forked from TerryHowe/ansible-modules-hashivault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhashivault_policy.py
116 lines (104 loc) · 3.37 KB
/
hashivault_policy.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
#!/usr/bin/python
from ansible.module_utils.hashivault import hashivault_argspec
from ansible.module_utils.hashivault import hashivault_auth_client
from ansible.module_utils.hashivault import hashivault_init
from ansible.module_utils.hashivault import hashiwrapper
ANSIBLE_METADATA = ANSIBLE_METADATA = {'status': ['stableinterface'], 'supported_by': 'community', 'version': '1.1'}
DOCUMENTATION = '''
---
module: hashivault_policy
version_added: "2.1.0"
short_description: Hashicorp Vault policy set module
description:
- Module to set a policy in Hashicorp Vault. Use hashivault_policy instead.
options:
name:
description:
- policy name.
state:
type: str
choices: ["present", "absent"]
default: present
description:
- present or absent
rules:
description:
- policy rules.
rules_file:
description:
- name of local file to read for policy rules.
extends_documentation_fragment: hashivault
'''
EXAMPLES = '''
---
- hosts: localhost
tasks:
- hashivault_policy:
name: my_policy
rules: '{{rules}}'
'''
def main():
argspec = hashivault_argspec()
argspec['name'] = dict(required=True, type='str')
argspec['rules'] = dict(required=False, type='str')
argspec['rules_file'] = dict(required=False, type='str')
argspec['state'] = dict(required=False, choices=['present', 'absent'], default='present')
mutually_exclusive = [['rules', 'rules_file']]
module = hashivault_init(argspec, mutually_exclusive=mutually_exclusive, supports_check_mode=True)
result = hashivault_policy(module)
if result.get('failed'):
module.fail_json(**result)
else:
module.exit_json(**result)
@hashiwrapper
def hashivault_policy(module):
params = module.params
client = hashivault_auth_client(params)
state = params.get('state')
name = params.get('name')
exists = False
changed = False
current_state = {}
desired_state = {}
# get current policies
current_policies = client.sys.list_policies()
if isinstance(current_policies, dict):
current_policies = current_policies.get('policies', current_policies)
if name in current_policies:
exists = True
current_state = client.get_policy(name)
# Define desired rules
rules_file = params.get('rules_file')
if rules_file:
try:
desired_state = open(rules_file, 'r').read()
except Exception as e:
return {'changed': False,
'failed': True,
'msg': 'Error opening rules file <%s>: %s' % (rules_file, str(e))}
else:
desired_state = params.get('rules')
# Check required actions
if state == 'present' and not exists:
changed = True
elif state == 'absent' and exists:
changed = True
elif state == 'present' and exists:
if current_state != desired_state:
changed = True
if changed and not module.check_mode:
# create or update
if state == 'present':
client.sys.create_or_update_policy(name, desired_state)
# delete
elif state == 'absent':
client.sys.delete_policy(name)
return {
"changed": changed,
"diff": {
"before": current_state,
"after": desired_state,
},
}
if __name__ == '__main__':
main()