def main():
arg_parser = argparse.ArgumentParser()
arg_parser.add_argument(
'--name', '-n', action='store', help='secret name to add')
arg_parser.add_argument(
'--value', '-v', action='store', help='secret value to add')
arg_parser.add_argument(
'--delete', '-d', action='store', help='secret name to delete')
arg_parser.add_argument(
'--keyvault', '-k', action='store', help='key vault name')
args = arg_parser.parse_args()
if args.name is None and args.delete is None:
sys.exit('Error: --name (-n) or --delete (-d) argument not provided.')
# Load Azure app defaults
try:
with open('azurermconfig.json') as config_file:
config_data = json.load(config_file)
except FileNotFoundError:
sys.exit("Error: Expecting azurermconfig.json in current folder")
tenant_id = config_data['tenantId']
app_id = config_data['appId']
app_secret = config_data['appSecret']
if args.keyvault is None:
kv_name = config_data['keyvault']
else:
kv_name = args.keyvault
key_vault_uri = f'https://{kv_name}.vault.azure.net/'
# get credentials
credentials = ServicePrincipalCredentials(client_id=app_id,
secret=app_secret,
tenant=tenant_id)
# instantiate a key vault client
client = KeyVaultClient(credentials)
try:
if args.value is not None: # add a secret
secret_bundle = client.set_secret(key_vault_uri, args.name, args.value)
print('Secret added:', secret_bundle.id)
elif args.delete is not None: # delete a secret
client.delete_secret(key_vault_uri, args.delete)
print('Secret deleted:', args.delete)
else: # get a secret
secret = client.get_secret(key_vault_uri, args.name, '')
print(secret.value)
except Exception as ex:
print(ex)
class AzureRMKeyVaultSecret(AzureRMModuleBase):
''' Module that creates or deletes secrets in Azure KeyVault '''
def __init__(self):
self.module_arg_spec = dict(secret_name=dict(type='str',
required=True),
secret_value=dict(type='str', no_log=True),
keyvault_uri=dict(type='str',
required=True),
state=dict(type='str',
default='present',
choices=['present', 'absent']))
required_if = [('state', 'present', ['secret_value'])]
self.results = dict(changed=False, state=dict())
self.secret_name = None
self.secret_value = None
self.keyvault_uri = None
self.state = None
self.data_creds = None
self.client = None
self.tags = None
super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec,
supports_check_mode=True,
required_if=required_if,
supports_tags=True)
def exec_module(self, **kwargs):
for key in list(self.module_arg_spec.keys()) + ['tags']:
setattr(self, key, kwargs[key])
# Create KeyVault Client using KeyVault auth class and auth_callback
def auth_callback(server, resource, scope):
if self.credentials['client_id'] is None or self.credentials[
'secret'] is None:
self.fail(
'Please specify client_id, secret and tenant to access azure Key Vault.'
)
tenant = self.credentials.get('tenant')
if not self.credentials['tenant']:
tenant = "common"
authcredential = ServicePrincipalCredentials(
client_id=self.credentials['client_id'],
secret=self.credentials['secret'],
tenant=tenant,
resource="https://vault.azure.net")
token = authcredential.token
return token['token_type'], token['access_token']
self.client = KeyVaultClient(KeyVaultAuthentication(auth_callback))
results = dict()
changed = False
try:
results['secret_id'] = self.get_secret(self.secret_name)
# Secret exists and will be deleted
if self.state == 'absent':
changed = True
except KeyVaultErrorException:
# Secret doesn't exist
if self.state == 'present':
changed = True
self.results['changed'] = changed
self.results['state'] = results
if not self.check_mode:
# Create secret
if self.state == 'present' and changed:
results['secret_id'] = self.create_secret(
self.secret_name, self.secret_value, self.tags)
self.results['state'] = results
self.results['state']['status'] = 'Created'
# Delete secret
elif self.state == 'absent' and changed:
results['secret_id'] = self.delete_secret(self.secret_name)
self.results['state'] = results
self.results['state']['status'] = 'Deleted'
else:
if self.state == 'present' and changed:
self.results['state']['status'] = 'Created'
elif self.state == 'absent' and changed:
self.results['state']['status'] = 'Deleted'
return self.results
def get_secret(self, name, version=''):
''' Gets an existing secret '''
secret_bundle = self.client.get_secret(self.keyvault_uri, name,
version)
if secret_bundle:
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def create_secret(self, name, secret, tags):
''' Creates a secret '''
secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret,
tags)
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def delete_secret(self, name):
''' Deletes a secret '''
deleted_secret = self.client.delete_secret(self.keyvault_uri, name)
secret_id = KeyVaultId.parse_secret_id(deleted_secret.id)
return secret_id.id
vault_url = os.getenv("AZURE_KEYVAULT_URL")
# Initialize KV client
credentials = ServicePrincipalCredentials(
client_id=os.getenv("AZURE_KEYVAULT_CLIENT_ID"),
secret=os.getenv("AZURE_KEYVAULT_CLIENT_SECRET"),
tenant=os.getenv("AZURE_TENANT_ID"))
kvclient = KeyVaultClient(credentials)
#Create list of secrets
secrets = ["root-ca", "intermediate-ca"]
# Load host names
hosts = json.loads(open("hostnames.json", "rt").read())["hosts"]
# Remove all secrets
for secret in secrets:
try:
kvclient.delete_secret(vault_url, secret)
except:
logging.critical("Failed to remove: {}".format(secret))
