def hashivault_pki_url_get(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err result = {"changed": False, "rc": 0} from hvac.exceptions import InvalidPath try: result['data'] = client.secrets.pki.read_urls( mount_point=mount_point).get('data') except InvalidPath: result['rc'] = 1 result['failed'] = True result['msg'] = u"URLs must be configured before beeng read" except Exception as e: result['rc'] = 1 result['failed'] = True result['msg'] = u"Exception: " + str(e) return result
def hashivault_pki_cert_issue(module): params = module.params client = hashivault_auth_client(params) role = params.get('role').strip('/') common_name = params.get('common_name') extra_params = params.get('extra_params') mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err if not check_pki_role(name=role, mount_point=mount_point, client=client): return { 'failed': True, 'rc': 1, 'msg': 'role not found or permission denied' } result = {"changed": False, "rc": 0} try: result['data'] = client.secrets.pki.generate_certificate( name=role, common_name=common_name, extra_params=extra_params, mount_point=mount_point).get('data') except Exception as e: result['rc'] = 1 result['failed'] = True result['msg'] = u"Exception: " + str(e) return result
def hashivault_pki_ca_set(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') pem_bundle = params.get('pem_bundle') # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err result = {'changed': changed} if module.check_mode: return result data = client.secrets.pki.submit_ca_information(pem_bundle=pem_bundle, mount_point=mount_point) if data: from requests.models import Response if isinstance(data, Response): result['data'] = data.text else: result['data'] = data return result
def hashivault_pki_url(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') desired_state = { 'issuing_certificates': params.get('issuing_certificates'), 'crl_distribution_points': params.get('crl_distribution_points'), 'ocsp_servers': params.get('ocsp_servers') } # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # check if config exists current_state = {} try: current_state = client.secrets.pki.read_urls(mount_point=mount_point).get('data') except Exception: # not configured yet. changed = True # compare current_state to desired_state if not changed: changed = not compare_state(desired_state, current_state) # make the changes! if changed and not module.check_mode: client.secrets.pki.set_urls(mount_point=mount_point, params=desired_state) return {'changed': changed}
def hashivault_pki_crl(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') desired_state = { 'disable': params.get('disable'), 'expiry': params.get('expiry') } # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # compare current_state to desired_state if not changed: from hvac.exceptions import InvalidPath try: current_state = client.secrets.pki.read_crl_configuration( mount_point=mount_point).get('data') changed = not compare_state(desired_state, current_state) except InvalidPath: changed = True # make the changes! if changed and not module.check_mode: client.secrets.pki.set_crl_configuration(mount_point=mount_point, extra_params=desired_state) return {'changed': changed}
def hashivault_pki_ca(module): params = module.params client = hashivault_auth_client(params) common_name = params.get('common_name') mount_point = params.get('mount_point').strip('/') state = params.get('state') kind = params.get('kind') type = params.get('type') config = params.get('config') exists = False # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # check if CA certificate exists if client.secrets.pki.read_ca_certificate(mount_point=mount_point): # WARNING: if king is `intermediate` and signed CSR have not been inported back to vault, module will regenerate # private key and create new CSR. This check will not see that CA exist although private key is generate, and # CSR might be in proccess to be signed. exists = True if (exists and state == 'absent') or (not exists and state == 'present'): changed = True result = {"changed": changed, "rc": 0} # make the changes! if changed and state == 'present' and not module.check_mode: if kind == 'root': resp = client.secrets.pki.generate_root(type=type, common_name=common_name, extra_params=config, mount_point=mount_point) result['data'] = resp.get('data') if resp.get('warnings'): result['warnings'] = resp.get('warnings') elif kind == 'intermediate': resp = client.secrets.pki.generate_intermediate( type=type, common_name=common_name, extra_params=config, mount_point=mount_point) result['data'] = resp.get('data') if resp.get('warnings'): result['warnings'] = resp.get('warnings') elif changed and state == 'absent' and not module.check_mode: client.secrets.pki.delete_root(mount_point=mount_point) return result
def hashivault_azure_secret_engine_role(module): params = module.params client = hashivault_auth_client(params) azure_role_file = params.get('azure_role_file') mount_point = params.get('mount_point').strip('/') azure_role = params.get('azure_role') name = params.get('name').strip('/') changed = False # if azure_role_file is set, set azure_role to contents # else assume azure_role is set and use that value if azure_role_file: azure_role = json.loads( open(params.get('azure_role_file'), 'r').read())['azure_role'] # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # check if role exists or any at all try: existing_roles = client.secrets.azure.list_roles( mount_point=mount_point) if name not in existing_roles['keys']: changed = True except Exception: changed = True # azure_role comes from json which is assigned as a str object type, convert to py objs azure_role = literal_eval(azure_role) if not changed: # check if role content == desired current = client.secrets.aws.read_role( name=name, mount_point=mount_point)['data']['azure_roles'] caught = 0 for i in azure_role: for i2 in current: if i.items() <= i2.items(): caught = caught + 1 if caught != len(azure_role) or caught != len(current): changed = True # make the changes! if changed and not module.check_mode: client.secrets.azure.create_or_update_role(name=name, azure_roles=azure_role) return {'changed': changed}
def hashivault_pki_cert_sign(module): supported_types = { 'certificate': certificate, 'intermediate': intermediate, 'verbatim': verbatim } params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err return supported_types[params.get('type')](params=params, mount_point=mount_point, client=client)
def hashivault_pki_ca_set(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') pem_bundle = params.get('pem_bundle') # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err if module.check_mode: return {'changed': changed} data = client.secrets.pki.submit_ca_information(pem_bundle=pem_bundle, mount_point=mount_point) return {'changed': changed, 'data': data}
def hashivault_pki_role_list(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err try: return { 'data': client.secrets.pki.list_roles( mount_point=mount_point).get('data').get('keys') } except Exception: return {'data': []}
def hashivault_azure_secret_engine_config(module): params = module.params client = hashivault_auth_client(params) changed = False config_file = params.get('config_file') mount_point = params.get('mount_point').strip('/') desired_state = dict() current_state = dict() # if config_file is set, set sub_id, ten_id, client_id, client_secret from file # else set from passed args if config_file: desired_state = json.loads(open(params.get('config_file'), 'r').read()) if 'environment' not in desired_state: desired_state['environment'] = 'AzurePublicCloud' else: desired_state['tenant_id'] = params.get('tenant_id') desired_state['subscription_id'] = params.get('subscription_id') desired_state['client_id'] = params.get('client_id') desired_state['client_secret'] = params.get('client_secret') desired_state['environment'] = params.get('environment') # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # check if current config matches desired config values, if they match, set changed to false to prevent action try: current_state = client.secrets.azure.read_config() except Exception: changed = True for k, v in current_state.items(): if v != desired_state[k]: changed = True # if configs dont match and checkmode is off, complete the change if changed and not module.check_mode: client.secrets.azure.configure(mount_point=mount_point, **desired_state) return {'changed': changed}
def hashivault_pki_tidy(module): params = module.params client = hashivault_auth_client(params) config = params.get('config') mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err result = {"changed": False, "rc": 0} try: client.secrets.pki.tidy(extra_params=config, mount_point=mount_point) except Exception as e: result['rc'] = 1 result['failed'] = True result['msg'] = u"Exception: " + str(e) return result
def hashivault_pki_cert_get(module): params = module.params client = hashivault_auth_client(params) serial = params.get('serial') mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err try: return { 'data': client.secrets.pki.read_certificate( serial=serial, mount_point=mount_point).get('data') } except Exception: return {'data': {}}
def hashivault_pki_cert_revoke(module): params = module.params client = hashivault_auth_client(params) serial = params.get('serial') mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err result = {"changed": False, "rc": 0} try: result['data'] = client.secrets.pki.revoke_certificate(serial_number=serial, mount_point=mount_point).get('data') except Exception as e: result['rc'] = 1 result['failed'] = True result['msg'] = u"Exception: " + str(e) return result
def hashivault_pki_set_signed(module): params = module.params client = hashivault_auth_client(params) certificate = params.get('certificate') mount_point = params.get('mount_point').strip('/') # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err result = {"changed": False, "rc": 0} try: result['changed'] = client.secrets.pki.set_signed_intermediate( certificate=certificate, mount_point=mount_point).ok except Exception as e: result['rc'] = 1 result['failed'] = True result['msg'] = u"Exception: " + str(e) return result
def hashivault_pki_crl_rotate(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') failed = False # check if engine is enabled _, err = check_secrets_engines(module, client) if err: return err # make the changes! if not module.check_mode: failed = not client.secrets.pki.rotate_crl( mount_point=mount_point).get('data').get('success') return { 'failed': failed, 'changed': not failed, 'msg': 'oops, something went wrong.' if failed else '', 'rc': 1 if failed else 0 }
def hashivault_db_secret_engine_config(module): params = module.params client = hashivault_auth_client(params) config_file = params.get('config_file') mount_point = params.get('mount_point').strip('/') state = params.get('state') name = params.get('name') desired_state = dict() exists = False # if config_file is set value from file # else set from passed args if config_file: desired_state = json.loads(open(params.get('config_file'), 'r').read()) else: desired_state['plugin_name'] = params.get('plugin_name') desired_state['allowed_roles'] = params.get('allowed_roles') desired_state['verify_connection'] = params.get('verify_connection') desired_state['root_credentials_rotate_statements'] = params.get( 'root_credentials_rotate_statements') connection_details = params.get('connection_details') desired_state.update(connection_details) del connection_details["password"] # not a required param but must ensure a value for current vs desired object comparison if 'root_credentials_rotate_statements' not in desired_state: desired_state['root_credentials_rotate_statements'] = [] # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # check if any config exists try: current_state = client.secrets.database.read_connection(name=name) exists = True except Exception: # does not exist pass if (exists and state == 'absent') or (not exists and state == 'present'): changed = True # check if current config matches desired config values if not changed and state == 'present': for k, v in current_state['data'].items(): # connection_url is passed as a nested item if k == 'connection_details': if v['username'] != desired_state['username']: changed = True if v['connection_url'] != desired_state['connection_url']: changed = True else: if v != desired_state[k]: changed = True # if configs dont match and checkmode is off, complete the change if changed and state == 'present' and not module.check_mode: client.secrets.database.configure(name=name, mount_point=mount_point, **desired_state) elif changed and state == 'absent' and not module.check_mode: client.secrets.database.delete_connection(name=name, mount_point=mount_point) return {'changed': changed}
def hashivault_pki_role(module): params = module.params client = hashivault_auth_client(params) name = params.get('name').strip('/') mount_point = params.get('mount_point').strip('/') state = params.get('state') role_file = params.get('role_file') config = params.get('config') desired_state = {} exists = False if role_file: import json desired_state = json.loads(open(role_file, 'r').read()) elif config: import yaml doc = yaml.safe_load(DOCUMENTATION) args = doc.get('options').get('config').get('suboptions').items() for key, value in args: arg = config.get(key) if arg is not None: try: desired_state[key] = normalize[value.get('type')](arg) except Exception: return { 'changed': False, 'failed': True, 'msg': 'config item \'{}\' has wrong data fromat'.format(key) } # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err current_state = check_pki_role(name=name, mount_point=mount_point, client=client) if current_state: exists = True if (exists and state == 'absent') or (not exists and state == 'present'): changed = True # compare current_state to desired_state if exists and state == 'present' and not changed: changed = not compare_state(desired_state, current_state) # make the changes! if changed and state == 'present' and not module.check_mode: client.secrets.pki.create_or_update_role(name=name, mount_point=mount_point, extra_params=desired_state) elif changed and state == 'absent' and not module.check_mode: client.secrets.pki.delete_role(name=name, mount_point=mount_point) return {'changed': changed}
def hashivault_db_secret_engine_role(module): params = module.params client = hashivault_auth_client(params) mount_point = params.get('mount_point').strip('/') role_file = params.get('role_file') name = params.get('name').strip('/') state = params.get('state') desired_state = dict() exists = False changed = False # if role_file is set, set desired_state to contents # else take values from ansible play if role_file: desired_state = json.loads(open(params.get('role_file'), 'r').read()) else: desired_state['default_ttl'] = params.get('token_ttl') desired_state['max_ttl'] = params.get('token_max_ttl') desired_state['creation_statements'] = params.get( 'creation_statements') desired_state['revocation_statements'] = params.get( 'revocation_statements') desired_state['rollback_statements'] = params.get( 'rollback_statements') desired_state['db_name'] = params.get('db_name') # check if engine is enabled changed, err = check_secrets_engines(module, client) if err: return err # check if role exists try: client.secrets.database.read_role(name=name, mount_point=mount_point) # this role exists exists = True except Exception: # no roles exist yet pass if (exists and state == 'absent') or (not exists and state == 'present'): changed = True # compare current_state to desired_state if exists and state == 'present' and not changed: current_state = client.secrets.database.read_role( name=name, mount_point=mount_point)['data'] for k, v in desired_state.items(): if v != current_state[k]: changed = True elif exists and state == 'absent': changed = True # make the changes! if changed and state == 'present' and not module.check_mode: client.secrets.database.create_role(name=name, mount_point=mount_point, **desired_state) elif changed and state == 'absent' and not module.check_mode: client.secrets.database.delete_role(name=name, mount_point=mount_point) return {'changed': changed}