ansible-collections / community.hashi_vault

Ansible collection for managing and working with HashiCorp Vault.
https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/index.html
GNU General Public License v3.0

Allow to continue execution of plugin when secret not found or permission denied #69

Closed joao-p-marques closed 3 years ago

joao-p-marques commented 3 years ago
SUMMARY

Allow the plugin to continue without failure when Vault returns a permission denied error or a value of None (secret does not exist)

ISSUE TYPE
COMPONENT NAME

hashi_vault lookup plugin

ADDITIONAL INFORMATION

Vault can return a permission denied error, or None data when the secret does not exist or the user does not have permission to access it. However, there might be situations where you need to follow the execution of the plugin and playbook, and it would be nice to get an empty answer instead of an exception thrown in those situations.

```yaml
- name: obtain secrets
  loop:
    - secret1
    - secret2
    - secret3
  set_fact:
    secrets_dict:
      "{{ secrets_dict | d({}) | combine( { item : lookup('community.hashi_vault.hashi_vault', 'secret/data/secrets/' + item, auth_method='userpass', password=vault_password, username=vault_username, url=vault_api, allow_failure=True) } )}}"
```

The allow_failure option would prevent those 2 exceptions from being thrown, but instead make the plugin return an empty value, which could be treated easily in Ansible.

cc @Yajo

briantist commented 3 years ago

Hello again @joao-p-marques ! Luckily this is possible automatically with all lookup plugins, by using the errors parameter, as described here:

> You can control how errors behave in all lookup plugins by setting errors to ignore, warn, or strict. The default setting is strict, which causes the task to fail if the lookup returns an error.

By using errors=warn or errors=ignore (depending on if you want to see a warning or not), you can combine it with the | default() filter as well, as long as you set the second parameter in default() to True, which tells default to work not only on "undefined" variables, but also on empty values.

```jinja
"{{
    lookup('community.hashi_vault.hashi_vault', 'secret/data/secrets/' + item, auth_method='userpass', password=vault_password, username=vault_username, url=vault_api, errors='warn')
    | default('My default value', True)
}}"
```
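A complete playbook putting the `errors` parameter and `default(..., true)` together, as an added example that is not part of this issue thread or the collection's own code. The Vault URL, the `VAULT_USER`/`VAULT_PASS` environment variables, the secret names and the `secret/data/secrets/` path are placeholders. It uses `errors='warn'` rather than `errors='ignore'` so that a permission-denied or missing secret still leaves a visible warning in the run log, and it follows the loop with an `assert` so that masking lookup errors cannot silently drop a secret the play actually requires.

```yaml
# Added example (not from the original issue): build a dict of secrets while
# tolerating secrets that are missing or that the Vault token may not read.
# All hostnames, env var names, paths and secret names are placeholders.
- name: Collect optional secrets from Vault without failing the play
  hosts: localhost
  gather_facts: false
  vars:
    vault_api: "https://vault.example.com:8200"        # placeholder
    vault_username: "{{ lookup('env', 'VAULT_USER') }}"  # placeholder env var
    vault_password: "{{ lookup('env', 'VAULT_PASS') }}"  # placeholder env var
    optional_secrets:            # looked up, empty dict if absent or denied
      - secret1
      - secret2
      - secret3
    required_secrets:            # must be present, otherwise the play fails
      - secret1
  tasks:
    - name: Look up each secret, substituting an empty dict when absent or denied
      set_fact:
        # errors='warn' makes the lookup return None instead of raising and
        # prints a warning; default({}, true) then replaces that None (or any
        # empty value) with {} so the combine() still works.
        secrets_dict: >-
          {{ secrets_dict | default({}) | combine({ item:
             lookup('community.hashi_vault.hashi_vault',
                    'secret/data/secrets/' + item,
                    auth_method='userpass',
                    username=vault_username,
                    password=vault_password,
                    url=vault_api,
                    errors='warn')
             | default({}, true) }) }}
      loop: "{{ optional_secrets }}"
      no_log: true   # keep secret values out of the task output

    - name: Fail explicitly if a secret the play cannot do without is still missing
      assert:
        that: secrets_dict[item] | length > 0
        fail_msg: "Required secret '{{ item }}' was not readable from Vault"
      loop: "{{ required_secrets }}"
```

The `assert` step is what keeps the relaxed error handling from becoming a blind spot: a denied or missing secret that is merely optional shows up as a warning and an empty entry in `secrets_dict`, while one the play depends on still stops the run with a message naming the secret rather than an unrelated failure further down.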
yajo commented 3 years ago

I guess that should do the trick, thanks.

joao-p-marques commented 3 years ago

Hi @briantist

Sorry for the delayed response. Indeed, I didn't know about that option on the lookup plugins, and it does exactly what we need when combined with the default option. I guess the only issue would be potentially ignoring other important errors, but it shouldn't be a blocking problem and we can handle that further in the playbook.

Thanks for the pointer :+1: 🙂