# Remove all hosts
for host in hosts:
try:
kvclient.delete_certificate(vault_url, host)
except:
logging.critical("Failed to remove: {}".format(secret))
class AzureRMKeyVaultSecret(AzureRMModuleBase):
''' Module that creates or deletes secrets in Azure KeyVault '''
def __init__(self):
self.module_arg_spec = dict(secret_name=dict(type='str',
required=True),
secret_value=dict(type='str',
aliases=['secret'],
no_log=True),
keyvault_uri=dict(type='str',
required=True),
state=dict(type='str',
default='present',
choices=['present', 'absent']))
required_if = [('state', 'present', ['secret_value'])]
self.results = dict(changed=False, state=dict())
self.secret_name = None
self.secret_value = None
self.keyvault_uri = None
self.state = None
self.data_creds = None
self.client = None
self.tags = None
super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec,
supports_check_mode=True,
required_if=required_if,
supports_tags=True)
def exec_module(self, **kwargs):
for key in list(self.module_arg_spec.keys()) + ['tags']:
setattr(self, key, kwargs[key])
# Create KeyVault Client using KeyVault auth class and auth_callback
self.client = KeyVaultClient(self.azure_credentials)
results = dict()
changed = False
try:
results['secret_id'] = self.get_secret(self.secret_name)
# Secret exists and will be deleted
if self.state == 'absent':
changed = True
except KeyVaultErrorException:
# Secret doesn't exist
if self.state == 'present':
changed = True
self.results['changed'] = changed
self.results['state'] = results
if not self.check_mode:
# Create secret
if self.state == 'present' and changed:
results['secret_id'] = self.create_secret(
self.secret_name, self.secret_value, self.tags)
self.results['state'] = results
self.results['state']['status'] = 'Created'
# Delete secret
elif self.state == 'absent' and changed:
results['secret_id'] = self.delete_secret(self.secret_name)
self.results['state'] = results
self.results['state']['status'] = 'Deleted'
else:
if self.state == 'present' and changed:
self.results['state']['status'] = 'Created'
elif self.state == 'absent' and changed:
self.results['state']['status'] = 'Deleted'
return self.results
def get_secret(self, name, version=''):
''' Gets an existing secret '''
secret_bundle = self.client.get_secret(self.keyvault_uri, name,
version)
if secret_bundle:
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def create_secret(self, name, secret, tags):
''' Creates a secret '''
secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret,
tags)
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def delete_secret(self, name):
''' Deletes a secret '''
deleted_secret = self.client.delete_secret(self.keyvault_uri, name)
secret_id = KeyVaultId.parse_secret_id(deleted_secret.id)
return secret_id.id
class AzureRMKeyVaultSecret(AzureRMModuleBase):
''' Module that creates or deletes secrets in Azure KeyVault '''
def __init__(self):
self.module_arg_spec = dict(
secret_name=dict(type='str', required=True),
secret_value=dict(type='str', aliases=['secret'], no_log=True),
keyvault_uri=dict(type='str', required=True),
state=dict(type='str', default='present', choices=['present', 'absent'])
)
required_if = [
('state', 'present', ['secret_value'])
]
self.results = dict(
changed=False,
state=dict()
)
self.secret_name = None
self.secret_value = None
self.keyvault_uri = None
self.state = None
self.data_creds = None
self.client = None
self.tags = None
super(AzureRMKeyVaultSecret, self).__init__(self.module_arg_spec,
supports_check_mode=True,
required_if=required_if,
supports_tags=True)
def exec_module(self, **kwargs):
for key in list(self.module_arg_spec.keys()) + ['tags']:
setattr(self, key, kwargs[key])
# Create KeyVault Client using KeyVault auth class and auth_callback
self.client = KeyVaultClient(self.azure_credentials)
results = dict()
changed = False
try:
results['secret_id'] = self.get_secret(self.secret_name)
# Secret exists and will be deleted
if self.state == 'absent':
changed = True
except KeyVaultErrorException:
# Secret doesn't exist
if self.state == 'present':
changed = True
self.results['changed'] = changed
self.results['state'] = results
if not self.check_mode:
# Create secret
if self.state == 'present' and changed:
results['secret_id'] = self.create_secret(self.secret_name, self.secret_value, self.tags)
self.results['state'] = results
self.results['state']['status'] = 'Created'
# Delete secret
elif self.state == 'absent' and changed:
results['secret_id'] = self.delete_secret(self.secret_name)
self.results['state'] = results
self.results['state']['status'] = 'Deleted'
else:
if self.state == 'present' and changed:
self.results['state']['status'] = 'Created'
elif self.state == 'absent' and changed:
self.results['state']['status'] = 'Deleted'
return self.results
def get_secret(self, name, version=''):
''' Gets an existing secret '''
secret_bundle = self.client.get_secret(self.keyvault_uri, name, version)
if secret_bundle:
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def create_secret(self, name, secret, tags):
''' Creates a secret '''
secret_bundle = self.client.set_secret(self.keyvault_uri, name, secret, tags)
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def delete_secret(self, name):
''' Deletes a secret '''
deleted_secret = self.client.delete_secret(self.keyvault_uri, name)
secret_id = KeyVaultId.parse_secret_id(deleted_secret.id)
return secret_id.id
