#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2023, Tom Kivlin (@tomkivlin)
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import (absolute_import, division, print_function)
# Python 2 compatibility boilerplate: a module-level __metaclass__ makes every
# class defined in this file new-style under Python 2 (a no-op on Python 3).
__metaclass__ = type
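# Ansible module documentation blocks (YAML inside string literals).  The
# collection's doc tooling parses DOCUMENTATION/EXAMPLES/RETURN, so the YAML
# nesting below is significant.
DOCUMENTATION = """
module: vault_list
version_added: 4.1.0
author:
  - Tom Kivlin (@tomkivlin)
short_description: Perform a list operation against HashiCorp Vault
requirements:
  - C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
  - For detailed requirements, see R(the collection requirements page,ansible_collections.community.hashi_vault.docsite.user_guide.requirements).
description:
  - Performs a generic list operation against a given path in HashiCorp Vault.
seealso:
  - ref: community.hashi_vault.vault_list lookup <ansible_collections.community.hashi_vault.vault_list_lookup>
    description: The official documentation for the C(community.hashi_vault.vault_list) lookup plugin.
extends_documentation_fragment:
  - community.hashi_vault.attributes
  - community.hashi_vault.attributes.action_group
  - community.hashi_vault.attributes.check_mode_read_only
  - community.hashi_vault.connection
  - community.hashi_vault.auth
options:
  path:
    description: Vault path to be listed.
    type: str
    required: true
"""

EXAMPLES = """
- name: List kv2 secrets from Vault via the remote host with userpass auth
  community.hashi_vault.vault_list:
    url: https://vault:8201
    path: secret/metadata
    # For kv2, the path needs to follow the pattern 'mount_point/metadata' to list all secrets in that path
    auth_method: userpass
    username: user
    password: '{{ passwd }}'
  register: secret

- name: Display the secrets found at the path provided above
  ansible.builtin.debug:
    msg: "{{ secret.data.data['keys'] }}"
    # Note that secret.data.data.keys won't work as 'keys' is a built-in method

- name: List access policies from Vault via the remote host
  community.hashi_vault.vault_list:
    url: https://vault:8201
    path: sys/policies/acl
  register: policies

- name: Display the policy names
  ansible.builtin.debug:
    msg: "{{ policies.data.data['keys'] }}"
    # Note that policies.data.data.keys won't work as 'keys' is a built-in method
"""

RETURN = """
data:
  description: The raw result of the list against the given path.
  returned: success
  type: dict
"""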
import traceback
from ansible.module_utils._text import to_native
from ansible.module_utils.basic import missing_required_lib
from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_module import HashiVaultModule
from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultValueError
# Optional dependency guard.  hvac is required at runtime, but importing it
# here is allowed to fail so that run_module() can report the missing library
# through fail_json (with the captured traceback) instead of dying on a raw
# ImportError at module load.
HAS_HVAC = True
HVAC_IMPORT_ERROR = None
try:
    import hvac
except ImportError:
    HAS_HVAC = False
    # format_exc() has to run inside the handler to capture this ImportError.
    HVAC_IMPORT_ERROR = traceback.format_exc()
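def run_module():
    """Authenticate to Vault and list the ``path`` module option.

    Builds the module from the collection's shared argspec, applies the shared
    connection and authentication handling, calls ``client.list(path)`` and
    exits via ``module.exit_json(data=...)`` with the raw result.

    Every error path ends in ``module.fail_json`` (which exits the module):

    * ``hvac`` is not importable (``HAS_HVAC`` is false),
    * ``NotImplementedError`` / ``HashiVaultValueError`` from the authenticator,
    * ``hvac.exceptions.Forbidden`` from the list call,
    * a ``None`` listing, which this module reports as a non-existent path.

    Any other exception from the connection or list call propagates out of
    this function unchanged.
    """
    argspec = HashiVaultModule.generate_argspec(
        path=dict(type='str', required=True),
    )
    # Listing is read-only, so check mode runs the real operation.
    module = HashiVaultModule(
        argument_spec=argspec,
        supports_check_mode=True
    )

    # Fail with a clear "missing library" message before the first reference
    # to hvac below; HVAC_IMPORT_ERROR carries the import traceback.
    if not HAS_HVAC:
        module.fail_json(
            msg=missing_required_lib('hvac'),
            exception=HVAC_IMPORT_ERROR
        )

    path = module.params.get('path')

    module.connection_options.process_connection_options()
    client_args = module.connection_options.get_hvac_connection_options()
    client = module.helper.get_vault_client(**client_args)

    try:
        module.authenticator.validate()
        module.authenticator.authenticate(client)
    except (NotImplementedError, HashiVaultValueError) as e:
        module.fail_json(msg=to_native(e), exception=traceback.format_exc())

    try:
        data = client.list(path)
    except hvac.exceptions.Forbidden:
        # Vault rejected the list for this path; the full traceback goes into
        # `exception` for troubleshooting while `msg` names the denied path.
        module.fail_json(msg="Forbidden: Permission Denied to path '%s'." % path, exception=traceback.format_exc())

    # A None result is reported as a missing path rather than returned as data
    # (presumably what hvac yields when the path has no listing — TODO confirm).
    if data is None:
        module.fail_json(msg="The path '%s' doesn't seem to exist." % path)

    module.exit_json(data=data)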
def main():
    """Script entry point; delegates all work to :func:`run_module`."""
    run_module()
# Standard entry guard: Ansible executes the module as a script.
if __name__ == '__main__':
    main()