ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

Allow for "default" in the lookup plugin #334

Closed tonk closed 1 year ago

tonk commented 1 year ago
SUMMARY

We use the vault_read lookup plugin for retrieving passwords from our Vault. Our initial setup uses the root user with a default password. During the first provisioning run, the Ansible user is created with a new password and the root password is also changed. This means that a second run will fail.

When I try to read the new path during the first run, I get an error, because it does not exist (yet), and on a second run I cannot log in, because the root password was changed.

I would like to have an extra flag added to the lookup plugin community.hashi_vault.vault_read that allows for the default filter, so that no exception is generated.

ISSUE TYPE
COMPONENT NAME

The community.hashi_vault.vault_read lookup plugin

ADDITIONAL INFORMATION

At the bottom I would like to change:

```python
if data is None:
    raise AnsibleError("The path '%s' doesn't seem to exist." % term)

ret.append(data)
```

into

```python
if data is None:
    if not kwargs.get('allow_default', False):
        raise AnsibleError("The path '%s' doesn't seem to exist." % term)
else:
    ret.append(data)
```

This feature would let me retrieve the user and password from the Vault through the inventory without running into exceptions when a path does not exist.

```yaml
vault_url: https://vault.example.net
vault_path: kv/data/Linux_Servers
vault_plugin: community.hashi_vault.vault_read
vault_user: vault_user
vault_pass: VerySecretVaultPassword

ansible_user: "{{ 'ansible' if (lookup(vault_plugin,
  vault_path + '/' + inventory_hostname,
  auth_method='ldap',
  url=vault_url,
  validate_certs=true,
  username=vault_user,
  password=vault_pass,
  allow_default=True,
  )['data']['data']['ansible_user'] | default('')) else 'root' }}"

ansible_root_pass: "{{ lookup(vault_plugin,
  vault_path + '/defaults',
  auth_method='ldap',
  url=vault_url,
  validate_certs=true,
  username=vault_user,
  password=vault_pass,
  )['data']['data']['default_password'] }}"

ansible_pass: "{{ lookup(vault_plugin,
  vault_path + '/' + inventory_hostname,
  auth_method='ldap',
  url=vault_url,
  validate_certs=true,
  username=vault_user,
  password=vault_pass,
  allow_default=True,
  )['data']['data']['ansible_password'] | default(ansible_root_pass) }}"
```
briantist commented 1 year ago

Hi @tonk !

This is possible with the errors parameter that's built in to every lookup in Ansible, see https://docs.ansible.com/ansible/latest/plugins/lookup.html

By setting errors='ignore' (or errors='warn') the lookup will not fail, and you can pipe it to the default filter that way.

You might have to set the second parameter of the default filter to True for this to work.
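
Putting the suggestion above into the poster's inventory layout, as an added example that is not part of the issue thread or of the collection's own code. The URL, KV path, user names and secret key names are placeholders carried over from the post, and `vault_ldap_password` is an assumed variable that would live in an ansible-vault encrypted vars file:

```yaml
# Added example (not from the issue or from community.hashi_vault).
# Uses the lookup-level `errors` parameter instead of a plugin flag.
vault_url: https://vault.example.net
vault_path: kv/data/Linux_Servers
vault_plugin: community.hashi_vault.vault_read
vault_user: vault_user
# Assumed: the real LDAP password comes from an ansible-vault encrypted file,
# not from a plaintext inventory value.
vault_pass: "{{ vault_ldap_password }}"

# The shared defaults path must exist, so no errors= here: a missing or
# unreadable path still aborts the run instead of yielding an empty password.
ansible_root_pass: >-
  {{ lookup(vault_plugin, vault_path + '/defaults',
            auth_method='ldap', url=vault_url, validate_certs=true,
            username=vault_user, password=vault_pass)['data']['data']['default_password'] }}

# Per-host secrets do not exist until the first provisioning run has written
# them. errors='warn' turns the "path doesn't seem to exist" exception into a
# warning and makes the lookup return an empty result; default(..., true)
# then supplies the first-run value. errors='ignore' would do the same silently.
ansible_user: >-
  {{ lookup(vault_plugin, vault_path + '/' + inventory_hostname,
            auth_method='ldap', url=vault_url, validate_certs=true,
            username=vault_user, password=vault_pass,
            errors='warn')['data']['data']['ansible_user'] | default('root', true) }}

ansible_password: >-
  {{ lookup(vault_plugin, vault_path + '/' + inventory_hostname,
            auth_method='ldap', url=vault_url, validate_certs=true,
            username=vault_user, password=vault_pass,
            errors='warn')['data']['data']['ansible_password'] | default(ansible_root_pass, true) }}
```

One caveat worth keeping in mind: `errors` suppresses every failure of the lookup, not only a missing path, so an LDAP authentication or TLS error on the per-host lookup would also fall through to the root credentials. `errors='warn'` keeps that visible in the run output, while `errors='ignore'` only records it in the log, which is why the defaults path above is read without `errors` at all.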

tonk commented 1 year ago

Thanks, missed that. I'll give that a try.

tonk commented 1 year ago

Yes, this works. Thanks a lot!!