def hashivault_pki_url_get(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
result = {"changed": False, "rc": 0}
from hvac.exceptions import InvalidPath
try:
result['data'] = client.secrets.pki.read_urls(
mount_point=mount_point).get('data')
except InvalidPath:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"URLs must be configured before beeng read"
except Exception as e:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"Exception: " + str(e)
return result
def hashivault_pki_cert_issue(module):
params = module.params
client = hashivault_auth_client(params)
role = params.get('role').strip('/')
common_name = params.get('common_name')
extra_params = params.get('extra_params')
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
if not check_pki_role(name=role, mount_point=mount_point, client=client):
return {
'failed': True,
'rc': 1,
'msg': 'role not found or permission denied'
}
result = {"changed": False, "rc": 0}
try:
result['data'] = client.secrets.pki.generate_certificate(
name=role,
common_name=common_name,
extra_params=extra_params,
mount_point=mount_point).get('data')
except Exception as e:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"Exception: " + str(e)
return result
def hashivault_pki_ca_set(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
pem_bundle = params.get('pem_bundle')
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
result = {'changed': changed}
if module.check_mode:
return result
data = client.secrets.pki.submit_ca_information(pem_bundle=pem_bundle,
mount_point=mount_point)
if data:
from requests.models import Response
if isinstance(data, Response):
result['data'] = data.text
else:
result['data'] = data
return result
def hashivault_pki_url(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
desired_state = {
'issuing_certificates': params.get('issuing_certificates'),
'crl_distribution_points': params.get('crl_distribution_points'),
'ocsp_servers': params.get('ocsp_servers')
}
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# check if config exists
current_state = {}
try:
current_state = client.secrets.pki.read_urls(mount_point=mount_point).get('data')
except Exception:
# not configured yet.
changed = True
# compare current_state to desired_state
if not changed:
changed = not compare_state(desired_state, current_state)
# make the changes!
if changed and not module.check_mode:
client.secrets.pki.set_urls(mount_point=mount_point, params=desired_state)
return {'changed': changed}
def hashivault_pki_crl(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
desired_state = {
'disable': params.get('disable'),
'expiry': params.get('expiry')
}
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# compare current_state to desired_state
if not changed:
from hvac.exceptions import InvalidPath
try:
current_state = client.secrets.pki.read_crl_configuration(
mount_point=mount_point).get('data')
changed = not compare_state(desired_state, current_state)
except InvalidPath:
changed = True
# make the changes!
if changed and not module.check_mode:
client.secrets.pki.set_crl_configuration(mount_point=mount_point,
extra_params=desired_state)
return {'changed': changed}
def hashivault_pki_ca(module):
params = module.params
client = hashivault_auth_client(params)
common_name = params.get('common_name')
mount_point = params.get('mount_point').strip('/')
state = params.get('state')
kind = params.get('kind')
type = params.get('type')
config = params.get('config')
exists = False
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# check if CA certificate exists
if client.secrets.pki.read_ca_certificate(mount_point=mount_point):
# WARNING: if king is `intermediate` and signed CSR have not been inported back to vault, module will regenerate
# private key and create new CSR. This check will not see that CA exist although private key is generate, and
# CSR might be in proccess to be signed.
exists = True
if (exists and state == 'absent') or (not exists and state == 'present'):
changed = True
result = {"changed": changed, "rc": 0}
# make the changes!
if changed and state == 'present' and not module.check_mode:
if kind == 'root':
resp = client.secrets.pki.generate_root(type=type,
common_name=common_name,
extra_params=config,
mount_point=mount_point)
result['data'] = resp.get('data')
if resp.get('warnings'):
result['warnings'] = resp.get('warnings')
elif kind == 'intermediate':
resp = client.secrets.pki.generate_intermediate(
type=type,
common_name=common_name,
extra_params=config,
mount_point=mount_point)
result['data'] = resp.get('data')
if resp.get('warnings'):
result['warnings'] = resp.get('warnings')
elif changed and state == 'absent' and not module.check_mode:
client.secrets.pki.delete_root(mount_point=mount_point)
return result
def hashivault_azure_secret_engine_role(module):
params = module.params
client = hashivault_auth_client(params)
azure_role_file = params.get('azure_role_file')
mount_point = params.get('mount_point').strip('/')
azure_role = params.get('azure_role')
name = params.get('name').strip('/')
changed = False
# if azure_role_file is set, set azure_role to contents
# else assume azure_role is set and use that value
if azure_role_file:
azure_role = json.loads(
open(params.get('azure_role_file'), 'r').read())['azure_role']
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# check if role exists or any at all
try:
existing_roles = client.secrets.azure.list_roles(
mount_point=mount_point)
if name not in existing_roles['keys']:
changed = True
except Exception:
changed = True
# azure_role comes from json which is assigned as a str object type, convert to py objs
azure_role = literal_eval(azure_role)
if not changed:
# check if role content == desired
current = client.secrets.aws.read_role(
name=name, mount_point=mount_point)['data']['azure_roles']
caught = 0
for i in azure_role:
for i2 in current:
if i.items() <= i2.items():
caught = caught + 1
if caught != len(azure_role) or caught != len(current):
changed = True
# make the changes!
if changed and not module.check_mode:
client.secrets.azure.create_or_update_role(name=name,
azure_roles=azure_role)
return {'changed': changed}
def hashivault_pki_cert_sign(module):
supported_types = {
'certificate': certificate,
'intermediate': intermediate,
'verbatim': verbatim
}
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
return supported_types[params.get('type')](params=params, mount_point=mount_point, client=client)
def hashivault_pki_ca_set(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
pem_bundle = params.get('pem_bundle')
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
if module.check_mode:
return {'changed': changed}
data = client.secrets.pki.submit_ca_information(pem_bundle=pem_bundle,
mount_point=mount_point)
return {'changed': changed, 'data': data}
def hashivault_pki_role_list(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
try:
return {
'data':
client.secrets.pki.list_roles(
mount_point=mount_point).get('data').get('keys')
}
except Exception:
return {'data': []}
def hashivault_azure_secret_engine_config(module):
params = module.params
client = hashivault_auth_client(params)
changed = False
config_file = params.get('config_file')
mount_point = params.get('mount_point').strip('/')
desired_state = dict()
current_state = dict()
# if config_file is set, set sub_id, ten_id, client_id, client_secret from file
# else set from passed args
if config_file:
desired_state = json.loads(open(params.get('config_file'), 'r').read())
if 'environment' not in desired_state:
desired_state['environment'] = 'AzurePublicCloud'
else:
desired_state['tenant_id'] = params.get('tenant_id')
desired_state['subscription_id'] = params.get('subscription_id')
desired_state['client_id'] = params.get('client_id')
desired_state['client_secret'] = params.get('client_secret')
desired_state['environment'] = params.get('environment')
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# check if current config matches desired config values, if they match, set changed to false to prevent action
try:
current_state = client.secrets.azure.read_config()
except Exception:
changed = True
for k, v in current_state.items():
if v != desired_state[k]:
changed = True
# if configs dont match and checkmode is off, complete the change
if changed and not module.check_mode:
client.secrets.azure.configure(mount_point=mount_point,
**desired_state)
return {'changed': changed}
def hashivault_pki_tidy(module):
params = module.params
client = hashivault_auth_client(params)
config = params.get('config')
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
result = {"changed": False, "rc": 0}
try:
client.secrets.pki.tidy(extra_params=config, mount_point=mount_point)
except Exception as e:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"Exception: " + str(e)
return result
def hashivault_pki_cert_get(module):
params = module.params
client = hashivault_auth_client(params)
serial = params.get('serial')
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
try:
return {
'data':
client.secrets.pki.read_certificate(
serial=serial, mount_point=mount_point).get('data')
}
except Exception:
return {'data': {}}
def hashivault_pki_cert_revoke(module):
params = module.params
client = hashivault_auth_client(params)
serial = params.get('serial')
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
result = {"changed": False, "rc": 0}
try:
result['data'] = client.secrets.pki.revoke_certificate(serial_number=serial,
mount_point=mount_point).get('data')
except Exception as e:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"Exception: " + str(e)
return result
def hashivault_pki_set_signed(module):
params = module.params
client = hashivault_auth_client(params)
certificate = params.get('certificate')
mount_point = params.get('mount_point').strip('/')
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
result = {"changed": False, "rc": 0}
try:
result['changed'] = client.secrets.pki.set_signed_intermediate(
certificate=certificate, mount_point=mount_point).ok
except Exception as e:
result['rc'] = 1
result['failed'] = True
result['msg'] = u"Exception: " + str(e)
return result
def hashivault_pki_crl_rotate(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
failed = False
# check if engine is enabled
_, err = check_secrets_engines(module, client)
if err:
return err
# make the changes!
if not module.check_mode:
failed = not client.secrets.pki.rotate_crl(
mount_point=mount_point).get('data').get('success')
return {
'failed': failed,
'changed': not failed,
'msg': 'oops, something went wrong.' if failed else '',
'rc': 1 if failed else 0
}
def hashivault_db_secret_engine_config(module):
params = module.params
client = hashivault_auth_client(params)
config_file = params.get('config_file')
mount_point = params.get('mount_point').strip('/')
state = params.get('state')
name = params.get('name')
desired_state = dict()
exists = False
# if config_file is set value from file
# else set from passed args
if config_file:
desired_state = json.loads(open(params.get('config_file'), 'r').read())
else:
desired_state['plugin_name'] = params.get('plugin_name')
desired_state['allowed_roles'] = params.get('allowed_roles')
desired_state['verify_connection'] = params.get('verify_connection')
desired_state['root_credentials_rotate_statements'] = params.get(
'root_credentials_rotate_statements')
connection_details = params.get('connection_details')
desired_state.update(connection_details)
del connection_details["password"]
# not a required param but must ensure a value for current vs desired object comparison
if 'root_credentials_rotate_statements' not in desired_state:
desired_state['root_credentials_rotate_statements'] = []
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# check if any config exists
try:
current_state = client.secrets.database.read_connection(name=name)
exists = True
except Exception:
# does not exist
pass
if (exists and state == 'absent') or (not exists and state == 'present'):
changed = True
# check if current config matches desired config values
if not changed and state == 'present':
for k, v in current_state['data'].items():
# connection_url is passed as a nested item
if k == 'connection_details':
if v['username'] != desired_state['username']:
changed = True
if v['connection_url'] != desired_state['connection_url']:
changed = True
else:
if v != desired_state[k]:
changed = True
# if configs dont match and checkmode is off, complete the change
if changed and state == 'present' and not module.check_mode:
client.secrets.database.configure(name=name,
mount_point=mount_point,
**desired_state)
elif changed and state == 'absent' and not module.check_mode:
client.secrets.database.delete_connection(name=name,
mount_point=mount_point)
return {'changed': changed}
def hashivault_pki_role(module):
params = module.params
client = hashivault_auth_client(params)
name = params.get('name').strip('/')
mount_point = params.get('mount_point').strip('/')
state = params.get('state')
role_file = params.get('role_file')
config = params.get('config')
desired_state = {}
exists = False
if role_file:
import json
desired_state = json.loads(open(role_file, 'r').read())
elif config:
import yaml
doc = yaml.safe_load(DOCUMENTATION)
args = doc.get('options').get('config').get('suboptions').items()
for key, value in args:
arg = config.get(key)
if arg is not None:
try:
desired_state[key] = normalize[value.get('type')](arg)
except Exception:
return {
'changed':
False,
'failed':
True,
'msg':
'config item \'{}\' has wrong data fromat'.format(key)
}
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
current_state = check_pki_role(name=name,
mount_point=mount_point,
client=client)
if current_state:
exists = True
if (exists and state == 'absent') or (not exists and state == 'present'):
changed = True
# compare current_state to desired_state
if exists and state == 'present' and not changed:
changed = not compare_state(desired_state, current_state)
# make the changes!
if changed and state == 'present' and not module.check_mode:
client.secrets.pki.create_or_update_role(name=name,
mount_point=mount_point,
extra_params=desired_state)
elif changed and state == 'absent' and not module.check_mode:
client.secrets.pki.delete_role(name=name, mount_point=mount_point)
return {'changed': changed}
def hashivault_db_secret_engine_role(module):
params = module.params
client = hashivault_auth_client(params)
mount_point = params.get('mount_point').strip('/')
role_file = params.get('role_file')
name = params.get('name').strip('/')
state = params.get('state')
desired_state = dict()
exists = False
changed = False
# if role_file is set, set desired_state to contents
# else take values from ansible play
if role_file:
desired_state = json.loads(open(params.get('role_file'), 'r').read())
else:
desired_state['default_ttl'] = params.get('token_ttl')
desired_state['max_ttl'] = params.get('token_max_ttl')
desired_state['creation_statements'] = params.get(
'creation_statements')
desired_state['revocation_statements'] = params.get(
'revocation_statements')
desired_state['rollback_statements'] = params.get(
'rollback_statements')
desired_state['db_name'] = params.get('db_name')
# check if engine is enabled
changed, err = check_secrets_engines(module, client)
if err:
return err
# check if role exists
try:
client.secrets.database.read_role(name=name, mount_point=mount_point)
# this role exists
exists = True
except Exception:
# no roles exist yet
pass
if (exists and state == 'absent') or (not exists and state == 'present'):
changed = True
# compare current_state to desired_state
if exists and state == 'present' and not changed:
current_state = client.secrets.database.read_role(
name=name, mount_point=mount_point)['data']
for k, v in desired_state.items():
if v != current_state[k]:
changed = True
elif exists and state == 'absent':
changed = True
# make the changes!
if changed and state == 'present' and not module.check_mode:
client.secrets.database.create_role(name=name,
mount_point=mount_point,
**desired_state)
elif changed and state == 'absent' and not module.check_mode:
client.secrets.database.delete_role(name=name, mount_point=mount_point)
return {'changed': changed}
