forked from TerryHowe/ansible-modules-hashivault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhashivault_acl_policy.py
118 lines (106 loc) · 3.53 KB
/
hashivault_acl_policy.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#!/usr/bin/python
# -*- coding: utf-8 -*-
from ansible.module_utils.hashivault import hashivault_argspec
from ansible.module_utils.hashivault import hashivault_auth_client
from ansible.module_utils.hashivault import hashivault_init
from ansible.module_utils.hashivault import hashiwrapper
ANSIBLE_METADATA = ANSIBLE_METADATA = {'status': ['stableinterface'], 'supported_by': 'community', 'version': '1.1'}
DOCUMENTATION = '''
---
module: hashivault_acl_policy
version_added: "2.1.0"
short_description: Hashicorp Vault acl policy set module
description:
- Module to set an ACL policy in Hashicorp Vault.
options:
name:
description:
- policy name.
state:
type: str
choices: ["present", "absent"]
default: present
description:
- present or absent
rules:
description:
- policy rules.
rules_file:
description:
- name of local file to read for policy rules.
extends_documentation_fragment: hashivault
'''
EXAMPLES = '''
---
- hosts: localhost
tasks:
- hashivault_acl_policy:
name: my_policy
rules: '{{rules}}'
'''
def main():
argspec = hashivault_argspec()
argspec['name'] = dict(required=True, type='str')
argspec['rules'] = dict(required=False, type='str')
argspec['rules_file'] = dict(required=False, type='str')
argspec['state'] = dict(required=False, choices=['present', 'absent'], default='present')
mutually_exclusive = [['rules', 'rules_file']]
module = hashivault_init(argspec, mutually_exclusive=mutually_exclusive, supports_check_mode=True)
result = hashivault_acl_policy(module)
if result.get('failed'):
module.fail_json(**result)
else:
module.exit_json(**result)
@hashiwrapper
def hashivault_acl_policy(module):
params = module.params
client = hashivault_auth_client(params)
state = params.get('state')
name = params.get('name')
exists = False
changed = False
current_state = {}
desired_state = {}
# get current policies
current_policies = client.sys.list_acl_policies()
if isinstance(current_policies, dict):
current_policies = current_policies.get('data', current_policies).get('keys', current_policies)
if name in current_policies:
exists = True
current_state = client.sys.read_acl_policy(name)
current_state = current_state.get('data', current_state).get('policy', current_state)
# Define desired rules
rules_file = params.get('rules_file')
if rules_file:
try:
desired_state = open(rules_file, 'r').read()
except Exception as e:
return {'changed': False,
'failed': True,
'msg': 'Error opening rules file <%s>: %s' % (rules_file, str(e))}
else:
desired_state = params.get('rules')
# Check required actions
if state == 'present' and not exists:
changed = True
elif state == 'absent' and exists:
changed = True
elif state == 'present' and exists:
if current_state != desired_state:
changed = True
if changed and not module.check_mode:
# create or update
if state == 'present':
client.sys.create_or_update_acl_policy(name, desired_state)
# delete
elif state == 'absent':
client.sys.delete_acl_policy(name)
return {
"changed": changed,
"diff": {
"before": current_state,
"after": desired_state,
},
}
if __name__ == '__main__':
main()