Add ability to use ansible vars to specify options

[briantist]

SUMMARY

Fixes #49 Fixes #65

The big change here is adding vars: entries for several options:

• url ->
  • ansible_hashi_vault_url
  • ansible_hashi_vault_addr
• proxies -> ansible_hashi_vault_proxies
• namespace -> ansible_hashi_vault_namespace
• token -> ansible_hashi_vault_token
• token_validate -> ansible_hashi_vault_token_validate
• role_id -> ansible_hashi_vault_role_id
• secret_id -> ansible_hashi_vault_secret_id
• auth_method -> ansible_hashi_vault_auth_method

Some new examples of usage:

- name: use ansible vars to supply some options
  vars:
    ansible_hashi_vault_url: 'https://myvault:8282'
    ansible_hashi_vault_auth_method: token
  set_fact:
    secret1: "{{ lookup('secret/data/secret1') }}"
    secret2: "{{ lookup('secret/data/secret2') }}"

- name: use proxies with a dict (as direct ansible var)
  vars:
    ansible_hashi_vault_proxies:
      http: http://myproxy1
      https: https://myproxy2
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', '...' }}"

Important Note

Using templating in task vars won't work because of https://github.com/ansible/ansible/issues/73268 so this example will fail:

- name: use ansible vars to supply some options
  vars:
    ansible_hashi_vault_url: '{{ my_other_url }}'
  debug:
    msg: "{{ lookup('secret/data/secret1') }}"

Instead, use set_fact to ensure your vars are evaluated beforehand.

- set_fact:
    ansible_hashi_vault_url: '{{ my_other_url }}'

- name: use ansible vars to supply some options
  debug:
    msg: "{{ lookup('secret/data/secret1') }}"

Other Changes

• There were many unnecessary test loops around the validate_certs option, checking different types of ways to specify yes/no, but they used environment variables via the environment: keyword which doesn't affect the lookup anyway. They have been removed, as unit tests now cover the various ways of supplying that option.
• Other test loops also erroneously used environment variables to set the Vault URL; that wasn't actually being used, it was actually using the default option value, so those would have broken after #83 . They have been replaced with ansible var equivalents.
• An additional proxy test loop was added that specified the proxies option as a dict via an ansible var.
• Templating in conditionals was removed to get rid of some warnings in the test output (#65).
• Removed a conditional about cryptography version that's not needed anymore.
• Other areas have been changed to use ansible vars to get more coverage on them or to simplify a test or both. I expect more replacements in the future to greatly cut down on the amount of string concatenation we're doing in the term string.
• A stronger evaluation of the token validation with no default policy expected failure test, by adding an assert to ensure the failure happens and with the message we expect.

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

hashi_vault

ADDITIONAL INFORMATION

[codecov[bot]]

Codecov Report

Merging #86 (c3fea8d) into main (a6e6f37) will not change coverage. The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main      #86   +/-   ##
=======================================
  Coverage   82.88%   82.88%           
=======================================
  Files          16       16           
  Lines         783      783           
  Branches       78       78           
=======================================
  Hits          649      649           
  Misses        120      120           
  Partials       14       14           

Impacted Files	Coverage Δ
plugins/doc_fragments/connection.py	100.00% <ø> (ø)
plugins/lookup/hashi_vault.py	63.15% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update a6e6f37...c3fea8d. Read the comment docs.

[briantist]

cc @h3m5k @erinn @morco @elcomtik @pilou- @wenottingham @infra-monkey

Would you be able to try out this PR with AWX and see if it meets your needs for supplying values that don't rely on environment variables?

[grnrk]

I'v tested this with AWX 15.0.1 and ansible 2.10.6 and it works like a charm. The vars included in the test were (on separate occasions): ansible_hashi_vault_url ansible_hashi_vault_addr ansible_hashi_vault_token ansible_hashi_vault_role_id ansible_hashi_vault_secret_id ansible_hashi_vault_auth_method

Let me know if you'd like me to try something else. Thanks a bunch!

[briantist]

@h3m5k great! thanks a lot, I really appreciate that extra testing. Given how important it is to AWX users I wanted someone to use it hands-on before merging in case anything else was needed.