Why Gemfury? Push, build, and install  RubyGems npm packages Python packages Maven artifacts PHP packages Go Modules Debian packages RPM packages NuGet packages

duality-group / ansible python

Repository URL to install this package:

Version: 
6.0.0  ▾
Details    
ansible / community / hashi_vault / plugins / modules / vault_token_create.py
Size: Mime: 
#!/usr/bin/python
# -*- coding: utf-8 -*-
# (c) 2022, Brian Scholer (@briantist)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = """
  module: vault_token_create
  version_added: 2.3.0
  author:
    - Brian Scholer (@briantist)
  short_description: Create a HashiCorp Vault token
  requirements:
    - C(hvac) (L(Python library,https://hvac.readthedocs.io/en/stable/overview.html))
    - For detailed requirements, see R(the collection requirements page,ansible_collections.community.hashi_vault.docsite.user_guide.requirements).
  description:
    - Creates a token in HashiCorp Vault, returning the response, including the token.
  seealso:
    - ref: community.hashi_vault.vault_token_create lookup <ansible_collections.community.hashi_vault.vault_token_create_lookup>
      description: The official documentation for the C(community.hashi_vault.vault_token_create) lookup plugin.
    - module: community.hashi_vault.vault_login
    - ref: community.hashi_vault.vault_login lookup <ansible_collections.community.hashi_vault.vault_login_lookup>
      description: The official documentation for the C(community.hashi_vault.vault_login) lookup plugin.
    - ref: community.hashi_vault.vault_login_token filter <ansible_collections.community.hashi_vault.docsite.filter_guide.vault_login_token>
      description: The official documentation for the C(community.hashi_vault.vault_login_token) filter plugin.
  extends_documentation_fragment:
    - community.hashi_vault.connection
    - community.hashi_vault.auth
    - community.hashi_vault.token_create
    - community.hashi_vault.wrapping
  notes:
    - Token creation is a write operation (creating a token persisted to storage), so this module always reports C(changed=True).
    - For the purposes of Ansible playbooks however,
      it may be more useful to set I(changed_when=false) if you are doing idempotency checks against the target system.
    - In check mode, this module will not create a token, and will instead return a basic structure with an empty token.
      However, this may not be useful if the token is required for follow on tasks.
      It may be better to use this module with I(check_mode=no) in order to have a valid token that can be used.
  options: {}
"""

EXAMPLES = """
- name: Login via userpass and create a child token
  community.hashi_vault.vault_token_create:
    url: https://vault:8201
    auth_method: userpass
    username: user
    password: '{{ passwd }}'
  register: token_data

- name: Retrieve an approle role ID using the child token (token via filter)
  community.hashi_vault.vault_read:
    url: https://vault:8201
    auth_method: token
    token: '{{ token_data | community.hashi_vault.vault_login_token }}'
    path: auth/approle/role/role-name/role-id
  register: approle_id

- name: Retrieve an approle role ID using the child token (token via direct dict access)
  community.hashi_vault.vault_read:
    url: https://vault:8201
    auth_method: token
    token: '{{ token_data.login.auth.client_token }}'
    path: auth/approle/role/role-name/role-id
  register: approle_id

# implicitly uses token auth with a token from the environment
- name: Create an orphaned token with a short TTL
  community.hashi_vault.vault_token_create:
    url: https://vault:8201
    orphan: true
    ttl: 60s
  register: token_data

- name: Display the full response
  ansible.builtin.debug:
    var: token_data.login
"""

RETURN = """
login:
  description: The result of the token creation operation.
  returned: success
  type: dict
  sample:
    auth:
      client_token: s.rlwajI2bblHAWU7uPqZhLru3
    data: null
  contains:
    auth:
      description: The C(auth) member of the token response.
      returned: success
      type: dict
      contains:
        client_token:
          description: Contains the newly created token.
          returned: success
          type: str
    data:
      description: The C(data) member of the token response.
      returned: success, when available
      type: dict
"""

import traceback

from ansible.module_utils._text import to_native

from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_module import HashiVaultModule
from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultValueError


PASS_THRU_OPTION_NAMES = [
    'no_parent',
    'no_default_policy',
    'policies',
    'id',
    'role_name',
    'meta',
    'renewable',
    'ttl',
    'type',
    'explicit_max_ttl',
    'display_name',
    'num_uses',
    'period',
    'entity_alias',
    'wrap_ttl',
]


LEGACY_OPTION_TRANSLATION = {
    'id': 'token_id',
    'role_name': 'role',
    'type': 'token_type',
}


def run_module():
    argspec = HashiVaultModule.generate_argspec(
        orphan=dict(type='bool', default=False),
        no_parent=dict(type='bool'),
        no_default_policy=dict(type='bool'),
        policies=dict(type='list', elements='str'),
        id=dict(type='str'),
        role_name=dict(type='str'),
        meta=dict(type='dict'),
        renewable=dict(type='bool'),
        ttl=dict(type='str'),
        type=dict(type='str', choices=['batch', 'service']),
        explicit_max_ttl=dict(type='str'),
        display_name=dict(type='str'),
        num_uses=dict(type='int'),
        period=dict(type='str'),
        entity_alias=dict(type='str'),
        wrap_ttl=dict(type='str'),
    )

    module = HashiVaultModule(
        argument_spec=argspec,
        supports_check_mode=True
    )

    module.connection_options.process_connection_options()
    client_args = module.connection_options.get_hvac_connection_options()
    client = module.helper.get_vault_client(**client_args)

    try:
        module.authenticator.validate()
        module.authenticator.authenticate(client)
    except (NotImplementedError, HashiVaultValueError) as e:
        module.fail_json(msg=to_native(e), exception=traceback.format_exc())

    pass_thru_options = module.adapter.get_filled_options(*PASS_THRU_OPTION_NAMES)

    if module.adapter.get_option('orphan'):
        pass_thru_options['no_parent'] = True

    legacy_options = pass_thru_options.copy()

    for key in pass_thru_options.keys():
        if key in LEGACY_OPTION_TRANSLATION:
            legacy_options[LEGACY_OPTION_TRANSLATION[key]] = legacy_options.pop(key)

    # token creation is a write operation, using storage and resources
    changed = True
    response = None

    if module.check_mode:
        module.exit_json(changed=changed, login={'auth': {'client_token': None}})

    if module.adapter.get_option('orphan'):
        # this method is deprecated, but it's the only way through hvac to get
        # at the /create-orphan endpoint at this time.
        # See: https://github.com/hvac/hvac/issues/758
        try:
            response = client.create_token(orphan=True, **legacy_options)
        except AttributeError:
            module.warn("'create_token' method was not found. Attempting method that requires root privileges.")
        except Exception as e:
            module.fail_json(msg=to_native(e), exception=traceback.format_exc())

    if response is None:
        try:
            response = client.auth.token.create(**pass_thru_options)
        except Exception as e:
            module.fail_json(msg=to_native(e), exception=traceback.format_exc())

    module.exit_json(changed=changed, login=response)


def main():
    run_module()


if __name__ == '__main__':
    main()

Products

About

Resources

Contact Gemfury