_set' - - assert: { that: "{{vault_policy_set.changed}} == True" } - - assert: { that: "{{vault_policy_set.rc}} == 0" } - - - name: Set new policy from file - hashivault_policy_set_from_file: - name: oldbob - rules_file: "templates/policy_rules.hcl" - register: 'vault_policy_set' - - assert: { that: "{{vault_policy_set.changed}} == True" } - - assert: { that: "{{vault_policy_set.rc}} == 0" } - - - name: Delete new policy - hashivault_policy_delete: - name: oldbob - register: 'vault_policy_delete' - - assert: { that: "{{vault_policy_delete.changed}} == True" } - - assert: { that: "{{vault_policy_delete.rc}} == 0" } From 58861451b9692ef2817844eac787f86c0dee9bdd Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 8 Nov 2022 04:06:45 -0700 Subject: [PATCH 24/65] Add list of breaking changes to log --- CHANGELOG.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f91720a0..1d94ed2b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,12 @@ Changelog ========= +Breaking Changes: +- hashivault_approle_role_secret removed wrap_ttl for now +- hashivault_generate_root_init otp added +- hashivault_token_create removed lease and orphan (use no_parent) +- ansible 5 only now + 4.7.1 (2022-11-07) ------------------ - Disable hvac 1.x support for now. [Terry Howe] From c65d67479897fce499ae4390e533ed874be0c29b Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 8 Nov 2022 04:30:02 -0700 Subject: [PATCH 25/65] Version 5.0.0 --- CHANGELOG.rst | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1d94ed2b..888eb24f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,11 +2,31 @@ Changelog ========= -Breaking Changes: -- hashivault_approle_role_secret removed wrap_ttl for now -- hashivault_generate_root_init otp added -- hashivault_token_create removed lease and orphan (use no_parent) -- ansible 5 only now +5.0.0 (2022-11-08) +------------------ +- Remove deprecated modules. [Terry Howe] + * hashivault_approle_role_create + * hashivault_approle_role_secret_create + * hashivault_approle_role_secret_delete + * hashivault_audit_enable + * hashivault_auth_enable + * hashivault_aws_ec2_role_create + * hashivault_mount_tune + * hashivault_policy_delete + * hashivault_policy_set + * hashivault_policy_set_from_file + * hashivault_secret_disable + * hashivault_secret_enable + * hashivault_userpass_create + * hashivault_userpass_delete +- Changes for hvac 1.x. [Terry Howe] +- Breaking Changes: + * hashivault_approle_role_secret removed wrap_ttl for now + * hashivault_generate_root_init otp added + * hashivault_token_create removed lease and orphan (use no_parent) + * ansible 5 only now + + 4.7.1 (2022-11-07) ------------------ From 3cb5cff9a77b7a0afd2dfc3f18dbc72591bc52b8 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 3 Jan 2023 07:04:26 -0700 Subject: [PATCH 26/65] Create SECURITY.md --- SECURITY.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..43576f36 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 5.x.x | :white_check_mark: | +| 4.7.x | :white_check_mark: | +| < 4.7 | :x: | + +## Reporting a Vulnerability + +Direct message at https://www.linkedin.com/in/terrylhowe/ From 6cffb8d6deed7b01e1109b86395e6569b758d309 Mon Sep 17 00:00:00 2001 From: Benjamin Demarteau Date: Tue, 31 Jan 2023 14:27:51 +0100 Subject: [PATCH 27/65] extract option normalisation to module_utils and reverse logic to allow for unknown options Instead of copying known arguments to the desired_state, we copy all arguments, while normalizing the ones we know about. --- ansible/module_utils/hashivault.py | 16 ++++++++++++++++ .../modules/hashivault/hashivault_pki_role.py | 17 +++++------------ 2 files changed, 21 insertions(+), 12 deletions(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index 54ce0c7a..7354f6cb 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -5,6 +5,7 @@ from ansible.module_utils.basic import AnsibleModule, env_fallback from hvac.exceptions import InvalidPath +normalize = {'list': list, 'str': str, 'dict': dict, 'bool': bool, 'int': int, 'duration': str} def hashivault_argspec(): argument_spec = dict( @@ -42,6 +43,21 @@ def hashivault_init(argument_spec, supports_check_mode=False, required_if=None, return module +def hashivault_normalize_from_doc(options, documentation): + desired_state = {} + for key, value in options.items(): + config_type = documentation.get(key, {}).get('type') + if config_type is not None: + try: + value = normalize[config_type](value) + except Exception: + return {'changed': False, 'failed': True, + 'msg': 'config item \'{}\' has wrong data format'.format(key)} + + desired_state[key] = value + + return desired_state + def get_ec2_iam_role(): request = requests.get(url='http://169.254.169.254/latest/meta-data/iam/security-credentials/') request.raise_for_status() diff --git a/ansible/modules/hashivault/hashivault_pki_role.py b/ansible/modules/hashivault/hashivault_pki_role.py index 923a4af3..8137b389 100755 --- a/ansible/modules/hashivault/hashivault_pki_role.py +++ b/ansible/modules/hashivault/hashivault_pki_role.py @@ -1,9 +1,10 @@ #!/usr/bin/env python -from ansible.module_utils.hashivault import hashivault_auth_client from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_auth_client from ansible.module_utils.hashivault import hashivault_init -from ansible.module_utils.hashivault import is_state_changed +from ansible.module_utils.hashivault import hashivault_normalize_from_doc from ansible.module_utils.hashivault import hashiwrapper +from ansible.module_utils.hashivault import is_state_changed ANSIBLE_METADATA = {'status': ['preview'], 'supported_by': 'community', 'version': '1.1'} DOCUMENTATION = r''' @@ -309,7 +310,6 @@ role_file: "/opt/vault/etc/roles/pki-tester.json" state: "present" ''' -normalize = {'list': list, 'str': str, 'dict': dict, 'bool': bool, 'int': int, 'duration': str} def main(): @@ -351,15 +351,8 @@ def hashivault_pki_role(module): elif config: import yaml doc = yaml.safe_load(DOCUMENTATION) - args = doc.get('options').get('config').get('suboptions').items() - for key, value in args: - arg = config.get(key) - if arg is not None: - try: - desired_state[key] = normalize[value.get('type')](arg) - except Exception: - return {'changed': False, 'failed': True, - 'msg': 'config item \'{}\' has wrong data format'.format(key)} + args = doc.get('options').get('config').get('suboptions') + desired_state = hashivault_normalize_from_doc(config, args) changed = False try: From 2472baebb9deb33cbf1828da2d0b7356fd46d0cd Mon Sep 17 00:00:00 2001 From: Benjamin Demarteau Date: Tue, 31 Jan 2023 14:38:47 +0100 Subject: [PATCH 28/65] warn user when an unknown value is processed by the option normalization --- ansible/module_utils/hashivault.py | 9 +++++++-- ansible/modules/hashivault/hashivault_pki_role.py | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index 7354f6cb..06498ecb 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -7,6 +7,7 @@ normalize = {'list': list, 'str': str, 'dict': dict, 'bool': bool, 'int': int, 'duration': str} + def hashivault_argspec(): argument_spec = dict( url=dict(required=False, default=os.environ.get('VAULT_ADDR', ''), type='str'), @@ -43,11 +44,14 @@ def hashivault_init(argument_spec, supports_check_mode=False, required_if=None, return module -def hashivault_normalize_from_doc(options, documentation): +def hashivault_normalize_from_doc(module, options, documentation): desired_state = {} for key, value in options.items(): config_type = documentation.get(key, {}).get('type') - if config_type is not None: + if config_type is None: + module.warn('Unknown option "{}". Make sure this is not a typo, if it is not, please open an ' + 'issue at https://github.com/TerryHowe/ansible-modules-hashivault/issues.'.format(key)) + else: try: value = normalize[config_type](value) except Exception: @@ -58,6 +62,7 @@ def hashivault_normalize_from_doc(options, documentation): return desired_state + def get_ec2_iam_role(): request = requests.get(url='http://169.254.169.254/latest/meta-data/iam/security-credentials/') request.raise_for_status() diff --git a/ansible/modules/hashivault/hashivault_pki_role.py b/ansible/modules/hashivault/hashivault_pki_role.py index 8137b389..6ab0dddd 100755 --- a/ansible/modules/hashivault/hashivault_pki_role.py +++ b/ansible/modules/hashivault/hashivault_pki_role.py @@ -352,7 +352,7 @@ def hashivault_pki_role(module): import yaml doc = yaml.safe_load(DOCUMENTATION) args = doc.get('options').get('config').get('suboptions') - desired_state = hashivault_normalize_from_doc(config, args) + desired_state = hashivault_normalize_from_doc(module, config, args) changed = False try: From 982c904159a05934aa5b96caaebea12b7d807593 Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Wed, 29 Mar 2023 14:55:27 +0200 Subject: [PATCH 29/65] refactor: define backend only once --- ansible/modules/hashivault/hashivault_secret_engine.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_secret_engine.py b/ansible/modules/hashivault/hashivault_secret_engine.py index 974cb2ec..d43ef900 100644 --- a/ansible/modules/hashivault/hashivault_secret_engine.py +++ b/ansible/modules/hashivault/hashivault_secret_engine.py @@ -137,7 +137,7 @@ def hashivault_secret_engine(module): params = module.params client = hashivault_auth_client(params) name = params.get('name') - backend = params.get('backend') + backend = params.get('backend', name) description = params.get('description') config = params.get('config') if 'default_lease_ttl' in config: @@ -162,8 +162,6 @@ def hashivault_secret_engine(module): created = False changed = False - if not backend: - backend = name try: # does the mount exist already? configuration = client.sys.read_mount_configuration(path=name) From b29e634e4a367711414f5a0031b392084c00df20 Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Wed, 29 Mar 2023 15:03:37 +0200 Subject: [PATCH 30/65] add diff and enable check mode support --- .../hashivault/hashivault_secret_engine.py | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_secret_engine.py b/ansible/modules/hashivault/hashivault_secret_engine.py index d43ef900..763abec5 100644 --- a/ansible/modules/hashivault/hashivault_secret_engine.py +++ b/ansible/modules/hashivault/hashivault_secret_engine.py @@ -104,7 +104,7 @@ def main(): argspec['options'] = dict(required=False, type='dict', default={}) argspec['cas_required'] = dict(required=False, type='bool') argspec['max_versions'] = dict(required=False, type='int') - module = hashivault_init(argspec) + module = hashivault_init(argspec, supports_check_mode=True) result = hashivault_secret_engine(module) if result.get('failed'): module.fail_json(**result) @@ -171,6 +171,12 @@ def hashivault_secret_engine(module): # doesn't exist pass + desired_state = { + **config, + 'options': options if 'version' in options else {}, + 'description': description + } + # doesnt exist and should or does exist and shouldnt if (exists and state == 'disabled'): changed = True @@ -227,7 +233,14 @@ def hashivault_secret_engine(module): elif changed and state == 'disabled' and not module.check_mode: client.sys.disable_secrets_engine(path=name) - return {'changed': changed, 'created': created} + return { + "changed": changed, + "created": created, + "diff": { + "before": current_state, + "after": desired_state, + }, + } if __name__ == '__main__': From 0be29d07886780aadb072e2e0535eabbbb8a19f3 Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 31 Mar 2023 12:03:23 +0200 Subject: [PATCH 31/65] Revert "refactor: define backend only once" This reverts commit 982c904159a05934aa5b96caaebea12b7d807593. --- ansible/modules/hashivault/hashivault_secret_engine.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible/modules/hashivault/hashivault_secret_engine.py b/ansible/modules/hashivault/hashivault_secret_engine.py index 763abec5..22e4b9a4 100644 --- a/ansible/modules/hashivault/hashivault_secret_engine.py +++ b/ansible/modules/hashivault/hashivault_secret_engine.py @@ -137,7 +137,7 @@ def hashivault_secret_engine(module): params = module.params client = hashivault_auth_client(params) name = params.get('name') - backend = params.get('backend', name) + backend = params.get('backend') description = params.get('description') config = params.get('config') if 'default_lease_ttl' in config: @@ -162,6 +162,8 @@ def hashivault_secret_engine(module): created = False changed = False + if not backend: + backend = name try: # does the mount exist already? configuration = client.sys.read_mount_configuration(path=name) From b2f3042e7e3bf969a0e059906a2a803647af2919 Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 31 Mar 2023 13:32:11 +0200 Subject: [PATCH 32/65] prevent keyerror on inconsistencies between the current and desired state --- ansible/modules/hashivault/hashivault_azure_auth_config.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_azure_auth_config.py b/ansible/modules/hashivault/hashivault_azure_auth_config.py index 61ab2fa0..807b249d 100644 --- a/ansible/modules/hashivault/hashivault_azure_auth_config.py +++ b/ansible/modules/hashivault/hashivault_azure_auth_config.py @@ -105,8 +105,9 @@ def hashivault_azure_auth_config(module): # check if current config matches desired config values, if they dont match, set changed true for k, v in current_state.items(): - if v != desired_state[k]: - changed = True + if k in desired_state: + if v != desired_state[k]: + changed = True # if configs dont match and checkmode is off, complete the change if changed and not module.check_mode: From 0319afc986e1aea9036889f24ec7231f1adbfc0d Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 31 Mar 2023 13:45:44 +0200 Subject: [PATCH 33/65] replace whitelist_externals with allowlist_externals --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index a6bad50c..9bfd23f4 100644 --- a/tox.ini +++ b/tox.ini @@ -10,7 +10,7 @@ install_command = pip install {opts} {packages} setenv = OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES VIRTUAL_ENV={envdir} -whitelist_externals = bash +allowlist_externals = bash commands = bash -ex {toxinidir}/functional/run.sh [testenv:venv] From 87e653c468f17b37d839fed1387395fd0ab8ddcf Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 7 Apr 2023 11:39:12 +0200 Subject: [PATCH 34/65] add diff, fixes #436 --- .../hashivault/hashivault_auth_method.py | 31 +++++++++++++------ 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py index 408c5837..74419cc8 100644 --- a/ansible/modules/hashivault/hashivault_auth_method.py +++ b/ansible/modules/hashivault/hashivault_auth_method.py @@ -83,6 +83,11 @@ def hashivault_auth_method(module): exists = False changed = False create = False + current_state = {} + desired_state = { + 'config': config, + 'description': description + } if mount_point is None: mount_point = method_type @@ -101,23 +106,29 @@ def hashivault_auth_method(module): elif state == 'disabled' and exists: changed = True elif exists and state == 'enabled': - current_state = auth_methods[mount_point + u"/"] - changed = description != current_state['description'] or is_state_changed(config, current_state['config']) + current_auth_method = auth_methods[mount_point + u"/"] + current_state = { + 'config': current_auth_method['config'], + 'description': current_auth_method['description'] + } + changed = description != current_auth_method['description'] or is_state_changed(config, current_auth_method['config']) - if module.check_mode: - return {'changed': changed, 'created': create, 'state': state} - if not changed: - return {'changed': changed, 'created': False, 'state': state} - - if state == 'enabled': + if state == 'enabled' and not module.check_mode: if create: client.sys.enable_auth_method(method_type, description=description, path=mount_point, config=config) else: client.sys.tune_auth_method(description=description, path=mount_point, **config) - if state == 'disabled': + elif state == 'disabled' and not module.check_mode: client.sys.disable_auth_method(path=mount_point) - return {'changed': changed, 'created': create} + return { + "changed": changed, + "created": create, + "diff": { + "before": current_state, + "after": desired_state, + }, + } if __name__ == '__main__': From 52892dee56fba7018ef6b82ca49604ef654bc68f Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 7 Apr 2023 11:40:31 +0200 Subject: [PATCH 35/65] add result to return values, fixes #435 --- .../modules/hashivault/hashivault_auth_method.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py index 74419cc8..e5535e87 100644 --- a/ansible/modules/hashivault/hashivault_auth_method.py +++ b/ansible/modules/hashivault/hashivault_auth_method.py @@ -42,6 +42,13 @@ method_type: userpass ''' +RETURN = r''' +result: + description: The current configuration of the auth method if it exists. + type: dict + returned: always +''' + DEFAULT_TTL = 2764800 DEFAULT_CONFIG = { 'default_lease_ttl': DEFAULT_TTL, @@ -121,9 +128,17 @@ def hashivault_auth_method(module): elif state == 'disabled' and not module.check_mode: client.sys.disable_auth_method(path=mount_point) + try: + final_result = client.sys.list_auth_methods() + retval = final_result['data'][mount_point + u"/"] + except Exception: + retval = {} + pass + return { "changed": changed, "created": create, + "result": retval, "diff": { "before": current_state, "after": desired_state, From 61c2cc282f7241c4a2df630d276de00308343d3f Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 7 Apr 2023 11:46:49 +0200 Subject: [PATCH 36/65] only call enable or tune when changed. add comments --- ansible/modules/hashivault/hashivault_auth_method.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py index e5535e87..e7a09193 100644 --- a/ansible/modules/hashivault/hashivault_auth_method.py +++ b/ansible/modules/hashivault/hashivault_auth_method.py @@ -99,6 +99,7 @@ def hashivault_auth_method(module): if mount_point is None: mount_point = method_type + # Get current auth methods try: result = client.sys.list_auth_methods() auth_methods = result.get('data', result) @@ -107,6 +108,7 @@ def hashivault_auth_method(module): except Exception: pass + # Check required actions if state == 'enabled' and not exists: changed = True create = True @@ -120,14 +122,18 @@ def hashivault_auth_method(module): } changed = description != current_auth_method['description'] or is_state_changed(config, current_auth_method['config']) - if state == 'enabled' and not module.check_mode: + # create + if state == 'enabled' and changed and not module.check_mode: if create: client.sys.enable_auth_method(method_type, description=description, path=mount_point, config=config) + # update else: client.sys.tune_auth_method(description=description, path=mount_point, **config) - elif state == 'disabled' and not module.check_mode: + # delete + elif state == 'disabled' and changed and not module.check_mode: client.sys.disable_auth_method(path=mount_point) + # Get resulting auth method try: final_result = client.sys.list_auth_methods() retval = final_result['data'][mount_point + u"/"] From 06710dfb8168c987b0bcba239fab0db6a996376f Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 7 Apr 2023 12:05:41 +0200 Subject: [PATCH 37/65] fix line length linting --- ansible/modules/hashivault/hashivault_auth_method.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py index e7a09193..8990682f 100644 --- a/ansible/modules/hashivault/hashivault_auth_method.py +++ b/ansible/modules/hashivault/hashivault_auth_method.py @@ -115,12 +115,12 @@ def hashivault_auth_method(module): elif state == 'disabled' and exists: changed = True elif exists and state == 'enabled': - current_auth_method = auth_methods[mount_point + u"/"] + auth_method = auth_methods[mount_point + u"/"] current_state = { - 'config': current_auth_method['config'], - 'description': current_auth_method['description'] + 'config': auth_method['config'], + 'description': auth_method['description'] } - changed = description != current_auth_method['description'] or is_state_changed(config, current_auth_method['config']) + changed = description != auth_method['description'] or is_state_changed(config, auth_method['config']) # create if state == 'enabled' and changed and not module.check_mode: From 73ba6c3f089ab5d6301f774d5c3fe76f25e40ec1 Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 7 Apr 2023 12:50:11 +0200 Subject: [PATCH 38/65] add diff, fixes #439 --- .../hashivault/hashivault_oidc_auth_method_config.py | 8 +++++++- .../modules/hashivault/hashivault_oidc_auth_role.py | 11 +++++++++-- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_oidc_auth_method_config.py b/ansible/modules/hashivault/hashivault_oidc_auth_method_config.py index af9273e3..99305c5e 100644 --- a/ansible/modules/hashivault/hashivault_oidc_auth_method_config.py +++ b/ansible/modules/hashivault/hashivault_oidc_auth_method_config.py @@ -132,7 +132,13 @@ def hashivault_oidc_auth_method_config(module): if changed and not module.check_mode: client.auth.oidc.configure(**desired_state) - return {'changed': changed, 'old_state': current_state, 'new_state': desired_state} + return { + 'changed': changed, + "diff": { + "before": current_state, + "after": desired_state, + } + } if __name__ == '__main__': diff --git a/ansible/modules/hashivault/hashivault_oidc_auth_role.py b/ansible/modules/hashivault/hashivault_oidc_auth_role.py index ac8b8e93..95ed92c2 100644 --- a/ansible/modules/hashivault/hashivault_oidc_auth_role.py +++ b/ansible/modules/hashivault/hashivault_oidc_auth_role.py @@ -138,7 +138,7 @@ def main(): argspec['not_before_leeway'] = dict(required=False, type='int', default=0) argspec['role_type'] = dict(required=False, type='str', default='oidc', choices=['oidc', 'jwt']) - module = hashivault_init(argspec) + module = hashivault_init(argspec, supports_check_mode=True) result = hashivault_oidc_auth_role(module) if result.get('failed'): module.fail_json(**result) @@ -204,7 +204,14 @@ def hashivault_oidc_auth_role(module): client.auth.oidc.create_role(name=name, **desired_state) elif current_state and state == 'absent': client.auth.oidc.delete_role(name=name) - return {'changed': changed, 'old_state': current_state, 'new_state': desired_state} + + return { + 'changed': changed, + "diff": { + "before": current_state, + "after": desired_state, + } + } if __name__ == '__main__': From 836b95d1d388ab28675aa5c9c08a0e30e9e8474e Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Fri, 7 Apr 2023 13:16:26 +0200 Subject: [PATCH 39/65] add path to return values --- ansible/modules/hashivault/hashivault_auth_method.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ansible/modules/hashivault/hashivault_auth_method.py b/ansible/modules/hashivault/hashivault_auth_method.py index 8990682f..aa096715 100644 --- a/ansible/modules/hashivault/hashivault_auth_method.py +++ b/ansible/modules/hashivault/hashivault_auth_method.py @@ -43,6 +43,10 @@ ''' RETURN = r''' +path: + description: The path of the auth method. + type: str + returned: always result: description: The current configuration of the auth method if it exists. type: dict @@ -144,6 +148,7 @@ def hashivault_auth_method(module): return { "changed": changed, "created": create, + "path": mount_point, "result": retval, "diff": { "before": current_state, From 71f0a4e9f252345b1d4d4a64f9c54e35587378cc Mon Sep 17 00:00:00 2001 From: Cees Moerkerken Date: Wed, 12 Apr 2023 12:06:03 +0200 Subject: [PATCH 40/65] refactor policy module --- .../modules/hashivault/hashivault_policy.py | 73 +++++++++++++------ 1 file changed, 49 insertions(+), 24 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_policy.py b/ansible/modules/hashivault/hashivault_policy.py index 0d808059..86a4878c 100644 --- a/ansible/modules/hashivault/hashivault_policy.py +++ b/ansible/modules/hashivault/hashivault_policy.py @@ -47,8 +47,8 @@ def main(): argspec['rules_file'] = dict(required=False, type='str') argspec['state'] = dict(required=False, choices=['present', 'absent'], default='present') mutually_exclusive = [['rules', 'rules_file']] - module = hashivault_init(argspec, mutually_exclusive=mutually_exclusive) - result = hashivault_policy(module.params) + module = hashivault_init(argspec, mutually_exclusive=mutually_exclusive, supports_check_mode=True) + result = hashivault_policy(module) if result.get('failed'): module.fail_json(**result) else: @@ -56,35 +56,60 @@ def main(): @hashiwrapper -def hashivault_policy(params): +def hashivault_policy(module): + params = module.params client = hashivault_auth_client(params) state = params.get('state') name = params.get('name') - if state == 'present': - rules_file = params.get('rules_file') - if rules_file: - try: - rules = open(rules_file, 'r').read() - except Exception as e: - return {'changed': False, - 'failed': True, - 'msg': 'Error opening rules file <%s>: %s' % (rules_file, str(e))} - else: - rules = params.get('rules') - current = client.get_policy(name) - if current == rules: - return {'changed': False} - client.sys.create_or_update_policy(name, rules) - return {'changed': True} + exists = False + changed = False + current_state = {} + desired_state = {} + # get current policies current_policies = client.sys.list_policies() if isinstance(current_policies, dict): - current_policies = current_policies.get('data', current_policies) current_policies = current_policies.get('policies', current_policies) - if name not in current_policies: - return {'changed': False} - client.sys.delete_policy(name) - return {'changed': True} + if name in current_policies: + exists = True + current_state = client.get_policy(name) + + # Define desired rules + rules_file = params.get('rules_file') + if rules_file: + try: + desired_state = open(rules_file, 'r').read() + except Exception as e: + return {'changed': False, + 'failed': True, + 'msg': 'Error opening rules file <%s>: %s' % (rules_file, str(e))} + else: + desired_state = params.get('rules') + + # Check required actions + if state == 'present' and not exists: + changed = True + elif state == 'absent' and exists: + changed = True + elif state == 'present' and exists: + if current_state != desired_state: + changed = True + + if changed and not module.check_mode: + # create or update + if state == 'present': + client.sys.create_or_update_policy(name, desired_state) + # delete + elif state == 'absent': + client.sys.delete_policy(name) + + return { + "changed": changed, + "diff": { + "before": current_state, + "after": desired_state, + }, + } if __name__ == '__main__': From dab2a4df1662a1bb83a7dd619cdee1ae84dc3101 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 18 Apr 2023 12:54:05 -0600 Subject: [PATCH 41/65] Version 5.1.0 --- CHANGELOG.rst | 21 +++++++++++++++++++++ setup.py | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 888eb24f..022bf39b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,27 @@ Changelog ========= +5.1.0 (2023-04-18) +------------------ +- Refactor policy module. [Cees Moerkerken] +- Add diff, fixes #439. [Cees Moerkerken] +- Add path to return values. [Cees Moerkerken] +- Fix line length linting. [Cees Moerkerken] +- Only call enable or tune when changed. add comments. [Cees Moerkerken] +- Add result to return values, fixes #435. [Cees Moerkerken] +- Add diff, fixes #436. [Cees Moerkerken] +- Replace whitelist_externals with allowlist_externals. [Cees + Moerkerken] +- Prevent keyerror on inconsistencies between the current and desired + state. [Cees Moerkerken] +- Add diff and enable check mode support. [Cees Moerkerken] +- Warn user when an unknown value is processed by the option + normalization. [Benjamin Demarteau] +- Extract option normalisation to module_utils and reverse logic to + allow for unknown options. [Benjamin Demarteau] +- Create SECURITY.md. [Terry Howe] + + 5.0.0 (2022-11-08) ------------------ - Remove deprecated modules. [Terry Howe] diff --git a/setup.py b/setup.py index 697f25a8..a82d45de 100644 --- a/setup.py +++ b/setup.py @@ -16,7 +16,7 @@ setup( name='ansible-modules-hashivault', - version='5.0.0', + version='5.1.0', description='Ansible Modules for Hashicorp Vault', long_description=long_description, long_description_content_type='text/x-rst', From c40e89f79d14bd5b97e6a43bb709e07f75709581 Mon Sep 17 00:00:00 2001 From: Ankit Date: Wed, 7 Jun 2023 12:12:33 +0530 Subject: [PATCH 42/65] Add plugin_version params for the vault api Ref https://github.com/TerryHowe/ansible-modules-hashivault/issues/442 --- .../hashivault/hashivault_db_secret_engine_config.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible/modules/hashivault/hashivault_db_secret_engine_config.py b/ansible/modules/hashivault/hashivault_db_secret_engine_config.py index a243f0f0..5fbc8387 100644 --- a/ansible/modules/hashivault/hashivault_db_secret_engine_config.py +++ b/ansible/modules/hashivault/hashivault_db_secret_engine_config.py @@ -33,6 +33,10 @@ description: - name of database plugin used. see out of the box list at https://www.vaultproject.io/docs/secrets/databases/index.html + plugin_version: + description: + - Specifies the semantic version of the plugin to use for this connection + https://developer.hashicorp.com/vault/api-docs/secret/databases allowed_roles: description: - list of the roles allowed to use this connection. Defaults to empty (no roles), if contains a "*" any role @@ -82,6 +86,7 @@ def main(): argspec['mount_point'] = dict(required=False, type='str', default='database') argspec['config_file'] = dict(required=False, type='str', default=None) argspec['plugin_name'] = dict(required=False, type='str') + argspec['plugin_version'] = dict(required=False, type='str') argspec['allowed_roles'] = dict(required=False, type='list', default=[]) argspec['root_credentials_rotate_statements'] = dict(required=False, type='list', aliases=['root_rotation_statements'], default=[]) @@ -114,6 +119,7 @@ def hashivault_db_secret_engine_config(module): desired_state = json.loads(open(params.get('config_file'), 'r').read()) else: desired_state['plugin_name'] = params.get('plugin_name') + desired_state['plugin_version'] = params.get('plugin_version') desired_state['allowed_roles'] = params.get('allowed_roles') desired_state['verify_connection'] = params.get('verify_connection') desired_state['password_policy'] = params.get('password_policy') From f4764fe41fbd44fbdac327199e636152c50eb724 Mon Sep 17 00:00:00 2001 From: Ankit Date: Thu, 8 Jun 2023 16:33:08 +0530 Subject: [PATCH 43/65] Update ansible/modules/hashivault/hashivault_db_secret_engine_config.py Co-authored-by: Terry Howe --- .../modules/hashivault/hashivault_db_secret_engine_config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/modules/hashivault/hashivault_db_secret_engine_config.py b/ansible/modules/hashivault/hashivault_db_secret_engine_config.py index 5fbc8387..c06ed1b4 100644 --- a/ansible/modules/hashivault/hashivault_db_secret_engine_config.py +++ b/ansible/modules/hashivault/hashivault_db_secret_engine_config.py @@ -36,7 +36,7 @@ plugin_version: description: - Specifies the semantic version of the plugin to use for this connection - https://developer.hashicorp.com/vault/api-docs/secret/databases + https://developer.hashicorp.com/vault/api-docs/secret/databases allowed_roles: description: - list of the roles allowed to use this connection. Defaults to empty (no roles), if contains a "*" any role From 79361a31e23688816f583fe3244cecb574780eba Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 13 Jun 2023 08:15:16 -0600 Subject: [PATCH 44/65] Version 5.1.1 --- CHANGELOG.rst | 6 ++++++ setup.py | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 022bf39b..3b383bf2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,12 @@ Changelog ========= +5.1.1 (2023-06-13) +------------------ +- Add plugin_version params for the vault api. [Ankit] + Ref https://github.com/TerryHowe/ansible-modules-hashivault/issues/442 + + 5.1.0 (2023-04-18) ------------------ - Refactor policy module. [Cees Moerkerken] diff --git a/setup.py b/setup.py index a82d45de..06ad4031 100644 --- a/setup.py +++ b/setup.py @@ -16,7 +16,7 @@ setup( name='ansible-modules-hashivault', - version='5.1.0', + version='5.1.1', description='Ansible Modules for Hashicorp Vault', long_description=long_description, long_description_content_type='text/x-rst', From 88448e34acd0def411f8031fbe59464349bb4958 Mon Sep 17 00:00:00 2001 From: Benjamin Demarteau Date: Wed, 21 Jun 2023 16:15:05 +0200 Subject: [PATCH 45/65] ssh_role,token_role: don't fail when encountering unknown options --- .../modules/hashivault/hashivault_ssh_role.py | 28 ++++--------------- .../hashivault/hashivault_token_role.py | 25 +++-------------- 2 files changed, 9 insertions(+), 44 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_ssh_role.py b/ansible/modules/hashivault/hashivault_ssh_role.py index e3bc0c80..7c2506c8 100644 --- a/ansible/modules/hashivault/hashivault_ssh_role.py +++ b/ansible/modules/hashivault/hashivault_ssh_role.py @@ -4,9 +4,10 @@ import yaml -from ansible.module_utils.hashivault import hashivault_auth_client from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_auth_client from ansible.module_utils.hashivault import hashivault_init +from ansible.module_utils.hashivault import hashivault_normalize_from_doc from ansible.module_utils.hashivault import hashiwrapper @@ -310,14 +311,6 @@ role_file: "/opt/vault/etc/roles/ssh-tester.json" state: "present" """ -normalize = { - "list": list, - "str": str, - "dict": dict, - "bool": bool, - "int": int, - "duration": str, -} def main(): @@ -394,21 +387,10 @@ def hashivault_ssh_role(module): # normalize some keys. This is a quirk of the vault api that it # expects a different data format in the PUT/POST endpoint than # it returns in the GET endpoint. - data = {} - doc = yaml.safe_load(DOCUMENTATION) - args = doc.get("options").get("config").get("suboptions").items() - for key, value in args: - arg = desired_state.get(key) - if arg is not None: - try: - data[key] = normalize[value.get("type")](arg) - except Exception: - return { - "changed": False, - "failed": True, - "msg": "config item '{}' has wrong data format".format(key), - } + args = doc.get("options").get("config").get("suboptions") + data = hashivault_normalize_from_doc(module, desired_state, args) + # create or update client.secrets.kv.v1.create_or_update_secret( mount_point=mount_point, diff --git a/ansible/modules/hashivault/hashivault_token_role.py b/ansible/modules/hashivault/hashivault_token_role.py index b4b3cca5..1806a5f6 100644 --- a/ansible/modules/hashivault/hashivault_token_role.py +++ b/ansible/modules/hashivault/hashivault_token_role.py @@ -4,9 +4,10 @@ import yaml -from ansible.module_utils.hashivault import hashivault_auth_client from ansible.module_utils.hashivault import hashivault_argspec +from ansible.module_utils.hashivault import hashivault_auth_client from ansible.module_utils.hashivault import hashivault_init +from ansible.module_utils.hashivault import hashivault_normalize_from_doc from ansible.module_utils.hashivault import hashiwrapper @@ -186,14 +187,6 @@ role_file: "/opt/vault/etc/roles/token-tester-bot.json" state: "present" """ -normalize = { - "list": list, - "str": str, - "dict": dict, - "bool": bool, - "int": int, - "duration": str, -} def main(): @@ -272,18 +265,8 @@ def hashivault_token_role(module): extra_params = {} doc = yaml.safe_load(DOCUMENTATION) - args = doc.get("options").get("config").get("suboptions").items() - for key, value in args: - arg = desired_state.get(key) - if arg is not None: - try: - extra_params[key] = normalize[value.get("type")](arg) - except Exception: - return { - "changed": False, - "failed": True, - "msg": "config item '{}' has wrong data format".format(key), - } + args = doc.get("options").get("config").get("suboptions") + extra_params = hashivault_normalize_from_doc(module, config, args) # create or update api_path = f"/v1/auth/{mount_point}/roles/{name}" client.auth.token._adapter.post(url=api_path, json=extra_params) From 3368eb788fe9aefcf277828fb43d7d88a0536b82 Mon Sep 17 00:00:00 2001 From: Benjamin Demarteau Date: Thu, 22 Jun 2023 11:26:28 +0200 Subject: [PATCH 46/65] hashivault_normalize_from_doc: don't swallow exceptions --- ansible/module_utils/hashivault.py | 10 +++++++--- ansible/modules/hashivault/hashivault_pki_role.py | 5 ++++- ansible/modules/hashivault/hashivault_ssh_role.py | 6 ++++-- ansible/modules/hashivault/hashivault_token_role.py | 5 ++++- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index 06498ecb..a104e362 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -54,9 +54,13 @@ def hashivault_normalize_from_doc(module, options, documentation): else: try: value = normalize[config_type](value) - except Exception: - return {'changed': False, 'failed': True, - 'msg': 'config item \'{}\' has wrong data format'.format(key)} + except Exception as e: + raise Exception({ + 'changed': False, + 'failed': True, + 'msg': + 'config item \'{}\' with value \'{}\' could not be converted to \'{}\': {}' + .format(key, value, config_type, "\n".join(e.args))}) desired_state[key] = value diff --git a/ansible/modules/hashivault/hashivault_pki_role.py b/ansible/modules/hashivault/hashivault_pki_role.py index 6ab0dddd..39fe3e74 100755 --- a/ansible/modules/hashivault/hashivault_pki_role.py +++ b/ansible/modules/hashivault/hashivault_pki_role.py @@ -352,7 +352,10 @@ def hashivault_pki_role(module): import yaml doc = yaml.safe_load(DOCUMENTATION) args = doc.get('options').get('config').get('suboptions') - desired_state = hashivault_normalize_from_doc(module, config, args) + try: + desired_state = hashivault_normalize_from_doc(module, config, args) + except Exception as e: + return e.args[0] changed = False try: diff --git a/ansible/modules/hashivault/hashivault_ssh_role.py b/ansible/modules/hashivault/hashivault_ssh_role.py index 7c2506c8..81a40d9d 100644 --- a/ansible/modules/hashivault/hashivault_ssh_role.py +++ b/ansible/modules/hashivault/hashivault_ssh_role.py @@ -389,8 +389,10 @@ def hashivault_ssh_role(module): # it returns in the GET endpoint. doc = yaml.safe_load(DOCUMENTATION) args = doc.get("options").get("config").get("suboptions") - data = hashivault_normalize_from_doc(module, desired_state, args) - + try: + data = hashivault_normalize_from_doc(module, desired_state, args) + except Exception as e: + return e.args[0] # create or update client.secrets.kv.v1.create_or_update_secret( mount_point=mount_point, diff --git a/ansible/modules/hashivault/hashivault_token_role.py b/ansible/modules/hashivault/hashivault_token_role.py index 1806a5f6..485b8c2a 100644 --- a/ansible/modules/hashivault/hashivault_token_role.py +++ b/ansible/modules/hashivault/hashivault_token_role.py @@ -266,7 +266,10 @@ def hashivault_token_role(module): doc = yaml.safe_load(DOCUMENTATION) args = doc.get("options").get("config").get("suboptions") - extra_params = hashivault_normalize_from_doc(module, config, args) + try: + extra_params = hashivault_normalize_from_doc(module, config, args) + except Exception as e: + return e.args[0] # create or update api_path = f"/v1/auth/{mount_point}/roles/{name}" client.auth.token._adapter.post(url=api_path, json=extra_params) From 1b5cff47d0486a42ea6ee5020a6c051b06c46406 Mon Sep 17 00:00:00 2001 From: Benjamin Demarteau Date: Thu, 22 Jun 2023 11:27:11 +0200 Subject: [PATCH 47/65] token_role: correctly add new values instead of overriding --- ansible/module_utils/hashivault.py | 2 +- ansible/modules/hashivault/hashivault_token_role.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index a104e362..c5124a1c 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -51,7 +51,7 @@ def hashivault_normalize_from_doc(module, options, documentation): if config_type is None: module.warn('Unknown option "{}". Make sure this is not a typo, if it is not, please open an ' 'issue at https://github.com/TerryHowe/ansible-modules-hashivault/issues.'.format(key)) - else: + elif value is not None: try: value = normalize[config_type](value) except Exception as e: diff --git a/ansible/modules/hashivault/hashivault_token_role.py b/ansible/modules/hashivault/hashivault_token_role.py index 485b8c2a..11b57229 100644 --- a/ansible/modules/hashivault/hashivault_token_role.py +++ b/ansible/modules/hashivault/hashivault_token_role.py @@ -267,7 +267,7 @@ def hashivault_token_role(module): doc = yaml.safe_load(DOCUMENTATION) args = doc.get("options").get("config").get("suboptions") try: - extra_params = hashivault_normalize_from_doc(module, config, args) + extra_params = hashivault_normalize_from_doc(module, desired_state, args) except Exception as e: return e.args[0] # create or update From 2a6c3dd6abb8bbe776b91e6a89db39e69b3b51de Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 4 Jul 2023 06:33:11 -0600 Subject: [PATCH 48/65] Vault is not tagged latest atm --- functional/start.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/functional/start.sh b/functional/start.sh index 1ac536ca..d1147e9f 100755 --- a/functional/start.sh +++ b/functional/start.sh @@ -29,13 +29,19 @@ storage "file" { EOF chmod a+r $TMP_CONFIG +# Current is not tagged latest and vault won't push images +# after 1.14, but this image is okay today +# # Current is not tagged latest and vault won't push images +# after 1.14, but this image is okay today +TAG=latest +TAG=1.13.3 docker stop $DOCKER_NAME 2>/dev/null || true docker rm $DOCKER_NAME 2>/dev/null || true docker run --name $DOCKER_NAME -h $DOCKER_NAME -d \ --cap-add IPC_LOCK \ -p 127.0.0.1:${PORT}:${PORT} \ -v $TMP_CONFIG:/etc/vault/config.hcl:ro \ - vault server -config /etc/vault/config.hcl + vault:${TAG} server -config /etc/vault/config.hcl # # Wait for vault to come up From 7b34935c9871f60f6a02075f5ce946a30cda06c3 Mon Sep 17 00:00:00 2001 From: Aleksey Zhukov <353748+alezkv@users.noreply.github.com> Date: Thu, 27 Jul 2023 01:18:39 +0300 Subject: [PATCH 49/65] Fix output hashivault_approle_role_secret format Currently `hashivault_approle_role_secret` return plain response from underlying library. `data` field with response from the vault. Examples and other modules (hashivault_approle_role_id) assumed that result would contain `id` field with corresponding value. --- .../modules/hashivault/hashivault_approle_role_secret.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_approle_role_secret.py b/ansible/modules/hashivault/hashivault_approle_role_secret.py index 9ff93701..140b7392 100644 --- a/ansible/modules/hashivault/hashivault_approle_role_secret.py +++ b/ansible/modules/hashivault/hashivault_approle_role_secret.py @@ -20,7 +20,7 @@ default: present name: description: - - secret name. + - role name mount_point: description: - mount point for role @@ -106,9 +106,9 @@ def hashivault_approle_role_secret(module): metadata=metadata, cidr_list=cidr_list) - response_key = 'data' - - return {'changed': True, response_key: result.get(response_key, {})} + data = result.get('data', {}) + secret_id = data.get('secret_id', '') + return {'changed': True, 'data': data, 'id': secret_id} elif state == 'absent': secret = params.get('secret') if module.check_mode: From 30c4cd8d1f389ddbd5fb098c72684e10303e3e1b Mon Sep 17 00:00:00 2001 From: Sebi Date: Fri, 28 Jul 2023 23:53:57 +0300 Subject: [PATCH 50/65] Add timeout as a general parameter --- ansible/plugins/doc_fragments/hashivault.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/plugins/doc_fragments/hashivault.py b/ansible/plugins/doc_fragments/hashivault.py index 11e8d0ae..32f69ce5 100644 --- a/ansible/plugins/doc_fragments/hashivault.py +++ b/ansible/plugins/doc_fragments/hashivault.py @@ -61,4 +61,8 @@ class ModuleDocFragment(object): description: - namespace for vault default: to environment variable VAULT_NAMESPACE + timeout: + description: + - The timeout value (seconds) for requests sent to Vault. + default: 30 ''' From 50e713aef1028990a780d15d4990354680fd5c6d Mon Sep 17 00:00:00 2001 From: Sebi Date: Sat, 29 Jul 2023 00:06:24 +0300 Subject: [PATCH 51/65] Add general parameter timeout Default value of 30, as it is in hvac, to prevent inconsistency. --- ansible/module_utils/hashivault.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index c5124a1c..f501ec77 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -24,7 +24,8 @@ def hashivault_argspec(): role_id=dict(required=False, fallback=(env_fallback, ['VAULT_ROLE_ID']), type='str', no_log=True), secret_id=dict(required=False, fallback=(env_fallback, ['VAULT_SECRET_ID']), type='str', no_log=True), aws_header=dict(required=False, fallback=(env_fallback, ['VAULT_AWS_HEADER']), type='str', no_log=True), - namespace=dict(required=False, default=os.environ.get('VAULT_NAMESPACE', None), type='str') + namespace=dict(required=False, default=os.environ.get('VAULT_NAMESPACE', None), type='str'), + timeout=dict(required=False, default=30, type=int) ) return argument_spec @@ -99,6 +100,7 @@ def hashivault_client(params): cert = (client_cert, client_key) check_verify = params.get('verify') namespace = params.get('namespace', None) + timeout = params.get('timeout') if check_verify == '' or check_verify: if ca_cert: verify = ca_cert @@ -108,7 +110,7 @@ def hashivault_client(params): verify = check_verify else: verify = check_verify - client = hvac.Client(url=url, cert=cert, verify=verify, namespace=namespace) + client = hvac.Client(url=url, cert=cert, verify=verify, namespace=namespace, timeout=timeout) return client From 0965a8578c44be59c0d1ed6ed90ef3ce944d0ee2 Mon Sep 17 00:00:00 2001 From: Emory Otott Date: Sat, 7 Oct 2023 02:59:03 +0900 Subject: [PATCH 52/65] #450 added seal wrap parameter to hashivault secret engine --- .../hashivault/hashivault_secret_engine.py | 60 ++++++++++++++++--- 1 file changed, 53 insertions(+), 7 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_secret_engine.py b/ansible/modules/hashivault/hashivault_secret_engine.py index 22e4b9a4..c3b1f47e 100644 --- a/ansible/modules/hashivault/hashivault_secret_engine.py +++ b/ansible/modules/hashivault/hashivault_secret_engine.py @@ -79,6 +79,9 @@ max_versions: description: - Max versions for secret engine for kv version 2 only + seal_wrap: + description: + - Enable seal wrapping for secret engine. Enterprise feature extends_documentation_fragment: hashivault ''' EXAMPLES = ''' @@ -88,6 +91,14 @@ - hashivault_secret_engine: name: ephemeral backend: generic +- hosts: localhost + tasks: + - hashivault_secret_engine: + name: my_kv + backend: kv + config: + version: 2 + seal_wrap: true ''' @@ -104,6 +115,7 @@ def main(): argspec['options'] = dict(required=False, type='dict', default={}) argspec['cas_required'] = dict(required=False, type='bool') argspec['max_versions'] = dict(required=False, type='int') + argspec['seal_wrap'] = dict(required=False, type='bool') module = hashivault_init(argspec, supports_check_mode=True) result = hashivault_secret_engine(module) if result.get('failed'): @@ -151,6 +163,7 @@ def hashivault_secret_engine(module): options = params.get('options') cas_required = params.get('cas_required') max_versions = params.get('max_versions') + seal_wrap = params.get('seal_wrap') new_engine_configuration = {} if str(options.get('version', None)) == '2' or backend == 'kv-v2': if cas_required: @@ -214,22 +227,55 @@ def hashivault_secret_engine(module): # create if changed and not exists and state == 'enabled' and not module.check_mode: if backend == 'kv' or backend == 'kv-v2': - client.sys.enable_secrets_engine(backend, description=description, path=name, config=config, - options=options) + client.sys.enable_secrets_engine( + backend, + description=description, + path=name, + config=config, + options=options, + seal_wrap=seal_wrap + ) if new_engine_configuration: - client.secrets.kv.v2.configure(mount_point=name, cas_required=cas_required, max_versions=max_versions) + client.secrets.kv.v2.configure( + mount_point=name, + cas_required=cas_required, + max_versions=max_versions, + seal_wrap=seal_wrap + ) else: - client.sys.enable_secrets_engine(backend, description=description, path=name, config=config) + client.sys.enable_secrets_engine( + backend, + description=description, + path=name, + config=config, + seal_wrap=seal_wrap + ) created = True # update elif changed and exists and state == 'enabled' and not module.check_mode: if backend == 'kv' or backend == 'kv-v2': - client.sys.tune_mount_configuration(path=name, description=description, options=options, **config) + client.sys.tune_mount_configuration( + path=name, + description=description, + options=options, + seal_wrap=seal_wrap, + **config + ) if new_engine_configuration: - client.secrets.kv.v2.configure(mount_point=name, cas_required=cas_required, max_versions=max_versions) + client.secrets.kv.v2.configure( + mount_point=name, + cas_required=cas_required, + max_versions=max_versions, + seal_wrap=seal_wrap + ) else: - client.sys.tune_mount_configuration(path=name, description=description, **config) + client.sys.tune_mount_configuration( + path=name, + description=description, + seal_wrap=seal_wrap, + **config + ) # delete elif changed and state == 'disabled' and not module.check_mode: From 093c7eb4de9a739939a0f9767fe88bf97bb7fc21 Mon Sep 17 00:00:00 2001 From: Emory Otott Date: Mon, 9 Oct 2023 13:35:44 +0900 Subject: [PATCH 53/65] Issue #450 added default value of false for parameter seal_wrap --- ansible/modules/hashivault/hashivault_secret_engine.