From 664c6bdacaf853e93508cdfc20babba6164db752 Mon Sep 17 00:00:00 2001
From: Mickael Dangleterre
Date: Tue, 13 Apr 2021 12:39:25 +0200
Subject: [PATCH 01/10] Add hashivault_googlecloud_configure with state presnet/absent and credentials_file conversion to string for 'credentials' keyword | tested OK
---
 .../hashivault_googlecloud_configure.py | 96 +++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_configure.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_configure.py
new file mode 100644
index 00000000..95f74b02
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_configure.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+DOCUMENTATION = '''
+module: hashivault_googlecloud_configure
+version_added: "1.0.0"
+short_description: Hashicorp Vault googlecloud management role module
+description:
+ - Module to manage an googlecloud configuration from Hashicorp Vault.
+options:
+ credentials:
+ description:
+ - A JSON string containing the contents of a GCP credentials file.
+ credentials_file:
+ description:
+ - A JSON string containing the contents of a GCP credentials file.
+ iam_alias:
+ description:
+ - role_id or unique_id
+ iam_metadata:
+ description:
+ - The metadata to include on the token returned by the login endpoint
+ default: default
+ gce_alias:
+ description:
+ - instance_id or role_id
+ gce_metadata:
+ description:
+ - The metadata to include on the token returned by the login endpoint
+ default: default
+ mount_point:
+ description:
+ - mount point for Google Cloud Configuration
+ default: gcp
+ state:
+ description:
+ - present or absent
+ default: present
+'''
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['credentials'] = dict(required=False, type='str')
+ argspec['credentials_file'] = dict(required=False, type='str')
+ argspec['iam_alias'] = dict(required=False, type='str', choices=['unique_id', 'role_id'], default='role_id')
+ argspec['iam_metadata'] = dict(required=False, type='str', default='default')
+ argspec['gce_alias'] = dict(required=False, type='str', choices=['instance_id', 'role_id'], default='role_id')
+ argspec['gce_metadata'] = dict(required=False, type='str', default='default')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['state'] = dict(required=False, type='str', choices=['present', 'absent'], 
default='present')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_configure(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_configure(module):
+ params = module.params
+ state = params.get('state')
+ credentials = params.get('credentials')
+ credentials_file = params.get('credentials_file')
+ client = hashivault_auth_client(params)
+ mount_point = params.get('mount_point').strip('/')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
+
+ if credentials_file:
+ desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
+ elif credentials:
+ desired_state['credentials'] = params.get('credentials')
+
+ try:
+ current_state = client.auth.gcp.read_config()
+ except Exception:
+ changed = True
+
+ if changed and not module.check_mode and state == 'present':
+ client.auth.gcp.configure(mount_point=mount_point, **desired_state)
+ return {'changed': True}
+ else:
+ client.auth.gcp.delete_config(mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
+
From f2b5501f7abdfa143425343e468377ddc0646246 Mon Sep 17 00:00:00 2001
From: Mickael Dangleterre
Date: Tue, 13 Apr 2021 14:49:14 +0200
Subject: [PATCH 02/10] Add hashivault_googlecloud_role with state present/absent and role_type/project_id + arguments keywords | tested OK
---
 .../hashivault/hashivault_googlecloud_role.py | 109 ++++++++++++++++++
 1 file changed, 109 insertions(+)
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_role.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_role.py b/ansible/modules/hashivault/hashivault_googlecloud_role.py
new file mode 100644
index 00000000..24787a27
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_role.py
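Review bot: The final if/else in hashivault_googlecloud_configure deletes the GCP auth config whenever the first branch is not taken, so a `state: present` run in check mode, or against a mount that already has a config (read_config succeeded, `changed` stays False), calls `client.auth.gcp.delete_config`; the decision on `state` and `module.check_mode` must be separated from the existence test, as sketched below, which keeps the commit's existence-only comparison and still does not detect drift in an existing config. `read_config()` is called without `mount_point`, so it probes the default mount whatever `mount_point` was given, while `configure`/`delete_config` right next to it do pass it — assuming hvac's read_config accepts the same keyword. `credentials` carries a GCP service-account private key, so the argspec entry should be `dict(required=False, type='str', no_log=True)` to keep it out of `invocation.module_args` and verbose logs, and the file should be read with `with open(credentials_file, 'r') as fh:` so the handle is closed. The `iam_alias`, `iam_metadata`, `gce_alias` and `gce_metadata` options are declared but never added to `desired_state`, so they never reach Vault.
```python
    try:
        current_state = client.auth.gcp.read_config(mount_point=mount_point)
    except Exception:
        changed = True  # no config on this mount yet

    if state == 'present':
        if not changed:
            return {'changed': False}
        if not module.check_mode:
            client.auth.gcp.configure(mount_point=mount_point, **desired_state)
        return {'changed': True}

    # state == 'absent': only delete something that exists, never in check mode
    if changed:
        return {'changed': False}
    if not module.check_mode:
        client.auth.gcp.delete_config(mount_point=mount_point)
    return {'changed': True}
```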
@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['project_id'] = dict(required=True, type='str')
+ argspec['role_type'] = dict(required=True, type='str', choices=['gce', 'iam'])
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['bound_service_accounts'] = dict(required=False, type='list', default=[])
+ argspec['bound_projects'] = dict(required=False, type='list', default=[])
+ argspec['add_group_aliases'] = dict(required=False, type='bool')
+ argspec['token_ttl'] = dict(required=False, type='str')
+ argspec['token_max_ttl'] = dict(required=False, type='str')
+ argspec['token_policies'] = dict(required=False, type='list', default=[])
+ argspec['token_bound_cidrs'] = dict(required=False, type='list', default=[])
+ argspec['token_explicit_max_ttl'] = dict(required=False, type='str')
+ argspec['token_no_default_policy'] = dict(required=False, type='bool', default='false')
+ argspec['token_num_uses'] = dict(required=False, type='str')
+ argspec['token_period'] = dict(required=False, type='str')
+ argspec['token_type'] = dict(required=False, type='str', choices=['service', 'batch', 'default'], default='default')
+ argspec['max_jwt_exp'] = dict(required=False, type='str', default='15m')
+ argspec['allow_gce_inference'] = dict(required=False, type='bool', default=True)
+ argspec['bound_zones'] = dict(required=False, type='list', default=[])
+ argspec['bound_regions'] = dict(required=False, type='list', default=[])
+ argspec['bound_instance_groups'] = dict(required=False, type='list', default=[])
+ argspec['bound_labels'] = dict(required=False, type='list', default=[])
+ argspec['state'] = 
dict(required=False, type='str', default='present')
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_role(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_role(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ state = params.get('state')
+ name = params.get('name').strip('/')
+ mount_point = params.get('mount_point').strip('/')
+ project_id = params.get('project_id')
+ role_type = params.get('role_type')
+ changed = False
+ exists = False
+ desired_state = dict()
+
+ if role_type == 'iam' and state == 'present':
+ args = [
+ 'project_id',
+ 'bound_projects',
+ 'add_group_aliases',
+ 'token_ttl',
+ 'token_max_ttl',
+ 'token_policies',
+ 'token_bound_cidrs',
+ 'token_explicit_max_ttl',
+ 'token_no_default_policy',
+ 'token_num_uses',
+ 'token_period',
+ 'token_type',
+ 'bound_zones',
+ 'bound_regions',
+ 'bound_instance_groups',
+ 'bound_labels'
+ ]
+ desired_state = {}
+ elif role_type == 'gce' and state == 'present':
+ args = [
+ 'project_id',
+ 'bound_projects',
+ 'add_group_aliases',
+ 'token_ttl',
+ 'token_max_ttl',
+ 'token_policies',
+ 'token_bound_cidrs',
+ 'token_explicit_max_ttl',
+ 'token_no_default_policy',
+ 'token_num_uses',
+ 'token_period',
+ 'token_type',
+ 'max_jwt_exp',
+ 'allow_gce_inference',
+ 'bound_service_accounts'
+ ]
+ desired_state = {}
+
+ try:
+ current_state = client.auth.gcp.read_role()
+ except Exception:
+ changed = True
+
+ if changed and state == 'present' and not module.check_mode:
+ client.auth.gcp.create_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point, **desired_state)
+
+ elif changed and state == 'absent' and not module.check_mode:
+ client.auth.gcp.delete_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main() 
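Review bot: `desired_state` is reset to `{}` in both `role_type` branches and the `args` lists are never read, so `create_role` receives only name/project_id/role_type/mount_point and `bound_service_accounts`, `bound_projects`, `bound_labels`, `token_policies`, `token_bound_cidrs`, `token_ttl` and the rest are silently dropped — any role Vault accepts is created without the restrictions the playbook asked for. Replace both `desired_state = {}` lines with `desired_state = {key: params[key] for key in args if params.get(key) is not None}` (or a variant that also skips empty lists). Before wiring them through, check the two lists against the Vault GCP auth docs: as I read them, `bound_zones`/`bound_regions`/`bound_instance_groups`/`bound_labels` belong to `gce` roles and `bound_service_accounts`/`max_jwt_exp`/`allow_gce_inference` to `iam` roles, which is the opposite of the assignment here. `client.auth.gcp.read_role()` is called with neither `name` nor `mount_point`, so the probe cannot succeed, `changed` is always True, every run re-creates the role and `absent` always deletes; it should be `client.auth.gcp.read_role(name=name, mount_point=mount_point)`. `hashivault_init(argspec)` omits `supports_check_mode=True` although the body tests `module.check_mode`, `state` has no `choices` so a typo falls through both branches yet reports changed, and `delete_role` is passed `project_id`/`role_type`, which hvac's delete call presumably does not accept — verify against its signature.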
From 60e53506c5536718b07abfa81fc3a79b05b2a4b0 Mon Sep 17 00:00:00 2001
From: Mickael Dangleterre
Date: Tue, 13 Apr 2021 15:10:45 +0200
Subject: [PATCH 03/10] Add hashivault_googlecloud_edit_service_account with role_name/project_id/add or remove arguments keywords | tested OK
---
 ...ivault_googlecloud_edit_service_account.py | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py b/ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py
new file mode 100644
index 00000000..2c2b3f53
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['role_name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['add'] = dict(required=False, type='list', default=[])
+ argspec['remove'] = dict(required=False, type='list', default=[])
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_edit_service_account(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_edit_service_account(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ role_name = params.get('role_name').strip('/')
+ mount_point = params.get('mount_point').strip('/')
+ add = params.get('add')
+ remove = params.get('remove')
+ changed = False
+ desired_state = dict()
+
+ if add:
+ desired_state['add'] = params.get('add')
+ if remove:
+ desired_state['remove'] = params.get('remove')
+
+ client.auth.gcp.edit_service_accounts_on_iam_role(mount_point=mount_point, role_name=role_name, **desired_state)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main()
From a9501e5106825e9e1dde36757d7808c3adc7bc2e Mon Sep 17 00:00:00 2001
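Review bot: hashivault_googlecloud_edit_service_account always calls `edit_service_accounts_on_iam_role`, even when both `add` and `remove` are empty, yet returns `{'changed': False}` unconditionally, so a play never sees that the set of GCP service accounts allowed to log in as this role was modified. Guard the call with `if not desired_state: return {'changed': False}` and set `changed = True` after it. The call passes `role_name=role_name`, while the later commit in this series passes `name=role_name` for the same hvac method, which suggests the keyword here does not match the library signature — worth confirming before merging the series in this order. Because `add`/`remove` widen or narrow who can authenticate, returning the submitted `desired_state` in the result would make the change auditable from the play output.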
From: Mickael Dangleterre
Date: Wed, 14 Apr 2021 09:23:42 +0200
Subject: [PATCH 04/10] =?UTF-8?q?update=20files=20and=20functions=20names?= =?UTF-8?q?=20to=20view=20more=20easily=20the=20diff=C3=A9rence=20between?= =?UTF-8?q?=20path=20of=20the=20API=20these=20commands=20apply=20to=20|=20?= =?UTF-8?q?auth=20and=20not=20secrets?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../hashivault_googlecloud_auth_configure.py | 96 +++++++++++++++
 ...hashivault_googlecloud_auth_create_role.py | 109 ++++++++++++++++++
 ...hivault_googlecloud_auth_edit_gce_roles.py | 44 +++++++
 ...t_googlecloud_auth_edit_service_account.py | 44 +++++++
 4 files changed, 293 insertions(+)
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py
new file mode 100644
index 00000000..badcab1d
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+DOCUMENTATION = '''
+module: hashivault_googlecloud_auth_configure
+version_added: "1.0.0"
+short_description: Hashicorp Vault googlecloud management role module
+description:
+ - Module to manage an googlecloud configuration from Hashicorp Vault.
+options:
+ credentials:
+ description:
+ - A JSON string containing the contents of a GCP credentials file.
+ credentials_file:
+ description:
+ - A JSON string containing the contents of a GCP credentials file.
+ iam_alias:
+ description:
+ - role_id or unique_id
+ iam_metadata:
+ description:
+ - The metadata to include on the token returned by the login endpoint
+ default: default
+ gce_alias:
+ description:
+ - instance_id or role_id
+ gce_metadata:
+ description:
+ - The metadata to include on the token returned by the login endpoint
+ default: default
+ mount_point:
+ description:
+ - mount point for Google Cloud Configuration
+ default: gcp
+ state:
+ description:
+ - present or absent
+ default: present
+'''
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['credentials'] = dict(required=False, type='str')
+ argspec['credentials_file'] = dict(required=False, type='str')
+ argspec['iam_alias'] = dict(required=False, type='str', choices=['unique_id', 'role_id'], default='role_id')
+ argspec['iam_metadata'] = dict(required=False, type='str', default='default')
+ argspec['gce_alias'] = dict(required=False, type='str', choices=['instance_id', 'role_id'], default='role_id')
+ argspec['gce_metadata'] = dict(required=False, type='str', default='default')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['state'] = dict(required=False, type='str', choices=['present', 
'absent'], default='present')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_auth_configure(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_configure(module):
+ params = module.params
+ state = params.get('state')
+ credentials = params.get('credentials')
+ credentials_file = params.get('credentials_file')
+ client = hashivault_auth_client(params)
+ mount_point = params.get('mount_point').strip('/')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
+
+ if credentials_file:
+ desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
+ elif credentials:
+ desired_state['credentials'] = params.get('credentials')
+
+ try:
+ current_state = client.auth.gcp.read_config()
+ except Exception:
+ changed = True
+
+ if changed and not module.check_mode and state == 'present':
+ client.auth.gcp.configure(mount_point=mount_point, **desired_state)
+ return {'changed': True}
+ else:
+ client.auth.gcp.delete_config(mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
+
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py
new file mode 100644
index 00000000..f9a1b54f
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py
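Review bot: The `else` branch of hashivault_googlecloud_auth_configure runs `delete_config` whenever the `present` branch is skipped, so `state: present` in check mode, or against a mount whose config already exists (`read_config` succeeded and `changed` stayed False), deletes the live GCP auth configuration; split the `state`/`module.check_mode` decision from the existence test — for `present`, return `{'changed': False}` when the probe succeeded and otherwise only call `configure` outside check mode, and for `absent` only call `delete_config` when the probe succeeded and not in check mode. `read_config()` is called without `mount_point`, unlike the `configure`/`delete_config` calls beside it, so a non-default mount is never actually inspected (assuming hvac's read_config takes the keyword as configure does). `credentials` holds a service-account private key and should be declared `dict(required=False, type='str', no_log=True)` so it is not echoed into `invocation.module_args` or verbose output, and the file should be read via `with open(credentials_file, 'r') as fh:` so the handle is closed. `iam_alias`, `iam_metadata`, `gce_alias` and `gce_metadata` are parsed and documented but never forwarded to Vault.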
@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['project_id'] = dict(required=True, type='str')
+ argspec['role_type'] = dict(required=True, type='str', choices=['gce', 'iam'])
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['bound_service_accounts'] = dict(required=False, type='list', default=[])
+ argspec['bound_projects'] = dict(required=False, type='list', default=[])
+ argspec['add_group_aliases'] = dict(required=False, type='bool')
+ argspec['token_ttl'] = dict(required=False, type='str')
+ argspec['token_max_ttl'] = dict(required=False, type='str')
+ argspec['token_policies'] = dict(required=False, type='list', default=[])
+ argspec['token_bound_cidrs'] = dict(required=False, type='list', default=[])
+ argspec['token_explicit_max_ttl'] = dict(required=False, type='str')
+ argspec['token_no_default_policy'] = dict(required=False, type='bool', default='false')
+ argspec['token_num_uses'] = dict(required=False, type='str')
+ argspec['token_period'] = dict(required=False, type='str')
+ argspec['token_type'] = dict(required=False, type='str', choices=['service', 'batch', 'default'], default='default')
+ argspec['max_jwt_exp'] = dict(required=False, type='str', default='15m')
+ argspec['allow_gce_inference'] = dict(required=False, type='bool', default=True)
+ argspec['bound_zones'] = dict(required=False, type='list', default=[])
+ argspec['bound_regions'] = dict(required=False, type='list', default=[])
+ argspec['bound_instance_groups'] = dict(required=False, type='list', default=[])
+ argspec['bound_labels'] = dict(required=False, type='list', default=[])
+ argspec['state'] = 
dict(required=False, type='str', default='present')
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_auth_create_role(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_create_role(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ state = params.get('state')
+ name = params.get('name').strip('/')
+ mount_point = params.get('mount_point').strip('/')
+ project_id = params.get('project_id')
+ role_type = params.get('role_type')
+ changed = False
+ exists = False
+ desired_state = dict()
+
+ if role_type == 'iam' and state == 'present':
+ args = [
+ 'project_id',
+ 'bound_projects',
+ 'add_group_aliases',
+ 'token_ttl',
+ 'token_max_ttl',
+ 'token_policies',
+ 'token_bound_cidrs',
+ 'token_explicit_max_ttl',
+ 'token_no_default_policy',
+ 'token_num_uses',
+ 'token_period',
+ 'token_type',
+ 'bound_zones',
+ 'bound_regions',
+ 'bound_instance_groups',
+ 'bound_labels'
+ ]
+ desired_state = {}
+ elif role_type == 'gce' and state == 'present':
+ args = [
+ 'project_id',
+ 'bound_projects',
+ 'add_group_aliases',
+ 'token_ttl',
+ 'token_max_ttl',
+ 'token_policies',
+ 'token_bound_cidrs',
+ 'token_explicit_max_ttl',
+ 'token_no_default_policy',
+ 'token_num_uses',
+ 'token_period',
+ 'token_type',
+ 'max_jwt_exp',
+ 'allow_gce_inference',
+ 'bound_service_accounts'
+ ]
+ desired_state = {}
+
+ try:
+ current_state = client.auth.gcp.read_role()
+ except Exception:
+ changed = True
+
+ if changed and state == 'present' and not module.check_mode:
+ client.auth.gcp.create_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point, **desired_state)
+
+ elif changed and state == 'absent' and not module.check_mode:
+ client.auth.gcp.delete_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main() 
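Review bot: In hashivault_googlecloud_auth_create_role `desired_state` is overwritten with `{}` in both branches and the `args` lists are dead, so `create_role` never receives `bound_service_accounts`, `bound_projects`, `bound_labels`, `token_policies`, `token_bound_cidrs` or any TTL — a role Vault accepts would carry none of the restrictions declared in the play. Replace both `desired_state = {}` lines with `desired_state = {key: params[key] for key in args if params.get(key) is not None}`, and before doing so check the lists against the Vault GCP auth docs: as I read them, the `bound_zones`/`bound_regions`/`bound_instance_groups`/`bound_labels` group belongs to `gce` roles and `bound_service_accounts`/`max_jwt_exp`/`allow_gce_inference` to `iam` roles, the reverse of what is here. `client.auth.gcp.read_role()` gets neither `name` nor `mount_point`, so it always raises, `changed` is always True, and every run re-creates or re-deletes the role; use `client.auth.gcp.read_role(name=name, mount_point=mount_point)`. `hashivault_init(argspec)` lacks `supports_check_mode=True` though `module.check_mode` is consulted, `state` has no `choices`, and `delete_role` is handed `project_id`/`role_type`, which hvac's delete call presumably does not take — confirm against its signature.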
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py
new file mode 100644
index 00000000..b777d8bb
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['role_name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['add'] = dict(required=False, type='list', default=[])
+ argspec['remove'] = dict(required=False, type='list', default=[])
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_auth_edit_gce_roles(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_edit_gce_roles(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ role_name = params.get('role_name')
+ mount_point = params.get('mount_point').strip('/')
+ add = params.get('add')
+ remove = params.get('remove')
+ changed = False
+ desired_state = dict()
+
+ if add:
+ desired_state['add'] = params.get('add')
+ if remove:
+ desired_state['remove'] = params.get('remove')
+
+ client.auth.gcp.edit_labels_on_gce_role(mount_point=mount_point, name=role_name, **desired_state)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py
new file mode 100644
index 00000000..71f0d285
--- /dev/null
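Review bot: hashivault_googlecloud_auth_edit_gce_roles reports `{'changed': False}` after unconditionally calling `edit_labels_on_gce_role`, so the label bindings that decide which GCE instances may log in are modified without the play ever showing a change; return `{'changed': True}` after the call and skip it with `if not desired_state: return {'changed': False}` when both `add` and `remove` are empty. `role_name` is used without the `.strip('/')` that the sibling edit_service_account module applies to the same option, so `role_name: foo/` is handled differently by the two modules. Nothing validates the `add`/`remove` entries; if Vault requires a particular `key:value` form for labels, a docstring line saying so would save users a round-trip to the API error.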
+++ b/ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['role_name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['add'] = dict(required=False, type='list', default=[])
+ argspec['remove'] = dict(required=False, type='list', default=[])
+ module = hashivault_init(argspec)
+ result = hashivault_googlecloud_auth_edit_service_account(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_edit_service_account(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ role_name = params.get('role_name').strip('/')
+ mount_point = params.get('mount_point').strip('/')
+ add = params.get('add')
+ remove = params.get('remove')
+ changed = False
+ desired_state = dict()
+
+ if add:
+ desired_state['add'] = params.get('add')
+ if remove:
+ desired_state['remove'] = params.get('remove')
+
+ client.auth.gcp.edit_service_accounts_on_iam_role(mount_point=mount_point, name=role_name, **desired_state)
+
+ return {'changed': changed}
+
+
+if __name__ == '__main__':
+ main()
From 833117b252bd1ddf97fef4643a240e9b9ff1395a Mon Sep 17 00:00:00 2001
From: Mickael Dangleterre
Date: Wed, 14 Apr 2021 18:07:10 +0200
Subject: [PATCH 05/10] rename files and new function for GCP Secrets
---
 ...ashivault_googlecloud_secrets_configure.py | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
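Review bot: hashivault_googlecloud_auth_edit_service_account always calls `edit_service_accounts_on_iam_role` — even with `add` and `remove` both empty — and then returns `{'changed': False}`, so changes to which GCP service accounts can authenticate as this role are invisible in the play output. Add `if not desired_state: return {'changed': False}` before the call and `changed = True` after it; since `hashivault_init(argspec)` does not declare check-mode support, Ansible skips the module under `--check`, which is fine, but worth a comment so nobody adds `supports_check_mode=True` without also guarding the call. Echoing `desired_state` in the returned dict would make the mutation auditable.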
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
new file mode 100644
index 00000000..37b2ddfe
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['credentials_file'] = dict(required=False, type='str')
+ argspec['ttl'] = dict(required=False, type='int', default=0)
+ argspec['max_ttl'] = dict(required=False, type='int', default=0)
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ argspec['state'] = dict(required=False, type='str', choices=['present', 'absent'], default='present')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_configure(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_configure(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ credentials_file = params.get('credentials_file')
+ state = params.get('state')
+ desired_state = dict()
+
+ desired_state['credentials'] = json.dumps(json.load(open(params.get(credentials_file))))
+ desired_state['ttl'] = params.get('ttl')
+ desired_state['max_ttl'] = params.get('max_ttl')
+
+ exists = False
+ current_state = {}
+
+ try:
+ current_state = client.secrets.gcp.read_config(mount_point=params.get('mount_point'))
+ except Exception:
+ pass
+
+ if state == 'present' and not module.check_mode:
+ client.secrets.gcp.configure(mount_point=params.get('mount_point'), **desired_state)
+ else:
+ client.secrets.gcp.read_config(mount_point=params.get('mount_point'))
+
+
+if __name__ == '__main__':
+ main()
From 5b8a5e1250578921a21e1e5161f5fc0313be6610 Mon Sep 17 00:00:00 2001
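Review bot: `json.load(open(params.get(credentials_file)))` uses the file *path* as a parameter name, so `params.get(...)` yields None and `open(None)` raises TypeError on every run; it should open `credentials_file` itself, only when it is set (the option is `required=False`), and inside a `with` so the key file is closed. The function returns None on every path, so unless `hashiwrapper` substitutes a result dict `main()` fails at `result.get('failed')` before `exit_json` — each path needs an explicit `{'changed': ...}`. The `else` branch for `state: absent` just calls `read_config` a second time, so `absent` is a silent no-op and check mode in the `present` case also falls into it; either fail with a clear message or drop `absent` from `choices`. A rewrite of the body is sketched below; `exists`/`current_state` are unused and drift against an existing config is still not compared.
```python
    if credentials_file:
        with open(credentials_file, 'r') as fh:
            desired_state['credentials'] = json.dumps(json.load(fh))
    desired_state['ttl'] = params.get('ttl')
    desired_state['max_ttl'] = params.get('max_ttl')

    # … unchanged: read_config probe …

    if state == 'present':
        if not module.check_mode:
            client.secrets.gcp.configure(mount_point=params.get('mount_point'), **desired_state)
        return {'changed': True}
    return {'failed': True, 'msg': "state=absent is not supported for the GCP secrets config"}
```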
From: Mickael Dangleterre
Date: Wed, 14 Apr 2021 18:53:58 +0200
Subject: [PATCH 06/10] update
---
 .../hashivault_googlecloud_secrets_roleset.py | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
new file mode 100644
index 00000000..709c6401
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['secret_type'] = dict(required=False, type='str', choices=['access_token', 'service_account'],
+ default='access_token')
+ argspec['project'] = dict(required=True, type='str')
+ argspec['bindings'] = dict(required=True, type='str')
+ argspec['token_scopes'] = dict(required=False, type='list', default=[])
+ argspec['state'] = dict(required=False, type='str', choices=['present', 'update', 'absent'], default='present')
+ argspec['mount_point'] = dict(required=True, type='str')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_roleset(module)
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_roleset(module):
+ params = module.params
+ mount_point = params.get('mount_point')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
+ client = hashivault_auth_client(params)
+ state = params.get('state')
+ name = params.get('name')
+ secret_type = params.get('secret_type')
+ project = params.get('project')
+
+ desired_state['name'] = name
+ desired_state['secret_type'] = secret_type
+ desired_state['project'] = project
+ desired_state['bindings'] = params.get('bindings')
+
+ if secret_type == 'access_token':
+ desired_state['token_scopes'] = params.get('token_scopes')
+
+ try:
+ current_state = client.secrets.read_roleset()
+ except Exception:
+ changed = True
+
+ if state == 'present' or state == 'update':
+ client.secrets.create_or_update_roleset(mount_point=mount_point, **desired_state)
+ else:
+ 
client.secrets.delete_roleset(mount_point=mount_point, name=name)
+
+
+if __name__ == '__main__':
+ main()
From dbbd84905f854fcd3aabb1fbf5afac9fb9b64ede Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 15 Apr 2021 16:11:23 +0200
Subject: [PATCH 07/10] update 'hashivault_googlecloud_secrets_configure' task for ansible and obsolete tasks related to google_auth
---
 ansible-modules-hashivault.iml | 9 ++
 .../hashivault_googlecloud_configure.py | 96 ---------------
 ...ivault_googlecloud_edit_service_account.py | 44 -------
 .../hashivault/hashivault_googlecloud_role.py | 109 ------------------
 ...ashivault_googlecloud_secrets_configure.py | 4 +-
 5 files changed, 12 insertions(+), 250 deletions(-)
 create mode 100644 ansible-modules-hashivault.iml
 delete mode 100644 ansible/modules/hashivault/hashivault_googlecloud_configure.py
 delete mode 100644 ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py
 delete mode 100644 ansible/modules/hashivault/hashivault_googlecloud_role.py
diff --git a/ansible-modules-hashivault.iml b/ansible-modules-hashivault.iml
new file mode 100644
index 00000000..d583ac32
--- /dev/null
+++ b/ansible-modules-hashivault.iml
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_configure.py
deleted file mode 100644
index 95f74b02..00000000
--- a/ansible/modules/hashivault/hashivault_googlecloud_configure.py
+++ /dev/null
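Review bot: `read_roleset`, `create_or_update_roleset` and `delete_roleset` are called on `client.secrets` rather than `client.secrets.gcp`, which is what the secrets_configure module in this series uses for `read_config`/`configure`, and `read_roleset()` is given neither `name` nor `mount_point`, so the probe always fails, `changed` is set but never returned, and the function returns None — `main()` then breaks on `result.get('failed')` unless `hashiwrapper` supplies a result. Check mode is ignored although `supports_check_mode=True` is declared, so `--check` creates or deletes rolesets, and a roleset binds real GCP IAM roles via `bindings`, which makes that a material side effect. A rewrite of the tail is sketched below; it still does not compare an existing roleset against `desired_state`, so `update` always reports changed.
```python
    try:
        client.secrets.gcp.read_roleset(name=name, mount_point=mount_point)
    except Exception:
        changed = True  # roleset not present on this mount

    if state in ('present', 'update'):
        if not module.check_mode:
            client.secrets.gcp.create_or_update_roleset(mount_point=mount_point, **desired_state)
        return {'changed': True}
    if changed:
        return {'changed': False}  # nothing to delete
    if not module.check_mode:
        client.secrets.gcp.delete_roleset(mount_point=mount_point, name=name)
    return {'changed': True}
```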
@@ -1,96 +0,0 @@
-#!/usr/bin/env python
-from ansible.module_utils.hashivault import hashivault_argspec
-from ansible.module_utils.hashivault import hashivault_auth_client
-from ansible.module_utils.hashivault import hashivault_init
-from ansible.module_utils.hashivault import hashiwrapper
-import json
-
-DOCUMENTATION = '''
-module: hashivault_googlecloud_configure
-version_added: "1.0.0"
-short_description: Hashicorp Vault googlecloud management role module
-description:
- - Module to manage an googlecloud configuration from Hashicorp Vault.
-options:
- credentials:
- description:
- - A JSON string containing the contents of a GCP credentials file.
- credentials_file:
- description:
- - A JSON string containing the contents of a GCP credentials file.
- iam_alias:
- description:
- - role_id or unique_id
- iam_metadata:
- description:
- - The metadata to include on the token returned by the login endpoint
- default: default
- gce_alias:
- description:
- - instance_id or role_id
- gce_metadata:
- description:
- - The metadata to include on the token returned by the login endpoint
- default: default
- mount_point:
- description:
- - mount point for Google Cloud Configuration
- default: gcp
- state:
- description:
- - present or absent
- default: present
-'''
-
-
-def main():
- argspec = hashivault_argspec()
- argspec['credentials'] = dict(required=False, type='str')
- argspec['credentials_file'] = dict(required=False, type='str')
- argspec['iam_alias'] = dict(required=False, type='str', choices=['unique_id', 'role_id'], default='role_id')
- argspec['iam_metadata'] = dict(required=False, type='str', default='default')
- argspec['gce_alias'] = dict(required=False, type='str', choices=['instance_id', 'role_id'], default='role_id')
- argspec['gce_metadata'] = dict(required=False, type='str', default='default')
- argspec['mount_point'] = dict(required=False, type='str', default='gcp')
- argspec['state'] = dict(required=False, type='str', choices=['present', 'absent'], 
default='present')
- module = hashivault_init(argspec, supports_check_mode=True)
- result = hashivault_googlecloud_configure(module)
- if result.get('failed'):
- module.fail_json(**result)
- else:
- module.exit_json(**result)
-
-
-@hashiwrapper
-def hashivault_googlecloud_configure(module):
- params = module.params
- state = params.get('state')
- credentials = params.get('credentials')
- credentials_file = params.get('credentials_file')
- client = hashivault_auth_client(params)
- mount_point = params.get('mount_point').strip('/')
- desired_state = dict()
- current_state = dict()
- changed = False
-
- if credentials_file:
- desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
- elif credentials:
- desired_state['credentials'] = params.get('credentials')
-
- try:
- current_state = client.auth.gcp.read_config()
- except Exception:
- changed = True
-
- if changed and not module.check_mode and state == 'present':
- client.auth.gcp.configure(mount_point=mount_point, **desired_state)
- return {'changed': True}
- else:
- client.auth.gcp.delete_config(mount_point=mount_point)
- return {'changed': True}
-
-
-if __name__ == '__main__':
- main()
-
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py b/ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py
deleted file mode 100644
index 2c2b3f53..00000000
--- a/ansible/modules/hashivault/hashivault_googlecloud_edit_service_account.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env python
-from ansible.module_utils.hashivault import hashivault_argspec
-from ansible.module_utils.hashivault import hashivault_auth_client
-from ansible.module_utils.hashivault import hashivault_init
-from ansible.module_utils.hashivault import hashiwrapper
-
-
-def main():
- argspec = hashivault_argspec()
- argspec['role_name'] = dict(required=True, type='str')
- argspec['mount_point'] = dict(required=False, type='str', default='gcp')
- argspec['add'] = dict(required=False, type='list', default=[])
- argspec['remove'] = dict(required=False, type='list', default=[])
- module = hashivault_init(argspec)
- result = hashivault_googlecloud_edit_service_account(module)
- if result.get('failed'):
- module.fail_json(**result)
- else:
- module.exit_json(**result)
-
-
-@hashiwrapper
-def hashivault_googlecloud_edit_service_account(module):
- params = module.params
- client = hashivault_auth_client(params)
- role_name = params.get('role_name').strip('/')
- mount_point = params.get('mount_point').strip('/')
- add = params.get('add')
- remove = params.get('remove')
- changed = False
- desired_state = dict()
-
- if add:
- desired_state['add'] = params.get('add')
- if remove:
- desired_state['remove'] = params.get('remove')
-
- client.auth.gcp.edit_service_accounts_on_iam_role(mount_point=mount_point, role_name=role_name, **desired_state)
-
- return {'changed': changed}
-
-
-if __name__ == '__main__':
- main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_role.py b/ansible/modules/hashivault/hashivault_googlecloud_role.py
deleted file mode 100644
index 24787a27..00000000
--- a/ansible/modules/hashivault/hashivault_googlecloud_role.py
+++ /dev/null
@@ -1,109 +0,0 @@
-#!/usr/bin/env python
-from ansible.module_utils.hashivault import hashivault_argspec
-from ansible.module_utils.hashivault import hashivault_auth_client
-from ansible.module_utils.hashivault import hashivault_init
-from ansible.module_utils.hashivault import hashiwrapper
-
-
-def main():
- argspec = hashivault_argspec()
- argspec['name'] = dict(required=True, type='str')
- argspec['project_id'] = dict(required=True, type='str')
- argspec['role_type'] = dict(required=True, type='str', choices=['gce', 'iam'])
- argspec['mount_point'] = dict(required=False, type='str', default='gcp')
- argspec['bound_service_accounts'] = dict(required=False, type='list', default=[])
- argspec['bound_projects'] = dict(required=False, type='list', default=[])
- argspec['add_group_aliases'] = dict(required=False, type='bool')
- argspec['token_ttl'] = dict(required=False, type='str')
- argspec['token_max_ttl'] = dict(required=False, type='str')
- argspec['token_policies'] = dict(required=False, type='list', default=[])
- argspec['token_bound_cidrs'] = dict(required=False, type='list', default=[])
- argspec['token_explicit_max_ttl'] = dict(required=False, type='str')
- argspec['token_no_default_policy'] = dict(required=False, type='bool', default='false')
- argspec['token_num_uses'] = dict(required=False, type='str')
- argspec['token_period'] = dict(required=False, type='str')
- argspec['token_type'] = dict(required=False, type='str', choices=['service', 'batch', 'default'], default='default')
- argspec['max_jwt_exp'] = dict(required=False, type='str', default='15m')
- argspec['allow_gce_inference'] = dict(required=False, type='bool', default=True)
- argspec['bound_zones'] = dict(required=False, type='list', default=[])
- argspec['bound_regions'] = dict(required=False, type='list', default=[])
- argspec['bound_instance_groups'] = dict(required=False, type='list', default=[])
- argspec['bound_labels'] = dict(required=False, type='list', default=[])
- argspec['state'] =
dict(required=False, type='str', default='present')
- module = hashivault_init(argspec)
- result = hashivault_googlecloud_role(module)
- if result.get('failed'):
- module.fail_json(**result)
- else:
- module.exit_json(**result)
-
-
-@hashiwrapper
-def hashivault_googlecloud_role(module):
- params = module.params
- client = hashivault_auth_client(params)
- state = params.get('state')
- name = params.get('name').strip('/')
- mount_point = params.get('mount_point').strip('/')
- project_id = params.get('project_id')
- role_type = params.get('role_type')
- changed = False
- exists = False
- desired_state = dict()
-
- if role_type == 'iam' and state == 'present':
- args = [
- 'project_id',
- 'bound_projects',
- 'add_group_aliases',
- 'token_ttl',
- 'token_max_ttl',
- 'token_policies',
- 'token_bound_cidrs',
- 'token_explicit_max_ttl',
- 'token_no_default_policy',
- 'token_num_uses',
- 'token_period',
- 'token_type',
- 'bound_zones',
- 'bound_regions',
- 'bound_instance_groups',
- 'bound_labels'
- ]
- desired_state = {}
- elif role_type == 'gce' and state == 'present':
- args = [
- 'project_id',
- 'bound_projects',
- 'add_group_aliases',
- 'token_ttl',
- 'token_max_ttl',
- 'token_policies',
- 'token_bound_cidrs',
- 'token_explicit_max_ttl',
- 'token_no_default_policy',
- 'token_num_uses',
- 'token_period',
- 'token_type',
- 'max_jwt_exp',
- 'allow_gce_inference',
- 'bound_service_accounts'
- ]
- desired_state = {}
-
- try:
- current_state = client.auth.gcp.read_role()
- except Exception:
- changed = True
-
- if changed and state == 'present' and not module.check_mode:
- client.auth.gcp.create_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point, **desired_state)
-
- elif changed and state == 'absent' and not module.check_mode:
- client.auth.gcp.delete_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point)
-
- return {'changed': changed}
-
-
-if __name__ == '__main__':
- main()
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
index 37b2ddfe..b6d63aa7 100644
--- a/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
@@ -29,7 +29,7 @@ def hashivault_googlecloud_secrets_configure(module):
 state = params.get('state')
 desired_state = dict()
- desired_state['credentials'] = json.dumps(json.load(open(params.get(credentials_file))))
+ desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
 desired_state['ttl'] = params.get('ttl')
 desired_state['max_ttl'] = params.get('max_ttl')
@@ -46,6 +46,8 @@ def hashivault_googlecloud_secrets_configure(module):
 else:
 client.secrets.gcp.read_config(mount_point=params.get('mount_point'))
+ return { **desired_state }
+
 if __name__ == '__main__':
 main()
From 020dd4e6f1bb93667d4efc748eef167aa1843446 Mon Sep 17 00:00:00 2001 From: Mickael Dangleterre Date: Wed, 12 May 2021 12:11:56 +0200 Subject: [PATCH 08/10] Update for hashivault_googlecloud_secrets_configure task --- ...ashivault_googlecloud_secrets_configure.py | 47 ++++++++++++------- 1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
index b6d63aa7..45b6ba30 100644
--- a/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py
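Review bot: The rewritten line in the first hunk still hands an unclosed file object to `json.load`, so the handle opened on `credentials_file` is never released, and when the parameter is not supplied the call reaches `open(None)` and dies with a `TypeError` instead of a clean module failure. Use a context manager and fail early on a missing parameter: `with open(params.get('credentials_file')) as creds:` / `desired_state['credentials'] = json.dumps(json.load(creds))`. The enclosing function starts and ends outside this hunk.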
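Review bot: `return { **desired_state }` in the second hunk places `desired_state['credentials']` — the full GCP service-account key loaded from `credentials_file` earlier in the function — into the module result, which Ansible prints in task output and hands to every callback and log sink. The return sits after both branches, so the key is echoed even for `state: absent`, and the result carries no `changed` key at all. Return status only, e.g. `return {'changed': state == 'present' and not module.check_mode}`, and keep key material out of the result.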
@@ -8,13 +8,15 @@ def main():
 argspec = hashivault_argspec()
- argspec['credentials_file'] = dict(required=False, type='str')
- argspec['ttl'] = dict(required=False, type='int', default=0)
- argspec['max_ttl'] = dict(required=False, type='int', default=0)
+ argspec['state'] = dict(required=False, type='str', default='present', choices=['present', 'absent'])
+ argspec['ttl'] = dict(required=False, type='int', default='3600')
+ argspec['max_ttl'] = dict(required=False, type='int')
 argspec['mount_point'] = dict(required=False, type='str', default='gcp')
- argspec['state'] = dict(required=False, type='str', choices=['present', 'absent'], default='present')
+ argspec['credentials'] = dict(required=False, type='str')
+ argspec['credentials_file'] = dict(required=False, type='str')
 module = hashivault_init(argspec, supports_check_mode=True)
 result = hashivault_googlecloud_secrets_configure(module)
+
 if result.get('failed'):
 module.fail_json(**result)
 else:
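Review bot: `argspec['credentials']` carries the GCP credentials JSON in clear text but is declared without `no_log=True`, so Ansible may print it in verbose output and in the result's invocation arguments; declare it as `argspec['credentials'] = dict(required=False, type='str', no_log=True)`. `argspec['ttl']` gives an int-typed parameter the string default `'3600'`, which Ansible coerces but which should simply be `default=3600`, and the move from `0` to `3600` is a behavior change the commit message does not mention. `credentials` and `credentials_file` are both optional with no `mutually_exclusive`/`required_one_of` constraint (if `hashivault_init` can pass those through), so a play that supplies neither passes validation and, judging by the next hunk, continues with an empty `desired_state`.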
@@ -25,28 +27,37 @@ def main():
 def hashivault_googlecloud_secrets_configure(module):
 params = module.params
 client = hashivault_auth_client(params)
- credentials_file = params.get('credentials_file')
 state = params.get('state')
+ mount_point = params.get('mount_point').strip('/')
+ credentials = params.get('credentials')
+ credentials_file = params.get('credentials_file')
+ ttl = params.get('ttl')
+ max_ttl = params.get('max_ttl')
 desired_state = dict()
+ current_state = dict()
+ changed = False
- desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
- desired_state['ttl'] = params.get('ttl')
- desired_state['max_ttl'] = params.get('max_ttl')
-
- exists = False
- current_state = {}
+ if credentials_file:
+ with open(credentials_file) as creds:
+ data = json.load(creds)
+ credential = json.dumps(data)
+ desired_state['credentials'] = credential
+ desired_state['ttl'] = ttl
+ desired_state['max_ttl'] = max_ttl
+ elif credentials:
+ desired_state['credentials'] = credentials
+ desired_state['ttl'] = ttl
+ desired_state['max_ttl'] = max_ttl
 try:
- current_state = client.secrets.gcp.read_config(mount_point=params.get('mount_point'))
+ current_state = client.secrets.gcp.read_config()
 except Exception:
- pass
+ changed = True
- if state == 'present' and not module.check_mode:
- client.secrets.gcp.configure(mount_point=params.get('mount_point'), **desired_state)
- else:
- client.secrets.gcp.read_config(mount_point=params.get('mount_point'))
+ if changed and not module.check_mode and state == 'present':
+ client.secrets.gcp.configure(mount_point=mount_point, **desired_state)
- return { **desired_state }
+ return {'changed': True}
 if __name__ == '__main__':
From ea4193dcd2710bafe8885c7fd53104abf3ad8745 Mon Sep 17 00:00:00 2001
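Review bot: `changed` is set only when `read_config()` raises and `current_state` is never compared with `desired_state`, so an existing configuration with different credentials or TTLs is never rewritten, while the unconditional `return {'changed': True}` reports a change in check mode, for `state: absent` (which now performs no action at all) and when nothing was sent to Vault. `client.secrets.gcp.read_config()` also lost its `mount_point=` argument, so on a non-default mount the existence check presumably queries the client's default engine rather than `mount_point`. Vault does not appear to return the stored credentials on read, so only `ttl`/`max_ttl` can be diffed; the sketch below does that and returns the real `changed` value — adjust the `data` unwrapping to the actual response shape of `read_config`.
```python
    # … unchanged: parameter reads and desired_state construction …
    try:
        current_state = client.secrets.gcp.read_config(mount_point=mount_point)
    except Exception:
        changed = True

    if state == 'present':
        # credentials cannot be read back, so only the TTL fields are comparable;
        # NOTE(review): hvac usually nests the payload under 'data' — verify
        current = current_state.get('data', current_state) if current_state else {}
        for key in ('ttl', 'max_ttl'):
            if key in desired_state and current.get(key) != desired_state[key]:
                changed = True
        if changed and not module.check_mode:
            client.secrets.gcp.configure(mount_point=mount_point, **desired_state)

    return {'changed': changed}
```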
From: Mickael Dangleterre Date: Wed, 12 May 2021 13:30:14 +0200 Subject: [PATCH 09/10] Update for hashivault_googlecloud_secrets_roleset task New task : hashivault_googlecloud_secrets_roleset --- .../hashivault_googlecloud_secrets_roleset.py | 47 ++++++++++--------- ...ault_googlecloud_secrets_rotate_roleset.py | 34 ++++++++++++++ 2 files changed, 59 insertions(+), 22 deletions(-) create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
index 709c6401..dd4ef694 100644
--- a/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_roleset.py
@@ -3,21 +3,21 @@
 from ansible.module_utils.hashivault import hashivault_auth_client
 from ansible.module_utils.hashivault import hashivault_init
 from ansible.module_utils.hashivault import hashiwrapper
-import json
 def main():
 argspec = hashivault_argspec()
 argspec['name'] = dict(required=True, type='str')
- argspec['secret_type'] = dict(required=False, type='str', choices=['access_token', 'service_account'],
- default='access_token')
+ argspec['state'] = dict(required=False, type='str', default='present', choices=['present', 'absent'])
 argspec['project'] = dict(required=True, type='str')
+ argspec['secret_type'] = dict(required=True, type='str', default=None,
+ choices=['access_token', 'service_account_key'])
 argspec['bindings'] = dict(required=True, type='str')
 argspec['token_scopes'] = dict(required=False, type='list', default=[])
- argspec['state'] = dict(required=False, type='str', choices=['present', 'update', 'absent'], default='present')
- argspec['mount_point'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
 module = hashivault_init(argspec, supports_check_mode=True)
 result = hashivault_googlecloud_secrets_roleset(module)
+
 if result.get('failed'):
 module.fail_json(**result)
 else:
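Review bot: `argspec['secret_type']` combines `required=True` with `default=None`; a required parameter never falls back to its default, so the `default=None` is dead and the `elif secret_type is None:` branch added in the next hunk can never run. Either drop `default=None` here (and that branch), or make the parameter optional if the "both bindings and token_scopes" case is intended. The `'update'` choice removed from `state` and the `'service_account'` → `'service_account_key'` rename are fine, but the change should be called out in the module's DOCUMENTATION, which this hunk does not touch.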
@@ -27,33 +27,36 @@ def main():
 @hashiwrapper
 def hashivault_googlecloud_secrets_roleset(module):
 params = module.params
- mount_point = params.get('mount_point')
- desired_state = dict()
- current_state = dict()
- changed = False
 client = hashivault_auth_client(params)
 state = params.get('state')
- name = params.get('name')
- secret_type = params.get('secret_type')
+ mount_point = params.get('mount_point').strip('/')
 project = params.get('project')
-
- desired_state['name'] = name
- desired_state['secret_type'] = secret_type
- desired_state['project'] = project
- desired_state['bindings'] = params.get('bindings')
+ bindings = params.get('bindings')
+ secret_type = params.get('secret_type')
+ name = params.get('name')
+ token_scopes = params.get('token_scopes')
+ desired_state = dict()
+ current_state = dict()
+ changed = False
 if secret_type == 'access_token':
- desired_state['token_scopes'] = params.get('token_scopes')
+ desired_state['token_scopes'] = token_scopes
+ elif secret_type == 'service_account_key':
+ desired_state['bindings'] = bindings
+ elif secret_type is None:
+ desired_state['bindings'] = bindings
+ desired_state['token_scopes'] = token_scopes
 try:
- current_state = client.secrets.read_roleset()
+ current_state = client.secrets.gcp.read_roleset(name=name)
 except Exception:
 changed = True
- if state == 'present' or state == 'update':
- client.secrets.create_or_update_roleset(mount_point=mount_point, **desired_state)
- else:
- client.secrets.delete_roleset(mount_point=mount_point, name=name)
+ if changed and not module.check_mode and state == 'present':
+ client.secrets.gcp.create_or_update_roleset(mount_point=mount_point, name=name, project=project
+ , **desired_state)
+
+ return {'changed': True}
 if __name__ == '__main__':
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py
new file mode 100644
index 00000000..30e71faf
--- /dev/null
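Review bot: The removed `else:` branch held the only call to `delete_roleset`, yet `state: absent` is still offered by the argspec in the previous hunk, so `absent` is now a silent no-op that nevertheless returns `{'changed': True}`. `changed` is set only when `read_roleset` raises and `current_state` is never used, so an existing roleset is never updated and the result is wrong whenever nothing was done (check mode, roleset already present); `read_roleset(name=name)` also drops `mount_point`, so on a non-default mount it checks the wrong engine. `bindings` is now sent only for `service_account_key` whereas the old code always sent it; as far as I know Vault requires bindings for every roleset regardless of `secret_type`, so the `access_token` path will likely be rejected — please verify against the engine's API. The sketch below restores deletion, scopes the existence check to the mount and reports the actual outcome; it does not address updates of an existing roleset.
```python
    # … unchanged: parameter reads and desired_state construction …
    exists = True
    try:
        current_state = client.secrets.gcp.read_roleset(name=name, mount_point=mount_point)
    except Exception:
        exists = False

    if state == 'present' and not exists:
        if not module.check_mode:
            client.secrets.gcp.create_or_update_roleset(mount_point=mount_point, name=name, project=project,
                                                        **desired_state)
        return {'changed': True}
    if state == 'absent' and exists:
        if not module.check_mode:
            client.secrets.gcp.delete_roleset(mount_point=mount_point, name=name)
        return {'changed': True}
    return {'changed': False}
```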
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_rotate_roleset(module)
+
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_rotate_roleset(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ name = params.get('name')
+ mount_point = params.get('mount_point')
+ changed = False
+
+ client.secrets.gcp.rotate_roleset_account(name=name, mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()
From a749a3f2299b8949c6674472a8db2a4cce48f76f Mon Sep 17 00:00:00 2001 From: Mickael Dangleterre Date: Wed, 12 May 2021 13:32:31 +0200 Subject: [PATCH 10/10] Update for hashivault_googlecloud_secrets_roleset task New task : hashivault_googlecloud_secrets_rotate_roleset_account_key --- ...loud_secrets_rotate_roleset_account_key.py | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py
diff --git a/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py
new file mode 100644
index 00000000..57ae447d
--- /dev/null
+++ b/ansible/modules/hashivault/hashivault_googlecloud_secrets_rotate_roleset_account_key.py
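Review bot: `client.secrets.gcp.rotate_roleset_account(...)` runs unconditionally although `main()` declares `supports_check_mode=True`, so a `--check` run actually rotates the roleset's service account — a non-reversible action that check mode promises not to perform — and `changed = False` is dead because the function returns `{'changed': True}` regardless. Gate the call on check mode: `if not module.check_mode:` / `    client.secrets.gcp.rotate_roleset_account(name=name, mount_point=mount_point)` / `return {'changed': True}`, and drop the unused `changed` variable. `mount_point` is also not `.strip('/')`-ed as the sibling modules do. The same defect appears in `hashivault_googlecloud_secrets_rotate_roleset_account_key` in the next hunk.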
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+ argspec = hashivault_argspec()
+ argspec['name'] = dict(required=True, type='str')
+ argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+ module = hashivault_init(argspec, supports_check_mode=True)
+ result = hashivault_googlecloud_secrets_rotate_roleset_account_key(module)
+
+ if result.get('failed'):
+ module.fail_json(**result)
+ else:
+ module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_rotate_roleset_account_key(module):
+ params = module.params
+ client = hashivault_auth_client(params)
+ name = params.get('name')
+ mount_point = params.get('mount_point')
+ changed = False
+
+ client.secrets.gcp.rotate_roleset_account_key(name=name, mount_point=mount_point)
+ return {'changed': True}
+
+
+if __name__ == '__main__':
+ main()