forked from TerryHowe/ansible-modules-hashivault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhashivault_auth_method.py
161 lines (146 loc) · 4.85 KB
/
hashivault_auth_method.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#!/usr/bin/python
from ansible.module_utils.hashivault import is_state_changed
from ansible.module_utils.hashivault import hashivault_argspec
from ansible.module_utils.hashivault import hashivault_auth_client
from ansible.module_utils.hashivault import hashivault_init
from ansible.module_utils.hashivault import hashiwrapper
ANSIBLE_METADATA = {'status': ['stableinterface'], 'supported_by': 'community', 'version': '1.1'}
DOCUMENTATION = '''
---
module: hashivault_auth_method
version_added: "3.17.7"
short_description: Hashicorp Vault auth module
description:
- Module to enable or disable authentication methods in Hashicorp Vault.
options:
method_type:
description:
- name of auth method. [required]
description:
description:
- description of authenticator
mount_point:
description:
- location where this auth_method will be mounted. also known as "path"
state:
description:
- should auth mount be enabled or disabled
default: enabled
config:
description:
- configuration set on auth method. expects a dict
default: "{'default_lease_ttl': 2764800, 'max_lease_ttl': 2764800, 'force_no_cache':False,
'token_type': 'default-service'}"
extends_documentation_fragment: hashivault
'''
EXAMPLES = '''
---
- hosts: localhost
tasks:
- hashivault_auth_method:
method_type: userpass
'''
RETURN = r'''
path:
description: The path of the auth method.
type: str
returned: always
result:
description: The current configuration of the auth method if it exists.
type: dict
returned: always
'''
DEFAULT_TTL = 2764800
DEFAULT_CONFIG = {
'default_lease_ttl': DEFAULT_TTL,
'max_lease_ttl': DEFAULT_TTL,
'force_no_cache': False,
'token_type': 'default-service'
}
def main():
argspec = hashivault_argspec()
argspec['method_type'] = dict(required=True, type='str')
argspec['description'] = dict(required=False, type='str', default='')
argspec['state'] = dict(required=False, type='str', default='enabled',
choices=['enabled', 'disabled', 'enable', 'disable'])
argspec['mount_point'] = dict(required=False, type='str', default=None)
argspec['config'] = dict(required=False, type='dict',
default=DEFAULT_CONFIG)
module = hashivault_init(argspec, supports_check_mode=True)
result = hashivault_auth_method(module)
if result.get('failed'):
module.fail_json(**result)
else:
module.exit_json(**result)
@hashiwrapper
def hashivault_auth_method(module):
params = module.params
client = hashivault_auth_client(params)
method_type = params.get('method_type')
description = params.get('description')
mount_point = params.get('mount_point')
config = params.get('config')
if params.get('state') in ['enabled', 'enable']:
state = 'enabled'
else:
state = 'disabled'
exists = False
changed = False
create = False
current_state = {}
desired_state = {
'config': config,
'description': description
}
if mount_point is None:
mount_point = method_type
# Get current auth methods
try:
result = client.sys.list_auth_methods()
auth_methods = result.get('data', result)
if (mount_point + u"/") in auth_methods:
exists = True
except Exception:
pass
# Check required actions
if state == 'enabled' and not exists:
changed = True
create = True
elif state == 'disabled' and exists:
changed = True
elif exists and state == 'enabled':
auth_method = auth_methods[mount_point + u"/"]
current_state = {
'config': auth_method['config'],
'description': auth_method['description']
}
changed = description != auth_method['description'] or is_state_changed(config, auth_method['config'])
# create
if state == 'enabled' and changed and not module.check_mode:
if create:
client.sys.enable_auth_method(method_type, description=description, path=mount_point, config=config)
# update
else:
client.sys.tune_auth_method(description=description, path=mount_point, **config)
# delete
elif state == 'disabled' and changed and not module.check_mode:
client.sys.disable_auth_method(path=mount_point)
# Get resulting auth method
try:
final_result = client.sys.list_auth_methods()
retval = final_result['data'][mount_point + u"/"]
except Exception:
retval = {}
pass
return {
"changed": changed,
"created": create,
"path": mount_point,
"result": retval,
"diff": {
"before": current_state,
"after": desired_state,
},
}
if __name__ == '__main__':
main()