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/modules/hashivault/hashivault_secret_engine.py b/ansible/modules/hashivault/hashivault_secret_engine.py index c3b1f47e..5d2548d4 100644 --- a/ansible/modules/hashivault/hashivault_secret_engine.py +++ b/ansible/modules/hashivault/hashivault_secret_engine.py @@ -115,7 +115,7 @@ def main(): argspec['options'] = dict(required=False, type='dict', default={}) argspec['cas_required'] = dict(required=False, type='bool') argspec['max_versions'] = dict(required=False, type='int') - argspec['seal_wrap'] = dict(required=False, type='bool') + argspec['seal_wrap'] = dict(required=False, type='bool', default=False) module = hashivault_init(argspec, supports_check_mode=True) result = hashivault_secret_engine(module) if result.get('failed'): From 3faa19347f8b20fad5af53ac92f2bc8b16c9ef40 Mon Sep 17 00:00:00 2001 From: Emory Otott Date: Mon, 9 Oct 2023 14:02:24 +0900 Subject: [PATCH 54/65] Issue #450 - fixed issue where I was adding unsupported seal_wrap param to kv v2 configuration and tune mount configuration method resulting in failed tests --- ansible/modules/hashivault/hashivault_secret_engine.py | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_secret_engine.py b/ansible/modules/hashivault/hashivault_secret_engine.py index 5d2548d4..bccff04c 100644 --- a/ansible/modules/hashivault/hashivault_secret_engine.py +++ b/ansible/modules/hashivault/hashivault_secret_engine.py @@ -81,7 +81,7 @@ - Max versions for secret engine for kv version 2 only seal_wrap: description: - - Enable seal wrapping for secret engine. Enterprise feature + - Enable seal wrapping for secret engine. Can only be adjusted when creating new engine. Enterprise feature extends_documentation_fragment: hashivault ''' EXAMPLES = ''' @@ -239,8 +239,7 @@ def hashivault_secret_engine(module): client.secrets.kv.v2.configure( mount_point=name, cas_required=cas_required, - max_versions=max_versions, - seal_wrap=seal_wrap + max_versions=max_versions ) else: client.sys.enable_secrets_engine( @@ -259,7 +258,6 @@ def hashivault_secret_engine(module): path=name, description=description, options=options, - seal_wrap=seal_wrap, **config ) if new_engine_configuration: @@ -267,13 +265,11 @@ def hashivault_secret_engine(module): mount_point=name, cas_required=cas_required, max_versions=max_versions, - seal_wrap=seal_wrap ) else: client.sys.tune_mount_configuration( path=name, description=description, - seal_wrap=seal_wrap, **config ) From a052c9c0833ce4ad01dc681f4ef670de5391bef5 Mon Sep 17 00:00:00 2001 From: Emory Otott Date: Mon, 9 Oct 2023 21:51:04 +0900 Subject: [PATCH 55/65] Issue #451 - added user filter parameter to ldap configuration --- .../modules/hashivault/hashivault_auth_ldap.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/ansible/modules/hashivault/hashivault_auth_ldap.py b/ansible/modules/hashivault/hashivault_auth_ldap.py index 47cf9ed5..22741d21 100644 --- a/ansible/modules/hashivault/hashivault_auth_ldap.py +++ b/ansible/modules/hashivault/hashivault_auth_ldap.py @@ -98,6 +98,9 @@ description: - The maximum lifetime for generated tokens default: '' + userfilter: + description: + - LDAP filter that will determine if a user has permission to authenticate to Vault extends_documentation_fragment: hashivault ''' EXAMPLES = ''' @@ -112,11 +115,22 @@ insecure_tls: "{{ auth_ldap_insecure_tls }}" group_filter: "{{ auth_ldap_groupfilter }}" upn_domain: "{{ auth_ldap_upndomain }}" +- hosts: localhost + tasks: + - hashivault_auth_ldap: + certificate: "{{ my_certificate }}" + user_dn: 'ou=person,dc=my-dc' + group_dn: 'ou=group,dc=my-dc' + bind_dn: 'cn=bind-account,ou=my-ou,dc=my-dc' + ldap_url: 'ldap://my-ldap-instance:389' + group_filter: "(&(objectClass=GroupOC)(memberuid={{ '{{' }}.Username {{ '}}' }}))" + userfilter: "(&(objectClass=UserOC)(uid={{ '{{' }}.Username {{ '}}' }})(isMemberOf=cn=group,ou=group,dc=dc)" ''' def main(): # separate long default value to pass linting + default_userfilter = '({{.UserAttr}}={{.Username}})' default_group_filter = '(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' argspec = hashivault_argspec() argspec['description'] = dict(required=False, type='str') @@ -130,6 +144,7 @@ def main(): argspec['certificate'] = dict(required=False, type='str', default='') argspec['bind_dn'] = dict(required=False, type='str', default='') argspec['bind_pass'] = dict(required=False, type='str', default=None, no_log=True) + argspec['userfilter'] = dict(required=False, type='str', default=default_userfilter) argspec['user_attr'] = dict(required=False, type='str', default='cn') argspec['user_dn'] = dict(required=False, type='str', default='') argspec['discover_dn'] = dict(required=False, type='bool', default=False) @@ -166,6 +181,7 @@ def hashivault_auth_ldap(module): desired_state['certificate'] = params.get('certificate') desired_state['bind_dn'] = params.get('bind_dn') desired_state['bind_pass'] = params.get('bind_pass') + desired_state['userfilter'] = params.get('userfilter') desired_state['user_attr'] = params.get('user_attr') desired_state['user_dn'] = params.get('user_dn') desired_state['discover_dn'] = params.get('discover_dn') @@ -190,6 +206,7 @@ def hashivault_auth_ldap(module): # some keys need to be remapped to match desired state (and HVAC implementation) current_state['discover_dn'] = result['discoverdn'] current_state['group_attr'] = result['groupattr'] + current_state['userfilter'] = result['userfilter'] current_state['user_attr'] = result['userattr'] current_state['group_dn'] = result['groupdn'] current_state['upn_domain'] = result['upndomain'] From c7ffe124f49e2c539f0e7c070aa18fa59caae06c Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Tue, 10 Oct 2023 06:46:32 -0600 Subject: [PATCH 56/65] Update hvac requirement --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index 06ad4031..3c5cf889 100644 --- a/setup.py +++ b/setup.py @@ -27,7 +27,7 @@ packages=files, install_requires=[ 'ansible>=5.0.0', - 'hvac>=1.0.0', + 'hvac>=1.2.1', 'requests', ], ) From f50ba4125df6ee06ae3ee350d786680a6969e30d Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Wed, 11 Oct 2023 06:24:57 -0600 Subject: [PATCH 57/65] Version 5.1.2 --- CHANGELOG.rst | 24 ++++++++++++++++++++++++ setup.py | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 3b383bf2..8912a72e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,30 @@ Changelog ========= +5.1.2 (2023-10-11) +------------------ +- Update hvac requirement. [Terry Howe] +- Issue #451 - added user filter parameter to ldap configuration. [Emory + Otott] +- Issue #450 - fixed issue where I was adding unsupported seal_wrap + param to kv v2 configuration and tune mount configuration method + resulting in failed tests. [Emory Otott] +- Issue #450 added default value of false for parameter seal_wrap. + [Emory Otott] +- #450 added seal wrap parameter to hashivault secret engine. [Emory + Otott] +- Add general parameter timeout. [Sebi] + Default value of 30, as it is in hvac, to prevent inconsistency. +- Add timeout as a general parameter. [Sebi] +- Fix output hashivault_approle_role_secret format. [Aleksey Zhukov] +- Token_role: correctly add new values instead of overriding. [Benjamin + Demarteau] +- Hashivault_normalize_from_doc: don't swallow exceptions. [Benjamin + Demarteau] +- Ssh_role,token_role: don't fail when encountering unknown options. + [Benjamin Demarteau] + + 5.1.1 (2023-06-13) ------------------ - Add plugin_version params for the vault api. [Ankit] diff --git a/setup.py b/setup.py index 3c5cf889..a3404902 100644 --- a/setup.py +++ b/setup.py @@ -16,7 +16,7 @@ setup( name='ansible-modules-hashivault', - version='5.1.1', + version='5.1.2', description='Ansible Modules for Hashicorp Vault', long_description=long_description, long_description_content_type='text/x-rst', From 27b34788a912a74a82ad846cd628b79506d5bc7a Mon Sep 17 00:00:00 2001 From: Sebastian Schmitt <147703765+sschmittsva@users.noreply.github.com> Date: Thu, 19 Oct 2023 10:40:35 +0200 Subject: [PATCH 58/65] Fix wrong type (#449) As discussed in #449, the type needs to be `list` instead of `type`. --- ansible/modules/hashivault/hashivault_pki_role.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/modules/hashivault/hashivault_pki_role.py b/ansible/modules/hashivault/hashivault_pki_role.py index 39fe3e74..825f90da 100755 --- a/ansible/modules/hashivault/hashivault_pki_role.py +++ b/ansible/modules/hashivault/hashivault_pki_role.py @@ -124,7 +124,7 @@ - Although this parameter could take a string with comma-delimited items, it's highly advised to not do so as it would break idempotency. allowed_other_sans: - type: type + type: list description: - Defines allowed custom OID/UTF8-string SANs - Each item of the list has the same format as OpenSSL `;:`, but the only valid From 13c25215164f3ec574e2719fc75f629e102177f0 Mon Sep 17 00:00:00 2001 From: DaazKu Date: Thu, 18 Jan 2024 10:19:29 -0500 Subject: [PATCH 59/65] Add option in hashivault_init to pass only `secret_*` or `recovery_*` options --- ansible/modules/hashivault/hashivault_init.py | 60 +++++++++++++++++-- 1 file changed, 56 insertions(+), 4 deletions(-) diff --git a/ansible/modules/hashivault/hashivault_init.py b/ansible/modules/hashivault/hashivault_init.py index e42ba3de..08d2bec4 100644 --- a/ansible/modules/hashivault/hashivault_init.py +++ b/ansible/modules/hashivault/hashivault_init.py @@ -13,6 +13,10 @@ description: - Module to init Hashicorp Vault. options: + seal_method: + description: + - specifies if `secret_*` or `recovery_*` options should be used. + default: secret secret_shares: description: - specifies the number of shares to split the master key into. @@ -36,11 +40,11 @@ recovery_shares: description: - specifies the number of shares to split the recovery key into. - default: None + default: 5 recovery_threshold: description: - specifies the number of shares required to reconstruct the recovery key. - default: None + default: 3 recovery_pgp_keys: description: - specifies an array of PGP public keys used to encrypt the output recovery keys. @@ -63,8 +67,11 @@ def main(): argspec = hashivault_argspec() - argspec['secret_shares'] = dict(required=False, type='int', default=5) - argspec['secret_threshold'] = dict(required=False, type='int', default=3) + argspec['seal_method'] = dict( + required=False, type='str', default='secret', choices=['secret', 'recovery'] + ) + argspec['secret_shares'] = dict(required=False, type='int', default=None) + argspec['secret_threshold'] = dict(required=False, type='int', default=None) argspec['pgp_keys'] = dict(required=False, type='list', default=None) argspec['root_token_pgp_key'] = dict(required=False, type='str', default=None) argspec['stored_shares'] = dict(required=False, type='int', default=None) @@ -72,6 +79,7 @@ def main(): argspec['recovery_threshold'] = dict(required=False, type='int', default=None) argspec['recovery_pgp_keys'] = dict(required=False, type='list', default=None) module = hashivault_init(argspec) + additional_parameter_handling(module) result = hashivault_initialize(module.params) if result.get('failed'): module.fail_json(**result) @@ -79,6 +87,50 @@ def main(): module.exit_json(**result) +def additional_parameter_handling(module): + '''Additional parameter validation''' + + # Default shares and thresholds depending on the seal method + if module.params.get('seal_method') == 'secret': + module.params['secret_shares'] = ( + 5 + if module.params.get('secret_shares') is None + else module.params.get('secret_shares') + ) + module.params['secret_threshold'] = ( + 3 + if module.params.get('secret_threshold') is None + else module.params.get('secret_threshold') + ) + + if ( + module.params.get('recovery_shares') + or module.params.get('recovery_threshold') + or module.params.get('recovery_pgp_keys') + ): + module.fail_json( + msg="'recovery_*' options are only valid if 'seal_method' == 'recovery'", + changed=False, + ) + else: + module.params['recovery_shares'] = ( + 5 + if module.params.get('recovery_shares') is None + else module.params.get('recovery_shares') + ) + module.params['recovery_threshold'] = ( + 3 + if module.params.get('recovery_threshold') is None + else module.params.get('recovery_threshold') + ) + + if module.params.get('secret_shares') or module.params.get('secret_threshold'): + module.fail_json( + msg="'secret_*' options are only valid if 'seal_method' == 'secret'", + changed=False, + ) + + @hashiwrapper def hashivault_initialize(params): client = hashivault_client(params) From 75a53dede4238aee87ef66982bf7e9b1ee2c82cc Mon Sep 17 00:00:00 2001 From: Andrew Hamilton Date: Tue, 23 Jan 2024 01:42:55 -0500 Subject: [PATCH 60/65] HVAC 1.0.0+ have all authentication methods as subclasses of client.auth Update login code to call the appropriate subclass for tls/cert auth --- ansible/module_utils/hashivault.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/module_utils/hashivault.py b/ansible/module_utils/hashivault.py index f501ec77..1f666bc9 100644 --- a/ansible/module_utils/hashivault.py +++ b/ansible/module_utils/hashivault.py @@ -134,7 +134,7 @@ def hashivault_auth(client, params): elif authtype == 'approle': client = AppRoleClient(client, role_id, secret_id, mount_point=login_mount_point) elif authtype == 'tls': - client.auth_tls() + client.auth.cert.login() elif authtype == 'aws': credentials = get_ec2_iam_credentials(params.get['aws_header'], role_id) client.auth_aws_iam(**credentials) From 6a48fdd9b4cc99fac7ddde66ebea5241ffcdb8a3 Mon Sep 17 00:00:00 2001 From: bendem Date: Mon, 5 Feb 2024 14:06:49 +0100 Subject: [PATCH 61/65] Depend on ansible-core instead of ansible --- setup.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup.py b/setup.py index a3404902..da41d6f6 100644 --- a/setup.py +++ b/setup.py @@ -26,7 +26,7 @@ py_modules=py_files, packages=files, install_requires=[ - 'ansible>=5.0.0', + 'ansible-core>=2.12.0', 'hvac>=1.2.1', 'requests', ], From 054b98d51547d980df417fd23e782f23682d6047 Mon Sep 17 00:00:00 2001 From: bendem Date: Mon, 5 Feb 2024 14:11:51 +0100 Subject: [PATCH 62/65] Don't use nested jinja --- functional/test_approle.yml | 72 +++++++++---------- functional/test_approle_check_mode.yml | 24 +++---- functional/test_approle_mount_point.yml | 38 +++++----- functional/test_audit.yml | 28 ++++---- functional/test_auth.yml | 27 ++++--- functional/test_auth_method.yml | 30 ++++---- functional/test_aws_auth_config.yml | 8 +-- functional/test_aws_auth_role.yml | 8 +-- functional/test_azure_auth_config.yml | 20 +++--- functional/test_azure_auth_role.yml | 16 ++--- functional/test_azure_config.yml | 8 +-- functional/test_azure_role.yml | 14 ++-- functional/test_cas.yml | 40 +++++------ functional/test_consul_config.yml | 8 +-- functional/test_consul_role.yml | 24 +++---- functional/test_db_config.yml | 18 ++--- functional/test_db_role.yml | 26 +++---- functional/test_delete.yml | 10 +-- functional/test_delete_permanent.yml | 10 +-- functional/test_environment_lookup.yml | 4 +- functional/test_ephemeral.yml | 34 ++++----- functional/test_full_path.yml | 16 ++--- functional/test_generate_root.yml | 38 +++++----- functional/test_identity_entity.yml | 40 +++++------ functional/test_identity_group.yml | 26 +++---- functional/test_init.yml | 16 ++--- functional/test_k8_auth.yml | 26 +++---- functional/test_kv2.yml | 52 +++++++------- functional/test_ldap_group.yml | 16 ++--- functional/test_list.yml | 4 +- functional/test_lookup.yml | 14 ++-- functional/test_mounts.yml | 14 ++-- functional/test_namespace.yml | 26 +++---- functional/test_not_there.yml | 22 +++--- functional/test_oidc_auth_method_config.yml | 8 +-- functional/test_oidc_auth_role.yml | 6 +- functional/test_pki.yml | 6 +- functional/test_policy.yml | 62 ++++++++-------- functional/test_read.yml | 16 ++--- functional/test_read_write_file.yml | 38 +++++----- functional/test_rekey.yml | 48 ++++++------- functional/test_rekey_verify.yml | 56 +++++++-------- functional/test_secret.yml | 58 +++++++-------- functional/test_secret_engine.yml | 48 ++++++------- functional/test_secret_list.yml | 7 +- functional/test_ssh_role.yml | 28 ++++---- functional/test_ssh_role_check_mode.yml | 20 +++--- functional/test_status.yml | 30 ++++---- functional/test_token_role.yml | 26 +++---- functional/test_token_role_check_mode.yml | 20 +++--- functional/test_tokens.yml | 36 +++++----- functional/test_unseal.yml | 22 +++--- functional/test_userpass.yml | 20 +++--- functional/test_userpass_idempotent.yml | 12 ++-- functional/test_userpass_no_pass.yml | 22 +++--- functional/test_userpass_no_policy.yml | 4 +- functional/test_write.yml | 78 ++++++++++----------- 57 files changed, 723 insertions(+), 725 deletions(-) diff --git a/functional/test_approle.yml b/functional/test_approle.yml index e57c1d76..f9095a10 100644 --- a/functional/test_approle.yml +++ b/functional/test_approle.yml @@ -16,14 +16,14 @@ name: "approle_test_policy_original" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: Set another approle policy hashivault_policy: name: "approle_test_policy" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: enable approle authentication hashivault_auth_method: @@ -44,17 +44,17 @@ - approle_test_policy_original state: present register: 'vault_role_create_bound_cidrs' - - assert: { that: "{{vault_role_create_bound_cidrs.changed}} == True" } - - assert: { that: "{{vault_role_create_bound_cidrs.rc}} == 0" } + - assert: { that: "vault_role_create_bound_cidrs is changed" } + - assert: { that: "vault_role_create_bound_cidrs.rc == 0" } - name: get role with token_bound_cidrs and secret_id_bound_cidrs hashivault_approle_role_get: name: testrole_bound_cidrs register: 'vault_role_get_bound_cidrs' - - assert: { that: "{{vault_role_get_bound_cidrs.changed}} == False" } - - assert: { that: "{{vault_role_get_bound_cidrs.rc}} == 0" } - - assert: { that: "'{{vault_role_get_bound_cidrs.role.data.token_bound_cidrs[0]}}' == '127.0.0.1'" } - - assert: { that: "'{{vault_role_get_bound_cidrs.role.data.secret_id_bound_cidrs[0]}}' == '127.0.0.1/32'" } + - assert: { that: "vault_role_get_bound_cidrs is not changed" } + - assert: { that: "vault_role_get_bound_cidrs.rc == 0" } + - assert: { that: "vault_role_get_bound_cidrs.role.data.token_bound_cidrs[0] == '127.0.0.1'" } + - assert: { that: "vault_role_get_bound_cidrs.role.data.secret_id_bound_cidrs[0] == '127.0.0.1/32'" } - name: create role hashivault_approle_role: @@ -63,8 +63,8 @@ - approle_test_policy_original state: present register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: update role hashivault_approle_role: @@ -73,8 +73,8 @@ - approle_test_policy state: present register: 'vault_role_update' - - assert: { that: "{{vault_role_update.changed}} == True" } - - assert: { that: "{{vault_role_update.rc}} == 0" } + - assert: { that: "vault_role_update is changed" } + - assert: { that: "vault_role_update.rc == 0" } - name: update role idempotent hashivault_approle_role: @@ -83,14 +83,14 @@ - approle_test_policy state: present register: 'vault_role_update' - - assert: { that: "{{vault_role_update.changed}} == False" } - - assert: { that: "{{vault_role_update.rc}} == 0" } + - assert: { that: "vault_role_update is not changed" } + - assert: { that: "vault_role_update.rc == 0" } - name: list roles hashivault_approle_role_list: register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } - fail: msg="role testrole not in list {{vault_role_list.roles}}" when: '"testrole" not in vault_role_list.roles' @@ -98,15 +98,15 @@ hashivault_approle_role_get: name: testrole register: 'vault_role' - - assert: { that: "{{vault_role.changed}} == False" } - - assert: { that: "{{vault_role.rc}} == 0" } + - assert: { that: "vault_role is not changed" } + - assert: { that: "vault_role.rc == 0" } - name: get role id hashivault_approle_role_id: name: testrole register: 'vault_role_id' - - assert: { that: "{{vault_role_id.changed}} == False" } - - assert: { that: "{{vault_role_id.rc}} == 0" } + - assert: { that: "vault_role_id is not changed" } + - assert: { that: "vault_role_id.rc == 0" } - assert: that: - vault_role_id.id|default('') != '' @@ -120,8 +120,8 @@ name: testrole state: present register: 'vault_role_secret_create' - - assert: { that: "{{vault_role_secret_create.changed}} == True" } - - assert: { that: "{{vault_role_secret_create.rc}} == 0" } + - assert: { that: "vault_role_secret_create is changed" } + - assert: { that: "vault_role_secret_create.rc == 0" } - assert: that: - vault_role_secret_create.data.secret_id_accessor|default('') != '' @@ -140,8 +140,8 @@ hashivault_approle_role_secret_list: name: testrole register: 'vault_role_secret_list' - - assert: { that: "{{vault_role_secret_list.changed}} == False" } - - assert: { that: "{{vault_role_secret_list.rc}} == 0" } + - assert: { that: "vault_role_secret_list is not changed" } + - assert: { that: "vault_role_secret_list.rc == 0" } - fail: msg="secret {{approle_secret_id_accessor}} not in list" when: approle_secret_id_accessor not in vault_role_secret_list.secrets @@ -150,26 +150,26 @@ name: testrole secret: "{{approle_secret_id}}" register: 'vault_role_secret_get' - - assert: { that: "{{vault_role_secret_get.changed}} == False" } - - assert: { that: "{{vault_role_secret_get.rc}} == 0" } - - assert: { that: "'{{vault_role_secret_get.secret.secret_id_accessor}}' == '{{approle_secret_id_accessor}}'" } + - assert: { that: "vault_role_secret_get is not changed" } + - assert: { that: "vault_role_secret_get.rc == 0" } + - assert: { that: "vault_role_secret_get.secret.secret_id_accessor == approle_secret_id_accessor" } - name: get non existing secret hashivault_approle_role_secret_get: name: testrole secret: "1-2-3-4" register: 'vault_role_secret_get_not_existing' - - assert: { that: "'{{vault_role_secret_get_not_existing.status}}' == 'absent'" } - - assert: { that: "{{vault_role_secret_get_not_existing.rc}} == 0" } + - assert: { that: "vault_role_secret_get_not_existing.status == 'absent'" } + - assert: { that: "vault_role_secret_get_not_existing.rc == 0" } - name: get secret accessor hashivault_approle_role_secret_accessor_get: name: testrole accessor: "{{approle_secret_id_accessor}}" register: 'vault_role_secret_accessor_get' - - assert: { that: "{{vault_role_secret_accessor_get.changed}} == False" } - - assert: { that: "{{vault_role_secret_accessor_get.rc}} == 0" } - - assert: { that: "'{{vault_role_secret_accessor_get.secret.secret_id_accessor}}' != ''" } + - assert: { that: "vault_role_secret_accessor_get is not changed" } + - assert: { that: "vault_role_secret_accessor_get.rc == 0" } + - assert: { that: "vault_role_secret_accessor_get.secret.secret_id_accessor != ''" } - name: create secret to delete hashivault_approle_role_secret: @@ -187,14 +187,14 @@ secret: "{{approle_secret_id}}" state: absent register: 'vault_role_secret_delete' - - assert: { that: "{{vault_role_secret_delete.changed}} == True" } - - assert: { that: "{{vault_role_secret_delete.rc}} == 0" } + - assert: { that: "vault_role_secret_delete is changed" } + - assert: { that: "vault_role_secret_delete.rc == 0" } - name: make sure secret is gone hashivault_approle_role_secret_list: name: testrole register: 'vault_role_secret_list' - - assert: { that: "{{vault_role_secret_list.changed}} == False" } - - assert: { that: "{{vault_role_secret_list.rc}} == 0" } + - assert: { that: "vault_role_secret_list is not changed" } + - assert: { that: "vault_role_secret_list.rc == 0" } - fail: msg="secret {{approle_secret_id_accessor}} shoud not be in list" when: approle_secret_id_accessor in vault_role_secret_list.secrets diff --git a/functional/test_approle_check_mode.yml b/functional/test_approle_check_mode.yml index 43c67681..f31befba 100644 --- a/functional/test_approle_check_mode.yml +++ b/functional/test_approle_check_mode.yml @@ -10,8 +10,8 @@ state: present check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == False" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is not changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: create role check_mode does not exist hashivault_approle_role: @@ -21,8 +21,8 @@ state: present check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: delete role check_mode exists hashivault_approle_role: @@ -30,8 +30,8 @@ state: absent check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: delete role check_mode does not exist hashivault_approle_role: @@ -39,8 +39,8 @@ state: absent check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == False" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is not changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: create secret for check_mode test hashivault_approle_role_secret: @@ -59,8 +59,8 @@ state: absent check_mode: true register: 'vault_role_secret_delete' - - assert: { that: "{{vault_role_secret_delete.changed}} == True" } - - assert: { that: "{{vault_role_secret_delete.rc}} == 0" } + - assert: { that: "vault_role_secret_delete is changed" } + - assert: { that: "vault_role_secret_delete.rc == 0" } - name: delete secret does not exist check_mode hashivault_approle_role_secret: @@ -69,5 +69,5 @@ state: absent check_mode: true register: 'vault_role_secret_delete' - - assert: { that: "{{vault_role_secret_delete.changed}} == False" } - - assert: { that: "{{vault_role_secret_delete.rc}} == 0" } + - assert: { that: "vault_role_secret_delete is not changed" } + - assert: { that: "vault_role_secret_delete.rc == 0" } diff --git a/functional/test_approle_mount_point.yml b/functional/test_approle_mount_point.yml index b41cc197..e7483444 100644 --- a/functional/test_approle_mount_point.yml +++ b/functional/test_approle_mount_point.yml @@ -16,7 +16,7 @@ name: lightning_policy rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: enable lightning approle authentication hashivault_auth_method: @@ -37,15 +37,15 @@ token_policies: - lightning_policy register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: list roles hashivault_approle_role_list: mount_point: lightning register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } - fail: msg="role bigspark not in list" when: '"bigspark" not in vault_role_list.roles' @@ -54,16 +54,16 @@ name: bigspark mount_point: lightning register: 'vault_role' - - assert: { that: "{{vault_role.changed}} == False" } - - assert: { that: "{{vault_role.rc}} == 0" } + - assert: { that: "vault_role is not changed" } + - assert: { that: "vault_role.rc == 0" } - name: get role id hashivault_approle_role_id: name: bigspark mount_point: lightning register: 'vault_role_id' - - assert: { that: "{{vault_role_id.changed}} == False" } - - assert: { that: "{{vault_role_id.rc}} == 0" } + - assert: { that: "vault_role_id is not changed" } + - assert: { that: "vault_role_id.rc == 0" } - assert: that: - vault_role_id.id|default('') != '' @@ -78,8 +78,8 @@ mount_point: lightning state: present register: 'vault_role_secret_create' - - assert: { that: "{{vault_role_secret_create.changed}} == True" } - - assert: { that: "{{vault_role_secret_create.rc}} == 0" } + - assert: { that: "vault_role_secret_create is changed" } + - assert: { that: "vault_role_secret_create.rc == 0" } - assert: that: - vault_role_secret_create.data.secret_id_accessor|default('') != '' @@ -99,8 +99,8 @@ name: bigspark mount_point: lightning register: 'vault_role_secret_list' - - assert: { that: "{{vault_role_secret_list.changed}} == False" } - - assert: { that: "{{vault_role_secret_list.rc}} == 0" } + - assert: { that: "vault_role_secret_list is not changed" } + - assert: { that: "vault_role_secret_list.rc == 0" } - fail: msg="secret {{approle_secret_id_accessor}} not in list" when: approle_secret_id_accessor not in vault_role_secret_list.secrets @@ -110,9 +110,9 @@ mount_point: lightning secret: "{{approle_secret_id}}" register: 'vault_role_secret_get' - - assert: { that: "{{vault_role_secret_get.changed}} == False" } - - assert: { that: "{{vault_role_secret_get.rc}} == 0" } - - assert: { that: "'{{vault_role_secret_get.secret.secret_id_accessor}}' == '{{approle_secret_id_accessor}}'" } + - assert: { that: "vault_role_secret_get is not changed" } + - assert: { that: "vault_role_secret_get.rc == 0" } + - assert: { that: "vault_role_secret_get.secret.secret_id_accessor == approle_secret_id_accessor" } # unsupported by docker image - name: get secret accessor @@ -121,6 +121,6 @@ mount_point: lightning accessor: "{{approle_secret_id_accessor}}" register: 'vault_role_secret_accessor_get' - - assert: { that: "{{vault_role_secret_accessor_get.changed}} == False" } - - assert: { that: "{{vault_role_secret_accessor_get.rc}} == 0" } - - assert: { that: "'{{vault_role_secret_accessor_get.secret.secret_id_accessor}}' != ''" } + - assert: { that: "vault_role_secret_accessor_get is not changed" } + - assert: { that: "vault_role_secret_accessor_get.rc == 0" } + - assert: { that: "vault_role_secret_accessor_get.secret.secret_id_accessor != ''" } diff --git a/functional/test_audit.yml b/functional/test_audit.yml index f774d28c..22899057 100644 --- a/functional/test_audit.yml +++ b/functional/test_audit.yml @@ -22,8 +22,8 @@ options: path: "/tmp/vault.log" register: audit_module - - assert: { that: "{{audit_module.changed}} == True" } - - assert: { that: "{{audit_module.rc}} == 0" } + - assert: { that: "audit_module is changed" } + - assert: { that: "audit_module.rc == 0" } - name: Create audit idempotent (Vault does not support update at the moment anyway) hashivault_audit: @@ -31,8 +31,8 @@ options: path: "/tmp/vault.log" register: audit_module - - assert: { that: "{{audit_module.changed}} == False" } - - assert: { that: "{{audit_module.rc}} == 0" } + - assert: { that: "audit_module is not changed" } + - assert: { that: "audit_module.rc == 0" } - name: Create audit path hashivault_audit: @@ -41,8 +41,8 @@ options: path: "/tmp/path_vault.log" register: audit_module - - assert: { that: "{{audit_module.changed}} == True" } - - assert: { that: "{{audit_module.rc}} == 0" } + - assert: { that: "audit_module is changed" } + - assert: { that: "audit_module.rc == 0" } - name: Create audit path again hashivault_audit: @@ -51,16 +51,16 @@ options: path: "/tmp/path_vault.log" register: audit_module - - assert: { that: "{{audit_module.changed}} == False" } - - assert: { that: "{{audit_module.rc}} == 0" } + - assert: { that: "audit_module is not changed" } + - assert: { that: "audit_module.rc == 0" } - name: Delete audit hashivault_audit: device_type: file state: absent register: audit_module - - assert: { that: "{{audit_module.changed}} == True" } - - assert: { that: "{{audit_module.rc}} == 0" } + - assert: { that: "audit_module is changed" } + - assert: { that: "audit_module.rc == 0" } - name: Delete audit path hashivault_audit: @@ -68,13 +68,13 @@ path: pathy state: absent register: audit_module - - assert: { that: "{{audit_module.changed}} == True" } - - assert: { that: "{{audit_module.rc}} == 0" } + - assert: { that: "audit_module is changed" } + - assert: { that: "audit_module.rc == 0" } - name: Delete audit idempotent hashivault_audit: device_type: file state: absent register: audit_module - - assert: { that: "{{audit_module.changed}} == False" } - - assert: { that: "{{audit_module.rc}} == 0" } \ No newline at end of file + - assert: { that: "audit_module is not changed" } + - assert: { that: "audit_module.rc == 0" } diff --git a/functional/test_auth.yml b/functional/test_auth.yml index 678a1439..a91a0842 100644 --- a/functional/test_auth.yml +++ b/functional/test_auth.yml @@ -12,32 +12,31 @@ method_type: "userpass" description: "my userpass" register: 'vault_auth' - - assert: { that: "{{vault_auth.changed}} == True" } - - assert: { that: "{{vault_auth.created}} == True" } - - assert: { that: "{{vault_auth.failed}} == False" } - - assert: { that: "{{vault_auth.rc}} == 0" } + - assert: { that: "vault_auth is changed" } + - assert: { that: "vault_auth.created == True" } + - assert: { that: "vault_auth.failed == False" } + - assert: { that: "vault_auth.rc == 0" } - name: Enable userpass when it is already enabled hashivault_auth_method: method_type: "userpass" description: "my userpass" register: 'vault_auth' - - assert: { that: "{{vault_auth.changed}} == False" } - - assert: { that: "{{vault_auth.created}} == False" } - - assert: { that: "{{vault_auth.failed}} == False" } - - assert: { that: "{{vault_auth.rc}} == 0" } + - assert: { that: "vault_auth is not changed" } + - assert: { that: "vault_auth.created == False" } + - assert: { that: "vault_auth.failed == False" } + - assert: { that: "vault_auth.rc == 0" } - name: Enable userpass auth for the third time with change hashivault_auth_method: method_type: "userpass" description: "our userpass" register: 'vault_auth' - - assert: { that: "{{vault_auth.changed}} == True" } - - assert: { that: "{{vault_auth.created}} == False" } - - assert: { that: "{{vault_auth.rc}} == 0" } + - assert: { that: "vault_auth is changed" } + - assert: { that: "vault_auth.created == False" } + - assert: { that: "vault_auth.rc == 0" } - name: Enable userpass at a different mount point hashivault_auth_method: method_type: "userpass" mount_point: "another-userpass" register: 'vault_auth_mount_point' - - assert: { that: "{{vault_auth_mount_point.changed}} == True" } - - assert: { that: "{{vault_auth_mount_point.rc}} == 0" } - + - assert: { that: "vault_auth_mount_point is changed" } + - assert: { that: "vault_auth_mount_point.rc == 0" } diff --git a/functional/test_auth_method.yml b/functional/test_auth_method.yml index 04c33542..8d8a50c0 100644 --- a/functional/test_auth_method.yml +++ b/functional/test_auth_method.yml @@ -15,20 +15,20 @@ method_type: azure state: disabled register: disable_idem - - assert: { that: "{{ disable_idem.changed }} == False" } + - assert: { that: "disable_idem is not changed" } - name: enable azure secret engine hashivault_auth_method: method_type: azure register: enable_chg - - assert: { that: "{{ enable_chg.changed }} == True" } + - assert: { that: "enable_chg is changed" } - name: disable azure hashivault_auth_method: method_type: azure state: disabled register: disable_chg - - assert: { that: "{{ disable_chg.changed }} == True" } + - assert: { that: "disable_chg is changed" } - name: "Enable OIDC auth method" hashivault_auth_method: @@ -38,8 +38,8 @@ default_lease_ttl: 0 max_lease_ttl: 0 register: oidc_idempotent - - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - - assert: { that: "{{ oidc_idempotent.changed }} == True" } + - assert: { that: "oidc_idempotent.rc == 0" } + - assert: { that: "oidc_idempotent is changed" } - name: "Enable OIDC auth method idempotent" hashivault_auth_method: @@ -49,8 +49,8 @@ default_lease_ttl: 0 max_lease_ttl: 0 register: oidc_idempotent - - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - - assert: { that: "{{ oidc_idempotent.changed }} == False" } + - assert: { that: "oidc_idempotent.rc == 0" } + - assert: { that: "oidc_idempotent is not changed" } - name: "Enable OIDC auth method update" hashivault_auth_method: @@ -61,8 +61,8 @@ max_lease_ttl: 0 description: 'my oidc' register: oidc_idempotent - - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - - assert: { that: "{{ oidc_idempotent.changed }} == True" } + - assert: { that: "oidc_idempotent.rc == 0" } + - assert: { that: "oidc_idempotent is changed" } - name: "Enable OIDC auth method update description idempotent" hashivault_auth_method: @@ -73,8 +73,8 @@ max_lease_ttl: 0 description: 'my oidc' register: oidc_idempotent - - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - - assert: { that: "{{ oidc_idempotent.changed }} == False" } + - assert: { that: "oidc_idempotent.rc == 0" } + - assert: { that: "oidc_idempotent is not changed" } - name: "Enable OIDC auth method update" hashivault_auth_method: @@ -83,8 +83,8 @@ config: default_lease_ttl: 2764799 register: oidc_idempotent - - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - - assert: { that: "{{ oidc_idempotent.changed }} == True" } + - assert: { that: "oidc_idempotent.rc == 0" } + - assert: { that: "oidc_idempotent is changed" } - name: "Enable OIDC auth method update idempotent" hashivault_auth_method: @@ -93,5 +93,5 @@ config: default_lease_ttl: 2764799 register: oidc_idempotent - - assert: { that: "{{ oidc_idempotent.rc }} == 0" } - - assert: { that: "{{ oidc_idempotent.changed }} == False" } + - assert: { that: "oidc_idempotent.rc == 0" } + - assert: { that: "oidc_idempotent is not changed" } diff --git a/functional/test_aws_auth_config.yml b/functional/test_aws_auth_config.yml index d31f56d4..6c2230f8 100644 --- a/functional/test_aws_auth_config.yml +++ b/functional/test_aws_auth_config.yml @@ -14,12 +14,12 @@ access_key: bob secret_key: topsecret register: aws_result - - assert: { that: "{{aws_result.changed}} == True" } - - assert: { that: "{{aws_result.rc}} == 0" } + - assert: { that: "aws_result is changed" } + - assert: { that: "aws_result.rc == 0" } - hashivault_aws_auth_config: mount_point: aws state: absent register: aws_result - - assert: { that: "{{aws_result.changed}} == True" } - - assert: { that: "{{aws_result.rc}} == 0" } + - assert: { that: "aws_result is changed" } + - assert: { that: "aws_result.rc == 0" } diff --git a/functional/test_aws_auth_role.yml b/functional/test_aws_auth_role.yml index 14e1376b..6e91e9ec 100644 --- a/functional/test_aws_auth_role.yml +++ b/functional/test_aws_auth_role.yml @@ -16,12 +16,12 @@ inferred_aws_region: eu-west-1 bound_iam_role_arn: arn:aws:iam::12345678:role/ec2-role register: aws_result - - assert: { that: "{{aws_result.changed}} == True" } - - assert: { that: "{{aws_result.rc}} == 0" } + - assert: { that: "aws_result is changed" } + - assert: { that: "aws_result.rc == 0" } - hashivault_aws_auth_role: name: ec2-role state: absent register: aws_result - - assert: { that: "{{aws_result.changed}} == True" } - - assert: { that: "{{aws_result.rc}} == 0" } + - assert: { that: "aws_result is changed" } + - assert: { that: "aws_result.rc == 0" } diff --git a/functional/test_azure_auth_config.yml b/functional/test_azure_auth_config.yml index c36f1de3..4655e94a 100644 --- a/functional/test_azure_auth_config.yml +++ b/functional/test_azure_auth_config.yml @@ -11,7 +11,7 @@ method_type: azure state: disabled failed_when: false - + - name: make sure test fails when no mount exists hashivault_azure_auth_config: client_id: "{{ client_id }}" @@ -20,12 +20,12 @@ register: fail_config failed_when: false - - assert: { that: "{{ fail_config.changed }} == False" } - - - name: enable azure auth method + - assert: { that: "fail_config is not changed" } + + - name: enable azure auth method hashivault_auth_method: method_type: azure - + - name: successfully configure method hashivault_azure_auth_config: client_id: "{{ client_id }}" @@ -33,7 +33,7 @@ tenant_id: "{{ tenant_id }}" register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: attempt 2nd config with same values hashivault_azure_auth_config: @@ -41,8 +41,8 @@ client_secret: "{{ client_secret }}" tenant_id: "{{ tenant_id }}" register: idem_config - - - assert: { that: "{{ idem_config.changed }} == False" } + + - assert: { that: "idem_config is not changed" } - name: attempt 3rd config with different values hashivault_azure_auth_config: @@ -50,5 +50,5 @@ client_secret: mlergh tenant_id: splurgh register: overwrite_config - - - assert: { that: "{{ overwrite_config.changed }} == True" } + + - assert: { that: "overwrite_config is changed" } diff --git a/functional/test_azure_auth_role.yml b/functional/test_azure_auth_role.yml index 9bd47721..203a8c78 100644 --- a/functional/test_azure_auth_role.yml +++ b/functional/test_azure_auth_role.yml @@ -11,11 +11,11 @@ method_type: azure state: disabled failed_when: false - + - name: enable azure secret engine hashivault_auth_method: method_type: azure - + - name: successfully configure mount hashivault_azure_auth_config: client_id: "{{ client_id }}" @@ -29,8 +29,8 @@ bound_subscription_ids: ["6a1d5988-5917-4221-b224-904cd7e24a25"] num_uses: 3 register: success_config - - - assert: { that: "{{ success_config.changed }} == True" } + + - assert: { that: "success_config is changed" } - name: idempotently create role hashivault_azure_auth_role: @@ -39,13 +39,13 @@ bound_subscription_ids: ["6a1d5988-5917-4221-b224-904cd7e24a25"] num_uses: 3 register: idem_config - - - assert: { that: "{{ idem_config.changed }} == False" } + + - assert: { that: "idem_config is not changed" } - name: delete role hashivault_azure_auth_role: name: test state: absent register: del_config - - - assert: { that: "{{ del_config.changed }} == True" } + + - assert: { that: "del_config is changed" } diff --git a/functional/test_azure_config.yml b/functional/test_azure_config.yml index fa850abb..2dd12413 100644 --- a/functional/test_azure_config.yml +++ b/functional/test_azure_config.yml @@ -22,7 +22,7 @@ register: fail_config failed_when: false - - assert: { that: "{{ fail_config.changed }} == False" } + - assert: { that: "fail_config is not changed" } - hashivault_secret_engine: name: azure @@ -37,7 +37,7 @@ tenant_id: "{{ tenant_id }}" register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: attempt 2nd config with same values hashivault_azure_secret_engine_config: @@ -47,7 +47,7 @@ tenant_id: "{{ tenant_id }}" register: idem_config - - assert: { that: "{{ idem_config.changed }} == False" } + - assert: { that: "idem_config is not changed" } - name: attempt 3rd config with different values hashivault_azure_secret_engine_config: @@ -57,4 +57,4 @@ tenant_id: splurgh register: overwrite_config - - assert: { that: "{{ overwrite_config.changed }} == True" } + - assert: { that: "overwrite_config is changed" } diff --git a/functional/test_azure_role.yml b/functional/test_azure_role.yml index c2894782..bf40da4d 100644 --- a/functional/test_azure_role.yml +++ b/functional/test_azure_role.yml @@ -22,13 +22,13 @@ failed_when: false register: fail_config - - assert: { that: "{{ fail_config.changed }} == False" } # fail - + - assert: { that: "fail_config is not changed" } # fail + - name: enable azure secret engine hashivault_secret_engine: name: azure backend: azure - + - name: configure azure mount hashivault_azure_secret_engine_config: subscription_id: "{{ subscription_id }}" @@ -42,7 +42,7 @@ azure_role: "{{ azure_role1 }}" register: success_write - - assert: { that: "{{ success_write.changed }} == True" } # changed + - assert: { that: "success_write is changed" } # changed - name: idem same azure_role hashivault_azure_secret_engine_role: @@ -50,7 +50,7 @@ azure_role: "{{ azure_role1 }}" register: idem_write - - assert: { that: "{{ idem_write.changed }} == False" } # not changed + - assert: { that: "idem_write is not changed" } # not changed - name: overwrite existing hashivault_azure_secret_engine_role: @@ -58,7 +58,7 @@ azure_role: "{{ azure_role2 }}" register: overwrite - - assert: { that: "{{ overwrite.changed }} == True" } # changed + - assert: { that: "overwrite is changed" } # changed # since we're doing dict compare, ensure that a dict with less obj # correctly is overwritten @@ -68,4 +68,4 @@ azure_role: "{{ azure_role1 }}" register: overwrite_smaller - - assert: { that: "{{ overwrite_smaller.changed }} == True" } # changed + - assert: { that: "overwrite_smaller is changed" } # changed diff --git a/functional/test_cas.yml b/functional/test_cas.yml index d5fc781c..8b2cd37e 100644 --- a/functional/test_cas.yml +++ b/functional/test_cas.yml @@ -16,8 +16,8 @@ version: 2 cas_required: True register: 'vault_secret_enable' - - assert: { that: "{{vault_secret_enable.changed}} == True" } - - assert: { that: "{{vault_secret_enable.rc}} == 0" } + - assert: { that: "vault_secret_enable is changed" } + - assert: { that: "vault_secret_enable.rc == 0" } - name: Update kv2 secret store engine hashivault_secret_engine: @@ -27,8 +27,8 @@ version: 2 max_versions: 8 register: 'vault_secret_enable' - - assert: { that: "{{vault_secret_enable.changed}} == True" } - - assert: { that: "{{vault_secret_enable.rc}} == 0" } + - assert: { that: "vault_secret_enable is changed" } + - assert: { that: "vault_secret_enable.rc == 0" } - name: Update kv2 secret store engine idempotent hashivault_secret_engine: @@ -39,8 +39,8 @@ cas_required: True max_versions: 8 register: 'vault_secret_enable' - - assert: { that: "{{vault_secret_enable.changed}} == False" } - - assert: { that: "{{vault_secret_enable.rc}} == 0" } + - assert: { that: "vault_secret_enable is not changed" } + - assert: { that: "vault_secret_enable.rc == 0" } - name: cas kv2 write hashivault_write: @@ -51,9 +51,9 @@ data: value: firstvalue register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret kv2/casy written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret kv2/casy written'" } + - assert: { that: "vault_write.rc == 0" } - name: cas kv2 write two hashivault_write: @@ -64,9 +64,9 @@ data: value: secondvalue register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret kv2/casy written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret kv2/casy written'" } + - assert: { that: "vault_write.rc == 0" } - name: cas kv2 write fail hashivault_write: @@ -78,9 +78,9 @@ value: firstvalue failed_when: False register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "'did not match the current version' in '{{vault_write.msg}}'" } - - assert: { that: "{{vault_write.rc}} == 1" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "'did not match the current version' in vault_write.msg" } + - assert: { that: "vault_write.rc == 1" } - name: no cas kv2 write fail @@ -92,14 +92,14 @@ value: firstvalue failed_when: False register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "'check-and-set parameter required' in '{{vault_write.msg}}'" } - - assert: { that: "{{vault_write.rc}} == 1" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "'check-and-set parameter required' in vault_write.msg" } + - assert: { that: "vault_write.rc == 1" } - name: Disable kv2 secret store hashivault_secret_engine: name: "kv2" state: absent register: 'vault_secret_disable' - - assert: { that: "{{vault_secret_disable.changed}} == True" } - - assert: { that: "{{vault_secret_disable.rc}} == 0" } + - assert: { that: "vault_secret_disable is changed" } + - assert: { that: "vault_secret_disable.rc == 0" } diff --git a/functional/test_consul_config.yml b/functional/test_consul_config.yml index 5b7e5443..bce6a1d2 100644 --- a/functional/test_consul_config.yml +++ b/functional/test_consul_config.yml @@ -19,8 +19,8 @@ consul_token: "{{ consul_token }}" register: fail_config failed_when: false - - assert: { that: "{{ fail_config.changed }} == False" } - - assert: { that: "{{ fail_config.rc }} == 1" } + - assert: { that: "fail_config is not changed" } + - assert: { that: "fail_config.rc == 1" } - name: enable database secret engine hashivault_secret_engine: @@ -33,5 +33,5 @@ scheme: "{{ scheme }}" consul_token: "{{ consul_token }}" register: success_config - - assert: { that: "{{ success_config.changed }} == True" } - - assert: { that: "{{ success_config.rc }} == 0" } + - assert: { that: "success_config is changed" } + - assert: { that: "success_config.rc == 0" } diff --git a/functional/test_consul_role.yml b/functional/test_consul_role.yml index 4400fc96..d8c443b8 100644 --- a/functional/test_consul_role.yml +++ b/functional/test_consul_role.yml @@ -26,24 +26,24 @@ name: "{{ role_name }}" register: fail_write failed_when: false - - assert: { that: "{{ fail_write.rc }} == 1" } - - assert: { that: "{{ fail_write.changed }} == False" } + - assert: { that: "fail_write.rc == 1" } + - assert: { that: "fail_write is not changed" } - name: successfully write a role hashivault_consul_secret_engine_role: name: "{{ role_name }}" policy: "{{ policy }}" register: success_write - - assert: { that: "{{ success_write.rc }} == 0" } - - assert: { that: "{{ success_write.changed }} == True" } + - assert: { that: "success_write.rc == 0" } + - assert: { that: "success_write is changed" } - name: idempotent write a role hashivault_consul_secret_engine_role: name: "{{ role_name }}" policy: "{{ policy }}" register: idem_write - - assert: { that: "{{ idem_write.rc }} == 0" } - - assert: { that: "{{ idem_write.changed }} == False" } + - assert: { that: "idem_write.rc == 0" } + - assert: { that: "idem_write is not changed" } - name: successfully update a role hashivault_consul_secret_engine_role: @@ -51,21 +51,21 @@ policy: "{{ policy }}" max_ttl: 12345 register: success_write - - assert: { that: "{{ success_write.rc }} == 0" } - - assert: { that: "{{ success_write.changed }} == True" } + - assert: { that: "success_write.rc == 0" } + - assert: { that: "success_write is changed" } - name: delete role hashivault_consul_secret_engine_role: name: "{{ role_name }}" state: absent register: success_del - - assert: { that: "{{ success_del.rc }} == 0" } - - assert: { that: "{{ success_del.changed }} == True" } + - assert: { that: "success_del.rc == 0" } + - assert: { that: "success_del is changed" } - name: idempotent delete role hashivault_consul_secret_engine_role: name: "{{ role_name }}" state: absent register: success_del - - assert: { that: "{{ success_del.rc }} == 0" } - - assert: { that: "{{ success_del.changed }} == False" } + - assert: { that: "success_del.rc == 0" } + - assert: { that: "success_del is not changed" } diff --git a/functional/test_db_config.yml b/functional/test_db_config.yml index 1d9fff62..14fabab6 100644 --- a/functional/test_db_config.yml +++ b/functional/test_db_config.yml @@ -15,7 +15,7 @@ hashivault_secret_engine: name: database state: disable - + - name: make sure test fails when no mount exists hashivault_db_secret_engine_config: name: test @@ -28,13 +28,13 @@ register: fail_config failed_when: false - - assert: { that: "{{ fail_config.changed }} == False" } - + - assert: { that: "fail_config is not changed" } + - name: enable database secret engine hashivault_secret_engine: name: database backend: database - + - name: successfully configure hashivault_db_secret_engine_config: name: test @@ -46,7 +46,7 @@ connection_url: "{{ connection_url }}" register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: skip 2nd config attempt with same values hashivault_db_secret_engine_config: @@ -58,8 +58,8 @@ password: "{{ db_password }}" connection_url: "{{ connection_url }}" register: idem_config - - - assert: { that: "{{ idem_config.changed }} == False" } + + - assert: { that: "idem_config is not changed" } - name: attempt 3rd config with different values hashivault_db_secret_engine_config: @@ -71,5 +71,5 @@ password: "{{ db_password }}" connection_url: "{{ connection_url }}" register: overwrite_config - - - assert: { that: "{{ overwrite_config.changed }} == True" } + + - assert: { that: "overwrite_config is changed" } diff --git a/functional/test_db_role.yml b/functional/test_db_role.yml index a5a42293..177af7d1 100644 --- a/functional/test_db_role.yml +++ b/functional/test_db_role.yml @@ -14,7 +14,7 @@ hashivault_secret_engine: name: database state: disable - + - name: make sure test fails when no mount exists hashivault_db_secret_engine_config: name: test @@ -26,13 +26,13 @@ register: fail_config failed_when: false - - assert: { that: "{{ fail_config.changed }} == False" } - + - assert: { that: "fail_config is not changed" } + - name: enable database secret engine hashivault_secret_engine: name: database backend: database - + - name: successfully configure hashivault_db_secret_engine_config: name: test @@ -43,7 +43,7 @@ connection_url: "{{ connection_url }}" register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: successfully write a role hashivault_db_secret_engine_role: @@ -51,8 +51,8 @@ db_name: test creation_statements: [] register: success_write - - - assert: { that: "{{ success_write.changed }} == True" } + + - assert: { that: "success_write is changed" } - name: skip write a role hashivault_db_secret_engine_role: @@ -60,8 +60,8 @@ db_name: test creation_statements: [] register: idem_write - - - assert: { that: "{{ idem_write.changed }} == False" } + + - assert: { that: "idem_write is not changed" } - name: delete role hashivault_db_secret_engine_role: @@ -69,8 +69,8 @@ db_name: test state: absent register: success_del - - - assert: { that: "{{ success_del.changed }} == True" } + + - assert: { that: "success_del is changed" } - name: skip delete role hashivault_db_secret_engine_role: @@ -78,5 +78,5 @@ db_name: test state: absent register: success_del - - - assert: { that: "{{ success_del.changed }} == False" } \ No newline at end of file + + - assert: { that: "success_del is not changed" } diff --git a/functional/test_delete.yml b/functional/test_delete.yml index 50e7b3ea..c097413b 100644 --- a/functional/test_delete.yml +++ b/functional/test_delete.yml @@ -16,14 +16,14 @@ hashivault_delete: secret: test_delete register: vault_delete - - assert: { that: "{{vault_delete.changed}} == True" } - - assert: { that: "{{vault_delete.rc}} == 0" } - - assert: { that: "'{{vault_delete.msg}}' == 'Secret secret/test_delete deleted'" } + - assert: { that: "vault_delete is changed" } + - assert: { that: "vault_delete.rc == 0" } + - assert: { that: "vault_delete.msg == 'Secret secret/test_delete deleted'" } - name: Make sure secret value is gone hashivault_read: secret: test_delete register: vault_read failed_when: False - - assert: { that: "{{vault_read.changed}} == False" } - - assert: { that: "'{{vault_read.msg}}' == 'Secret secret/test_delete is not in vault'" } + - assert: { that: "vault_read is not changed" } + - assert: { that: "vault_read.msg == 'Secret secret/test_delete is not in vault'" } diff --git a/functional/test_delete_permanent.yml b/functional/test_delete_permanent.yml index d61a8952..156bcf18 100644 --- a/functional/test_delete_permanent.yml +++ b/functional/test_delete_permanent.yml @@ -17,14 +17,14 @@ secret: test_delete_permanent permanent: true register: vault_delete - - assert: { that: "{{vault_delete.changed}} == True" } - - assert: { that: "{{vault_delete.rc}} == 0" } - - assert: { that: "'{{vault_delete.msg}}' == 'Secret secret/test_delete_permanent deleted'" } + - assert: { that: "vault_delete is changed" } + - assert: { that: "vault_delete.rc == 0" } + - assert: { that: "vault_delete.msg == 'Secret secret/test_delete_permanent deleted'" } - name: Make sure secret value is gone hashivault_read: secret: test_delete_permanent register: vault_read failed_when: False - - assert: { that: "{{vault_read.changed}} == False" } - - assert: { that: "'{{vault_read.msg}}' == 'Secret secret/test_delete_permanent is not in vault'" } + - assert: { that: "vault_read is not changed" } + - assert: { that: "vault_read.msg == 'Secret secret/test_delete_permanent is not in vault'" } diff --git a/functional/test_environment_lookup.yml b/functional/test_environment_lookup.yml index fc287700..39d21448 100644 --- a/functional/test_environment_lookup.yml +++ b/functional/test_environment_lookup.yml @@ -1,4 +1,4 @@ -# +# # This test depends on successful test_write run # --- @@ -24,4 +24,4 @@ tasks: - set_fact: a_set_fie: "{{lookup('hashivault', '{{name_root}}', 'fie')}}" - - assert: { that: "'{{a_set_fie}}' == 'fum'" } + - assert: { that: "a_set_fie == 'fum'" } diff --git a/functional/test_ephemeral.yml b/functional/test_ephemeral.yml index 452d3c7b..b3b23fcf 100644 --- a/functional/test_ephemeral.yml +++ b/functional/test_ephemeral.yml @@ -12,16 +12,16 @@ name: "ephemeral" backend: "generic" register: 'vault_secret_enable' - - assert: { that: "{{vault_secret_enable.changed}} == True" } - - assert: { that: "{{vault_secret_enable.rc}} == 0" } + - assert: { that: "vault_secret_enable is changed" } + - assert: { that: "vault_secret_enable.rc == 0" } - name: Enable same secret store again and check it doesn't fail hashivault_secret_engine: name: "ephemeral" backend: "generic" register: 'vault_secret_enable_twice' - - assert: { that: "{{vault_secret_enable_twice.changed}} == False" } - - assert: { that: "{{vault_secret_enable_twice.rc}} == 0" } + - assert: { that: "vault_secret_enable_twice is not changed" } + - assert: { that: "vault_secret_enable_twice.rc == 0" } - name: Write a value to the ephemeral store hashivault_write: @@ -34,27 +34,27 @@ secret: '/ephemeral/name' key: 'value' register: 'vault_read' - - assert: { that: "'{{vault_read.value}}' == 'ephemeral_stuff'" } + - assert: { that: "vault_read.value == 'ephemeral_stuff'" } - set_fact: looky_ephemeral: "{{lookup('hashivault', '/ephemeral/name', 'value')}}" - - assert: { that: "'{{looky_ephemeral}}' == 'ephemeral_stuff'" } + - assert: { that: "looky_ephemeral == 'ephemeral_stuff'" } - name: Delete ephemeral secret hashivault_delete: secret: '/ephemeral/name' register: 'vault_secret_eph_delete' - - assert: { that: "{{vault_secret_eph_delete.changed}} == True" } - - assert: { that: "{{vault_secret_eph_delete.rc}} == 0" } - - assert: { that: "'{{vault_secret_eph_delete.msg}}' == 'Secret ephemeral/name deleted'" } + - assert: { that: "vault_secret_eph_delete is changed" } + - assert: { that: "vault_secret_eph_delete.rc == 0" } + - assert: { that: "vault_secret_eph_delete.msg == 'Secret ephemeral/name deleted'" } - name: Make sure ephemeral value is gone hashivault_read: secret: '/ephemeral/name' register: 'vault_read' failed_when: False - - assert: { that: "{{vault_read.changed}} == False" } - - assert: { that: "'{{vault_read.msg}}' == 'Secret ephemeral/name is not in vault'" } + - assert: { that: "vault_read is not changed" } + - assert: { that: "vault_read.msg == 'Secret ephemeral/name is not in vault'" } - name: Tune ephemeral secret store hashivault_secret_engine: @@ -62,8 +62,8 @@ backend: "generic" description: "new description" register: vault_update - - assert: { that: "{{ vault_update.changed }} == True" } - - assert: { that: "{{ vault_update.rc }} == 0" } + - assert: { that: "vault_update is changed" } + - assert: { that: "vault_update.rc == 0" } - name: Idempotent tuning ephemeral secret store hashivault_secret_engine: @@ -71,13 +71,13 @@ backend: "generic" description: "new description" register: vault_update - - assert: { that: "{{ vault_update.changed }} == False" } - - assert: { that: "{{ vault_update.rc }} == 0" } + - assert: { that: "vault_update is not changed" } + - assert: { that: "vault_update.rc == 0" } - name: Disable ephemeral secret store hashivault_secret_engine: name: "ephemeral" state: disabled register: 'vault_secret_disable' - - assert: { that: "{{vault_secret_enable.changed}} == True" } - - assert: { that: "{{vault_secret_enable.rc}} == 0" } + - assert: { that: "vault_secret_enable is changed" } + - assert: { that: "vault_secret_enable.rc == 0" } diff --git a/functional/test_full_path.yml b/functional/test_full_path.yml index 6e7da4d7..ae5bf651 100644 --- a/functional/test_full_path.yml +++ b/functional/test_full_path.yml @@ -13,25 +13,25 @@ data: basket: ball register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/full/path written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/full/path written'" } + - assert: { that: "vault_write.rc == 0" } - name: Read full path hashivault_read: secret: /secret/full/path key: basket register: vault_read - - assert: { that: "'{{vault_read.value}}' == 'ball'" } + - assert: { that: "vault_read.value == 'ball'" } - set_fact: basket: "{{lookup('hashivault', '/secret/full/path', 'basket')}}" - - assert: { that: "'{{basket}}' == 'ball'" } + - assert: { that: "basket == 'ball'" } - name: Delete full path hashivault_delete: secret: /secret/full/path register: vault_delete - - assert: { that: "{{vault_delete.changed}} == True" } - - assert: { that: "{{vault_delete.rc}} == 0" } - - assert: { that: "'{{vault_delete.msg}}' == 'Secret secret/full/path deleted'" } \ No newline at end of file + - assert: { that: "vault_delete is changed" } + - assert: { that: "vault_delete.rc == 0" } + - assert: { that: "vault_delete.msg == 'Secret secret/full/path deleted'" } diff --git a/functional/test_generate_root.yml b/functional/test_generate_root.yml index dafea195..1e7cb26e 100644 --- a/functional/test_generate_root.yml +++ b/functional/test_generate_root.yml @@ -5,57 +5,57 @@ vault_keys: "{{ lookup('env','VAULT_KEYS') }}" tasks: - assert: - that: "'{{vault_keys}}' != ''" + that: "vault_keys != ''" msg: "VAULT_KEYS must be set to run this test" - name: Cancel anything that might be going hashivault_generate_root_cancel: register: hashivault_generate_root_cancel - - assert: { that: "{{hashivault_generate_root_cancel.rc}} == 0" } + - assert: { that: "hashivault_generate_root_cancel.rc == 0" } - name: Generate root token initialize hashivault_generate_root_init: register: hashivault_generate_root_init - - assert: { that: "{{hashivault_generate_root_init.changed}} == True" } - - assert: { that: "{{hashivault_generate_root_init.rc}} == 0" } + - assert: { that: "hashivault_generate_root_init is changed" } + - assert: { that: "hashivault_generate_root_init.rc == 0" } - name: Generate root status hashivault_generate_root_status: register: hashivault_generate_root_status - - assert: { that: "{{hashivault_generate_root_status.changed}} == False" } - - assert: { that: "{{hashivault_generate_root_status.rc}} == 0" } + - assert: { that: "hashivault_generate_root_status is not changed" } + - assert: { that: "hashivault_generate_root_status.rc == 0" } - name: Generate a root token hashivault_generate_root: key: "{{vault_keys}}" nonce: "{{hashivault_generate_root_init.status.nonce}}" register: hashivault_generate_root - - assert: { that: "{{hashivault_generate_root.changed}} == True" } - - assert: { that: "{{hashivault_generate_root.rc}} == 0" } - - assert: { that: "{{hashivault_generate_root.status.complete}} == True" } + - assert: { that: "hashivault_generate_root is changed" } + - assert: { that: "hashivault_generate_root.rc == 0" } + - assert: { that: "hashivault_generate_root.status.complete == True" } - name: Generate root token initialize hashivault_generate_root_init: register: hashivault_generate_root_init - - assert: { that: "{{hashivault_generate_root_init.changed}} == True" } - - assert: { that: "{{hashivault_generate_root_init.rc}} == 0" } + - assert: { that: "hashivault_generate_root_init is changed" } + - assert: { that: "hashivault_generate_root_init.rc == 0" } - name: Generate root status hashivault_generate_root_status: register: hashivault_generate_root_status - - assert: { that: "{{hashivault_generate_root_status.changed}} == False" } - - assert: { that: "{{hashivault_generate_root_status.rc}} == 0" } - - assert: { that: "{{hashivault_generate_root_status.status.started}} == True" } + - assert: { that: "hashivault_generate_root_status is not changed" } + - assert: { that: "hashivault_generate_root_status.rc == 0" } + - assert: { that: "hashivault_generate_root_status.status.started == True" } - name: Cancel that hashivault_generate_root_cancel: register: hashivault_generate_root_cancel - - assert: { that: "{{hashivault_generate_root_cancel.changed}} == True" } - - assert: { that: "{{hashivault_generate_root_cancel.rc}} == 0" } + - assert: { that: "hashivault_generate_root_cancel is changed" } + - assert: { that: "hashivault_generate_root_cancel.rc == 0" } - name: Generate root status hashivault_generate_root_status: register: hashivault_generate_root_status - - assert: { that: "{{hashivault_generate_root_status.changed}} == False" } - - assert: { that: "{{hashivault_generate_root_status.rc}} == 0" } - - assert: { that: "{{hashivault_generate_root_status.status.started}} == False" } \ No newline at end of file + - assert: { that: "hashivault_generate_root_status is not changed" } + - assert: { that: "hashivault_generate_root_status.rc == 0" } + - assert: { that: "hashivault_generate_root_status.status.started == False" } diff --git a/functional/test_identity_entity.yml b/functional/test_identity_entity.yml index 0932abb3..25328062 100644 --- a/functional/test_identity_entity.yml +++ b/functional/test_identity_entity.yml @@ -14,32 +14,32 @@ name: bob policies: bob register: vault_identity - - assert: { that: "{{vault_identity.changed}} == True" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Update no change hashivault_identity_entity: name: bob policies: bob register: vault_identity - - assert: { that: "{{vault_identity.changed}} == False" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is not changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Update remove policy hashivault_identity_entity: name: bob policies: null register: vault_identity - - assert: { that: "{{vault_identity.changed}} == False" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is not changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Update readd policy hashivault_identity_entity: name: bob policies: bob register: vault_identity - - assert: { that: "{{vault_identity.changed}} == False" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is not changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Update hashivault_identity_entity: @@ -50,43 +50,43 @@ c: d disabled: True register: vault_identity - - assert: { that: "{{vault_identity.changed}} == True" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Delete it for the first time hashivault_identity_entity: name: bob state: absent register: vault_identity - - assert: { that: "{{vault_identity.changed}} == True" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Delete it again hashivault_identity_entity: name: bob state: absent register: vault_identity - - assert: { that: "{{vault_identity.changed}} == False" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is not changed" } + - assert: { that: "vault_identity.rc == 0" } - name: Create new one hashivault_identity_entity: name: sam policies: sam register: vault_identity - - assert: { that: "{{vault_identity.changed}} == True" } - - assert: { that: "{{vault_identity.rc}} == 0" } + - assert: { that: "vault_identity is changed" } + - assert: { that: "vault_identity.rc == 0" } - hashivault_identity_entity_alias: name: sammy entity_name: sam register: vault_identity_alias - - assert: { that: "{{vault_identity_alias.changed}} == True" } - - assert: { that: "{{vault_identity_alias.rc}} == 0" } + - assert: { that: "vault_identity_alias is changed" } + - assert: { that: "vault_identity_alias.rc == 0" } - hashivault_identity_entity_alias: name: sammy entity_name: sam state: absent register: vault_identity_alias - - assert: { that: "{{vault_identity_alias.changed}} == True" } - - assert: { that: "{{vault_identity_alias.rc}} == 0" } \ No newline at end of file + - assert: { that: "vault_identity_alias is changed" } + - assert: { that: "vault_identity_alias.rc == 0" } diff --git a/functional/test_identity_group.yml b/functional/test_identity_group.yml index 896d1ff5..2c8b9ca5 100644 --- a/functional/test_identity_group.yml +++ b/functional/test_identity_group.yml @@ -23,7 +23,7 @@ state: present register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: chg metadata hashivault_identity_group: @@ -33,7 +33,7 @@ functional: testing register: chg_metadata - - assert: { that: "{{ chg_metadata.changed }} == True" } + - assert: { that: "chg_metadata is changed" } - name: duplicate metadata hashivault_identity_group: @@ -43,7 +43,7 @@ functional: testing register: chg_metadata - - assert: { that: "{{ chg_metadata.changed }} == False" } + - assert: { that: "chg_metadata is not changed" } - name: chg policies - add functional_testing_policy_one hashivault_identity_group: @@ -53,7 +53,7 @@ - functional_testing_policy_one register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == True" } + - assert: { that: "chg_policies is changed" } - name: duplicate policies hashivault_identity_group: @@ -63,7 +63,7 @@ - functional_testing_policy_one register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == False" } + - assert: { that: "chg_policies is not changed" } - name: chg policies - add functional_testing_policy_two hashivault_identity_group: @@ -74,7 +74,7 @@ - functional_testing_policy_two register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == True" } + - assert: { that: "chg_policies is changed" } - name: chg policies - remove functional_testing_policy_one hashivault_identity_group: @@ -84,27 +84,27 @@ - functional_testing_policy_two register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == True" } + - assert: { that: "chg_policies is changed" } - name: add external identity group hashivault_identity_group: name: extest group_type: external register: vault_identity_group - - assert: { that: "{{vault_identity_group.changed}} == True" } - - assert: { that: "{{vault_identity_group.rc}} == 0" } + - assert: { that: "vault_identity_group is changed" } + - assert: { that: "vault_identity_group.rc == 0" } - hashivault_identity_group_alias: name: "extest alias" group_name: extest register: vault_identity_alias - - assert: { that: "{{vault_identity_alias.changed}} == True" } - - assert: { that: "{{vault_identity_alias.rc}} == 0" } + - assert: { that: "vault_identity_alias is changed" } + - assert: { that: "vault_identity_alias.rc == 0" } - hashivault_identity_group_alias: name: "extest alias" group_name: extest state: absent register: vault_identity_alias - - assert: { that: "{{vault_identity_alias.changed}} == True" } - - assert: { that: "{{vault_identity_alias.rc}} == 0" } + - assert: { that: "vault_identity_alias is changed" } + - assert: { that: "vault_identity_alias.rc == 0" } diff --git a/functional/test_init.yml b/functional/test_init.yml index 5007abb9..303de9a7 100644 --- a/functional/test_init.yml +++ b/functional/test_init.yml @@ -8,24 +8,24 @@ secret_threshold: 1 register: 'vault_init' - block: - - assert: { that: "{{vault_init.rc}} == 0" } - when: "vault_init.changed == False" + - assert: { that: "vault_init.rc == 0" } + when: "vault_init is not changed" - block: - assert: { that: "'keys' in vault_init" } - assert: { that: "'root_token' in vault_init" } - - assert: { that: "{{vault_init.rc}} == 0" } + - assert: { that: "vault_init.rc == 0" } - set_fact: vault_keys: "{{vault_init['keys'] | join(' ')}}" - name: Unseal the vault hashivault_unseal: keys: '{{vault_keys}}' register: 'vault_unseal' - - assert: { that: "{{vault_unseal.changed}} == True" } - - assert: { that: "{{vault_unseal.status.progress}} == 0" } - - assert: { that: "{{vault_unseal.status.sealed}} == False" } - - assert: { that: "{{vault_unseal.rc}} == 0" } + - assert: { that: "vault_unseal is changed" } + - assert: { that: "vault_unseal.status.progress == 0" } + - assert: { that: "vault_unseal.status.sealed == False" } + - assert: { that: "vault_unseal.rc == 0" } - template: src: "{{playbook_dir}}/templates/vaultenv.sh.j2" dest: "{{playbook_dir}}/vaultenv.sh" mode: 0700 - when: "vault_init.changed == True" + when: "vault_init is changed" diff --git a/functional/test_k8_auth.yml b/functional/test_k8_auth.yml index c10374d8..014de2f6 100644 --- a/functional/test_k8_auth.yml +++ b/functional/test_k8_auth.yml @@ -17,8 +17,8 @@ kubernetes_host: http://127.0.0.1:8443 kubernetes_ca_cert: "{{ lookup('file', './cacert.pem') }}" token_reviewer_jwt: "{{ lookup('file', './jwt.jws') }}" - - assert: { that: "{{ k8s_module.changed }} == True" } - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module is changed" } + - assert: { that: "k8s_module.rc == 0" } - name: idempotent create config register: k8s_module @@ -26,8 +26,8 @@ kubernetes_host: http://127.0.0.1:8443 kubernetes_ca_cert: "{{ lookup('file', './cacert.pem') }}" token_reviewer_jwt: "{{ lookup('file', './jwt.jws') }}" - - assert: { that: "{{ k8s_module.changed }} == False" } - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module is not changed" } + - assert: { that: "k8s_module.rc == 0" } - name: update config register: k8s_module @@ -36,8 +36,8 @@ kubernetes_ca_cert: "{{ lookup('file', './cacert.pem') }}" token_reviewer_jwt: "{{ lookup('file', './jwt.jws') }}" # issuer: bob hvac 0.10.2 - - assert: { that: "{{ k8s_module.changed }} == True" } - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module is changed" } + - assert: { that: "k8s_module.rc == 0" } - name: create role delete hashivault_k8s_auth_role: @@ -52,8 +52,8 @@ bound_service_account_namespaces: ["default", "some-app"] token_type: service register: k8s_module - - assert: { that: "{{ k8s_module.changed }} == True" } - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module is changed" } + - assert: { that: "k8s_module.rc == 0" } - name: read role hashivault_read: @@ -66,7 +66,7 @@ - k8s_module.value.bound_service_account_names|sort == ["vault-auth"]|sort - k8s_module.value.bound_service_account_namespaces|sort == ["some-app","default"]|sort - k8s_module.value.token_type == 'service' - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module.rc == 0" } - name: create role idempotent hashivault_k8s_auth_role: @@ -76,13 +76,13 @@ bound_service_account_namespaces: ["default", "some-app"] token_type: service register: k8s_module - - assert: { that: "{{ k8s_module.changed }} == False" } - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module is not changed" } + - assert: { that: "k8s_module.rc == 0" } - name: create role delete hashivault_k8s_auth_role: name: "testk8srole" state: absent register: k8s_module - - assert: { that: "{{ k8s_module.changed }} == True" } - - assert: { that: "{{ k8s_module.rc }} == 0" } + - assert: { that: "k8s_module is changed" } + - assert: { that: "k8s_module.rc == 0" } diff --git a/functional/test_kv2.yml b/functional/test_kv2.yml index 5faa85b0..b30e7313 100644 --- a/functional/test_kv2.yml +++ b/functional/test_kv2.yml @@ -15,8 +15,8 @@ options: version: 2 register: 'vault_secret_enable' - - assert: { that: "{{vault_secret_enable.changed}} == True" } - - assert: { that: "{{vault_secret_enable.rc}} == 0" } + - assert: { that: "vault_secret_enable is changed" } + - assert: { that: "vault_secret_enable.rc == 0" } - name: Enable same secret store again and check it doesn't fail hashivault_secret_engine: @@ -25,8 +25,8 @@ options: version: 2 register: 'vault_secret_enable_twice' - - assert: { that: "{{vault_secret_enable_twice.changed}} == False" } - - assert: { that: "{{vault_secret_enable_twice.rc}} == 0" } + - assert: { that: "vault_secret_enable_twice is not changed" } + - assert: { that: "vault_secret_enable_twice.rc == 0" } - name: Write a value to the kv2 store hashivault_write: @@ -36,9 +36,9 @@ data: value: kv2_stuff register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret kv2/name written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret kv2/name written'" } + - assert: { that: "vault_write.rc == 0" } - name: Update a value to the kv2 store hashivault_write: @@ -49,9 +49,9 @@ data: ingrediant: corn register: vault_update - - assert: { that: "{{vault_update.changed}} == True" } - - assert: { that: "'{{vault_update.msg}}' == 'Secret kv2/name written'" } - - assert: { that: "{{vault_update.rc}} == 0" } + - assert: { that: "vault_update is changed" } + - assert: { that: "vault_update.msg == 'Secret kv2/name written'" } + - assert: { that: "vault_update.rc == 0" } - name: Update a value to the kv2 store again hashivault_write: @@ -62,8 +62,8 @@ data: ingrediant: corn register: vault_update - - assert: { that: "{{vault_update.changed}} == False" } - - assert: { that: "{{vault_update.rc}} == 0" } + - assert: { that: "vault_update is not changed" } + - assert: { that: "vault_update.rc == 0" } - name: Read the new kv2 value hashivault_read: @@ -72,7 +72,7 @@ key: ingrediant version: 2 register: vault_read - - assert: { that: "'{{vault_read.value}}' == 'corn'" } + - assert: { that: "vault_read.value == 'corn'" } - name: Read the kv2 value hashivault_read: @@ -81,7 +81,7 @@ key: value version: 2 register: vault_read - - assert: { that: "'{{vault_read.value}}' == 'kv2_stuff'" } + - assert: { that: "vault_read.value == 'kv2_stuff'" } - name: Read the whole kv2 value hashivault_read: @@ -102,7 +102,7 @@ - set_fact: looky_kv2: "{{lookup('hashivault', 'name', 'value', version=2, mount_point='kv2')}}" - - assert: { that: "'{{looky_kv2}}' == 'kv2_stuff'" } + - assert: { that: "looky_kv2 == 'kv2_stuff'" } - name: Delete kv2 secret hashivault_delete: @@ -110,9 +110,9 @@ secret: name version: 2 register: 'vault_secret_delete' - - assert: { that: "{{vault_secret_delete.changed}} == True" } - - assert: { that: "{{vault_secret_delete.rc}} == 0" } - - assert: { that: "'{{vault_secret_delete.msg}}' == 'Secret kv2/name deleted'" } + - assert: { that: "vault_secret_delete is changed" } + - assert: { that: "vault_secret_delete.rc == 0" } + - assert: { that: "vault_secret_delete.msg == 'Secret kv2/name deleted'" } - name: Make sure kv2 value is gone hashivault_read: @@ -121,8 +121,8 @@ version: 2 register: 'vault_read' failed_when: False - - assert: { that: "{{vault_read.changed}} == False" } - - assert: { that: "'{{vault_read.msg}}' == 'Secret kv2/name is not in vault'" } + - assert: { that: "vault_read is not changed" } + - assert: { that: "vault_read.msg == 'Secret kv2/name is not in vault'" } - name: Tune kv2 secret store hashivault_secret_engine: @@ -134,8 +134,8 @@ default_lease_ttl: 3600 max_lease_ttl: 8600 register: vault_tune - - assert: { that: "{{ vault_tune.changed }} == True" } - - assert: { that: "{{ vault_tune.rc }} == 0" } + - assert: { that: "vault_tune is changed" } + - assert: { that: "vault_tune.rc == 0" } - name: Idempotent tuning kv2 secret store hashivault_secret_engine: @@ -147,13 +147,13 @@ default_lease_ttl: 3600 max_lease_ttl: 8600 register: vault_tune - - assert: { that: "{{ vault_tune.changed }} == False" } - - assert: { that: "{{ vault_tune.rc }} == 0" } + - assert: { that: "vault_tune is not changed" } + - assert: { that: "vault_tune.rc == 0" } - name: Disable kv2 secret store hashivault_secret_engine: name: "kv2" state: absent register: 'vault_secret_disable' - - assert: { that: "{{vault_secret_disable.changed}} == True" } - - assert: { that: "{{vault_secret_disable.rc}} == 0" } + - assert: { that: "vault_secret_disable is changed" } + - assert: { that: "vault_secret_disable.rc == 0" } diff --git a/functional/test_ldap_group.yml b/functional/test_ldap_group.yml index 08343410..8973b36a 100644 --- a/functional/test_ldap_group.yml +++ b/functional/test_ldap_group.yml @@ -20,14 +20,14 @@ hashivault_auth_ldap: ldap_url: ldap://localhost register: ldap_module - - assert: { that: "{{ ldap_module.changed }} == True" } - - assert: { that: "{{ ldap_module.rc }} == 0" } + - assert: { that: "ldap_module is changed" } + - assert: { that: "ldap_module.rc == 0" } - name: ldap configuration is idempotent hashivault_auth_ldap: ldap_url: ldap://localhost register: ldap_module_idempotent - - assert: { that: "{{ ldap_module_idempotent.changed }} == False" } + - assert: { that: "ldap_module_idempotent is not changed" } - name: remove ldap group hashivault_ldap_group: @@ -40,7 +40,7 @@ state: present register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: chg policies - add functional_testing_policy_one hashivault_ldap_group: @@ -50,7 +50,7 @@ - functional_testing_policy_one register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == True" } + - assert: { that: "chg_policies is changed" } - name: duplicate policies hashivault_ldap_group: @@ -60,7 +60,7 @@ - functional_testing_policy_one register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == False" } + - assert: { that: "chg_policies is not changed" } - name: chg policies - add functional_testing_policy_two hashivault_ldap_group: @@ -71,7 +71,7 @@ - functional_testing_policy_two register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == True" } + - assert: { that: "chg_policies is changed" } - name: chg policies - remove functional_testing_policy_one hashivault_ldap_group: @@ -81,4 +81,4 @@ - functional_testing_policy_two register: chg_policies - - assert: { that: "{{ chg_policies.changed }} == True" } + - assert: { that: "chg_policies is changed" } diff --git a/functional/test_list.yml b/functional/test_list.yml index a73fa695..34a2beee 100644 --- a/functional/test_list.yml +++ b/functional/test_list.yml @@ -43,7 +43,7 @@ secret: 'whatutalkinbout' register: vault_list failed_when: False - - assert: { that: "vault_list.changed == False" } + - assert: { that: "vault_list is not changed" } - assert: { that: "vault_list.rc == 1" } - assert: { that: "vault_list.msg == 'Secret does not exist: secret/whatutalkinbout'" } @@ -89,7 +89,7 @@ version: 2 register: vault_list failed_when: False - - assert: { that: "vault_list.changed == False" } + - assert: { that: "vault_list is not changed" } - assert: { that: "vault_list.rc == 1" } - assert: { that: "vault_list.msg == 'Secret does not exist: dummyv2/whatutalkinbout'" } diff --git a/functional/test_lookup.yml b/functional/test_lookup.yml index a04f396d..f00d9dfb 100644 --- a/functional/test_lookup.yml +++ b/functional/test_lookup.yml @@ -19,23 +19,23 @@ - 'two' - 'three' tasks: - - assert: { that: "'{{vars_foo}}' == 'new'" } + - assert: { that: "vars_foo == 'new'" } - set_fact: a_set_fie: "{{lookup('hashivault', '{{name_root}}', 'fie')}}" - - assert: { that: "'{{a_set_fie}}' == 'fum'" } + - assert: { that: "a_set_fie == 'fum'" } - set_fact: a_set_fie: "{{lookup('hashivault', '{{name_folder}}', 'height')}}" - - assert: { that: "'{{a_set_fie}}' == 'tall'" } + - assert: { that: "a_set_fie == 'tall'" } - set_fact: a_set_dict: "{{lookup('hashivault', '{{name_dict}}', 'foo')}}" - - assert: { that: "'{{a_set_dict}}' == 'bar'" } + - assert: { that: "a_set_dict == 'bar'" } - set_fact: a_set_array: "{{lookup('hashivault', '{{name_array}}', 'value') | first}}" - - assert: { that: "'{{a_set_array}}' == 'one'" } + - assert: { that: "a_set_array == 'one'" } - set_fact: a_set_dict_all: "{{lookup('hashivault', '{{name_dict}}')}}" @@ -47,8 +47,8 @@ - set_fact: looky_secret: "{{lookup('hashivault', '{{namespace}}fourofour/notfound', 'value', default='noob')}}" - - assert: { that: "'{{looky_secret}}' == 'noob'" } + - assert: { that: "looky_secret == 'noob'" } - set_fact: looky_secret: "{{lookup('hashivault', '{{name_root}}', 'fie', url='http://bogus', errors='ignore')}}" - - assert: { that: "'{{looky_secret}}' == ''" } + - assert: { that: "looky_secret == ''" } diff --git a/functional/test_mounts.yml b/functional/test_mounts.yml index 4d62e36f..cb2ce9ab 100644 --- a/functional/test_mounts.yml +++ b/functional/test_mounts.yml @@ -17,7 +17,7 @@ state: present register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: skip with config defaults hashivault_secret_engine: @@ -25,7 +25,7 @@ state: present register: skip_config - - assert: { that: "{{ skip_config.changed }} == False" } + - assert: { that: "skip_config is not changed" } - name: changed with config vars hashivault_secret_engine: @@ -34,7 +34,7 @@ config: {'default_lease_ttl': 1234567} register: chg_config - - assert: { that: "{{ chg_config.changed }} == True" } + - assert: { that: "chg_config is changed" } - name: changed to version 2 hashivault_secret_engine: @@ -44,7 +44,7 @@ options: {'version': '2'} register: chg_version - - assert: { that: "{{ chg_version.changed }} == True" } + - assert: { that: "chg_version is changed" } - name: dont fail when options passed to non kv hashivault_secret_engine: @@ -55,7 +55,7 @@ options: {'version': '2'} register: dont_pass_options - - assert: { that: "{{ dont_pass_options.changed }} == True" } + - assert: { that: "dont_pass_options is changed" } - name: cleanup 1 hashivault_secret_engine: @@ -66,7 +66,7 @@ options: {'version': '2'} register: disable - - assert: { that: "{{ disable.changed }} == True" } + - assert: { that: "disable is changed" } - name: cleanup 2 hashivault_secret_engine: @@ -77,4 +77,4 @@ options: {'version': '2'} register: disable2 - - assert: { that: "{{ disable2.changed }} == True" } \ No newline at end of file + - assert: { that: "disable2 is changed" } diff --git a/functional/test_namespace.yml b/functional/test_namespace.yml index 3c48c44c..e56badf8 100644 --- a/functional/test_namespace.yml +++ b/functional/test_namespace.yml @@ -2,7 +2,7 @@ - hosts: localhost connection: localhost tasks: - + - hashivault_namespace: name: hvtest state: absent @@ -11,48 +11,48 @@ name: hvtest register: first_create - - assert: { that: "{{first_create.changed}} == True" } + - assert: { that: "first_create is changed" } - hashivault_namespace: name: hvtest register: idem_create - - assert: { that: "{{idem_create.changed}} == False" } + - assert: { that: "idem_create is not changed" } - hashivault_namespace: name: child namespace: hvtest register: second_create - - assert: { that: "{{second_create.changed}} == True" } - + - assert: { that: "second_create is changed" } + - hashivault_namespace: name: child namespace: hvtest register: second_idem_create - - assert: { that: "{{second_idem_create.changed}} == False" } + - assert: { that: "second_idem_create is not changed" } - hashivault_namespace: name: child2 namespace: hvtest/child register: third_create - - assert: { that: "{{third_create.changed}} == True" } + - assert: { that: "third_create is changed" } - hashivault_namespace: name: child2 namespace: hvtest/child register: third_idem_create - - assert: { that: "{{third_idem_create.changed}} == False" } + - assert: { that: "third_idem_create is not changed" } - hashivault_namespace: name: hvtest state: absent register: delete_fail failed_when: False - - assert: { that: "{{delete_fail.rc}} != 0" } + - assert: { that: "delete_fail.rc != 0" } - hashivault_namespace: @@ -61,7 +61,7 @@ state: absent register: delete_one - - assert: { that: "{{delete_one.changed}} == True" } + - assert: { that: "delete_one is changed" } - hashivault_namespace: name: child @@ -69,18 +69,18 @@ state: absent register: delete_two - - assert: { that: "{{delete_two.changed}} == True" } + - assert: { that: "delete_two is changed" } - hashivault_namespace: name: hvtest state: absent register: delete_three - - assert: { that: "{{delete_three.changed}} == True" } + - assert: { that: "delete_three is changed" } - hashivault_namespace: name: hvtest state: absent register: delete_idem - - assert: { that: "{{delete_idem.changed}} == False" } \ No newline at end of file + - assert: { that: "delete_idem is not changed" } diff --git a/functional/test_not_there.yml b/functional/test_not_there.yml index adbd9e05..735ad52f 100644 --- a/functional/test_not_there.yml +++ b/functional/test_not_there.yml @@ -13,9 +13,9 @@ key: 'value' register: 'vault_read' failed_when: False - - assert: { that: "{{vault_read.failed}} == False" } - - assert: { that: "{{vault_read.rc}} == 1" } - - assert: { that: "'{{vault_read.msg}}' == 'Secret secret/fourofour/nothome is not in vault'" } + - assert: { that: "vault_read.failed == False" } + - assert: { that: "vault_read.rc == 1" } + - assert: { that: "vault_read.msg == 'Secret secret/fourofour/nothome is not in vault'" } - name: Nonexistent secret path with empty default hashivault_read: @@ -23,9 +23,9 @@ key: 'value' default: '' register: 'vault_read' - - assert: { that: "'{{vault_read.value}}' == ''" } - - assert: { that: "{{vault_read.failed}} == False" } - - assert: { that: "{{vault_read.rc}} == 0" } + - assert: { that: "vault_read.value == ''" } + - assert: { that: "vault_read.failed == False" } + - assert: { that: "vault_read.rc == 0" } - name: Nonexistent secret path with default hashivault_read: @@ -33,11 +33,11 @@ key: 'value' default: 'carseat' register: 'vault_read' - - assert: { that: "'{{vault_read.value}}' == 'carseat'" } + - assert: { that: "vault_read.value == 'carseat'" } - set_fact: looky_secret: "{{lookup('hashivault', '{{secret_name}}', 'value', default='headrest')}}" - - assert: { that: "'{{looky_secret}}' == 'headrest'" } + - assert: { that: "looky_secret == 'headrest'" } - name: Write new different value to secret store hashivault_write: @@ -51,12 +51,12 @@ key: 'value' default: 'better' register: 'vault_read' - - assert: { that: "'{{vault_read.value}}' == 'better'" } + - assert: { that: "vault_read.value == 'better'" } - set_fact: looky_secret: "{{lookup('hashivault', '{{secret_name}}', 'othervalue', default='noob')}}" - - assert: { that: "'{{looky_secret}}' == 'one'" } + - assert: { that: "looky_secret == 'one'" } - set_fact: looky_secret: "{{lookup('hashivault', '{{secret_name}}', 'value', default='noob')}}" - - assert: { that: "'{{looky_secret}}' == 'noob'" } + - assert: { that: "looky_secret == 'noob'" } diff --git a/functional/test_oidc_auth_method_config.yml b/functional/test_oidc_auth_method_config.yml index 542f7d33..405cf71d 100644 --- a/functional/test_oidc_auth_method_config.yml +++ b/functional/test_oidc_auth_method_config.yml @@ -20,7 +20,7 @@ register: fail_config failed_when: false - - assert: { that: "{{ fail_config.changed }} == False" } + - assert: { that: "fail_config is not changed" } - name: enable oidc auth method hashivault_auth_method: @@ -33,7 +33,7 @@ oidc_client_secret: "{{ oidc_client_secret }}" register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: attempt 2nd config with same values hashivault_oidc_auth_method_config: @@ -41,7 +41,7 @@ oidc_client_id: "{{ oidc_client_id }}" register: idem_config - - assert: { that: "{{ idem_config.changed }} == False" } + - assert: { that: "idem_config is not changed" } - name: attempt 3rd config with different values hashivault_oidc_auth_method_config: @@ -50,4 +50,4 @@ oidc_client_secret: pineapple register: overwrite_config - - assert: { that: "{{ overwrite_config.changed }} == True" } + - assert: { that: "overwrite_config is changed" } diff --git a/functional/test_oidc_auth_role.yml b/functional/test_oidc_auth_role.yml index 2233f400..faa3d275 100644 --- a/functional/test_oidc_auth_role.yml +++ b/functional/test_oidc_auth_role.yml @@ -30,7 +30,7 @@ token_policies: ["test"] register: success_config - - assert: { that: "{{ success_config.changed }} == True" } + - assert: { that: "success_config is changed" } - name: idempotently create role hashivault_oidc_auth_role: @@ -40,7 +40,7 @@ token_policies: ["test"] register: idem_config - - assert: { that: "{{ idem_config.changed }} == False" } + - assert: { that: "idem_config is not changed" } - name: delete role hashivault_oidc_auth_role: @@ -49,4 +49,4 @@ allowed_redirect_uris: ["https://123456.com/callback"] register: del_config - - assert: { that: "{{ del_config.changed }} == True" } + - assert: { that: "del_config is changed" } diff --git a/functional/test_pki.yml b/functional/test_pki.yml index fc66f010..6ca3b1f2 100644 --- a/functional/test_pki.yml +++ b/functional/test_pki.yml @@ -62,7 +62,7 @@ backend: "pki" description: "Root pki engine" register: response - - assert: { that: "{{response.rc}} == 0" } + - assert: { that: "response.rc == 0" } - name: Generate Intermediate hashivault_pki_ca: mount_point: "{{mount_inter}}" @@ -366,7 +366,7 @@ description: "Root pki engine" state: absent register: response - - assert: { that: "{{response.rc}} == 0" } + - assert: { that: "response.rc == 0" } - name: Disable PKI secrets engine hashivault_secret_engine: name: "{{mount_root}}" @@ -374,4 +374,4 @@ description: "Root pki engine" state: absent register: response - - assert: { that: "{{response.rc}} == 0" } + - assert: { that: "response.rc == 0" } diff --git a/functional/test_policy.yml b/functional/test_policy.yml index 8c9bfa2b..73e01d53 100644 --- a/functional/test_policy.yml +++ b/functional/test_policy.yml @@ -29,58 +29,58 @@ - hashivault_policy_list: register: 'vault_policy_list' - - assert: { that: "{{vault_policy_list.changed}} == False" } - - assert: { that: "{{vault_policy_list.rc}} == 0" } + - assert: { that: "vault_policy_list is not changed" } + - assert: { that: "vault_policy_list.rc == 0" } - name: Delete a policy that doesn't exist and check that doesn't change or fail hashivault_policy: name: '{{namespace}}' state: absent register: 'vault_policy_delete' - - assert: { that: "{{vault_policy_delete.changed}} == False" } - - assert: { that: "{{vault_policy_delete.rc}} == 0" } + - assert: { that: "vault_policy_delete is not changed" } + - assert: { that: "vault_policy_delete.rc == 0" } - name: Set new policy hashivault_policy: name: "{{namespace}}" rules: "{{rules}}" register: 'vault_policy' - - assert: { that: "{{vault_policy.changed}} == True" } - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy is changed" } + - assert: { that: "vault_policy.rc == 0" } - name: Set policy again and check that it doesn't change hashivault_policy: name: "{{namespace}}" rules: "{{rules}}" register: 'vault_policy_twice' - - assert: { that: "{{vault_policy_twice.changed}} == False" } - - assert: { that: "{{vault_policy_twice.rc}} == 0" } + - assert: { that: "vault_policy_twice is not changed" } + - assert: { that: "vault_policy_twice.rc == 0" } - name: Get policy and make sure it set properly hashivault_policy_get: name: '{{namespace}}' register: 'vault_policy_get' - - assert: { that: "{{vault_policy_get.changed}} == False" } + - assert: { that: "vault_policy_get is not changed" } - set_fact: actual: "{{vault_policy_get.rules | regex_replace('\n', '')}}" - - assert: { that: "'{{expected}}' == '{{actual}}'" } - - assert: { that: "{{vault_policy_get.rc}} == 0" } + - assert: { that: "expected == actual" } + - assert: { that: "vault_policy_get.rc == 0" } - name: Make sure our new policy is in list hashivault_policy_list: register: 'vault_policy_list' - - assert: { that: "{{vault_policy_list.changed}} == False" } + - assert: { that: "vault_policy_list is not changed" } - fail: msg="policy {{namespace}} not in list" when: namespace not in vault_policy_list.policies - - assert: { that: "{{vault_policy_list.rc}} == 0" } + - assert: { that: "vault_policy_list.rc == 0" } - name: Set new policy from file hashivault_policy: name: "{{namespace}}" rules_file: "templates/policy_rules.hcl" register: 'vault_policy' - - assert: { that: "{{vault_policy.changed}} == True" } - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy is changed" } + - assert: { that: "vault_policy.rc == 0" } - name: Validate file policy hashivault_policy_get: @@ -88,56 +88,56 @@ register: 'vault_policy_get' - set_fact: actual: "{{vault_policy_get.rules | regex_replace('\n', '') | regex_replace(' ', '')}}" - - assert: { that: "'{{bobs_expected}}' == '{{actual}}'" } + - assert: { that: "bobs_expected == actual" } - name: Get rid of our new policy hashivault_policy: name: '{{namespace}}' state: absent register: 'vault_policy_delete' - - assert: { that: "{{vault_policy_delete.changed}} == True" } - - assert: { that: "{{vault_policy_delete.rc}} == 0" } + - assert: { that: "vault_policy_delete is changed" } + - assert: { that: "vault_policy_delete.rc == 0" } - name: Make sure our new policy is gone hashivault_policy_list: register: 'vault_policy_list' - - assert: { that: "{{vault_policy_list.changed}} == False" } + - assert: { that: "vault_policy_list is not changed" } - fail: msg="policy {{namespace}} in list" when: namespace in vault_policy_list.policies - - assert: { that: "{{vault_policy_list.rc}} == 0" } + - assert: { that: "vault_policy_list.rc == 0" } - name: Get bogus policy hashivault_policy_get: name: '{{namespace}}bogus' register: 'vault_policy_get' failed_when: False - - assert: { that: "{{vault_policy_get.changed}} == False" } - - assert: { that: "{{vault_policy_get.rc}} == 1" } - - assert: { that: "{{vault_policy_get.failed}} == False" } - - assert: { that: "'{{vault_policy_get.msg}}' == 'Policy \"terrybogus\" does not exist.'" } + - assert: { that: "vault_policy_get is not changed" } + - assert: { that: "vault_policy_get.rc == 1" } + - assert: { that: "vault_policy_get.failed == False" } + - assert: { that: "vault_policy_get.msg == 'Policy \"terrybogus\" does not exist.'" } - name: Set new policy from file hashivault_policy: name: bob rules_file: "templates/policy_rules.hcl" register: 'vault_policy' - - assert: { that: "{{vault_policy.changed}} == True" } - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy is changed" } + - assert: { that: "vault_policy.rc == 0" } - name: Get new from file policy and make sure it set properly hashivault_policy_get: name: bob register: 'vault_policy_get' - - assert: { that: "{{vault_policy_get.changed}} == False" } + - assert: { that: "vault_policy_get is not changed" } - set_fact: actual: "{{vault_policy_get.rules | regex_replace('\n', '') | regex_replace(' ', '')}}" - - assert: { that: "'{{bobs_expected}}' == '{{actual}}'" } - - assert: { that: "{{vault_policy_get.rc}} == 0" } + - assert: { that: "bobs_expected == actual" } + - assert: { that: "vault_policy_get.rc == 0" } - name: Delete our new policy from file hashivault_policy: name: bob state: absent register: 'vault_policy_delete' - - assert: { that: "{{vault_policy_delete.changed}} == True" } - - assert: { that: "{{vault_policy_delete.rc}} == 0" } + - assert: { that: "vault_policy_delete is changed" } + - assert: { that: "vault_policy_delete.rc == 0" } diff --git a/functional/test_read.yml b/functional/test_read.yml index 27611b14..2dd38e63 100644 --- a/functional/test_read.yml +++ b/functional/test_read.yml @@ -23,28 +23,28 @@ secret: '{{name_root}}' key: foo register: vault_read - - assert: { that: "'{{vault_read.value}}' == 'new'" } + - assert: { that: "vault_read.value == 'new'" } - name: Read other secret value hashivault_read: secret: '{{name_root}}' key: fie register: vault_read - - assert: { that: "'{{vault_read.value}}' == 'fum'" } + - assert: { that: "vault_read.value == 'fum'" } - name: Read other secret folder hashivault_read: secret: '{{name_folder}}' key: height register: vault_read - - assert: { that: "'{{vault_read.value}}' == 'tall'" } + - assert: { that: "vault_read.value == 'tall'" } - name: Read secret dictionary hashivault_read: secret: '{{name_dict}}' register: vault_read - assert: { that: "vault_read.value == dict_value" } - - assert: { that: "{{vault_read.rc}} == 0" } + - assert: { that: "vault_read.rc == 0" } - name: Read array type secret and make sure it matches hashivault_read: @@ -52,10 +52,10 @@ key: value register: vault_read - assert: { that: "vault_read.value == array_value" } - - assert: { that: "'{{vault_read.value[0]}}' == '{{array_value[0]}}'" } - - assert: { that: "'{{vault_read.value[1]}}' == '{{array_value[1]}}'" } - - assert: { that: "'{{vault_read.value[2]}}' == '{{array_value[2]}}'" } + - assert: { that: "vault_read.value[0] == array_value[0]" } + - assert: { that: "vault_read.value[1] == array_value[1]" } + - assert: { that: "vault_read.value[2] == array_value[2]" } - set_fact: looky_secret: "{{lookup('hashivault', '{{name_array}}', 'value') | first}}" - - assert: { that: "'{{looky_secret}}' == 'one'" } + - assert: { that: "looky_secret == 'one'" } diff --git a/functional/test_read_write_file.yml b/functional/test_read_write_file.yml index e330dfba..26b3ae49 100644 --- a/functional/test_read_write_file.yml +++ b/functional/test_read_write_file.yml @@ -34,7 +34,7 @@ - assert: that: - - "{{vault_write_from_file.changed}} == True" + - "vault_write_from_file is changed" - name: read file with hashivault_read hashivault_read: @@ -44,7 +44,7 @@ - assert: that: - - "'{{ gen_file_encoded.content }}' == '{{ secret_contents.value }}'" + - "gen_file_encoded.content == secret_contents.value" ######################################################## @@ -81,7 +81,7 @@ - assert: that: - - "{{ results.failed }} == True" + - "results.failed == True" - name: read file with hashivault_read_to_file hashivault_read_to_file: @@ -93,7 +93,7 @@ - assert: that: - - "{{ results.rc }} == 0" + - "results.rc == 0" ######################################################## @@ -110,7 +110,7 @@ - assert: that: - - "'{{ results.mode }}' == '0777'" + - "results.mode == '0777'" ######################################################## @@ -126,8 +126,8 @@ - assert: that: - - "{{vault_write.changed}} == True" - - "'{{vault_write.msg}}' == 'Secret secret/old_secret written'" + - "vault_write is changed" + - "vault_write.msg == 'Secret secret/old_secret written'" - name: write file to old secret hashivault_write_from_file: @@ -138,7 +138,7 @@ - assert: that: - - "{{vault_write_from_file.changed}} == True" + - "vault_write_from_file is changed" - name: read file with hashivault_read hashivault_read: @@ -148,7 +148,7 @@ - assert: that: - - "'{{ gen_file_encoded.content }}' == '{{ secret_contents.value }}'" + - "gen_file_encoded.content == secret_contents.value" - name: read old key with hashivault_read hashivault_read: @@ -158,7 +158,7 @@ - assert: that: - - "'{{ secret_contents.value }}' == 'foo'" + - "secret_contents.value == 'foo'" ######################################################## @@ -174,7 +174,7 @@ - assert: that: - - "{{vault_write_from_file.changed}} == True" + - "vault_write_from_file is changed" - name: write key with update == False (should remove old_key) hashivault_write_from_file: @@ -186,7 +186,7 @@ - assert: that: - - "{{vault_write_from_file.changed}} == True" + - "vault_write_from_file is changed" - name: read missing key hashivault_read: @@ -197,7 +197,7 @@ - assert: that: - - "{{ results.failed }} == True" + - "results.failed == True" ######################################################## - name: hashivault_read_to_file with non base64 secret @@ -208,9 +208,9 @@ force: True register: results failed_when: False - - assert: { that: "{{results.changed}} == False" } - - assert: { that: "{{results.rc}} == 1" } - - assert: { that: "'{{results.msg}}' == 'Error base64 decoding secret old_secret/old_key: Incorrect padding'" } + - assert: { that: "results is not changed" } + - assert: { that: "results.rc == 1" } + - assert: { that: "results.msg == 'Error base64 decoding secret old_secret/old_key: Incorrect padding'" } - name: success hashivault_read_to_file with non base64 secret @@ -221,9 +221,9 @@ force: True base64: False register: results - - assert: { that: "{{results.changed}} == True" } - - assert: { that: "{{results.rc}} == 0" } - - assert: { that: "{{results.failed}} == False" } + - assert: { that: "results is changed" } + - assert: { that: "results.rc == 0" } + - assert: { that: "results.failed == False" } ######################################################## # Clean up test files. diff --git a/functional/test_rekey.yml b/functional/test_rekey.yml index 5edbc5f6..e49f4c2f 100644 --- a/functional/test_rekey.yml +++ b/functional/test_rekey.yml @@ -7,15 +7,15 @@ - name: Check rekey status hashivault_rekey_status: register: 'vault_rekey_status' - - assert: { that: "{{vault_rekey_status.changed}} == False" } - - assert: { that: "{{vault_rekey_status.rc}} == 0" } + - assert: { that: "vault_rekey_status is not changed" } + - assert: { that: "vault_rekey_status.rc == 0" } - block: - name: Cancel the rekey if one was started hashivault_rekey_cancel: register: 'vault_rekey_cancel' - - assert: { that: "{{vault_rekey_cancel.changed}} == True" } - - assert: { that: "{{vault_rekey_cancel.rc}} == 0" } + - assert: { that: "vault_rekey_cancel is changed" } + - assert: { that: "vault_rekey_cancel.rc == 0" } when: "vault_rekey_status.status.started == True" - name: Start a rekey @@ -23,46 +23,46 @@ secret_shares: 1 secret_threshold: 1 register: 'vault_rekey_init' - - assert: { that: "{{vault_rekey_init.changed}} == True" } - - assert: { that: "{{vault_rekey_init.status.progress}} == 0" } - - assert: { that: "{{vault_rekey_init.status.started}} == True" } - - assert: { that: "{{vault_rekey_init.rc}} == 0" } - - assert: { that: "{{vault_rekey_init.status.verification_required}} == False" } + - assert: { that: "vault_rekey_init is changed" } + - assert: { that: "vault_rekey_init.status.progress == 0" } + - assert: { that: "vault_rekey_init.status.started == True" } + - assert: { that: "vault_rekey_init.rc == 0" } + - assert: { that: "vault_rekey_init.status.verification_required == False" } - name: Make sure the rekey started hashivault_rekey_status: register: 'vault_rekey_status' - - assert: { that: "{{vault_rekey_status.changed}} == False" } - - assert: { that: "{{vault_rekey_status.rc}} == 0" } - - assert: { that: "{{vault_rekey_init.status.progress}} == 0" } - - assert: { that: "{{vault_rekey_status.status.started}} == True" } + - assert: { that: "vault_rekey_status is not changed" } + - assert: { that: "vault_rekey_status.rc == 0" } + - assert: { that: "vault_rekey_init.status.progress == 0" } + - assert: { that: "vault_rekey_status.status.started == True" } - name: Canel the rekey hashivault_rekey_cancel: register: 'vault_rekey_cancel' - - assert: { that: "{{vault_rekey_cancel.changed}} == True" } - - assert: { that: "{{vault_rekey_cancel.rc}} == 0" } + - assert: { that: "vault_rekey_cancel is changed" } + - assert: { that: "vault_rekey_cancel.rc == 0" } - name: Restart that rekey again hashivault_rekey_init: secret_shares: 1 secret_threshold: 1 register: 'vault_rekey_init' - - assert: { that: "{{vault_rekey_init.changed}} == True" } - - assert: { that: "{{vault_rekey_init.status.progress}} == 0" } - - assert: { that: "{{vault_rekey_init.status.started}} == True" } - - assert: { that: "{{vault_rekey_init.rc}} == 0" } - - assert: { that: "{{vault_rekey_init.status.verification_required}} == False" } + - assert: { that: "vault_rekey_init is changed" } + - assert: { that: "vault_rekey_init.status.progress == 0" } + - assert: { that: "vault_rekey_init.status.started == True" } + - assert: { that: "vault_rekey_init.rc == 0" } + - assert: { that: "vault_rekey_init.status.verification_required == False" } - name: Update the rekey hashivault_rekey: key: "{{ unseal_key }}" nonce: "{{ vault_rekey_init.status.nonce }}" register: 'vault_rekey' - - assert: { that: "{{vault_rekey.changed}} == True" } - - assert: { that: "{{vault_rekey.rc}} == 0" } - - assert: { that: "{{vault_rekey.status.complete}} == True" } - - assert: { that: "{{vault_rekey.status.verification_required}} == False" } + - assert: { that: "vault_rekey is changed" } + - assert: { that: "vault_rekey.rc == 0" } + - assert: { that: "vault_rekey.status.complete == True" } + - assert: { that: "vault_rekey.status.verification_required == False" } - name: Update vaultenv.sh with new keys lineinfile: diff --git a/functional/test_rekey_verify.yml b/functional/test_rekey_verify.yml index 00cf83ea..ff37e7e0 100644 --- a/functional/test_rekey_verify.yml +++ b/functional/test_rekey_verify.yml @@ -7,15 +7,15 @@ - name: Check rekey status hashivault_rekey_status: register: 'vault_rekey_status' - - assert: { that: "{{vault_rekey_status.changed}} == False" } - - assert: { that: "{{vault_rekey_status.rc}} == 0" } + - assert: { that: "vault_rekey_status is not changed" } + - assert: { that: "vault_rekey_status.rc == 0" } - block: - name: Cancel the rekey if one was started hashivault_rekey_cancel: register: 'vault_rekey_cancel' - - assert: { that: "{{vault_rekey_cancel.changed}} == True" } - - assert: { that: "{{vault_rekey_cancel.rc}} == 0" } + - assert: { that: "vault_rekey_cancel is changed" } + - assert: { that: "vault_rekey_cancel.rc == 0" } when: "vault_rekey_status.status.started == True" - name: Start a rekey @@ -24,25 +24,25 @@ secret_threshold: 1 verification_required: True register: 'vault_rekey_init' - - assert: { that: "{{vault_rekey_init.changed}} == True" } - - assert: { that: "{{vault_rekey_init.status.progress}} == 0" } - - assert: { that: "{{vault_rekey_init.status.started}} == True" } - - assert: { that: "{{vault_rekey_init.rc}} == 0" } - - assert: { that: "{{vault_rekey_init.status.verification_required}} == True" } + - assert: { that: "vault_rekey_init is changed" } + - assert: { that: "vault_rekey_init.status.progress == 0" } + - assert: { that: "vault_rekey_init.status.started == True" } + - assert: { that: "vault_rekey_init.rc == 0" } + - assert: { that: "vault_rekey_init.status.verification_required == True" } - name: Make sure the rekey started hashivault_rekey_status: register: 'vault_rekey_status' - - assert: { that: "{{vault_rekey_status.changed}} == False" } - - assert: { that: "{{vault_rekey_status.rc}} == 0" } - - assert: { that: "{{vault_rekey_init.status.progress}} == 0" } - - assert: { that: "{{vault_rekey_status.status.started}} == True" } + - assert: { that: "vault_rekey_status is not changed" } + - assert: { that: "vault_rekey_status.rc == 0" } + - assert: { that: "vault_rekey_init.status.progress == 0" } + - assert: { that: "vault_rekey_status.status.started == True" } - name: Canel the rekey hashivault_rekey_cancel: register: 'vault_rekey_cancel' - - assert: { that: "{{vault_rekey_cancel.changed}} == True" } - - assert: { that: "{{vault_rekey_cancel.rc}} == 0" } + - assert: { that: "vault_rekey_cancel is changed" } + - assert: { that: "vault_rekey_cancel.rc == 0" } - name: Restart that rekey again hashivault_rekey_init: @@ -50,31 +50,31 @@ secret_threshold: 1 verification_required: True register: 'vault_rekey_init' - - assert: { that: "{{vault_rekey_init.changed}} == True" } - - assert: { that: "{{vault_rekey_init.status.progress}} == 0" } - - assert: { that: "{{vault_rekey_init.status.started}} == True" } - - assert: { that: "{{vault_rekey_init.rc}} == 0" } - - assert: { that: "{{vault_rekey_init.status.verification_required}} == True" } + - assert: { that: "vault_rekey_init is changed" } + - assert: { that: "vault_rekey_init.status.progress == 0" } + - assert: { that: "vault_rekey_init.status.started == True" } + - assert: { that: "vault_rekey_init.rc == 0" } + - assert: { that: "vault_rekey_init.status.verification_required == True" } - name: Update the rekey hashivault_rekey: key: "{{ unseal_key }}" nonce: "{{ vault_rekey_init.status.nonce }}" register: 'vault_rekey' - - assert: { that: "{{vault_rekey.changed}} == True" } - - assert: { that: "{{vault_rekey.rc}} == 0" } - - assert: { that: "{{vault_rekey.status.complete}} == True" } - - assert: { that: "{{vault_rekey.status.verification_required}} == True" } + - assert: { that: "vault_rekey is changed" } + - assert: { that: "vault_rekey.rc == 0" } + - assert: { that: "vault_rekey.status.complete == True" } + - assert: { that: "vault_rekey.status.verification_required == True" } - name: Verify the rekey hashivault_rekey_verify: key: "{{ vault_rekey['status']['keys'][0] }}" nonce: "{{ vault_rekey.status.verification_nonce }}" register: 'vault_rekey_verify' - - assert: { that: "{{vault_rekey_verify.changed}} == True" } - - assert: { that: "{{vault_rekey_verify.rc}} == 0" } - - assert: { that: "{{vault_rekey_verify.status.complete}} == True" } - - assert: { that: "'{{vault_rekey_verify.status.nonce}}' == '{{vault_rekey.status.verification_nonce}}'" } + - assert: { that: "vault_rekey_verify is changed" } + - assert: { that: "vault_rekey_verify.rc == 0" } + - assert: { that: "vault_rekey_verify.status.complete == True" } + - assert: { that: "vault_rekey_verify.status.nonce == vault_rekey.status.verification_nonce" } - name: Update vaultenv.sh with new keys lineinfile: diff --git a/functional/test_secret.yml b/functional/test_secret.yml index a55909eb..68146289 100644 --- a/functional/test_secret.yml +++ b/functional/test_secret.yml @@ -31,9 +31,9 @@ - two - three register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret {{namespace}}/secret_name written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret ' + namespace + '/secret_name written'" } + - assert: { that: "vault_write.rc == 0" } - name: Write again no change hashivault_secret: @@ -46,9 +46,9 @@ - two - three register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret {{namespace}}/secret_name unchanged'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "vault_write.msg == 'Secret ' + namespace + '/secret_name unchanged'" } + - assert: { that: "vault_write.rc == 0" } - name: Write again with change hashivault_secret: @@ -61,8 +61,8 @@ - two - four register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.rc == 0" } - hashivault_read: mount_point: '{{namespace}}' @@ -70,7 +70,7 @@ version: 2 register: vault_read - assert: { that: 'vault_read.value == {"fie": ["one", "two", "four"], "foo": "foe"}' } - - assert: { that: "{{vault_read.rc}} == 0" } + - assert: { that: "vault_read.rc == 0" } - name: Write again with change hashivault_secret: @@ -80,8 +80,8 @@ data: foo: future register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.rc == 0" } - hashivault_read: mount_point: '{{namespace}}' @@ -89,7 +89,7 @@ version: 2 register: vault_read - assert: { that: 'vault_read.value == {"fie": ["one", "two", "four"], "foo": "future"}' } - - assert: { that: "{{vault_read.rc}} == 0" } + - assert: { that: "vault_read.rc == 0" } - name: Write secret in folder hashivault_secret: @@ -98,9 +98,9 @@ data: height: tall register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret {{namespace}}/name/folder written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret ' + namespace + '/name/folder written'" } + - assert: { that: "vault_write.rc == 0" } - name: Initial ttl values hashivault_secret: @@ -110,7 +110,7 @@ ttl: 36000s max_ttl: 480s register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "vault_write is changed" } - name: Update minute ttl secret hashivault_secret: @@ -119,7 +119,7 @@ data: ttl: 600m register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update hour ttl secret hashivault_secret: @@ -128,7 +128,7 @@ data: ttl: 10h register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update second ttl secret hashivault_secret: @@ -137,7 +137,7 @@ data: ttl: 36000s register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update second ttl secret no s hashivault_secret: @@ -146,7 +146,7 @@ data: ttl: 36000 register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update second ttl secret new value hashivault_secret: @@ -155,7 +155,7 @@ data: ttl: 36001s register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "vault_write is changed" } - name: Write a secret to mess up no_log hashivault_secret: @@ -169,8 +169,8 @@ false: False true: True register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.rc == 0" } - name: Delete a secret hashivault_secret: @@ -178,9 +178,9 @@ mount_point: '{{namespace}}' secret: no_log register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret {{namespace}}/no_log deleted'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret ' + namespace + '/no_log deleted'" } + - assert: { that: "vault_write.rc == 0" } - name: Delete a secret again hashivault_secret: @@ -188,6 +188,6 @@ mount_point: '{{namespace}}' secret: no_log register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret {{namespace}}/no_log nonexistent'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "vault_write.msg == 'Secret ' + namespace + '/no_log nonexistent'" } + - assert: { that: "vault_write.rc == 0" } diff --git a/functional/test_secret_engine.yml b/functional/test_secret_engine.yml index e4d8c286..7f99eecb 100644 --- a/functional/test_secret_engine.yml +++ b/functional/test_secret_engine.yml @@ -19,9 +19,9 @@ backend: generic state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == True" } - - assert: { that: "{{ engine_result.changed }} == True" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == True" } + - assert: { that: "engine_result is changed" } - name: create idempotent hashivault_secret_engine: @@ -29,9 +29,9 @@ backend: generic state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == False" } - - assert: { that: "{{ engine_result.changed }} == False" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == False" } + - assert: { that: "engine_result is not changed" } - name: update description hashivault_secret_engine: @@ -40,9 +40,9 @@ description: 'vroom' state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == False" } - - assert: { that: "{{ engine_result.changed }} == True" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == False" } + - assert: { that: "engine_result is changed" } - name: update description idempotent hashivault_secret_engine: @@ -51,9 +51,9 @@ description: 'vroom' state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == False" } - - assert: { that: "{{ engine_result.changed }} == False" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == False" } + - assert: { that: "engine_result is not changed" } - name: update configuration hashivault_secret_engine: @@ -63,9 +63,9 @@ default_lease_ttl: 2764799 state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == False" } - - assert: { that: "{{ engine_result.changed }} == True" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == False" } + - assert: { that: "engine_result is changed" } - name: update configuration idempotent hashivault_secret_engine: @@ -75,9 +75,9 @@ default_lease_ttl: 2764799 state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == False" } - - assert: { that: "{{ engine_result.changed }} == False" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == False" } + - assert: { that: "engine_result is not changed" } - name: create kv hashivault_secret_engine: @@ -85,9 +85,9 @@ backend: kv state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == True" } - - assert: { that: "{{ engine_result.changed }} == True" } + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == True" } + - assert: { that: "engine_result is changed" } - name: update kv hashivault_secret_engine: @@ -96,6 +96,6 @@ description: 'kv engine' state: enabled register: engine_result - - assert: { that: "{{ engine_result.rc }} == 0" } - - assert: { that: "{{ engine_result.created }} == False" } - - assert: { that: "{{ engine_result.changed }} == True" } \ No newline at end of file + - assert: { that: "engine_result.rc == 0" } + - assert: { that: "engine_result.created == False" } + - assert: { that: "engine_result is changed" } diff --git a/functional/test_secret_list.yml b/functional/test_secret_list.yml index d31b8b64..53eac1ea 100644 --- a/functional/test_secret_list.yml +++ b/functional/test_secret_list.yml @@ -5,8 +5,7 @@ - name: List secret stores hashivault_secret_list: register: 'vault_secret_list' - - assert: { that: "{{vault_secret_list.changed}} == False" } - - assert: { that: "{{vault_secret_list.failed}} == False" } + - assert: { that: "vault_secret_list is not changed" } + - assert: { that: "vault_secret_list.failed == False" } - assert: { that: "'backends' in vault_secret_list" } - - assert: { that: "{{vault_secret_list.rc}} == 0" } - + - assert: { that: "vault_secret_list.rc == 0" } diff --git a/functional/test_ssh_role.yml b/functional/test_ssh_role.yml index f82b154b..c56e59c3 100644 --- a/functional/test_ssh_role.yml +++ b/functional/test_ssh_role.yml @@ -21,27 +21,27 @@ name: "sshrole_test_user_original" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: Set another ssh role policy hashivault_policy: name: "sshrole_test_user" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: delete role hashivault_ssh_role: name: testrole state: absent failed_when: false - + - name: list ssh roles empty hashivault_ssh_role_list: register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } - - assert: { that: "{{vault_role_list.data|length}} == 0"} + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } + - assert: { that: "vault_role_list.data|length == 0"} - name: create role hashivault_ssh_role: @@ -52,8 +52,8 @@ allow_host_certificates: true state: present register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: update role hashivault_ssh_role: @@ -62,8 +62,8 @@ allowed_users: sshrole_test_user state: present register: 'vault_role_update' - - assert: { that: "{{vault_role_update.changed}} == True" } - - assert: { that: "{{vault_role_update.rc}} == 0" } + - assert: { that: "vault_role_update is changed" } + - assert: { that: "vault_role_update.rc == 0" } - name: update role idempotent hashivault_ssh_role: @@ -73,13 +73,13 @@ allow_host_certificates: true state: present register: 'vault_role_update' - - assert: { that: "{{vault_role_update.changed}} == False" } - - assert: { that: "{{vault_role_update.rc}} == 0" } + - assert: { that: "vault_role_update is not changed" } + - assert: { that: "vault_role_update.rc == 0" } - name: list ssh roles hashivault_ssh_role_list: register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } - fail: msg="role testrole not in list {{vault_role_list.data}}" when: '"testrole" not in vault_role_list.data' diff --git a/functional/test_ssh_role_check_mode.yml b/functional/test_ssh_role_check_mode.yml index b9c6d50a..074c9059 100644 --- a/functional/test_ssh_role_check_mode.yml +++ b/functional/test_ssh_role_check_mode.yml @@ -11,8 +11,8 @@ state: present check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == False" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is not changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: create ssh role check_mode does not exist hashivault_ssh_role: @@ -23,8 +23,8 @@ state: present check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: delete ssh role check_mode exists hashivault_ssh_role: @@ -32,8 +32,8 @@ state: absent check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: delete ssh role check_mode does not exist hashivault_ssh_role: @@ -41,14 +41,14 @@ state: absent check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == False" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is not changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: list ssh roles check_mode hashivault_ssh_role_list: register: 'vault_role_list' check_mode: true - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } - fail: msg="role testrole not in list {{vault_role_list.data}}" when: '"testrole" not in vault_role_list.data' diff --git a/functional/test_status.yml b/functional/test_status.yml index 6170a79a..135dd9fb 100644 --- a/functional/test_status.yml +++ b/functional/test_status.yml @@ -5,42 +5,42 @@ - name: Get vault status and make sure it is unsealed hashivault_status: register: 'vault_status' - - assert: { that: "{{vault_status.changed}} == False" } - - assert: { that: "{{vault_status.status.progress}} == 0" } - - assert: { that: "{{vault_status.status.sealed}} == False" } - - assert: { that: "{{vault_status.rc}} == 0" } + - assert: { that: "vault_status is not changed" } + - assert: { that: "vault_status.status.progress == 0" } + - assert: { that: "vault_status.status.sealed == False" } + - assert: { that: "vault_status.rc == 0" } - name: Get hashivault_leader hashivault_leader: register: 'vault_status' - - assert: { that: "{{vault_status.changed}} == False" } - - assert: { that: "{{vault_status.status.ha_enabled}} == False" } - - assert: { that: "{{vault_status.rc}} == 0" } + - assert: { that: "vault_status is not changed" } + - assert: { that: "vault_status.status.ha_enabled == False" } + - assert: { that: "vault_status.rc == 0" } - name: Get hashivault_cluster_status hashivault_cluster_status: register: 'vault_status' - - assert: { that: "{{vault_status.changed}} == False" } - - assert: { that: "{{vault_status.rc}} == 0" } + - assert: { that: "vault_status is not changed" } + - assert: { that: "vault_status.rc == 0" } - name: Get hashivault_cluster_status hashivault_cluster_status: standby_ok: false register: 'vault_status' - - assert: { that: "{{vault_status.changed}} == False" } - - assert: { that: "{{vault_status.rc}} == 0" } + - assert: { that: "vault_status is not changed" } + - assert: { that: "vault_status.rc == 0" } - name: Get hashivault_cluster_status hashivault_cluster_status: method: GET register: 'vault_status' - - assert: { that: "{{vault_status.changed}} == False" } - - assert: { that: "{{vault_status.rc}} == 0" } + - assert: { that: "vault_status is not changed" } + - assert: { that: "vault_status.rc == 0" } - name: Get hashivault_cluster_status hashivault_cluster_status: standby_ok: false method: GET register: 'vault_status' - - assert: { that: "{{vault_status.changed}} == False" } - - assert: { that: "{{vault_status.rc}} == 0" } + - assert: { that: "vault_status is not changed" } + - assert: { that: "vault_status.rc == 0" } diff --git a/functional/test_token_role.yml b/functional/test_token_role.yml index f5b9a025..64f94f79 100644 --- a/functional/test_token_role.yml +++ b/functional/test_token_role.yml @@ -16,14 +16,14 @@ name: "tokenrole_test_policy_original" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: Set another token role policy hashivault_policy: name: "tokenrole_test_policy" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy.rc == 0" } - name: delete role hashivault_token_role: @@ -34,9 +34,9 @@ - name: list token roles empty hashivault_token_role_list: register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } - - assert: { that: "{{vault_role_list.data|length}} == 0"} + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } + - assert: { that: "vault_role_list.data|length == 0"} - name: create role hashivault_token_role: @@ -46,8 +46,8 @@ - tokenrole_test_policy_original state: present register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: update role hashivault_token_role: @@ -57,8 +57,8 @@ - tokenrole_test_policy state: present register: 'vault_role_update' - - assert: { that: "{{vault_role_update.changed}} == True" } - - assert: { that: "{{vault_role_update.rc}} == 0" } + - assert: { that: "vault_role_update is changed" } + - assert: { that: "vault_role_update.rc == 0" } - name: update role idempotent hashivault_token_role: @@ -68,13 +68,13 @@ - tokenrole_test_policy state: present register: 'vault_role_update' - - assert: { that: "{{vault_role_update.changed}} == False" } - - assert: { that: "{{vault_role_update.rc}} == 0" } + - assert: { that: "vault_role_update is not changed" } + - assert: { that: "vault_role_update.rc == 0" } - name: list token roles hashivault_token_role_list: register: 'vault_role_list' - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } - fail: msg="role testrole not in list {{vault_role_list.data}}" when: '"testrole" not in vault_role_list.data' diff --git a/functional/test_token_role_check_mode.yml b/functional/test_token_role_check_mode.yml index d64e3f2e..57c11283 100644 --- a/functional/test_token_role_check_mode.yml +++ b/functional/test_token_role_check_mode.yml @@ -11,8 +11,8 @@ state: present check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == False" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is not changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: create token role check_mode does not exist hashivault_token_role: @@ -23,8 +23,8 @@ state: present check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: delete token role check_mode exists hashivault_token_role: @@ -32,8 +32,8 @@ state: absent check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == True" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: delete token role check_mode does not exist hashivault_token_role: @@ -41,14 +41,14 @@ state: absent check_mode: true register: 'vault_role_create' - - assert: { that: "{{vault_role_create.changed}} == False" } - - assert: { that: "{{vault_role_create.rc}} == 0" } + - assert: { that: "vault_role_create is not changed" } + - assert: { that: "vault_role_create.rc == 0" } - name: list token roles check_mode hashivault_token_role_list: register: 'vault_role_list' check_mode: true - - assert: { that: "{{vault_role_list.changed}} == False" } - - assert: { that: "{{vault_role_list.rc}} == 0" } + - assert: { that: "vault_role_list is not changed" } + - assert: { that: "vault_role_list.rc == 0" } - fail: msg="role testrole not in list {{vault_role_list.data}}" when: '"testrole" not in vault_role_list.data' diff --git a/functional/test_tokens.yml b/functional/test_tokens.yml index d03db2c6..fe0a24aa 100644 --- a/functional/test_tokens.yml +++ b/functional/test_tokens.yml @@ -37,8 +37,8 @@ register: vault_policy - assert: that: - - "{{vault_policy.changed}} == True" - - "{{vault_policy.rc}} == 0" + - "vault_policy.changed == True" + - "vault_policy.rc == 0" - name: "Create a {{admin_name}} token, so we can stop using root token" hashivault_token_create: @@ -49,8 +49,8 @@ register: "vault_token_admin" - assert: that: - - "{{vault_token_admin.changed}} == True" - - "{{vault_token_admin.rc}} == 0" + - "vault_token_admin.changed == True" + - "vault_token_admin.rc == 0" - set_fact: new_root_token: "{{vault_token_admin['token']['auth']['client_token']}}" @@ -60,8 +60,8 @@ register: 'vault_policy_list' - assert: that: - - "{{vault_policy_list.changed}} == False" - - "{{vault_policy_list.rc}} == 0" + - "vault_policy_list.changed == False" + - "vault_policy_list.rc == 0" - name: "Lookup with root token" hashivault_token_lookup: @@ -69,8 +69,8 @@ register: "vault_token_lookup" - assert: that: - - "{{vault_token_lookup.changed}} == False" - - "{{vault_token_lookup.rc}} == 0" + - "vault_token_lookup.changed == False" + - "vault_token_lookup.rc == 0" - name: "Create a read-only policy" hashivault_policy: @@ -80,8 +80,8 @@ register: vault_policy - assert: that: - - "{{vault_policy.changed}} == True" - - "{{vault_policy.rc}} == 0" + - "vault_policy.changed == True" + - "vault_policy.rc == 0" - name: "Create a {{readonly_name}} token" hashivault_token_create: @@ -93,8 +93,8 @@ register: "vault_token_readonly" - assert: that: - - "{{vault_token_readonly.changed}} == True" - - "{{vault_token_readonly.rc}} == 0" + - "vault_token_readonly.changed == True" + - "vault_token_readonly.rc == 0" - set_fact: read_only_token: "{{vault_token_admin['token']['auth']['client_token']}}" @@ -104,8 +104,8 @@ register: 'vault_policy_list' - assert: that: - - "{{vault_policy_list.changed}} == False" - - "{{vault_policy_list.rc}} == 0" + - "vault_policy_list.changed == False" + - "vault_policy_list.rc == 0" - name: "Renew root token" hashivault_token_renew: @@ -113,8 +113,8 @@ register: "vault_token_renew" - assert: that: - - "{{vault_token_renew.changed}} == True" - - "{{vault_token_renew.rc}} == 0" + - "vault_token_renew.changed == True" + - "vault_token_renew.rc == 0" - name: "Revoke root token" hashivault_token_renew: @@ -122,5 +122,5 @@ register: "vault_token_revoke" - assert: that: - - "{{vault_token_revoke.changed}} == True" - - "{{vault_token_revoke.rc}} == 0" + - "vault_token_revoke.changed == True" + - "vault_token_revoke.rc == 0" diff --git a/functional/test_unseal.yml b/functional/test_unseal.yml index 3396285f..294338e1 100644 --- a/functional/test_unseal.yml +++ b/functional/test_unseal.yml @@ -5,7 +5,7 @@ vault_keys: "{{ lookup('env','VAULT_KEYS') }}" tasks: - assert: - that: "'{{vault_keys}}' != ''" + that: "vault_keys != ''" msg: "VAULT_KEYS must be set to run this test" - name: Get status of vault before unseal hashivault_status: @@ -15,28 +15,28 @@ - name: Vault is not sealed so seal it hashivault_seal: register: 'vault_seal' - - assert: { that: "{{vault_seal.changed}} == True" } - - assert: { that: "{{vault_seal.rc}} == 0" } + - assert: { that: "vault_seal is changed" } + - assert: { that: "vault_seal.rc == 0" } when: "vault_status.status.sealed == False" - name: Seal the vault but it is already sealed hashivault_seal: register: 'vault_seal_st' - - assert: { that: "{{vault_seal_st.changed}} == False" } - - assert: { that: "{{vault_seal_st.rc}} == 0" } + - assert: { that: "vault_seal_st is not changed" } + - assert: { that: "vault_seal_st.rc == 0" } - name: Unseal the vault hashivault_unseal: keys: '{{vault_keys}}' register: 'vault_unseal' - - assert: { that: "{{vault_unseal.changed}} == True" } - - assert: { that: "{{vault_unseal.status.progress}} == 0" } - - assert: { that: "{{vault_unseal.status.sealed}} == False" } - - assert: { that: "{{vault_unseal.rc}} == 0" } + - assert: { that: "vault_unseal is changed" } + - assert: { that: "vault_unseal.status.progress == 0" } + - assert: { that: "vault_unseal.status.sealed == False" } + - assert: { that: "vault_unseal.rc == 0" } - name: Unseal the vault but it is not sealed hashivault_unseal: keys: '{{vault_keys}}' register: 'vault_unseal_st' - - assert: { that: "{{vault_unseal_st.changed}} == False" } - - assert: { that: "{{vault_unseal_st.rc}} == 0" } + - assert: { that: "vault_unseal_st is not changed" } + - assert: { that: "vault_unseal_st.rc == 0" } diff --git a/functional/test_userpass.yml b/functional/test_userpass.yml index b2e0e004..4ad50f9d 100644 --- a/functional/test_userpass.yml +++ b/functional/test_userpass.yml @@ -7,10 +7,10 @@ rules: > path "secret/userpass/*" { capabilities = ["create", "read", "update", "delete", "list"] - } + } path "secret/userpass" { capabilities = ["list"] - } + } tasks: - hashivault_auth_method: method_type: "userpass" @@ -27,8 +27,8 @@ name: "{{username}}" rules: "{{rules}}" register: vault_policy - - assert: { that: "{{vault_policy.changed}} == True" } - - assert: { that: "{{vault_policy.rc}} == 0" } + - assert: { that: "vault_policy is changed" } + - assert: { that: "vault_policy.rc == 0" } - name: Create user pass with policy hashivault_userpass: @@ -37,8 +37,8 @@ policies: "{{username}}" register: 'vault_userpass_create' no_log: True - - assert: { that: "{{vault_userpass_create.changed}} == True" } - - assert: { that: "{{vault_userpass_create.rc}} == 0" } + - assert: { that: "vault_userpass_create is changed" } + - assert: { that: "vault_userpass_create.rc == 0" } - name: Create user to delete with policy hashivault_userpass: @@ -47,15 +47,15 @@ policies: "{{username}}" register: 'vault_userpass_create' no_log: True - - assert: { that: "{{vault_userpass_create.changed}} == True" } - - assert: { that: "{{vault_userpass_create.rc}} == 0" } + - assert: { that: "vault_userpass_create is changed" } + - assert: { that: "vault_userpass_create.rc == 0" } - hashivault_userpass: name: "delete_{{username}}" state: absent register: 'vault_userpass_delete' - - assert: { that: "{{vault_userpass_delete.changed}} == True" } - - assert: { that: "{{vault_userpass_delete.rc}} == 0" } + - assert: { that: "vault_userpass_delete is changed" } + - assert: { that: "vault_userpass_delete.rc == 0" } - template: src: "{{playbook_dir}}/templates/userpassenv.sh.j2" diff --git a/functional/test_userpass_idempotent.yml b/functional/test_userpass_idempotent.yml index 783d3d37..6e493ad6 100644 --- a/functional/test_userpass_idempotent.yml +++ b/functional/test_userpass_idempotent.yml @@ -18,8 +18,8 @@ policies: bob register: hashivault_userpass no_log: True - - assert: { that: "{{hashivault_userpass.changed}} == True" } - - assert: { that: "{{hashivault_userpass.rc}} == 0" } + - assert: { that: "hashivault_userpass is changed" } + - assert: { that: "hashivault_userpass.rc == 0" } - name: Set token_bound_cidr for userpass hashivault_userpass: @@ -28,8 +28,8 @@ policies: "default" token_bound_cidrs: "127.0.0.1" register: 'hashivault_userpass_token_bound_cidr' - - assert: { that: "{{hashivault_userpass_token_bound_cidr.changed}} == True" } - - assert: { that: "{{hashivault_userpass_token_bound_cidr.rc}} == 0" } + - assert: { that: "hashivault_userpass_token_bound_cidr is changed" } + - assert: { that: "hashivault_userpass_token_bound_cidr.rc == 0" } - name: Set token_bound_cidr for userpass (idempotent) hashivault_userpass: @@ -38,5 +38,5 @@ policies: "default" token_bound_cidrs: "127.0.0.1" register: 'hashivault_userpass_token_bound_cidr' - - assert: { that: "{{hashivault_userpass_token_bound_cidr.changed}} == False" } - - assert: { that: "{{hashivault_userpass_token_bound_cidr.rc}} == 0" } \ No newline at end of file + - assert: { that: "hashivault_userpass_token_bound_cidr is not changed" } + - assert: { that: "hashivault_userpass_token_bound_cidr.rc == 0" } diff --git a/functional/test_userpass_no_pass.yml b/functional/test_userpass_no_pass.yml index bac1c914..9ba7602e 100644 --- a/functional/test_userpass_no_pass.yml +++ b/functional/test_userpass_no_pass.yml @@ -43,8 +43,8 @@ policies: ["policy-bob"] register: hashivault_userpass no_log: True - - assert: { that: "{{hashivault_userpass.changed}} == True" } - - assert: { that: "{{hashivault_userpass.rc}} == 0" } + - assert: { that: "hashivault_userpass is changed" } + - assert: { that: "hashivault_userpass.rc == 0" } - name: Create token hashivault_token_create: @@ -54,8 +54,8 @@ policies: ["policy-bob"] password: "{{userpass}}" register: 'hashivault_userpass_update_no_pass_token' - - assert: { that: "{{hashivault_userpass_update_no_pass_token.changed}} == True" } - - assert: { that: "{{hashivault_userpass_update_no_pass_token.rc}} == 0" } + - assert: { that: "hashivault_userpass_update_no_pass_token is changed" } + - assert: { that: "hashivault_userpass_update_no_pass_token.rc == 0" } - name: Change policies without pass hashivault_userpass: @@ -63,8 +63,8 @@ password: "" policies: ["policy-bob", "default"] register: 'hashivault_userpass_update_no_pass' - - assert: { that: "{{hashivault_userpass_update_no_pass.changed}} == True" } - - assert: { that: "{{hashivault_userpass_update_no_pass.rc}} == 0" } + - assert: { that: "hashivault_userpass_update_no_pass is changed" } + - assert: { that: "hashivault_userpass_update_no_pass.rc == 0" } - name: Set cidr without pass is not possible hashivault_userpass: @@ -75,9 +75,9 @@ register: 'hashivault_userpass_update_no_pass_err' - debug: var: hashivault_userpass_update_no_pass_err - - assert: { that: "{{hashivault_userpass_update_no_pass_err.changed}} == False" } - - assert: { that: "{{hashivault_userpass_update_no_pass_err.rc}} == 1" } - - assert: { that: "'token_bound_cidrs can only be changed if user_pass is specified and user_pass_update is True' == '{{hashivault_userpass_update_no_pass_err.msg}}'" } + - assert: { that: "hashivault_userpass_update_no_pass_err is not changed" } + - assert: { that: "hashivault_userpass_update_no_pass_err.rc == 1" } + - assert: { that: "'token_bound_cidrs can only be changed if user_pass is specified and user_pass_update is True' == hashivault_userpass_update_no_pass_err.msg" } - name: Create token with updated user hashivault_token_create: @@ -87,5 +87,5 @@ policies: ["policy-bob"] password: "{{userpass}}" register: 'hashivault_userpass_update_no_pass_token' - - assert: { that: "{{hashivault_userpass_update_no_pass_token.changed}} == True" } - - assert: { that: "{{hashivault_userpass_update_no_pass_token.rc}} == 0" } + - assert: { that: "hashivault_userpass_update_no_pass_token is changed" } + - assert: { that: "hashivault_userpass_update_no_pass_token.rc == 0" } diff --git a/functional/test_userpass_no_policy.yml b/functional/test_userpass_no_policy.yml index af733985..3676de36 100644 --- a/functional/test_userpass_no_policy.yml +++ b/functional/test_userpass_no_policy.yml @@ -52,5 +52,5 @@ password: "" policies: ["policy-bob", "default"] register: 'hashivault_userpass_update_policies' - - assert: { that: "{{hashivault_userpass_update_policies.changed}} == True" } - - assert: { that: "{{hashivault_userpass_update_policies.rc}} == 0" } + - assert: { that: "hashivault_userpass_update_policies is changed" } + - assert: { that: "hashivault_userpass_update_policies.rc == 0" } diff --git a/functional/test_write.yml b/functional/test_write.yml index 1fd33831..ee8cf9aa 100644 --- a/functional/test_write.yml +++ b/functional/test_write.yml @@ -35,9 +35,9 @@ foo: 'foe' fie: 'fum' register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_root}} written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/' + name_root + ' written'" } + - assert: { that: "vault_write.rc == 0" } - name: Write again no update verify changed hashivault_write: @@ -46,9 +46,9 @@ foo: 'foe' fie: 'fum' register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_root}} written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/' + name_root + ' written'" } + - assert: { that: "vault_write.rc == 0" } - name: Update again and verify no change hashivault_write: @@ -58,8 +58,8 @@ foo: 'foe' fie: 'fum' register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "vault_write.rc == 0" } - name: Update new value and detect change hashivault_write: @@ -69,9 +69,9 @@ foo: 'new' fie: 'fum' register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_root}} written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/' + name_root + ' written'" } + - assert: { that: "vault_write.rc == 0" } - name: Update a brand new secret in folder hashivault_write: @@ -80,17 +80,17 @@ data: height: tall register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_folder}} written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/' + name_folder + ' written'" } + - assert: { that: "vault_write.rc == 0" } - name: Write secret dictionary hashivault_write: update: True secret: '{{name_dict}}' data: "{{ dict_value }}" - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.rc == 0" } - name: Update again secret dictionary and verify no change hashivault_write: @@ -98,20 +98,20 @@ secret: '{{name_dict}}' data: "{{ dict_value }}" register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "vault_write.rc == 0" } - name: Update new value in dictionary and detect change hashivault_write: update: True secret: '{{name_dict}}' - data: + data: foo: 'bar' baz: 'stuff' register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_dict}} written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/' + name_dict + ' written'" } + - assert: { that: "vault_write.rc == 0" } - name: Write array type secret hashivault_write: @@ -126,8 +126,8 @@ data: value: "{{ array_of_dicts_value }}" register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.rc == 0" } - name: Update again array of dicts secret and verify no change hashivault_write: @@ -136,8 +136,8 @@ data: value: "{{ array_of_dicts_value }}" register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "vault_write.rc == 0" } - name: Update new value in array of dicts and detect change hashivault_write: @@ -149,9 +149,9 @@ - name: item-two - name: item-new register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "'{{vault_write.msg}}' == 'Secret secret/{{name_array_of_dicts}} written'" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.msg == 'Secret secret/' + name_array_of_dicts + ' written'" } + - assert: { that: "vault_write.rc == 0" } - name: Initial ttl values hashivault_write: @@ -161,7 +161,7 @@ ttl: 36000s max_ttl: 480s register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "vault_write is changed" } - name: Update minute ttl secret hashivault_write: @@ -170,7 +170,7 @@ data: ttl: 600m register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update hour ttl secret hashivault_write: @@ -179,7 +179,7 @@ data: ttl: 10h register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update second ttl secret hashivault_write: @@ -188,7 +188,7 @@ data: ttl: 36000s register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update second ttl secret no s hashivault_write: @@ -197,7 +197,7 @@ data: ttl: 36000 register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } + - assert: { that: "vault_write is not changed" } - name: Update second ttl secret new value hashivault_write: @@ -206,7 +206,7 @@ data: ttl: 36001s register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } + - assert: { that: "vault_write is changed" } - hashivault_delete: secret: '{{namespace}}no_log' @@ -223,8 +223,8 @@ false: False true: True register: vault_write - - assert: { that: "{{vault_write.changed}} == True" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is changed" } + - assert: { that: "vault_write.rc == 0" } - name: Write a secret to mess up no_log again hashivault_write: @@ -238,5 +238,5 @@ false: False true: True register: vault_write - - assert: { that: "{{vault_write.changed}} == False" } - - assert: { that: "{{vault_write.rc}} == 0" } + - assert: { that: "vault_write is not changed" } + - assert: { that: "vault_write.rc == 0" } From f46058c8ac5a14b117a3e7d2b092ba77f10ce850 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 11 Dec 2023 16:45:06 -0700 Subject: [PATCH 63/65] docker rm --- functional/start.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/functional/start.sh b/functional/start.sh index d1147e9f..6f8219a4 100755 --- a/functional/start.sh +++ b/functional/start.sh @@ -36,7 +36,7 @@ chmod a+r $TMP_CONFIG TAG=latest TAG=1.13.3 docker stop $DOCKER_NAME 2>/dev/null || true -docker rm $DOCKER_NAME 2>/dev/null || true +docker rm -f $DOCKER_NAME 2>/dev/null || true docker run --name $DOCKER_NAME -h $DOCKER_NAME -d \ --cap-add IPC_LOCK \ -p 127.0.0.1:${PORT}:${PORT} \ From 1b0612bf205500bdb9c269b55855623d6f5771e0 Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Mon, 12 Feb 2024 08:54:58 -0700 Subject: [PATCH 64/65] Temporary fix for tox docs --- makedocs.sh | 4 ++-- tox.ini | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/makedocs.sh b/makedocs.sh index 22e4d50d..16adf3b9 100755 --- a/makedocs.sh +++ b/makedocs.sh @@ -29,5 +29,5 @@ set -x # hacky test build broken MODULES=$MODULES make config cli keywords modules # hacky -j $CPUS option not working right on mac -sphinx-build -M html "rst" "_build" -n -w rst_warnings -touch _build/html/.nojekyll +echo 'sphinx-build -M html "rst" "_build" -n -w rst_warnings' +echo 'touch _build/html/.nojekyll' diff --git a/tox.ini b/tox.ini index 9bfd23f4..3902771f 100644 --- a/tox.ini +++ b/tox.ini @@ -28,4 +28,4 @@ commands = setenv = VIRTUAL_ENV={envdir} commands = - ./makedocs.sh + ./makedocs.sh From 5ef30b67fb224b7317835b5c9421e6abc8a6dacd Mon Sep 17 00:00:00 2001 From: Terry Howe Date: Sat, 3 Feb 2024 07:52:26 -0700 Subject: [PATCH 65/65] Fix docker config env --- functional/run.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/functional/run.sh b/functional/run.sh index f60e6339..32e92a61 100755 --- a/functional/run.sh +++ b/functional/run.sh @@ -2,6 +2,7 @@ # # This test runs a vault container on the host network port 8201. # +[ -d ~/.docker ] && export DOCKER_CONFIG=~/.docker cd "$(dirname "$0")" HOMEDIR=$(dirname $(dirname $PWD)) HOME=${HOME:-${HOMEDIR}}