ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

Add plugins to list objects in Vault #343

Closed tomkivlin closed 1 year ago

tomkivlin commented 1 year ago
SUMMARY

Two plugins: one lookup, one module to list objects from a given path. e.g.

Fixes #295

ISSUE TYPE
COMPONENT NAME

vault_list (lookup and module)

github-actions[bot] commented 1 year ago

Docs Build 📝

Thank you for your contribution! ✨

This PR has been merged and the docs are now incorporated into main: https://ansible-collections.github.io/community.hashi_vault/branch/main

codecov[bot] commented 1 year ago

Codecov Report

Merging #343 (2b43f4c) into main (6c93da9) will increase coverage by 0.06%. The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #343      +/-   ##
==========================================
+ Coverage   98.75%   98.82%   +0.06%     
==========================================
  Files          76       80       +4     
  Lines        3862     4086     +224     
  Branches      250      258       +8     
==========================================
+ Hits         3814     4038     +224     
  Misses         39       39              
  Partials        9        9              
Flag                                          Coverage  <diff>     Δ
env_docker-default                            98.82%    <100.00%>  (+0.06%) ↑
integration                                   81.30%    <87.80%>   (+0.37%) ↑
sanity                                        39.86%    <47.56%>   (+0.43%) ↑
target_ansible-doc                            100.00%   <ø>        (ø)
target_auth_approle                           89.47%    <ø>        (ø)
target_auth_aws_iam                           50.00%    <ø>        (ø)
target_auth_azure                             53.84%    <ø>        (ø)
target_auth_cert                              86.36%    <ø>        (ø)
target_auth_jwt                               91.30%    <ø>        (ø)
target_auth_ldap                              89.47%    <ø>        (ø)
target_auth_none                              100.00%   <ø>        (ø)
target_auth_token                             71.42%    <ø>        (ø)
target_auth_userpass                          85.71%    <ø>        (ø)
target_connection_options                     74.76%    <ø>        (ø)
target_controller                             83.67%    <93.40%>   (+0.47%) ↑
target_filter_vault_login_token               77.77%    <ø>        (ø)
target_import                                 39.86%    <47.56%>   (+0.43%) ↑
target_lookup_hashi_vault                     81.33%    <ø>        (ø)
target_lookup_vault_ansible_settings          56.28%    <ø>        (ø)
target_lookup_vault_kv1_get                   91.30%    <ø>        (ø)
target_lookup_vault_kv2_get                   91.11%    <ø>        (ø)
target_lookup_vault_list                      90.00%    <90.00%>   (?)
target_lookup_vault_login                     88.57%    <ø>        (ø)
target_lookup_vault_read                      90.00%    <ø>        (ø)
target_lookup_vault_token_create              79.24%    <ø>        (ø)
target_lookup_vault_write                     57.39%    <ø>        (ø)
target_module_utils                           97.36%    <ø>        (ø)
target_module_vault_kv1_get                   87.50%    <ø>        (ø)
target_module_vault_kv2_delete                56.93%    <ø>        (ø)
target_module_vault_kv2_get                   87.23%    <ø>        (ø)
target_module_vault_list                      85.71%    <85.71%>   (?)
target_module_vault_login                     83.72%    <ø>        (ø)
target_module_vault_pki_generate_certificate  78.72%    <ø>        (ø)
target_module_vault_read                      85.71%    <ø>        (ø)
target_module_vault_token_create              91.66%    <ø>        (ø)
target_module_vault_write                     56.25%    <ø>        (ø)
target_modules                                81.78%    <96.24%>   (+1.12%) ↑
units                                         96.54%    <96.42%>   (-0.01%) ↓

Flags with carried forward coverage won't be shown.

Impacted Files                                   Coverage  <diff>     Δ
plugins/lookup/vault_list.py                     100.00%   <100.00%>  (ø)
plugins/modules/vault_list.py                    100.00%   <100.00%>  (ø)
tests/unit/plugins/lookup/test_vault_list.py     100.00%   <100.00%>  (ø)
tests/unit/plugins/modules/test_vault_list.py    100.00%   <100.00%>  (ø)


tomkivlin commented 1 year ago

> So for example, an example showing how to loop over a list of policies might show a loop like this:
>
>     loop: "{{ query('community.hashi_vault.vault_list', 'sys/policies/acl').keys }}"
>
> and an example for kv2 might look like this:
>
>     loop: "{{ query('community.hashi_vault.vault_list', 'secret/metadata/path').data.keys }}"
>
> (EDIT: I just realized, while fixing the above path, that the examples should also have their "secret" listing paths updated to include metadata and some path)
>
> These types of examples that show how to do specific things tend to be highly used, and in fact sometimes people try to do these operations, get failures, and open issues about it, even if they only needed to tweak their path, or massage the output data.

Thanks - great idea! However, I have come across some unexpected (to me) behaviour, possibly because 'keys' is a built-in method - hope my alternatives make sense. (In https://github.com/tomkivlin/community.hashi_vault/commit/cd583f9b8c8985a792deac010c295aa2a8cbb33a).
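
Added example, written for this page and not code from PR #343, from the collection docs, or from either commenter. It puts the two listing cases discussed above (ACL policy names under sys/policies/acl, KV v2 secrets under a metadata/ path) into one playbook and shows the working way round the `.keys` collision: Jinja dotted access (`x.keys`) tries attribute lookup first, so on a dict it returns the built-in `dict.keys` method, while `x['keys']` and the `attribute=` argument of `map` resolve the key. Assumptions: a Vault at the hypothetical https://vault.example.com:8200, a token supplied through the VAULT_TOKEN environment variable (the collection's default token source), a KV v2 engine mounted at secret/ with secrets under secret/app/ and secret/shared/, and that the vault_list module registers the raw list response under `data`, so the names sit at `data.data['keys']`, the same `data.keys` shape as the lookup output above.

```yaml
# Added example; not part of PR #343 or the collection docs.
# Assumes (hypothetical): Vault at https://vault.example.com:8200, a token in
# $VAULT_TOKEN, a KV v2 mount at "secret/" holding secrets under "secret/app/"
# and "secret/shared/", and the vault_list module returning the raw list
# response under "data".
- name: List objects in Vault with community.hashi_vault.vault_list
  hosts: localhost
  gather_facts: false
  vars:
    vault_url: https://vault.example.com:8200
  tasks:
    # 1. Module form. The registered result holds the raw response, and the
    #    names are at data.data['keys']. Index with ['keys'], not .keys: Jinja
    #    dotted access prefers attributes, and dict.keys is a method, so
    #    `acl_policies.data.data.keys` would hand `loop` a bound method.
    - name: List ACL policy names
      community.hashi_vault.vault_list:
        url: "{{ vault_url }}"
        path: sys/policies/acl
      register: acl_policies

    - name: Loop over the policy names
      ansible.builtin.debug:
        msg: "policy: {{ item }}"
      loop: "{{ acl_policies.data.data['keys'] }}"

    # 2. Lookup form for KV v2. A KV v2 mount is listed through its metadata/
    #    path (secret/metadata/app), not the data path (secret/app); that is
    #    the path fix the thread above refers to. Entries ending in "/" are
    #    sub-paths that can be listed again the same way.
    - name: Loop over secrets under secret/app
      ansible.builtin.debug:
        msg: "secret: {{ item }}"
      loop: "{{ lookup('community.hashi_vault.vault_list', 'secret/metadata/app', url=vault_url).data['keys'] }}"

    # 3. Several terms at once. query() returns one response per term, so
    #    pull data.keys out of each and flatten. map(attribute='data.keys')
    #    is safe here because the attribute= lookup resolves each dotted
    #    segment with item access first, so 'keys' is the dict key, not
    #    the method.
    - name: Loop over secrets from two KV v2 paths in one loop
      ansible.builtin.debug:
        msg: "secret: {{ item }}"
      loop: >-
        {{ query('community.hashi_vault.vault_list',
                 'secret/metadata/app', 'secret/metadata/shared',
                 url=vault_url)
           | map(attribute='data.keys') | flatten }}
```

Run with `ansible-playbook list_vault.yml` after exporting VAULT_TOKEN; the token only needs `list` capability on the paths named, which is the least-privilege policy to attach for a job that enumerates rather than reads secrets.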

tomkivlin commented 1 year ago

@briantist thanks for your comprehensive feedback on this, really helpful. I've added some updates, hopefully that covers it all?

briantist commented 1 year ago

> Thanks - great idea! However, I have come across some unexpected (to me) behaviour, possibly because 'keys' is a built-in method - hope my alternatives make sense. (In tomkivlin@cd583f9).

Ah! Yes, that makes sense. I might tweak it further with jinja in a way that will work even with multiple terms; I'll give it a closer look.

> @briantist thanks for your comprehensive feedback on this, really helpful. I've added some updates, hopefully that covers it all?

Pretty much, yeah. I see a little bit I'd like to update in the fixture tests, and we're missing a tiny bit of coverage that I want to fill. I aim for 100% coverage on everything new, and we're missing just one line I think (a 404/missing path response).

I have some time today, so I'm going to pull this down and see if I can button up these last little things, and then give it another once-over. I'll push something up soon.

briantist commented 1 year ago

hey @tomkivlin , ~it seems I cannot push my changes to your fork. There should be a checkbox on this PR in the right column that allows you to grant maintainers the ability to push changes (see the last screenshot here).~

~Would you mind ensuring that is checked?~

~If you prefer not to enable that, that's ok too, I can send a .patch or .diff that you can apply locally to push. Let me know!~

EDIT: please disregard, I didn't realize you opened the PR from main on your fork and I was trying to push to the wrong branch.

briantist commented 1 year ago

@tomkivlin would you take a look at the commits I've pushed up and see if everything looks ok to you? Let me know if there are any questions or things I missed.

There's some weirdness with zuul right now (ansible third party check), but that's not because of anything in this PR as far as I can tell.

briantist commented 1 year ago

Thanks very much @tomkivlin! Great work, I hope you'll stick around and consider contributing more in the future :)

I'll look to get version 4.1.0 released soon.

tomkivlin commented 1 year ago

> Thanks very much @tomkivlin! Great work, I hope you'll stick around and consider contributing more in the future :)
>
> I'll look to get version 4.1.0 released soon.

Me too, thanks for your support 👍