search

ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0
83 stars 62 forks source link

hashi_vault_write bug or feature ? #254

Closed rouja closed 2 years ago

rouja commented 2 years ago

Hi everyone !

SUMMARY

The documentation shows us this example :

- name: Write a value to the cubbyhole via the remote host with userpass auth
  community.hashi_vault.vault_write:
    url: https://vault:8201
    path: cubbyhole/mysecret
    data:
      key1: val1
      key2: val2
    auth_method: userpass
    username: user
    password: '{{ passwd }}'
  register: result

In my case I use environment variable to connect to vault so I simplified the example like that : 

- name: Write a value to the cubbyhole via the remote host with userpass auth
  community.hashi_vault.vault_write:
    path: cubbyhole/mysecret
    data:
      key1: val1
      key2: val2

Which work perfectly with the cubbyhole but not with kv engine (v2 in my case):

- name: Write a value to the cubbyhole via the remote host with userpass auth
  community.hashi_vault.vault_write:
    path: secret/data/mysecret
    data:
      key1: val1
      key2: val2

We got this error : 

File \"/home/jroussel/Git/qwant/venv/lib/python3.10/site-packages/hvac/utils.py\", line 32, in raise_for_error\n    raise exceptions.InvalidRequest(message, errors=errors)\nhvac.exceptions.InvalidRequest: no data provided\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1

At the beginning I thought it's was python bug. But then I remembered that with curl we do something like :

curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"data":{"test":"tutu"},"options":{}}' http://localhost:8200/v1/secret/data/mysecret

So I changed ansible task by :

- name: Write a value to the cubbyhole via the remote host with userpass auth
  community.hashi_vault.vault_write:
    path: secret/data/mysecret
    data:
      data:
        key1: val1
        key2: val2

And It works.

ISSUE TYPE
COMPONENT NAME

community.hashi_vault.vault_write

ANSIBLE VERSION

I tested with multiple ansible version from 2.9.20 to the last version.

COLLECTION VERSION
2.4.0

So, is it a bug or is it normal ? If it's normal, maybe the documentation should be update ?

Have a nice day

briantist commented 2 years ago

Hi @rouja ! As it happens this has already been raised in #245 and someone contributed a new documentation example for that, so clearly this was something needed! With #245 merged, you'll this updated in the "devel" docs on docs.ansible.com once version 2.5.0 of this collection is released, and you'll see it in "latest" on docs.ansible.com when the next version of the ansible package is released that contains 2.5.0 (probably in a few weeks).

For now, you can view the docs for the very latest commit that includes this example here: https://community-hashi-vault-main.surge.sh/collections/community/hashi_vault/vault_write_module.html#examples

The differences in documentation are explained here: https://github.com/ansible-collections/community.hashi_vault#collection-documentation

The reason it's not a bug, is that vault_write is intentionally general, and not meant to be KV-specific. It's working directly with API paths, so you very correctly related it to using the same structure you'd need when using curl for example.

Thanks for raising this @rouja , please don't be a stranger in the issues and discussions!