ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

Config via Ansible vars not resolving templating #443

Open onefourfive opened 3 months ago

onefourfive commented 3 months ago
SUMMARY

When I set ansible_hashi_vault_ variables as below, they are taken literally and not templated:

ansible_hashi_vault_url: "{{ vault_fqdn }}"
ansible_hashi_vault_token_path: "{{ lookup('env', 'HOME') }}/.vault-ansible/"
ansible_hashi_vault_token_file: "token-{{ zone }}"

In a case where all but url are specified as lookup keywords, and we intentionally omit the scheme, you can see the templating makes it into the error message:

localhost | FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.hashi_vault'. 
Error was a <class 'requests.exceptions.MissingSchema'>, original message: 
Invalid URL '{{ vault_fqdn }}/v1/internal/data/tf': No scheme supplied. Perhaps you meant https://{{ vault_fqdn }}/v1/internal/data/tf?. 
Invalid URL '{{ vault_fqdn }}/v1/internal/data/tf': No scheme supplied. Perhaps you meant https://{{ vault_fqdn }}/v1/internal/data/tf?"
}
ISSUE TYPE
COMPONENT NAME

hashi_vault

ANSIBLE VERSION
ansible [core 2.17.1]
  config file = /home/iivv/vault-tools/vault-ansible/ansible.cfg
  configured module search path = ['/home/iivv/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/iivv/.virtualenvs/vault-ansible/lib/python3.12/site-packages/ansible
  ansible collection location = /home/iivv/vault-tools/vault-ansible/collections
  executable location = /home/iivv/.virtualenvs/vault-ansible/bin/ansible
  python version = 3.12.3 (main, Apr 10 2024, 05:33:47) [GCC 13.2.0] (/home/iivv/.virtualenvs/vault-ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True
COLLECTION VERSION
Collection            Version
--------------------- -------
community.hashi_vault 6.2.0 
CONFIGURATION
n/a
OS / ENVIRONMENT

n/a

STEPS TO REPRODUCE
  1. Create a vars file specifying config with templating.
  2. Try to perform a lookup without specifying config keywords.
EXPECTED RESULTS

Templating should work so that I can work with different vault clusters and configs in a playbook run as necessary.

ACTUAL RESULTS

Errors result from template attempts. Only literal values are used.

localhost | FAILED! => {
    "msg": "An unhandled exception occurred while running the lookup plugin 'community.hashi_vault.hashi_vault'. Error was a <class 'requests.exceptions.MissingSchema'>, original message: Invalid URL '{{ vault_fqdn }}/v1/internal/data/tf': No scheme supplied. Perhaps you meant https://{{ vault_fqdn }}/v1/internal/data/tf?. Invalid URL '{{ vault_fqdn }}/v1/internal/data/tf': No scheme supplied. Perhaps you meant https://{{ vault_fqdn }}/v1/internal/data/tf?"
}
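A pre-flight check for the failure reported above, as an added example (not code from the issue or from the collection): it scans a vars file for ansible_hashi_vault_* values that still contain Jinja2 delimiters, since those reach the plugin as literal strings. The function name find_untemplated and the sample vars file are constructed for illustration; the hint assumes the lookup keywords url, token_path and token_file that match the three vars in the report.

```python
import re

# Vars named in the report and the lookup keyword each one corresponds to.
KEYWORD_FOR = {
    "ansible_hashi_vault_url": "url",
    "ansible_hashi_vault_token_path": "token_path",
    "ansible_hashi_vault_token_file": "token_file",
}
VAR_LINE = re.compile(r"^\s*(ansible_hashi_vault_\w+)\s*:\s*(.*?)\s*$")
JINJA = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")


def find_untemplated(vars_text):
    """Return (line_no, var, value, keyword) for every ansible_hashi_vault_*
    var whose value still contains Jinja2 delimiters (hypothetical helper)."""
    findings = []
    for line_no, line in enumerate(vars_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML comment lines
        m = VAR_LINE.match(line)
        if not m:
            continue
        var, value = m.group(1), m.group(2)
        # Drop one pair of surrounding quotes so the reported value is readable.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        if JINJA.search(value):
            # keyword is None for vars outside the three named in the report.
            findings.append((line_no, var, value, KEYWORD_FOR.get(var)))
    return findings


# Constructed sample: the three vars from the report plus one literal value.
SAMPLE = '''\
# group_vars/all.yml (constructed)
ansible_hashi_vault_url: "{{ vault_fqdn }}"
ansible_hashi_vault_token_path: "{{ lookup('env', 'HOME') }}/.vault-ansible/"
ansible_hashi_vault_token_file: "token-{{ zone }}"
ansible_hashi_vault_auth_method: token
'''

if __name__ == "__main__":
    for line_no, var, value, keyword in find_untemplated(SAMPLE):
        hint = f"pass {keyword}=... to the lookup" if keyword else "set a literal value"
        print(f"line {line_no}: {var} = {value!r} will not be templated; {hint}")
```

The scanner reads flat `key: value` lines only; nested YAML or values with trailing comments need a real YAML parser.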
briantist commented 3 months ago

Hi @onefourfive, this is unfortunately expected as it's a behavior controlled by ansible-core.

See also: