diff --git a/ansible-modules-hashivault.iml b/ansible-modules-hashivault.iml new file mode 100644 index 00000000..d583ac32 --- /dev/null +++ b/ansible-modules-hashivault.iml @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py new file mode 100644 index 00000000..badcab1d --- /dev/null +++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py 
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+DOCUMENTATION = '''
+module: hashivault_googlecloud_auth_configure
+version_added: "1.0.0"
+short_description: Hashicorp Vault googlecloud management role module
+description:
+ - Module to manage an googlecloud configuration from Hashicorp Vault.
+options:
+ credentials:
+ description:
+ - A JSON string containing the contents of a GCP credentials file.
+ credentials_file:
+ description:
+ - A JSON string containing the contents of a GCP credentials file.
+ iam_alias:
+ description:
+ - role_id or unique_id
+ iam_metadata:
+ description:
+ - The metadata to include on the token returned by the login endpoint
+ default: default
+ gce_alias:
+ description:
+ - instance_id or role_id
+ gce_metadata:
+ description:
+ - The metadata to include on the token returned by the login endpoint
+ default: default
+ mount_point:
+ description:
+ - mount point for Google Cloud Configuration
+ default: gcp
+ state:
+ description:
+ - present or absent
+ default: present
+'''
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['credentials'] = dict(required=False, type='str')
+ argspec['credentials_file'] = dict(required=False, type='str')
+ argspec['iam_alias'] = dict(required=False, type='str', choices=['unique_id', 'role_id'], default='role_id')
+ argspec['iam_metadata'] = dict(required=False, type='str', default='default')
+ argspec['gce_alias'] = dict(required=False, type='str', choices=['instance_id', 'role_id'], default='role_id')
+ argspec['gce_metadata'] = dict(required=False, type='str', default='default')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['state'] = dict(required=False, type='str', choices=['present', 'absent'], default='present')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_auth_configure(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_configure(module):
+ params = module.params
+ state = params.get('state')
+ credentials = params.get('credentials')
+ credentials_file = params.get('credentials_file')
+ client = hashivault_auth_client(params)
+ mount_point = params.get('mount_point').strip('/')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
+
+ if credentials_file:
+ desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
+ elif credentials:
+ desired_state['credentials'] = params.get('credentials')
+
+ try:
+ current_state = client.auth.gcp.read_config()
+ except Exception:
+ changed = True
+
+ if changed and not module.check_mode and state == 'present':
+ client.auth.gcp.configure(mount_point=mount_point, **desired_state)
+ return {'changed': True}
+ else:
+ client.auth.gcp.delete_config(mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
+
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py
new file mode 100644
index 00000000..f9a1b54f
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py
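Review bot: The `else` branch of the final `if` in `hashivault_googlecloud_auth_configure` calls `client.auth.gcp.delete_config(...)` whenever the guard is false, so a run with `state: present` against an already-configured backend (`read_config()` succeeds and `changed` stays False) or any run in check mode removes the auth method's configuration. The branches need to be keyed on `state` alone with `check_mode` honoured in both; `read_config` should also be given `mount_point=mount_point` so a non-default mount is actually inspected (hvac's auth `read_config` takes it, as `configure` and `delete_config` do here), and `json.load(open(...))` leaves the file handle open and is better written with `with`, as the secrets_configure module in this same commit already does. The `iam_alias`/`iam_metadata`/`gce_alias`/`gce_metadata` options are declared and documented but never passed to `configure`, so they silently have no effect. Separately, `credentials` carries a GCP service-account key yet the argspec does not set `no_log=True`, so Ansible will echo it in verbose and syslog output; the same applies to `credentials` in hashivault_googlecloud_secrets_configure.py in this commit.
```python
    # … unchanged: params, client and mount_point setup …
    if credentials_file:
        with open(credentials_file) as creds:
            desired_state['credentials'] = json.dumps(json.load(creds))
    elif credentials:
        desired_state['credentials'] = credentials

    try:
        current_state = client.auth.gcp.read_config(mount_point=mount_point)
    except Exception:
        current_state = None  # unreadable config is treated as absent

    if state == 'present':
        # TODO: compare current_state with desired_state so updates are applied
        changed = current_state is None
        if changed and not module.check_mode:
            client.auth.gcp.configure(mount_point=mount_point, **desired_state)
        return {'changed': changed}

    changed = current_state is not None
    if changed and not module.check_mode:
        client.auth.gcp.delete_config(mount_point=mount_point)
    return {'changed': changed}
```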
@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['project_id'] = dict(required=True, type='str')
+ argspec['role_type'] = dict(required=True, type='str', choices=['gce', 'iam'])
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['bound_service_accounts'] = dict(required=False, type='list', default=[])
+ argspec['bound_projects'] = dict(required=False, type='list', default=[])
+ argspec['add_group_aliases'] = dict(required=False, type='bool')
+ argspec['token_ttl'] = dict(required=False, type='str')
+ argspec['token_max_ttl'] = dict(required=False, type='str')
+ argspec['token_policies'] = dict(required=False, type='list', default=[])
+ argspec['token_bound_cidrs'] = dict(required=False, type='list', default=[])
+ argspec['token_explicit_max_ttl'] = dict(required=False, type='str')
+ argspec['token_no_default_policy'] = dict(required=False, type='bool', default='false')
+ argspec['token_num_uses'] = dict(required=False, type='str')
+ argspec['token_period'] = dict(required=False, type='str')
+ argspec['token_type'] = dict(required=False, type='str', choices=['service', 'batch', 'default'], default='default')
+ argspec['max_jwt_exp'] = dict(required=False, type='str', default='15m')
+ argspec['allow_gce_inference'] = dict(required=False, type='bool', default=True)
+ argspec['bound_zones'] = dict(required=False, type='list', default=[])
+ argspec['bound_regions'] = dict(required=False, type='list', default=[])
+ argspec['bound_instance_groups'] = dict(required=False, type='list', default=[])
+ argspec['bound_labels'] = dict(required=False, type='list', default=[])
+ argspec['state'] = dict(required=False, type='str', default='present')
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_auth_create_role(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_create_role(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ state = params.get('state')
+ name = params.get('name').strip('/')
+ mount_point = params.get('mount_point').strip('/')
+ project_id = params.get('project_id')
+ role_type = params.get('role_type')
+ changed = False
+ exists = False
+ desired_state = dict()
+
+ if role_type == 'iam' and state == 'present':
+ args = [
+ 'project_id',
+ 'bound_projects',
+ 'add_group_aliases',
+ 'token_ttl',
+ 'token_max_ttl',
+ 'token_policies',
+ 'token_bound_cidrs',
+ 'token_explicit_max_ttl',
+ 'token_no_default_policy',
+ 'token_num_uses',
+ 'token_period',
+ 'token_type',
+ 'bound_zones',
+ 'bound_regions',
+ 'bound_instance_groups',
+ 'bound_labels'
+ ]
+ desired_state = {}
+ elif role_type == 'gce' and state == 'present':
+ args = [
+ 'project_id',
+ 'bound_projects',
+ 'add_group_aliases',
+ 'token_ttl',
+ 'token_max_ttl',
+ 'token_policies',
+ 'token_bound_cidrs',
+ 'token_explicit_max_ttl',
+ 'token_no_default_policy',
+ 'token_num_uses',
+ 'token_period',
+ 'token_type',
+ 'max_jwt_exp',
+ 'allow_gce_inference',
+ 'bound_service_accounts'
+ ]
+ desired_state = {}
+
+ try:
+ current_state = client.auth.gcp.read_role()
+ except Exception:
+ changed = True
+
+ if changed and state == 'present' and not module.check_mode:
+ client.auth.gcp.create_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point, **desired_state)
+
+ elif changed and state == 'absent' and not module.check_mode:
+ client.auth.gcp.delete_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main()
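Review bot: In `hashivault_googlecloud_auth_create_role` the two `args` lists are never read and `desired_state` is reset to `{}` right after each, so every `bound_*` and `token_*` option — including `bound_service_accounts`, `bound_projects` and `token_bound_cidrs`, the settings that actually restrict who may log in through the role — is accepted by the argspec and then dropped before `create_role` is called. Populate it from the list, e.g. `desired_state = {key: params[key] for key in args if params.get(key) is not None}` in place of each `desired_state = {}`. `client.auth.gcp.read_role()` is also called without the role name, so it raises every time, the broad `except` sets `changed = True`, and the module always reports a change and always re-creates the role; it should be `current_state = client.auth.gcp.read_role(name=name, mount_point=mount_point)`. The `delete_role` call passes `project_id` and `role_type`, which as far as I recall hvac's delete method does not accept — worth confirming against the hvac version the project pins. Note too that the iam list carries the GCE-only `bound_zones`/`bound_regions`/`bound_instance_groups`/`bound_labels` fields while the gce list carries `bound_service_accounts`, which looks inverted relative to Vault's role types and should be checked when the lists are wired in.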
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py
new file mode 100644
index 00000000..b777d8bb
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['role_name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['add'] = dict(required=False, type='list', default=[])
+ argspec['remove'] = dict(required=False, type='list', default=[])
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_auth_edit_gce_roles(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_edit_gce_roles(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ role_name = params.get('role_name')
+ mount_point = params.get('mount_point').strip('/')
+ add = params.get('add')
+ remove = params.get('remove')
+ changed = False
+ desired_state = dict()
+
+ if add:
+ desired_state['add'] = params.get('add')
+ if remove:
+ desired_state['remove'] = params.get('remove')
+
+ client.auth.gcp.edit_labels_on_gce_role(mount_point=mount_point, name=role_name, **desired_state)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py
new file mode 100644
index 00000000..71f0d285
--- /dev/null
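Review bot: `hashivault_googlecloud_auth_edit_gce_roles` calls `client.auth.gcp.edit_labels_on_gce_role(...)` unconditionally and then returns `{'changed': changed}` with `changed` still `False`, so every run rewrites the role's bound labels while telling Ansible nothing changed, and a run with both `add` and `remove` empty still issues a write. Guard the call and report honestly: `if not desired_state:` / `    return {'changed': False}` before the call, and `return {'changed': True}` after it. hashivault_googlecloud_auth_edit_service_account.py in this commit has the identical shape around `edit_service_accounts_on_iam_role` and needs the same change; it also applies `.strip('/')` to `role_name` where this module does not, which is worth aligning. This module is initialised without `supports_check_mode`, so the write cannot be previewed; `hashivault_init(argspec, supports_check_mode=True)` plus a `module.check_mode` guard would match the configure modules in this commit.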
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['role_name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['add'] = dict(required=False, type='list', default=[])
+ argspec['remove'] = dict(required=False, type='list', default=[])
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_auth_edit_service_account(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_edit_service_account(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ role_name = params.get('role_name').strip('/')
+ mount_point = params.get('mount_point').strip('/')
+ add = params.get('add')
+ remove = params.get('remove')
+ changed = False
+ desired_state = dict()
+
+ if add:
+ desired_state['add'] = params.get('add')
+ if remove:
+ desired_state['remove'] = params.get('remove')
+
+ client.auth.gcp.edit_service_accounts_on_iam_role(mount_point=mount_point, name=role_name, **desired_state)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
new file mode 100644
index 00000000..45b6ba30
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['state'] = dict(required=False, type='str', default='present', choices=['present', 'absent'])
+ argspec['ttl'] = dict(required=False, type='int', default='3600')
+ argspec['max_ttl'] = dict(required=False, type='int')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['credentials'] = dict(required=False, type='str')
+ argspec['credentials_file'] = dict(required=False, type='str')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_configure(module)
+
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_configure(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ state = params.get('state')
+ mount_point = params.get('mount_point').strip('/')
+ credentials = params.get('credentials')
+ credentials_file = params.get('credentials_file')
+ ttl = params.get('ttl')
+ max_ttl = params.get('max_ttl')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
+
+ if credentials_file:
+ with open(credentials_file) as creds:
+ data = json.load(creds)
+ credential = json.dumps(data)
+ desired_state['credentials'] = credential
+ desired_state['ttl'] = ttl
+ desired_state['max_ttl'] = max_ttl
+ elif credentials:
+ desired_state['credentials'] = credentials
+ desired_state['ttl'] = ttl
+ desired_state['max_ttl'] = max_ttl
+
+ try:
+ current_state = client.secrets.gcp.read_config()
+ except Exception:
+ changed = True
+
+ if changed and not module.check_mode and state == 'present':
+ client.secrets.gcp.configure(mount_point=mount_point, **desired_state)
+
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
new file mode 100644
index 00000000..dd4ef694
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
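Review bot: `hashivault_googlecloud_secrets_configure` returns `{'changed': True}` on every path, including `state: absent` (which performs no action at all) and the case where `read_config()` succeeded and nothing was written, so the module never reports idempotency and `absent` is a silent no-op although the argspec advertises it. At minimum return `{'changed': changed and state == 'present'}`, and either implement `absent` or drop it from `choices`. `read_config()` is called without `mount_point=mount_point`, so on a non-default mount it inspects the default path rather than the configured one, and the value read is never compared with `desired_state`, so an existing config is never updated. When neither `credentials` nor `credentials_file` is given, `desired_state` stays empty and `ttl`/`max_ttl` are never sent, which looks unintended given the defaults.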
@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['state'] = dict(required=False, type='str', default='present', choices=['present', 'absent'])
+ argspec['project'] = dict(required=True, type='str')
+ argspec['secret_type'] = dict(required=True, type='str', default=None,
+ choices=['access_token', 'service_account_key'])
+ argspec['bindings'] = dict(required=True, type='str')
+ argspec['token_scopes'] = dict(required=False, type='list', default=[])
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_roleset(module)
+
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_roleset(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ state = params.get('state')
+ mount_point = params.get('mount_point').strip('/')
+ project = params.get('project')
+ bindings = params.get('bindings')
+ secret_type = params.get('secret_type')
+ name = params.get('name')
+ token_scopes = params.get('token_scopes')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
+
+ if secret_type == 'access_token':
+ desired_state['token_scopes'] = token_scopes
+ elif secret_type == 'service_account_key':
+ desired_state['bindings'] = bindings
+ elif secret_type is None:
+ desired_state['bindings'] = bindings
+ desired_state['token_scopes'] = token_scopes
+
+ try:
+ current_state = client.secrets.gcp.read_roleset(name=name)
+ except Exception:
+ changed = True
+
+ if changed and not module.check_mode and state == 'present':
+ client.secrets.gcp.create_or_update_roleset(mount_point=mount_point, name=name, project=project
+ , **desired_state)
+
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py
new file mode 100644
index 00000000..30e71faf
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_rotate_roleset(module)
+
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_rotate_roleset(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ name = params.get('name')
+ mount_point = params.get('mount_point')
+ changed = False
+
+ client.secrets.gcp.rotate_roleset_account(name=name, mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py
new file mode 100644
index 00000000..57ae447d
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py
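Review bot: In `hashivault_googlecloud_secrets_roleset` the `access_token` branch leaves `bindings` out of `desired_state`, and no branch passes `secret_type`, so `create_or_update_roleset` is called without the field that tells Vault what kind of secret the roleset issues and, for access-token rolesets, without the bindings that scope the generated service account. `secret_type` is `required=True`, so the `elif secret_type is None:` branch is unreachable and the `default=None` on a required option is contradictory. A shape that covers both types (assuming hvac's `create_or_update_roleset` takes `secret_type` as a keyword, which it does in the versions I know — please confirm) is `desired_state = {'bindings': bindings, 'secret_type': secret_type}` / `if secret_type == 'access_token':` / `    desired_state['token_scopes'] = token_scopes`. As in the secrets_configure module in this commit, `read_roleset(name=name)` is called without `mount_point`, `state: absent` never deletes anything, and the return is unconditionally `{'changed': True}`.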
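Review bot: `hashivault_googlecloud_secrets_rotate_roleset` is initialised with `supports_check_mode=True` but `client.secrets.gcp.rotate_roleset_account(...)` runs regardless of `module.check_mode`, so a `--check` run performs the rotation — a side-effecting write that cannot be undone. Put `if not module.check_mode:` in front of the call (the return can stay `{'changed': True}`, since a rotation is never idempotent) and drop the unused `changed = False`. hashivault_googlecloud_secrets_rotate_roleset_account_key.py in this commit has the same gap around `rotate_roleset_account_key`. Unlike the other modules here, neither rotate module applies `.strip('/')` to `mount_point`, which is worth aligning.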
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_rotate_roleset_account_key(module)
+
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_rotate_roleset_account_key(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ name = params.get('name')
+ mount_point = params.get('mount_point')
+ changed = False
+
+ client.secrets.gcp.rotate_roleset_account_key(name=name, mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()