ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

read and write module not use ansible vars #327

Closed orblazer closed 1 year ago

orblazer commented 1 year ago
SUMMARY

The arguments url and token are still required when using the modules, even though the variables ansible_hashi_vault_addr and ansible_hashi_vault_token are defined.

ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.13.5]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/orblazer/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = /home/orblazer/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.8 (main, Oct 13 2022, 21:13:48) [GCC 12.2.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
$ ansible-galaxy collection list community.hashi_vault

# /usr/lib/python3.10/site-packages/ansible_collections
Collection            Version
--------------------- -------
community.hashi_vault 3.3.1 
CONFIGURATION
Nothing.
OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: Configure vault
  hosts: all
  connection: local
  gather_facts: false
  tasks:
    - name: Check Vault status
      community.hashi_vault.vault_read:
        auth_method: none
        path: "sys/seal-status"
      register: vault_status
    # ...
    - name: Configure host for Vault kubernetes auth
      community.hashi_vault.vault_write:
        path: auth/kubernetes/config
        data:
          kubernetes_host: "https://10.43.0.1"
EXPECTED RESULTS

Works without needing to add url and token.

ACTUAL RESULTS

Throws the error "Required option url was not set" or "No Vault Token specified or discovered".

TASK [core : Check Vault status] ***********************************************
task path: /home/orblazer/.../roles/core/tasks/vault.yaml:33
<192.168.121.108> ESTABLISH LOCAL CONNECTION FOR USER: orblazer
<192.168.121.108> EXEC /bin/sh -c 'echo ~orblazer && sleep 0'
<192.168.121.108> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/orblazer/.ansible/tmp `"&& mkdir "` echo /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965 `" && echo ansible-tmp-1668259608.2616677-65296-70636143614965="` echo /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965 `" ) && sleep 0'
Using module file /usr/lib/python3.10/site-packages/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py
<192.168.121.108> PUT /home/orblazer/.ansible/tmp/ansible-local-63757w0efhkfl/tmpyt8kfjuh TO /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py
<192.168.121.108> EXEC /bin/sh -c 'chmod u+x /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/ /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py && sleep 0'
<192.168.121.108> EXEC /bin/sh -c '/usr/bin/python3 /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py && sleep 0'
<192.168.121.108> EXEC /bin/sh -c 'rm -f -r /home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py", line 107, in <module>
    _ansiballz_main()
  File "/home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.community.hashi_vault.plugins.modules.vault_read', init_globals=dict(_module_fqn='ansible_collections.community.hashi_vault.plugins.modules.vault_read', _modlib_path=modlib_path),
  File "/usr/lib/python3.10/runpy.py", line 224, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py", line 130, in <module>
  File "/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py", line 126, in main
  File "/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py", line 104, in run_module
  File "/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/module_utils/_connection_options.py", line 117, in process_connection_options
  File "/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/module_utils/_hashi_vault_common.py", line 268, in process_late_binding_env_vars
ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common.HashiVaultValueError: Required option url was not set.
fatal: [salamandre]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/orblazer/.ansible/tmp/ansible-tmp-1668259608.2616677-65296-70636143614965/AnsiballZ_vault_read.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.community.hashi_vault.plugins.modules.vault_read', init_globals=dict(_module_fqn='ansible_collections.community.hashi_vault.plugins.modules.vault_read', _modlib_path=modlib_path),\n  File \"/usr/lib/python3.10/runpy.py\", line 224, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.10/runpy.py\", line 96, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib/python3.10/runpy.py\", line 86, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py\", line 130, in <module>\n  File \"/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py\", line 126, in main\n  File \"/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/modules/vault_read.py\", line 104, in run_module\n  File \"/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/module_utils/_connection_options.py\", line 117, in process_connection_options\n  File \"/tmp/ansible_community.hashi_vault.vault_read_payload_xeypnctm/ansible_community.hashi_vault.vault_read_payload.zip/ansible_collections/community/hashi_vault/plugins/module_utils/_hashi_vault_common.py\", line 268, in process_late_binding_env_vars\nansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common.HashiVaultValueError: Required option url was not set.\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
briantist commented 1 year ago

Hi @orblazer ! Thanks for opening this issue.

This behavior is a limitation of Ansible itself; those variables only apply to plugins, not modules.

You can see this in the documentation by comparing, for example, the vault_read lookup: [image]

to the vault_read module: [image]

The good news is that to help with this, we have a special lookup plugin, vault_ansible_settings, which can be used to get the same settings that would be used in a lookup, and then apply those to module_defaults.

Have a look at the examples in that link, and let me know if that's helpful for you.
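The pattern described in the reply above, written out as an added example (it is not part of the issue thread or of the collection's own documentation): the ansible_hashi_vault_* variables are read by the vault_ansible_settings lookup and handed to the two modules through module_defaults. The Vault address and the encrypted vars file name are placeholders; the token is assumed to come from an Ansible-Vault-encrypted file rather than being written into the play.

```yaml
# Added example, not code from the issue. Placeholders: the Vault URL and
# the encrypted vars file. Assumes ansible_hashi_vault_token is defined in
# vault_token.vault.yml (encrypted with ansible-vault).
- name: Configure vault
  hosts: all
  connection: local
  gather_facts: false
  vars:
    # Same variable the lookup plugins honour; a module alone would ignore it.
    ansible_hashi_vault_addr: "https://vault.example.internal:8200"   # placeholder
  vars_files:
    - vault_token.vault.yml   # placeholder: provides ansible_hashi_vault_token
  module_defaults:
    # vault_ansible_settings resolves the plugin-style variables and returns
    # them as a dict of module options (url, token, auth_method, ...), so the
    # modules no longer need url/token spelled out on every task.
    community.hashi_vault.vault_read: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
    community.hashi_vault.vault_write: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  tasks:
    - name: Check Vault status
      community.hashi_vault.vault_read:
        auth_method: none        # task-level options still override the defaults
        path: "sys/seal-status"
      register: vault_status

    - name: Configure host for Vault kubernetes auth
      community.hashi_vault.vault_write:
        path: auth/kubernetes/config
        data:
          kubernetes_host: "https://10.43.0.1"
      no_log: true               # keeps the token out of verbose task output
```

With this in place the `auth_method: none` on the status check still wins over the defaults, and the write task picks up url and token from the variables without them appearing in the task itself; keeping the token in an encrypted vars file and marking the write task `no_log` stops it from leaking into `-vvv` output or logs.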

orblazer commented 1 year ago

Ok, thanks. So the documentation for the vault_write module and vault_read module is not clear, because it says token param -> ansible var -> ANSIBLE_HASHI_VAULT_TOKEN -> VAULT_TOKEN -> token file, so for me "ansible var" meant the facts ansible_hashi_vault_addr and ansible_hashi_vault_token.

briantist commented 1 year ago

I see; the description is shared between all modules and plugins, which is why it shows up the same for all.

I've opened an issue to update that to make it clearer: