├── changelogs
├── fragments
│ ├── .keep
│ └── 488-db-keys-returns.yml
└── config.yaml
├── tests
├── unit
│ ├── compat
│ │ ├── __init__.py
│ │ ├── mock.py
│ │ ├── builtins.py
│ │ └── unittest.py
│ ├── fixtures
│ │ ├── vault-token
│ │ ├── kv1_get_response.json
│ │ ├── kv2_list_response.json
│ │ ├── policy_list_response.json
│ │ ├── userpass_list_response.json
│ │ ├── approle_secret_id_write_response.json
│ │ ├── database_connections_list_response.json
│ │ ├── database_static_roles_list_response.json
│ │ ├── database_roles_list_response.json
│ │ ├── gcp_login_response.json
│ │ ├── database_static_role_read_response.json
│ │ ├── kv2_get_response.json
│ │ ├── database_connection_read_response.json
│ │ ├── token_create_response.json
│ │ ├── lookup-self_without_meta.json
│ │ ├── database_role_read_response.json
│ │ ├── lookup-self_with_meta.json
│ │ ├── database_static_role_get_credentials_response.json
│ │ ├── ldap_login_response.json
│ │ ├── jwt_login_response.json
│ │ ├── userpass_login_response.json
│ │ ├── approle_login_response.json
│ │ ├── aws_iam_login_response.json
│ │ ├── azure_login_response.json
│ │ └── cert_login_response.json
│ ├── requirements.txt
│ └── plugins
│ │ ├── lookup
│ │ └── conftest.py
│ │ ├── plugin_utils
│ │ └── option_adapter
│ │ │ └── test_hashi_vault_option_adapter.py
│ │ └── module_utils
│ │ ├── authentication
│ │ └── test_auth_none.py
│ │ └── option_adapter
│ │ └── conftest.py
├── integration
│ ├── targets
│ │ ├── lookup_vault_list
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_list_setup.yml
│ │ ├── lookup_vault_read
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_read_setup.yml
│ │ ├── setup_cert_content
│ │ │ ├── aliases
│ │ │ ├── files
│ │ │ │ └── .gitignore
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ ├── README.md
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── lookup_hashi_vault
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── lookup_setup.yml
│ │ │ │ └── main.yml
│ │ ├── lookup_vault_kv1_get
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_kv1_get_setup.yml
│ │ ├── lookup_vault_kv2_get
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_kv2_get_setup.yml
│ │ ├── lookup_vault_login
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_login_setup.yml
│ │ ├── lookup_vault_write
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_write_setup.yml
│ │ ├── setup_vault_server_cert
│ │ │ ├── aliases
│ │ │ ├── README.md
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── lookup_vault_token_create
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_token_create_setup.yml
│ │ ├── module_vault_kv1_get
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_kv1_get_setup.yml
│ │ ├── module_vault_kv2_get
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_kv2_get_setup.yml
│ │ ├── module_vault_list
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_list_setup.yml
│ │ ├── module_vault_login
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_login_setup.yml
│ │ ├── module_vault_read
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_read_setup.yml
│ │ ├── module_vault_write
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_write_setup.yml
│ │ ├── setup_vault_test_plugins
│ │ │ ├── aliases
│ │ │ ├── README.md
│ │ │ ├── vars
│ │ │ │ └── main.yml
│ │ │ └── library
│ │ │ │ ├── vault_ci_policy_put.py
│ │ │ │ ├── vault_ci_read.py
│ │ │ │ ├── vault_ci_kv2_destroy_all.py
│ │ │ │ ├── vault_ci_token_create.py
│ │ │ │ ├── vault_ci_write.py
│ │ │ │ ├── vault_ci_kv2_metadata_read.py
│ │ │ │ └── vault_ci_kv_put.py
│ │ ├── lookup_vault_ansible_settings
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── lookup_vault_ansible_settings_configure.yml
│ │ ├── module_vault_kv2_delete
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_kv2_delete_setup.yml
│ │ ├── module_vault_kv2_write
│ │ │ ├── aliases
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── setup.yml
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── vars
│ │ │ │ └── main.yml
│ │ ├── module_vault_token_create
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_token_create_setup.yml
│ │ ├── auth_cert
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ └── cert_setup.yml
│ │ │ └── files
│ │ │ │ ├── auth_cert_invalid.crt
│ │ │ │ ├── auth_cert.crt
│ │ │ │ ├── auth_cert.key
│ │ │ │ └── auth_cert_invalid.key
│ │ ├── auth_gcp
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── auth_jwt
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── files
│ │ │ │ ├── token_invalid.jwt
│ │ │ │ ├── jwt_public.pem
│ │ │ │ ├── token.jwt
│ │ │ │ └── jwt_private.pem
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── jwt_setup.yml
│ │ │ │ ├── jwt_test_target.yml
│ │ │ │ └── main.yml
│ │ ├── auth_ldap
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── ldap_test_controller.yml
│ │ │ │ └── ldap_test_target.yml
│ │ ├── auth_none
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── target.yml
│ │ │ │ └── controller.yml
│ │ │ └── defaults
│ │ │ │ └── main.yml
│ │ ├── filter_vault_login_token
│ │ │ ├── aliases
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── auth_approle
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ └── approle_setup.yml
│ │ ├── auth_aws_iam
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── aws_iam_test_controller.yml
│ │ │ │ └── aws_iam_test_target.yml
│ │ ├── auth_azure
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── auth_token
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── module_vault_database_role_create
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_role_create_setup.yml
│ │ ├── module_vault_database_role_delete
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_role_delete_setup.yml
│ │ ├── module_vault_database_role_read
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_role_read_setup.yml
│ │ ├── module_vault_database_roles_list
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_roles_list_setup.yml
│ │ ├── auth_userpass
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── userpass_setup.yml
│ │ │ │ ├── userpass_test_controller.yml
│ │ │ │ ├── userpass_test_target.yml
│ │ │ │ └── main.yml
│ │ ├── connection_options
│ │ │ ├── aliases
│ │ │ ├── tasks
│ │ │ │ └── main.yml
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── defaults
│ │ │ │ └── main.yml
│ │ ├── module_vault_database_connection_delete
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_connection_delete_setup.yml
│ │ ├── module_vault_database_connection_read
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_connection_read_setup.yml
│ │ ├── module_vault_database_connection_reset
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_connection_reset_setup.yml
│ │ ├── module_vault_database_connections_list
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_connection_list_setup.yml
│ │ ├── module_vault_database_rotate_root_creds
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_db_rotate_root_creds_cleanup.yml
│ │ ├── module_vault_database_static_role_create
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_static_role_create_setup.yml
│ │ ├── module_vault_database_static_role_read
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_static_role_read_setup.yml
│ │ ├── module_vault_database_static_roles_list
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_static_roles_list_setup.yml
│ │ ├── module_vault_pki_generate_certificate
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ ├── module_vault_pki_generate_certificate_setup.yml
│ │ │ │ └── module_vault_pki_generate_certificate_test.yml
│ │ ├── module_vault_database_connection_configure
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_connection_configure_setup.yml
│ │ ├── module_vault_database_static_role_get_creds
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_database_static_role_get_credentials_setup.yml
│ │ ├── setup_localenv_docker
│ │ │ ├── files
│ │ │ │ ├── .output
│ │ │ │ │ └── .gitignore
│ │ │ │ ├── playbooks
│ │ │ │ │ └── vault_docker.yml
│ │ │ │ ├── requirements
│ │ │ │ │ └── requirements.yml
│ │ │ │ └── sql
│ │ │ │ │ └── init.sql
│ │ │ ├── aliases
│ │ │ ├── templates
│ │ │ │ ├── integration_config.yml.j2
│ │ │ │ ├── mmock
│ │ │ │ │ ├── proxy.yml.j2
│ │ │ │ │ ├── ldap_login_bad_request.yml.j2
│ │ │ │ │ ├── gcp_login_bad_request.yml.j2
│ │ │ │ │ ├── azure_login_bad_request.yml.j2
│ │ │ │ │ ├── aws_iam_login_bad_request.yml.j2
│ │ │ │ │ ├── ldap_login_default_mount.yml.j2
│ │ │ │ │ ├── ldap_login_alt_mount.yml.j2
│ │ │ │ │ ├── aws_iam_login_default_mount.yml.j2
│ │ │ │ │ ├── aws_iam_login_alt_mount.yml.j2
│ │ │ │ │ ├── gcp_login_default.yml.j2
│ │ │ │ │ ├── gcp_login_alt_mount.yml.j2
│ │ │ │ │ ├── azure_login_default_mount.yml.j2
│ │ │ │ │ └── azure_login_alt_mount.yml.j2
│ │ │ │ ├── vault_config.hcl.j2
│ │ │ │ └── docker-compose.yml.j2
│ │ │ ├── setup.sh
│ │ │ ├── README.md
│ │ │ ├── tasks
│ │ │ │ └── docker.yml
│ │ │ ├── vars
│ │ │ │ ├── main.yml
│ │ │ │ └── local_client.yml
│ │ │ └── defaults
│ │ │ │ └── main.yml
│ │ ├── module_vault_database_static_role_rotate_creds
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── module_vault_db_static_role_rotate_creds_setup.yml
│ │ ├── setup_localenv_gha
│ │ │ ├── aliases
│ │ │ ├── files
│ │ │ │ ├── .gitignore
│ │ │ │ ├── playbooks
│ │ │ │ │ └── gha.yml
│ │ │ │ └── .output
│ │ │ │ │ └── vault_config
│ │ │ │ │ └── cert.pem
│ │ │ ├── templates
│ │ │ │ └── launch.sh.j2
│ │ │ ├── defaults
│ │ │ │ └── main.yml
│ │ │ ├── README.md
│ │ │ ├── setup.sh
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── setup_vault_configure
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── README.md
│ │ │ └── tasks
│ │ │ │ └── main.yml
│ │ ├── setup_vault_configure_database
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── README.md
│ │ │ ├── tasks
│ │ │ │ ├── main.yml
│ │ │ │ └── configure.yml
│ │ │ └── vars
│ │ │ │ └── main.yml
│ │ └── setup_vault_configure_engine_pki
│ │ │ ├── aliases
│ │ │ ├── meta
│ │ │ └── main.yml
│ │ │ ├── README.md
│ │ │ ├── vars
│ │ │ └── main.yml
│ │ │ └── tasks
│ │ │ ├── main.yml
│ │ │ └── configure.yml
│ ├── requirements.txt
│ ├── .ansible-lint
│ ├── integration.cfg
│ └── integration_config.yml.sample
└── sanity
│ └── ignore-2.21.txt
├── LICENSES
├── GPL-3.0-or-later.txt
└── BSD-2-Clause.txt
├── docs
├── docsite
│ ├── rst
│ │ └── CHANGELOG.rst
│ └── extra-docs.yml
└── preview
│ ├── .gitignore
│ ├── requirements.txt
│ ├── rst
│ └── index.rst
│ ├── build.sh
│ ├── antsibull-docs.cfg
│ └── conf.py
├── .github
├── actions
│ ├── docker-image-versions
│ │ ├── requirements.txt
│ │ └── action.yml
│ └── collection-via-git
│ │ └── action.yml
├── dependabot.yml
└── workflows
│ └── ansible-builder.yml
├── meta
├── execution-environment.yml
├── ee-requirements.txt
└── runtime.yml
├── .git-blame-ignore-revs
├── plugins
├── doc_fragments
│ ├── engine_mount.py
│ ├── wrapping.py
│ └── attributes.py
├── filter
│ └── vault_login_token.py
└── module_utils
│ ├── _auth_method_none.py
│ └── _auth_method_cert.py
└── galaxy.yml
/changelogs/fragments/.keep:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/tests/unit/compat/__init__.py:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/LICENSES/GPL-3.0-or-later.txt:
--------------------------------------------------------------------------------
1 | ../LICENSE
--------------------------------------------------------------------------------
/tests/unit/fixtures/vault-token:
--------------------------------------------------------------------------------
1 | token-value
2 |
--------------------------------------------------------------------------------
/docs/docsite/rst/CHANGELOG.rst:
--------------------------------------------------------------------------------
1 | ../../../CHANGELOG.rst
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_list/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_read/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_cert_content/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_hashi_vault/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv1_get/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv2_get/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_login/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_write/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_server_cert/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 |
--------------------------------------------------------------------------------
/tests/unit/requirements.txt:
--------------------------------------------------------------------------------
1 | # NOTE(review): these test dependencies are unpinned, so every CI run installs
2 | # whatever is current on the index. Pin exact versions (ideally with
3 | # --require-hashes via a generated constraints file) so installs are
4 | # reproducible and auditable.
5 | hvac
6 | urllib3
7 | azure-identity
8 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_token_create/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv1_get/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_get/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_list/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_login/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_read/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_write/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_ansible_settings/aliases:
--------------------------------------------------------------------------------
1 | # empty
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_delete/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_write/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_token_create/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/cert
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_gcp/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/gcp
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/jwt
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_ldap/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/ldap
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_none/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/none
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/filter_vault_login_token/aliases:
--------------------------------------------------------------------------------
1 | context/controller
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_cert_content/files/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_approle/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/approle
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_aws_iam/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/aws_iam
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_azure/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/azure
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_token/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/token
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_create/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_delete/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_read/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_roles_list/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/aliases:
--------------------------------------------------------------------------------
1 | vault/auth/userpass
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/connection_options/aliases:
--------------------------------------------------------------------------------
1 | vault/connection
2 | context/target
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_delete/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_read/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_reset/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connections_list/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_rotate_root_creds/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_create/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_read/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_roles_list/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_pki_generate_certificate/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_configure/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_get_creds/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/files/.output/.gitignore:
--------------------------------------------------------------------------------
1 | *
2 | !.gitignore
3 |
--------------------------------------------------------------------------------
/.github/actions/docker-image-versions/requirements.txt:
--------------------------------------------------------------------------------
1 | # NOTE(review): only a lower bound is set here (and none for requests or
2 | # packaging), so this action installs whatever is current at run time. Pin
3 | # exact versions (with hashes) so the CI action environment is reproducible
4 | # and auditable.
5 | requests
6 | packaging
7 | urllib3 >= 1.15
8 |
--------------------------------------------------------------------------------
/tests/integration/requirements.txt:
--------------------------------------------------------------------------------
1 | # NOTE(review): unpinned; pin exact versions (with hashes) so integration
2 | # runs are reproducible and the installed set can be audited.
3 | hvac
4 | urllib3
5 | azure-identity
6 | psycopg[binary,pool]
7 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_rotate_creds/aliases:
--------------------------------------------------------------------------------
1 | context/target
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 | needs/target/setup_localenv_docker
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_none/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 | needs/target/setup_vault_server_cert
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/files/.gitignore:
--------------------------------------------------------------------------------
1 | # Everything generated under .output/ stays out of git except the server
2 | # certificate. Git cannot re-include a file whose parent directory is
3 | # excluded, so the directory is excluded by content (".output/*") rather than
4 | # as a whole; with the previous ".output/" rule the "!...*.pem" negation was a
5 | # no-op. The certificate is matched by name: a "*.pem" glob would also
6 | # un-ignore any private key written next to it in PEM form. Add further
7 | # certificate files by name if they are meant to be tracked.
8 | .output/*
9 | !.output/vault_config/
10 | .output/vault_config/*
11 | !.output/vault_config/cert.pem
12 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 | needs/target/setup_vault_test_plugins
3 |
--------------------------------------------------------------------------------
/meta/execution-environment.yml:
--------------------------------------------------------------------------------
1 | ---
2 | version: 1
3 | dependencies:
4 | python: meta/ee-requirements.txt
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_write/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_write/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_database/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 | needs/target/setup_vault_test_plugins
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_engine_pki/aliases:
--------------------------------------------------------------------------------
1 | hidden
2 | needs/target/setup_vault_test_plugins
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_none/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: target.yml
3 | - import_tasks: controller.yml
4 |
--------------------------------------------------------------------------------
/.git-blame-ignore-revs:
--------------------------------------------------------------------------------
1 | # .git-blame-ignore-revs
2 |
3 | # update license headers
4 | a1ab6601956eece531d46b3348a4e3b7adfa57e2
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_write/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: setup.yml
3 | # NOTE(review): the tree listing for this target's tasks/ directory shows only
4 | # main.yml and setup.yml; if test.yml is absent, import_tasks fails when the
5 | # play is parsed. Confirm the file exists (or is generated) before relying on it.
6 | - import_tasks: test.yml
7 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_database/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_engine_pki/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_ldap/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/connection_options/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - include_tasks: controller.yml
3 | - include_tasks: target.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_approle/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_aws_iam/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_token/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/connection_options/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_cert_content
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_hashi_vault/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_list/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_login/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_read/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_list/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_login/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_read/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/templates/launch.sh.j2:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | docker compose -f "{{ docker_compose_file }}" up -d
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv1_get/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv2_get/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv1_get/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_delete/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_get/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_write/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/README.md:
--------------------------------------------------------------------------------
1 | # `setup_vault_test_plugins`
2 | Contains plugins/modules that are used only in testing.
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_ansible_settings/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_token_create/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_token_create/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_none/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_test_server_http }}'
3 | ansible_hashi_vault_auth_method: none
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_list/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_list_setup.yml
3 | - import_tasks: lookup_vault_list_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_read/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_read_setup.yml
3 | - import_tasks: lookup_vault_read_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_list/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_list_setup.yml
3 | - import_tasks: module_vault_list_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_read/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_read_setup.yml
3 | - import_tasks: module_vault_read_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/integration_config.yml.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | ---
3 | {{ integration_config | to_nice_yaml }}
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_cert_content
5 | - setup_vault_configure
6 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_token/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_test_server_http }}'
3 | ansible_hashi_vault_auth_method: token
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_login/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_login_setup.yml
3 | - import_tasks: lookup_vault_login_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_write/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_write_setup.yml
3 | - import_tasks: lookup_vault_write_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_login/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_login_setup.yml
3 | - import_tasks: module_vault_login_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_write/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_write_setup.yml
3 | - import_tasks: module_vault_write_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/files/playbooks/gha.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | gather_facts: false
4 | roles:
5 | - setup_localenv_gha
6 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_database/README.md:
--------------------------------------------------------------------------------
1 | # `setup_vault_configure_database`
2 | Performs configuration of the database engine in Vault.
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_engine_pki/README.md:
--------------------------------------------------------------------------------
1 | # `setup_vault_configure_engine_pki`
2 | Performs configuration of the PKI engine in Vault.
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv1_get/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_kv1_get_setup.yml
3 | - import_tasks: lookup_vault_kv1_get_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv2_get/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_kv2_get_setup.yml
3 | - import_tasks: lookup_vault_kv2_get_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_create/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_delete/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_read/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_roles_list/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv1_get/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_kv1_get_setup.yml
3 | - import_tasks: module_vault_kv1_get_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_get/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_kv2_get_setup.yml
3 | - import_tasks: module_vault_kv2_get_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_delete/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_read/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_reset/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connections_list/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_rotate_root_creds/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_create/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_read/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_roles_list/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_pki_generate_certificate/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_configure
4 | - setup_vault_configure_engine_pki
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_configure/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_get_creds/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_delete/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_kv2_delete_setup.yml
3 | - import_tasks: module_vault_kv2_delete_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/files/playbooks/vault_docker.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | gather_facts: false
4 | roles:
5 | - setup_localenv_docker
6 |
--------------------------------------------------------------------------------
/tests/integration/targets/connection_options/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # When false, the tests that require a verified TLS (HTTPS) connection to Vault are skipped. Leave this true wherever a TLS-enabled Vault is available; otherwise certificate-validation behaviour goes untested.
3 | vault_run_https_tests: True
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_token_create/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_token_create_setup.yml
3 | - import_tasks: lookup_vault_token_create_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_rotate_creds/meta/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | dependencies:
3 | - setup_vault_test_plugins
4 | - setup_vault_configure_database
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_token_create/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_token_create_setup.yml
3 | - import_tasks: module_vault_token_create_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | output_dir: '{{ role_path }}/files/.output'
3 | docker_compose_project_name: hashi_vault
4 | docker_compose: none
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_ansible_settings/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: lookup_vault_ansible_settings_configure.yml
3 | - import_tasks: lookup_vault_ansible_settings_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_read/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_role_read_setup.yml
3 | - import_tasks: module_vault_database_role_read_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_cert_content/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | cert_output_dir: '{{ role_path }}'
3 | cert_file_name: cert.pem
4 | cert_location: '{{ cert_output_dir }}/{{ cert_file_name }}'
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_roles_list/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_roles_list_setup.yml
3 | - import_tasks: module_vault_database_roles_list_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_create/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_role_create_setup.yml
3 | - import_tasks: module_vault_database_role_create_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_delete/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_role_delete_setup.yml
3 | - import_tasks: module_vault_database_role_delete_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_engine_pki/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | vault_configure_engine_pki_canary:
3 | path: cubbyhole/configure_engine_pki
4 | value: complete # completion marker: only the path's existence is meaningful, the value is never relied upon
5 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_read/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_connection_read_setup.yml
3 | - import_tasks: module_vault_database_connection_read_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connections_list/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_connection_list_setup.yml
3 | - import_tasks: module_vault_database_connection_list_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_pki_generate_certificate/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_pki_generate_certificate_setup.yml
3 | - import_tasks: module_vault_pki_generate_certificate_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_delete/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_connection_delete_setup.yml
3 | - import_tasks: module_vault_database_connection_delete_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_reset/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_connection_reset_setup.yml
3 | - import_tasks: module_vault_database_connection_reset_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_read/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_static_role_read_setup.yml
3 | - import_tasks: module_vault_database_static_role_read_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_roles_list/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_static_roles_list_setup.yml
3 | - import_tasks: module_vault_database_static_roles_list_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_create/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_static_role_create_setup.yml
3 | - import_tasks: module_vault_database_static_role_create_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_configure/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_connection_configure_setup.yml
3 | - import_tasks: module_vault_database_connection_configure_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/files/token_invalid.jwt:
--------------------------------------------------------------------------------
1 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIxMjM0IiwidXNlcl9jbGFpbSI6InVzZXJfY2xhaW0iLCJuYmYiOjE2MDQ4MzUxMDAsImV4cCI6MzI0OTkwNTEzNTl9.etc2WSH7kR3fHFlVt4wlBYFKNn7Z4DQcRVXUK4gGF-Q
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_get_creds/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - import_tasks: module_vault_database_static_role_get_credentials_setup.yml
3 | - import_tasks: module_vault_database_static_role_get_credentials_test.yml
4 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/proxy.yml.j2:
--------------------------------------------------------------------------------
1 | ---
2 | request:
3 | method: 'GET|HEAD|POST|PUT|DELETE|OPTIONS'
4 | path: '/v1/*'
5 | control:
6 | priority: 1
7 | proxyBaseUrl: '{{ integration_config.vault_test_server_http }}/v1'
8 |
--------------------------------------------------------------------------------
/docs/preview/.gitignore:
--------------------------------------------------------------------------------
1 | # Copyright (c) Ansible Project
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | /temp-rst
6 | /build
7 | /rst/collections
8 |
--------------------------------------------------------------------------------
/tests/integration/.ansible-lint:
--------------------------------------------------------------------------------
1 | # .ansible-lint file for integration tests only. The skips below (notably risky-file-permissions and ignore-errors) are tolerated because these playbooks only write throwaway test fixtures; do not reuse this skip_list for production playbooks.
2 | ---
3 | skip_list:
4 | - unnamed-task
5 | - truthy
6 | - var-naming
7 | - meta-no-info
8 | - ignore-errors
9 | - risky-file-permissions
10 | - command-instead-of-shell
11 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_server_cert/README.md:
--------------------------------------------------------------------------------
1 | # `setup_vault_server_cert`
2 | Generates a private key and a self-signed certificate for the test Vault server. Because the certificate is self-signed, clients must be given it explicitly (see `setup_cert_content`) in order to verify the connection.
3 |
4 | ## Notes
5 | * Requires the [`community.crypto` collection](https://galaxy.ansible.com/community/crypto).
6 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_aws_iam/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_mmock_server_http }}'
3 | ansible_hashi_vault_auth_method: aws_iam
4 |
5 | auth_paths:
6 | - aws
7 | - aws-alt
8 |
9 | aws_access_key: abc  # placeholder; the aws_iam tests target the mmock server configured above, not real AWS
10 | aws_secret_key: xyz  # placeholder, not a real secret
11 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_ldap/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_mmock_server_http }}'
3 | ansible_hashi_vault_auth_method: ldap
4 |
5 | auth_paths:
6 | - ldap
7 | - ldap-alt
8 |
9 | ldap_username: ldapuser
10 | ldap_password: ldappass
11 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
3 |
4 | version: 2
5 | updates:
6 | - package-ecosystem: "github-actions"
7 | directory: "/"
8 | schedule:
9 | interval: "weekly"
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_cert_content/README.md:
--------------------------------------------------------------------------------
1 | # `setup_cert_content`
2 | Tiny role used for writing out the certificate when it was supplied as a string in vars (usually from `integration_config.yml`). Any target testing TLS connectivity that needs to verify the cert will need this.
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_write/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | write_data0:
3 | foo: bar
4 | key1: changeme
5 |
6 | write_data1:
7 | foo: bar
8 | key2: val2
9 |
10 | write_data2:
11 | foo: bar
12 | key2: value2
13 | key3: value3
14 |
15 | write_data3:
16 | foo: bar
17 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure/README.md:
--------------------------------------------------------------------------------
1 | # `setup_vault_configure`
2 | Performs initial configuration of the Vault server with basic things intended to be used by many tests, such as a variety of kv secrets. Individual auth methods and other targets are responsible for their own setup.
3 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_test_server_http }}'
3 | ansible_hashi_vault_auth_method: jwt
4 |
5 | auth_paths:
6 | - jwt
7 | - jwt-alt
8 |
9 | vault_jwt_canary:
10 | path: cubbyhole/configure_jwt
11 | value: complete # value does not matter
12 |
--------------------------------------------------------------------------------
/tests/integration/integration.cfg:
--------------------------------------------------------------------------------
1 | # this is the ansible.cfg file used for integration tests
2 |
3 | [hashi_vault_collection]
4 | # if any connections are taking longer than this to complete there's probably something really wrong
5 | # with the integration tests, so it'd be better to fail faster than the 30s default
6 | timeout = 5
7 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_azure/meta/main.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 Junrui Chen (@jchenship)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 | ---
5 | dependencies:
6 | - setup_vault_test_plugins
7 | - setup_vault_configure
8 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/files/requirements/requirements.yml:
--------------------------------------------------------------------------------
1 | ---
2 | collections:
3 | # community.docker is not required if using docker_compose=none
4 | - name: community.docker
5 | version: '>=3.6.0'
6 | # community.crypto is not required if the certificate and key files specified already exist
7 | - community.crypto
8 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_gcp/meta/main.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 Michael Woodham (woodham@google.com)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 | ---
5 | dependencies:
6 | - setup_vault_test_plugins
7 | - setup_vault_configure
8 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_hashi_vault/tasks/lookup_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/kv1_get_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "Key1": "val1",
5 | "Key2": "val2"
6 | },
7 | "lease_duration": 2764800,
8 | "lease_id": "",
9 | "renewable": false,
10 | "request_id": "e26a7521-e512-82f1-3998-7cc494f14e86",
11 | "warnings": null,
12 | "wrap_info": null
13 | }
14 |
--------------------------------------------------------------------------------
/docs/docsite/extra-docs.yml:
--------------------------------------------------------------------------------
1 | ---
2 | sections:
3 | - title: Changelog
4 | toctree:
5 | - CHANGELOG
6 | - title: Guides
7 | toctree:
8 | - filter_guide
9 | - user_guide
10 | - migration_hashi_vault_lookup
11 | - about_hashi_vault_lookup
12 | - lookup_guide
13 | - contributor_guide
14 | - localenv_developer_guide
15 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_list/tasks/lookup_vault_list_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_read/tasks/lookup_vault_read_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_list/tasks/module_vault_list_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_read/tasks/module_vault_read_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/setup.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
# Entry point for the docker-based local test environment: runs the
# vault_docker.yml playbook (any extra arguments are passed straight through
# to ansible-playbook) and then seeds tests/integration/integration_config.yml
# from the playbook's output directory.
# -e: abort on the first failing command; -x: echo each command as it runs.
3 | set -ex
4 |
# Work from this script's own directory so the relative role/playbook paths
# below resolve regardless of the caller's cwd.
5 | pushd "${BASH_SOURCE%/*}"
6 |
# ../ is tests/integration/targets, so the sibling setup_* roles resolve by name.
7 | ANSIBLE_ROLES_PATH="../" \
8 | ansible-playbook files/playbooks/vault_docker.yml "${@}"
9 |
10 | # copy generated integration_config.yml if it doesn't exist
# -n never overwrites an existing (possibly hand-edited) config. The "|| true"
# keeps set -e from aborting when cp exits nonzero -- presumably because newer
# coreutils report a skipped -n copy as a failure; confirm if this is changed.
11 | cp -n files/.output/integration_config.yml ../../ || true
12 |
13 | popd
14 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv2_get/tasks/lookup_vault_kv2_get_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: [test-policy]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_get/tasks/module_vault_kv2_get_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [test-policy]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/README.md:
--------------------------------------------------------------------------------
1 | # `setup_localenv_gha`
2 | A special case "localenv" role that isn't for end-user use, but rather specifically for use in the collection's GitHub Actions CI.
3 |
4 | It uses `setup_localenv_docker` but with pre-generated PKI and directly uses the `docker compose` CLI in CI, in order to avoid additional dependencies and cut down execution time.
5 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/kv2_list_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "keys": [
5 | "Secret1",
6 | "Secret2"
7 | ]
8 | },
9 | "lease_duration": 0,
10 | "lease_id": "",
11 | "renewable": false,
12 | "request_id": "02e4b52a-23b1-9a1c-cf2b-3799edb17fed",
13 | "warnings": null,
14 | "wrap_info": null
15 | }
16 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/policy_list_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "keys": [
5 | "Policy1",
6 | "Policy2"
7 | ]
8 | },
9 | "lease_duration": 0,
10 | "lease_id": "",
11 | "renewable": false,
12 | "request_id": "96f2857e-5e33-1957-ea7e-be58f483faa3",
13 | "warnings": null,
14 | "wrap_info": null
15 | }
16 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/userpass_list_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "keys": [
5 | "User1",
6 | "User2"
7 | ]
8 | },
9 | "lease_duration": 0,
10 | "lease_id": "",
11 | "renewable": false,
12 | "request_id": "8b18a5ca-9baf-eb7c-18a6-11be81ed95a6",
13 | "warnings": null,
14 | "wrap_info": null
15 | }
16 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_kv1_get/tasks/lookup_vault_kv1_get_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: [test-policy, invalid-kv2]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv1_get/tasks/module_vault_kv1_get_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | policies: [test-policy, invalid-kv2]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_ansible_settings/tasks/lookup_vault_ansible_settings_configure.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/README.md:
--------------------------------------------------------------------------------
1 | # `setup_localenv_docker`
2 | Uses `docker compose` to set up required external dependencies for integration tests.
3 |
4 | See the guides in the [devel documentation for the latest information](https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/).
5 |
6 | ## Notes
7 | * For requirements, see the files in `files/requirements/`.
8 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_rotate_creds/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - ansible.builtin.set_fact:
3 | python_interpreter_minor: "{{ ansible_python_version | split('.') }}"
4 |
5 | - when: python_interpreter_minor[1] | int > 6
6 | block:
7 | - import_tasks: module_vault_db_static_role_rotate_creds_setup.yml
8 | - import_tasks: module_vault_db_static_role_rotate_creds_test.yml
9 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_read/tasks/module_vault_database_role_read_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [base-policy-database]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_roles_list/tasks/module_vault_database_roles_list_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [base-policy-database]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_pki_generate_certificate/tasks/module_vault_pki_generate_certificate_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: test-pki-policy
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_cert_content/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: "Cert Content Block"
3 | when: vault_cert_content is defined
4 | block:
5 | - name: "Write Certificate"
6 | copy:
7 | dest: '{{ cert_location }}'
8 | content: '{{ vault_cert_content }}'
9 |
10 | - name: "Register the Cert Location"
11 | set_fact:
12 | vault_cert_file: '{{ cert_location }}'
13 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_test_server_http }}'
3 | ansible_hashi_vault_auth_method: userpass
4 |
5 | auth_paths:
6 | - userpass
7 | - userpass-alt
8 |
9 | userpass_username: testuser
10 | userpass_password: testpass
11 |
12 | vault_userpass_canary:
13 | path: cubbyhole/configure_userpass
14 | value: complete # value does not matter
15 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_hashi_vault/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ####################################################################
3 | # WARNING: These are designed specifically for Ansible tests #
4 | # and should not be used as examples of how to write Ansible roles #
5 | ####################################################################
6 |
7 | - import_tasks: lookup_setup.yml
8 | - import_tasks: lookup_test.yml
9 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_read/tasks/module_vault_database_connection_read_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [base-policy-database]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_reset/tasks/module_vault_database_connection_reset_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [policy-database-all]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connections_list/tasks/module_vault_database_connection_list_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [base-policy-database]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_read/tasks/module_vault_database_static_role_read_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [base-policy-database]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_roles_list/tasks/module_vault_database_static_roles_list_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [base-policy-database]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/setup.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 |
# CI (GitHub Actions) variant of the localenv setup: runs the gha.yml playbook
# (extra arguments are passed through to ansible-playbook), starts the
# containers via the generated launch script, then seeds
# tests/integration/integration_config.yml from the playbook's output directory.
# -e: abort on the first failing command; -x: echo each command as it runs.
3 | set -ex
4 |
# Work from this script's own directory so the relative role/playbook paths
# below resolve regardless of the caller's cwd.
5 | pushd "${BASH_SOURCE%/*}"
6 |
# ../ is tests/integration/targets, so the sibling setup_* roles resolve by name.
7 | ANSIBLE_ROLES_PATH="../" \
8 | ansible-playbook files/playbooks/gha.yml "${@}"
9 |
10 | # launch containers
# launch.sh is presumably the script templated into the output directory by the
# playbook above (see the setup_localenv_gha role tasks); under set -e a failing
# launch aborts before the config is copied.
11 | files/.output/launch.sh
12 |
13 | # copy generated integration_config.yml if it doesn't exist
# -n never overwrites an existing (possibly hand-edited) config. The "|| true"
# keeps set -e from aborting when cp exits nonzero -- presumably because newer
# coreutils report a skipped -n copy as a failure; confirm if this is changed.
14 | cp -n files/.output/integration_config.yml ../../ || true
15 |
16 | popd
17 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_approle/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | ansible_hashi_vault_url: '{{ vault_test_server_http }}'
3 | ansible_hashi_vault_auth_method: approle
4 |
5 | auth_paths:
6 | - approle
7 | - approle-alt
8 |
9 | secret_id_role: req-secret-id-role
10 | no_secret_id_role: no-secret-id-role
11 |
12 | vault_approle_canary:
13 | path: cubbyhole/configure_approle
14 | value: complete # value does not matter
15 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_azure/defaults/main.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 Junrui Chen (@jchenship)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 | ---
5 | ansible_hashi_vault_url: '{{ vault_mmock_server_http }}'
6 | ansible_hashi_vault_auth_method: azure
7 |
8 | auth_paths:
9 | - azure
10 | - azure-alt
11 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_configure/tasks/module_vault_database_connection_configure_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [policy-database-all]
9 | register: user_token_cmd
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_gcp/defaults/main.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 Michael Woodham (woodham@google.com)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 | ---
5 | ansible_hashi_vault_url: '{{ vault_mmock_server_http }}'
6 | ansible_hashi_vault_auth_method: gcp
7 |
8 | auth_paths:
9 | - gcp
10 | - gcp-alt
11 |
--------------------------------------------------------------------------------
/meta/ee-requirements.txt:
--------------------------------------------------------------------------------
1 | # ansible-builder doesn't seem to properly handle "; python_version" type of constraints
2 | # requirements here are assuming python 3.6 or higher
3 | hvac >= 1.2.1
4 | urllib3 >= 1.15
5 |
6 | boto3 # these are only needed if inferring AWS credentials or
7 | botocore # using a boto profile; including for completeness
8 |
9 | azure-identity # only needed when using a service principal or managed identity
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/vault_config.hcl.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | listener "tcp" {
3 | tls_key_file = "/vault/config/{{ vault_key_file | basename }}"
4 | tls_cert_file = "/vault/config/{{ vault_cert_file | basename }}"
5 | tls_disable = false
6 | address = "{{
7 | integration_config.vault_test_server_https
8 | | regex_replace('^https://([^:]+):(\\d+).*?$', '\\1:\\2')
9 | }}"
10 | }
11 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_none/tasks/target.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # TODO: consider setting up a Vault agent in CI to provide a better test of the none method
3 | - name: "Perform a login with 'none' auth type"
4 | register: status
5 | vault_test_auth:
6 | url: '{{ ansible_hashi_vault_url }}'
7 | auth_method: '{{ ansible_hashi_vault_auth_method }}'
8 |
9 | - name: "Assert no login information is returned"
10 | assert:
11 | that:
12 | - status.login == None
13 |
--------------------------------------------------------------------------------
/docs/preview/requirements.txt:
--------------------------------------------------------------------------------
1 | # Copyright (c) Ansible Project
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | antsibull-docs >= 2.0.0, < 3.0.0
6 | ansible-pygments
7 | sphinx != 5.2.0.post0 # temporary, see https://github.com/ansible-community/antsibull-docs/issues/39, https://github.com/ansible-community/antsibull-docs/issues/40
8 | sphinx-ansible-theme >= 0.9.0
9 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: "Persist defaults"
3 | set_fact:
4 | output_dir: '{{ output_dir }}'
5 | docker_compose: '{{ docker_compose }}'
6 | docker_compose_project_name: '{{ docker_compose_project_name }}'
7 |
8 | - import_role:
9 | name: setup_localenv_docker
10 |
11 | - name: "Template the launch script"
12 | template:
13 | src: launch.sh.j2
14 | dest: '{{ output_dir }}/launch.sh'
15 | mode: '+x'
16 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/approle_secret_id_write_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "secret_id": "41b12758-8c6f-0896-c761-92e05675023c",
5 | "secret_id_accessor": "b0ab25c8-a8eb-3b31-3830-663840d5f504",
6 | "secret_id_ttl": 3600
7 | },
8 | "lease_duration": 0,
9 | "lease_id": "",
10 | "renewable": false,
11 | "request_id": "5e461200-18f2-0f18-4601-6bf2b9368cb5",
12 | "warnings": null,
13 | "wrap_info": null
14 | }
15 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_rotate_root_creds/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Get python minor version
3 | ansible.builtin.set_fact:
4 | python_interpreter_minor: "{{ ansible_python_version | split('.') }}"
5 |
6 | - when: python_interpreter_minor[1] | int > 6
7 | block:
8 | - import_tasks: module_vault_db_rotate_root_creds_setup.yml
9 | - import_tasks: module_vault_db_rotate_root_creds_test.yml
10 | - import_tasks: module_vault_db_rotate_root_creds_cleanup.yml
11 |
--------------------------------------------------------------------------------
/tests/sanity/ignore-2.21.txt:
--------------------------------------------------------------------------------
1 | plugins/modules/vault_database_connections_list.py validate-modules:bad-return-value-key # https://github.com/ansible-collections/community.hashi_vault/pull/488
2 | plugins/modules/vault_database_roles_list.py validate-modules:bad-return-value-key # https://github.com/ansible-collections/community.hashi_vault/pull/488
3 | plugins/modules/vault_database_static_roles_list.py validate-modules:bad-return-value-key # https://github.com/ansible-collections/community.hashi_vault/pull/488
4 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_connections_list_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "keys": [
5 | "con1",
6 | "con2",
7 | "con3"
8 | ]
9 | },
10 | "connections": [
11 | "con1",
12 | "con2",
13 | "con3"
14 | ],
15 | "lease_duration": 0,
16 | "lease_id": "",
17 | "renewable": false,
18 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
19 | "warnings": null,
20 | "wrap_info": null
21 | }
22 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_static_roles_list_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "keys": [
5 | "role1",
6 | "role2",
7 | "role3"
8 | ]
9 | },
10 | "roles": [
11 | "role1",
12 | "role2",
13 | "role3"
14 | ],
15 | "lease_duration": 0,
16 | "lease_id": "",
17 | "renewable": false,
18 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
19 | "warnings": null,
20 | "wrap_info": null
21 | }
22 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/ldap_login_bad_request.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | ---
3 | request:
4 | method: POST|PUT
5 | path: "/v1/auth/ldap*/login/fail-me-username"
6 | control:
7 | priority: 11
8 | response:
9 | statusCode: 400
10 | headers:
11 | Content-Type:
12 | - application/json
13 | body: >-
14 | {
15 | "errors": [
16 | "ldap operation failed: failed to bind as user"
17 | ]
18 | }
19 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/files/jwt_public.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN PUBLIC KEY-----
2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv
3 | vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc
4 | aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy
5 | tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0
6 | e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb
7 | V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9
8 | MwIDAQAB
9 | -----END PUBLIC KEY-----
10 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/files/token.jwt:
--------------------------------------------------------------------------------
1 | eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0Iiwic3ViIjoiaGFzaGlfdmF1bHRAdGVzdC5hbnNpYmxlLmNvbSIsIm5iZiI6MTYwNDgzNTEwMCwiZXhwIjozMjQ5OTA1MTM1OX0.NEWQR_Eicw8Fa9gU9HPY2M9Rp1czNTUKrICwKe7l1edaZNtgxhMGdyqnBsPrHL_dw1ZIwdvwVAioi8bEyIDEWICls0lzHwM169rrea3WEFrB5CP17A6DkvYL0cnOnGutbwUrXInPCRUfvRogIKEI-w8X-ris9LX2FBPKhXX1K3U0D8uYi5_9t8YWywTe0NkYvY-nTzMugK1MXMoBJ3fCksweJiDp6BOo3v9OU03MLgwgri2UdsqVb7WSk4XvWG-lmbiiSAWVf9BI3mecVDUHpYxbEqjv1HDG_wdX8zy1ZlAFbjp3kIpMlDVK1Q5nu_VPDzQrEvPdTnOzU36LE4UF-w
2 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/tasks/docker.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: "Shut down"
3 | when: docker_compose in ['clean', 'down']
4 | community.docker.docker_compose_v2:
5 | project_name: '{{ docker_compose_project_name }}'
6 | state: absent
7 | project_src: '{{ docker_compose_output }}'
8 |
9 | - name: "Bring up"
10 | when: docker_compose in ['clean', 'up']
11 | community.docker.docker_compose_v2:
12 | project_name: '{{ docker_compose_project_name }}'
13 | project_src: '{{ docker_compose_output }}'
14 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_roles_list_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "keys": [
5 | "dyn_role1",
6 | "dyn_role2",
7 | "dyn_role3"
8 | ]
9 | },
10 | "roles": [
11 | "dyn_role1",
12 | "dyn_role2",
13 | "dyn_role3"
14 | ],
15 | "lease_duration": 0,
16 | "lease_id": "",
17 | "renewable": false,
18 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
19 | "warnings": null,
20 | "wrap_info": null
21 | }
22 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_write/tasks/lookup_vault_write_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | # we don't need test policy, but if we don't put something here
9 | # it will inherit the root token's capabilities which is what
10 | # we're trying to avoid.
11 | policies: test-policy
12 | register: user_token_cmd
13 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_write/tasks/module_vault_write_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: 'Create a test non-root token'
7 | vault_ci_token_create:
8 | # we don't need test policy, but if we don't put something here
9 | # it will inherit the root token's capabilities which is what
10 | # we're trying to avoid.
11 | policies: test-policy
12 | register: user_token_cmd
13 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_rotate_root_creds/tasks/module_vault_db_rotate_root_creds_cleanup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Drop users in PostgreSQL
3 | community.postgresql.postgresql_user:
4 | db: "{{ vault_postgres_db }}"
5 | name: "{{ item.username }}"
6 | password: "{{ item.password }}"
7 | login_user: "{{ vault_postgres_user }}"
8 | login_password: "{{ vault_postgres_password }}"
9 | port: "{{ vault_postgres_port }}"
10 | login_host: "{{ vault_postgres_host }}"
11 | state: absent
12 | loop: "{{ users_to_create }}"
13 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/gcp_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": {
3 | "client_token": "f33f8c72-924e-11f8-cb43-ac59d697597c",
4 | "accessor": "0e9e354a-520f-df04-6867-ee81cae3d42d",
5 | "policies": ["default", "dev", "prod"],
6 | "metadata": {
7 | "project_id": "my-project",
8 | "role": "my-role",
9 | "service_account_email": "dev1@project-123456.iam.gserviceaccount.com",
10 | "service_account_id": "111111111111111111111"
11 | },
12 | "lease_duration": 2764800,
13 | "renewable": true
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_login/tasks/lookup_vault_login_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
11 | - name: Create a test non-root token with no default policy
12 | vault_ci_token_create:
13 | policies: test-policy
14 | no_default_policy: true
15 | register: user_token_no_default_policy_cmd
16 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_login/tasks/module_vault_login_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: test-policy
9 | register: user_token_cmd
10 |
11 | - name: Create a test non-root token with no default policy
12 | vault_ci_token_create:
13 | policies: test-policy
14 | no_default_policy: true
15 | register: user_token_no_default_policy_cmd
16 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_static_role_read_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "credential_type": "password",
5 | "db_name": "SomeConnection",
6 | "last_vault_rotation": "2024-01-01T09:00:00 +01:00",
7 | "rotation_period": 86400,
8 | "rotation_statements": [
9 | "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"
10 | ]
11 | },
12 | "lease_duration": 0,
13 | "lease_id": "",
14 | "renewable": false,
15 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
16 | "warnings": null,
17 | "wrap_info": null
18 | }
19 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/files/sql/init.sql:
--------------------------------------------------------------------------------
-- Bootstrap for the throwaway PostgreSQL in the local docker test environment
-- (setup_localenv_docker). Everything here is test data: the passwords equal
-- the usernames on purpose so the Vault database-engine connection tests have
-- known credentials to configure. Never reuse any of these outside the
-- disposable CI container.

-- Create users to manage database connections
CREATE USER con1 WITH PASSWORD 'con1';
CREATE USER con2 WITH PASSWORD 'con2';
CREATE USER con3 WITH PASSWORD 'con3';
CREATE USER con4 WITH PASSWORD 'con4';
CREATE USER con5 WITH PASSWORD 'con5';

-- Create another user to manage credential rotation
-- (kept disabled; presumably the rotate-root-credentials target creates the
-- users it needs at run time instead - see its users_to_create cleanup loop)
-- CREATE USER usr_to_rotate with PASSWORD 'SuperSecret' SUPERUSER;

-- Create users to manage static roles
-- (no password set: presumably Vault assigns one when it rotates the static
-- role, so nothing can log in as these until then)
CREATE USER role1;
CREATE USER role2;
CREATE USER role3;
CREATE USER role4;
CREATE USER role5;
--------------------------------------------------------------------------------
/tests/unit/plugins/lookup/conftest.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 Brian Scholer (@briantist)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | from __future__ import (absolute_import, division, print_function)
6 | __metaclass__ = type
7 |
8 | import pytest
9 |
10 |
@pytest.fixture
def minimal_vars():
    """Smallest set of plugin vars that lets a lookup build its options.

    Uses token auth against a placeholder URL; the token value is a throwaway
    literal, not a secret, and unit tests are expected never to contact the
    URL.
    """
    placeholder_url = 'http://myvault'
    placeholder_token = 'throwaway'
    return dict(
        ansible_hashi_vault_auth_method='token',
        ansible_hashi_vault_url=placeholder_url,
        ansible_hashi_vault_token=placeholder_token,
    )
18 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/kv2_get_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "data": {
5 | "Key1": "val1",
6 | "Key2": "val2"
7 | },
8 | "metadata": {
9 | "created_time": "2022-04-21T15:56:58.8525402Z",
10 | "custom_metadata": null,
11 | "deletion_time": "",
12 | "destroyed": false,
13 | "version": 2
14 | }
15 | },
16 | "lease_duration": 0,
17 | "lease_id": "",
18 | "renewable": false,
19 | "request_id": "15538d55-0ad9-1c39-2f4b-dcbb982f13cc",
20 | "warnings": null,
21 | "wrap_info": null
22 | }
23 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | vault_run_https_tests: True
3 |
4 | ansible_hashi_vault_url: '{{ vault_test_server_http }}'
5 | ansible_hashi_vault_auth_method: cert
6 |
7 | auth_paths:
8 | - cert
9 | - cert-alt
10 |
11 | vault_cert_canary:
12 | path: cubbyhole/configure_cert
13 | value: complete # value does not matter
14 |
15 | auth_cert_cn: vault-test
16 | auth_cert_cert: "{{ role_path }}/files/auth_cert.crt"
17 | auth_cert_key: "{{ role_path }}/files/auth_cert.key"
18 | invalid_auth_cert_cert: "{{ role_path }}/files/auth_cert_invalid.crt"
19 | invalid_auth_cert_key: "{{ role_path }}/files/auth_cert_invalid.key"
20 |
--------------------------------------------------------------------------------
/docs/preview/rst/index.rst:
--------------------------------------------------------------------------------
.. Copyright (c) Ansible Project
.. GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
.. SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | .. _docsite_root_index:
6 |
7 | Ansible collection documentation preview
8 | ========================================
9 |
10 | This docsite contains documentation for ``community.hashi_vault``.
11 |
12 |
13 | .. toctree::
14 | :maxdepth: 2
15 | :caption: Collections:
16 |
17 | collections/index
18 |
19 |
20 | .. toctree::
21 | :maxdepth: 1
22 | :caption: Plugin indexes:
23 | :glob:
24 |
25 | collections/index_*
26 |
--------------------------------------------------------------------------------
/tests/integration/targets/lookup_vault_token_create/tasks/lookup_vault_token_create_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a token that can create child tokens
7 | vault_ci_token_create:
8 | policies:
9 | - test-policy
10 | - token-creator
11 | register: child_token_cmd
12 |
13 | - name: Create a token that can create orphan tokens
14 | vault_ci_token_create:
15 | policies:
16 | - test-policy
17 | - orphan-creator
18 | register: orphan_token_cmd
19 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_token_create/tasks/module_vault_token_create_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a token that can create child tokens
7 | vault_ci_token_create:
8 | policies:
9 | - test-policy
10 | - token-creator
11 | register: child_token_cmd
12 |
13 | - name: Create a token that can create orphan tokens
14 | vault_ci_token_create:
15 | policies:
16 | - test-policy
17 | - orphan-creator
18 | register: orphan_token_cmd
19 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_create/tasks/module_vault_database_role_create_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
6 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
7 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
8 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
9 | block:
10 | - name: Create a test non-root token
11 | vault_ci_token_create:
12 | policies: [policy-database-all]
13 | register: user_token_cmd
14 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_create/tasks/module_vault_database_static_role_create_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
6 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
7 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
8 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
9 | block:
10 | - name: Create a test non-root token
11 | vault_ci_token_create:
12 | policies: [policy-database-all]
13 | register: user_token_cmd
14 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_get_creds/tasks/module_vault_database_static_role_get_credentials_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
6 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
7 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
8 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
9 | block:
10 | - name: Create a test non-root token
11 | vault_ci_token_create:
12 | policies: [base-policy-database]
13 | register: user_token_cmd
14 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_connection_read_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "allowed_roles": [],
5 | "connection_details": {
6 | "connection_url": "postgresql://{{username}}:{{password}}@postgres:5432/postgres?sslmode=disable",
7 | "username": "UserName"
8 | },
9 | "password_policy": "",
10 | "plugin_name": "postgresql-database-plugin",
11 | "plugin_version": "",
12 | "root_credentials_rotate_statements": []
13 | },
14 | "lease_duration": 0,
15 | "lease_id": "",
16 | "renewable": false,
17 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
18 | "warnings": null,
19 | "wrap_info": null
20 | }
21 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/token_create_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": {
3 | "accessor": "ag7UbiKYw1HNvkUlz0EAmJF1",
4 | "client_token": "s.rlwajI2bblHAWU7uPqZhLru3",
5 | "entity_id": "44133048-b0f9-c0b1-29dc-5d2e62f73b0c",
6 | "lease_duration": 60,
7 | "metadata": null,
8 | "orphan": false,
9 | "policies": [
10 | "test",
11 | "default"
12 | ],
13 | "renewable": true,
14 | "token_policies": [
15 | "test",
16 | "default"
17 | ],
18 | "token_type": "service"
19 | },
20 | "data": null,
21 | "lease_duration": 0,
22 | "lease_id": "",
23 | "renewable": false,
24 | "request_id": "61138ea3-a6ff-8735-102f-4e0087e1b3f4",
25 | "warnings": null,
26 | "wrap_info": null
27 | }
28 |
--------------------------------------------------------------------------------
/plugins/doc_fragments/engine_mount.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | # Copyright: (c) 2022, Brian Scholer (@briantist)
4 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
5 | # SPDX-License-Identifier: GPL-3.0-or-later
6 |
7 | from __future__ import (absolute_import, division, print_function)
8 | __metaclass__ = type
9 |
10 |
class ModuleDocFragment(object):
    """Shared documentation for the ``engine_mount_point`` option.

    ``DOCUMENTATION`` is the base fragment (option description and type),
    ``PLUGINS`` adds the ``vars`` source that lookup/filter plugins read the
    option from. Both are YAML consumed by Ansible's doc tooling, so their
    content is kept byte-exact.
    """

    DOCUMENTATION = r'''
options:
  engine_mount_point:
    description: The path where the secret backend is mounted.
    type: str
'''

    # Only adds the variable name; the option itself is declared in
    # DOCUMENTATION above.
    PLUGINS = r'''
options:
  engine_mount_point:
    vars:
      - name: ansible_hashi_vault_engine_mount_point
'''
26 |
--------------------------------------------------------------------------------
/tests/integration/integration_config.yml.sample:
--------------------------------------------------------------------------------
# Running integration tests requires you set up an integration_config.yml that
# tells the tests where to find Vault and other dependencies.
# See the contributor guide at:
# https://docs.ansible.com/ansible/devel/collections/community/hashi_vault/docsite/contributor_guide.html#integration-tests
---
# this is just a small sample of what the file looks like,
# this file is not valid on its own. See the guide for details.

vault_version: latest

# Root token of the throwaway `vault server -dev` instance the tests target.
# It is a ROOT token: only ever point the tests at a disposable Vault, never
# reuse this id (or your real file's value) elsewhere, and keep the real
# integration_config.yml out of version control.
vault_dev_root_token_id: 47542cbc-6bf8-4fba-8eda-02e0a0d29a0a

# HTTP proxy that the proxy-related tests route requests through.
vault_proxy_server: 'http://127.0.0.1:8001'

# Plain-HTTP and TLS endpoints of the test Vault. The HTTPS one is presumably
# a TLS terminator in front of the same dev server (dev mode itself is HTTP).
vault_test_server_http: http://localhost:8200
vault_test_server_https: https://localhost:8300
--------------------------------------------------------------------------------
/tests/integration/targets/filter_vault_login_token/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - vars:
3 | token: token_value
4 | login_result:
5 | auth:
6 | client_token: '{{ token }}'
7 | module_login_result:
8 | login: '{{ login_result }}'
9 | alternate_field_result:
10 | alt: '{{ login_result }}'
11 | block:
12 | - assert:
13 | that:
14 | - login_result | community.hashi_vault.vault_login_token == token
15 | - login_result | community.hashi_vault.vault_login_token(optional_field='missing') == token
16 | - module_login_result | community.hashi_vault.vault_login_token == token
17 | - alternate_field_result | community.hashi_vault.vault_login_token(optional_field='alt') == token
18 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/gcp_login_bad_request.yml.j2:
--------------------------------------------------------------------------------
#jinja2:variable_start_string:'[%', variable_end_string:'%]'
# Copyright (c) 2024 Michael Woodham (woodham@google.com)
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
#
# mmock stub for the GCP login *failure* path: a POST/PUT to the login
# endpoint of any gcp* auth mount whose body contains "fail-me-role" gets a
# 400 with Vault's `errors` array envelope, so the negative test runs without
# Google credentials. The jinja2 header swaps Ansible's template delimiters so
# mmock's own `{{...}}` placeholders survive templating. priority 11
# presumably ranks this ahead of the generic login stub.
---
request:
  method: POST|PUT
  path: "/v1/auth/gcp*/login"
  body: '*fail-me-role*'
control:
  priority: 11
response:
  statusCode: 400
  headers:
    Content-Type:
      - application/json
  body: >-
    {
      "errors": [
        "unable to log in with GCP auth: /v1/auth/gcp"
      ]
    }
--------------------------------------------------------------------------------
/plugins/doc_fragments/wrapping.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | # Copyright: (c) 2022, Brian Scholer (@briantist)
4 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
5 | # SPDX-License-Identifier: GPL-3.0-or-later
6 |
7 | from __future__ import (absolute_import, division, print_function)
8 | __metaclass__ = type
9 |
10 |
class ModuleDocFragment(object):
    """Shared documentation for the ``wrap_ttl`` (response wrapping) option.

    ``DOCUMENTATION`` is the base fragment (option description and type),
    ``PLUGINS`` adds the ``vars`` source that lookup/filter plugins read the
    option from. Both are YAML consumed by Ansible's doc tooling, so their
    content is kept byte-exact.
    """

    DOCUMENTATION = r'''
options:
  wrap_ttl:
    description: Specifies response wrapping token creation with duration. For example C(15s), C(20m), C(25h).
    type: str
'''

    # Only adds the variable name; the option itself is declared in
    # DOCUMENTATION above.
    PLUGINS = r'''
options:
  wrap_ttl:
    vars:
      - name: ansible_hashi_vault_wrap_ttl
'''
26 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/lookup-self_without_meta.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
5 | "creation_time": 1523979354,
6 | "creation_ttl": 2764800,
7 | "display_name": "ldap2-tesla",
8 | "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
9 | "expire_time": "2018-05-19T11:35:54.466476215-04:00",
10 | "explicit_max_ttl": 0,
11 | "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
12 | "identity_policies": ["dev-group-policy"],
13 | "issue_time": "2018-04-17T11:35:54.466476078-04:00",
14 | "num_uses": 0,
15 | "orphan": true,
16 | "path": "auth/ldap2/login/tesla",
17 | "policies": ["default", "testgroup2-policy"],
18 | "renewable": true,
19 | "ttl": 2764790
20 | }
21 | }
22 |
--------------------------------------------------------------------------------
/docs/preview/build.sh:
--------------------------------------------------------------------------------
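#!/usr/bin/env bash
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

# Build the docsite preview for community.hashi_vault:
#   1. render the collection's RST with antsibull-docs into temp-rst/
#   2. sync it into rst/collections/ (deleting stale files)
#   3. run sphinx-build with warnings treated as errors
set -euo pipefail

# Resolve the directory this script lives in. "${BASH_SOURCE%/*}" is wrong
# when the script is invoked without a path component (e.g. `bash build.sh`):
# the expansion is then the file name itself and pushd fails. dirname handles
# both forms.
script_dir="$(dirname "${BASH_SOURCE[0]}")"
pushd "${script_dir}"

# Create collection documentation into temporary directory
rm -rf temp-rst
mkdir -p temp-rst
antsibull-docs \
    --config-file antsibull-docs.cfg \
    collection \
    --use-current \
    --dest-dir temp-rst \
    community.hashi_vault

# Copy collection documentation into source directory
rsync -cprv --delete-after temp-rst/collections/ rst/collections/

# Build Sphinx site
sphinx-build -M html rst build -c . -W --keep-going

popd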
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/azure_login_bad_request.yml.j2:
--------------------------------------------------------------------------------
#jinja2:variable_start_string:'[%', variable_end_string:'%]'
# Copyright (c) 2022 Junrui Chen (@jchenship)
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
#
# mmock stub for the Azure login *failure* path: a POST/PUT to the login
# endpoint of any azure* auth mount whose body contains "fail-me-role" gets a
# 400 with Vault's `errors` array envelope (an audience-mismatch message is
# used as a realistic example), so the negative test runs without Azure
# credentials. The jinja2 header swaps Ansible's template delimiters so
# mmock's own `{{...}}` placeholders survive templating. priority 11
# presumably ranks this ahead of the generic login stub.
---
request:
  method: POST|PUT
  path: "/v1/auth/azure*/login"
  body: '*fail-me-role*'
control:
  priority: 11
response:
  statusCode: 400
  headers:
    Content-Type:
      - application/json
  body: >-
    {
      "errors": [
        "oidc: expected audience \"https://management.azure.com/\" got [\"https://management.azure.com\"]"
      ]
    }
--------------------------------------------------------------------------------
/tests/integration/targets/auth_none/tasks/controller.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # task vars are not templated when used as vars, so we'll need to set_fact this evaluate the template
3 | # see: https://github.com/ansible/ansible/issues/73268
4 | - name: Persist defaults
5 | set_fact:
6 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
7 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
8 | loop_control:
9 | label: '{{ item.key }}'
10 |
11 | # TODO: consider setting up a Vault agent in CI to provide a better test of the none method
12 | - name: "Perform a login with 'none' auth type"
13 | set_fact:
14 | status: "{{ lookup('vault_test_auth') }}"
15 |
16 | - name: "Assert no login information is returned"
17 | assert:
18 | that:
19 | - status.login == None
20 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_engine_pki/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
5 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
6 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
7 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
8 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
9 | block:
10 | - name: Canary for Vault PKI engine setup
11 | vault_ci_read:
12 | path: '{{ vault_configure_engine_pki_canary.path }}'
13 | register: canary
14 |
15 | - name: Configure Vault PKI engine basic setup
16 | include_tasks: configure.yml
17 | when: canary.result is none
18 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_role_read_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "creation_statements": [
5 | "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
6 | "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
7 | ],
8 | "credential_type": "password",
9 | "db_name": "SomeConnection",
10 | "default_ttl": 3600,
11 | "max_ttl": 86400,
12 | "renew_statements": [],
13 | "revocation_statements": [],
14 | "rollback_statements": []
15 | },
16 | "lease_duration": 0,
17 | "lease_id": "",
18 | "renewable": false,
19 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
20 | "warnings": null,
21 | "wrap_info": null
22 | }
23 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_database/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
5 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
6 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
7 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
8 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
9 | block:
10 | - name: Canary for Vault Database engine setup
11 | vault_ci_read:
12 | path: '{{ vault_configure_engine_database_canary.path }}'
13 | register: canary
14 |
15 | - name: Configure Vault Database engine basic setup
16 | include_tasks: configure.yml
17 | when: canary.result is none
18 |
--------------------------------------------------------------------------------
/changelogs/fragments/488-db-keys-returns.yml:
--------------------------------------------------------------------------------
1 | ---
2 | trivial:
3 | - database modules - ignored new sanity test since it has no provision for describing the natural keys returned by an upstream API (https://github.com/ansible-collections/community.hashi_vault/pull/488).
4 |
5 | bugfixes:
6 | - vault_database_connections_list module - tweaked documentation about the ``keys`` field returned from the API (https://github.com/ansible-collections/community.hashi_vault/pull/488).
7 | - vault_database_roles_list module - tweaked documentation about the ``keys`` field returned from the API (https://github.com/ansible-collections/community.hashi_vault/pull/488).
8 | - vault_database_static_roles_list module - tweaked documentation about the ``keys`` field returned from the API (https://github.com/ansible-collections/community.hashi_vault/pull/488).
9 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/lookup-self_with_meta.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": null,
3 | "data": {
4 | "accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
5 | "creation_time": 1523979354,
6 | "creation_ttl": 2764800,
7 | "display_name": "ldap2-tesla",
8 | "entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
9 | "expire_time": "2018-05-19T11:35:54.466476215-04:00",
10 | "explicit_max_ttl": 0,
11 | "id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
12 | "identity_policies": ["dev-group-policy"],
13 | "issue_time": "2018-04-17T11:35:54.466476078-04:00",
14 | "meta": {
15 | "username": "tesla"
16 | },
17 | "num_uses": 0,
18 | "orphan": true,
19 | "path": "auth/ldap2/login/tesla",
20 | "policies": ["default", "testgroup2-policy"],
21 | "renewable": true,
22 | "ttl": 2764790
23 | }
24 | }
25 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
5 | vault_ci_kv_put: '{{ vault_plugins_module_defaults_common }}'
6 | vault_ci_kv2_destroy_all: '{{ vault_plugins_module_defaults_common }}'
7 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
8 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
9 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
10 | block:
11 | - name: 'Canary for Vault basic setup'
12 | vault_ci_read:
13 | path: '{{ vault_configure_canary.path }}'
14 | register: canary
15 |
16 | - name: 'Configure Vault basic setup'
17 | include_tasks: configure.yml
18 | when: canary.result is none
19 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/database_static_role_get_credentials_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "data": {
3 | "last_vault_rotation": "2024-01-01T09:00:00+01:00",
4 | "password": "Th3_$3cr3t_P@ss!",
5 | "rotation_period": 86400,
6 | "ttl": 123456,
7 | "username": "SomeUser"
8 | },
9 | "raw": {
10 | "auth": null,
11 | "data": {
12 | "last_vault_rotation": "2024-01-01T09:00:00+01:00",
13 | "password": "Th3_$3cr3t_P@ss!",
14 | "rotation_period": 86400,
15 | "ttl": 123456,
16 | "username": "SomeUser"
17 | },
18 | "lease_duration": 0,
19 | "lease_id": "",
20 | "renewable": false,
21 | "request_id": "91909ec0-cd89-489c-a7cf-2a82d2258b4d",
22 | "warnings": null,
23 | "wrap_info": null
24 | }
25 | }
26 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | integration_config:
3 | vault_version: '{{ vault_version }}'
4 | vault_test_server_http: 'http://{{ vault_target_name }}:{{ vault_port_http }}'
5 | vault_test_server_https: 'https://{{ vault_target_name }}:{{ vault_port_https}}'
6 | vault_dev_root_token_id: '{{ vault_dev_root_token_id }}'
7 | vault_proxy_server: 'http://{{ proxy_target_name }}:{{ proxy_port }}'
8 | vault_cert_content: "{{ lookup('file', vault_cert_file) }}"
9 | vault_mmock_server_http: 'http://{{ mmock_target_name }}:{{ mmock_server_port }}'
10 | vault_postgres_host: '{{ postgres_container_name }}'
11 | vault_postgres_port: '{{ postgres_sql_port }}'
12 | vault_postgres_db: '{{ postgres_db_name }}'
13 | vault_postgres_user: '{{ postgres_db_user }}'
14 | vault_postgres_password: '{{ postgres_db_password }}'
15 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/ldap_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "request_id": "30fd9f34-83af-4921-be0c-b93e41dc3959",
3 | "lease_id": "",
4 | "lease_duration": 0,
5 | "renewable": false,
6 | "data": {},
7 | "warnings": null,
8 | "auth": {
9 | "client_token": "s.fjXSOvsGY3Q95XGyJKnDw7OC",
10 | "accessor": "VnnNWBasAnVn1YO4cVL9jJei",
11 | "policies": [
12 | "default",
13 | "test-policy"
14 | ],
15 | "token_policies": [
16 | "default",
17 | "test-policy"
18 | ],
19 | "identity_policies": null,
20 | "metadata": {
21 | "username": "ldapuser"
22 | },
23 | "orphan": true,
24 | "entity_id": "08e5b262-7dc2-4edd-8fc7-77882ca7cc1b",
25 | "lease_duration": 3600,
26 | "renewable": true
27 | }
28 | }
29 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/aws_iam_login_bad_request.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | ---
3 | request:
4 | method: POST|PUT
5 | path: "/v1/auth/aws*/login"
6 | body: '*fail-me-role*'
7 | control:
8 | priority: 11
9 | response:
10 | statusCode: 400
11 | headers:
12 | Content-Type:
13 | - application/json
14 | body: >-
15 | {
16 | "error": "error making upstream request: received error code 403 from STS:
17 |
18 |
19 | Sender
20 | ExpiredToken
21 | The security token included in the request is expired
22 |
23 | {{fake.UUID}}
24 | "
25 | }
26 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/vars/local_client.yml:
--------------------------------------------------------------------------------
1 | # WIP: experimental/broken
2 | # a configuration for running the tests locally (outside the container network)
3 | ---
4 | vault_target_name: localhost
5 | proxy_target_name: localhost
6 |
7 | integration_config:
8 | vault_version: '{{ vault_version }}'
9 | vault_test_server_http: 'http://{{ vault_target_name }}:{{ vault_port_http }}'
10 | vault_test_server_https: 'https://{{ vault_target_name }}:{{ vault_port_https}}'
11 | vault_dev_root_token_id: '{{ vault_dev_root_token_id }}'
12 | vault_proxy_server: 'http://{{ proxy_target_name }}:{{ proxy_port }}'
13 | vault_cert_content: "{{ lookup('file', vault_cert_file) }}"
14 | vault_proxy_alt_vault_http: 'http://{{ vault_container_name }}:{{ vault_port_http }}'
15 | vault_proxy_alt_vault_https: 'https://{{ vault_container_name }}:{{ vault_port_https }}'
16 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_ldap/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # task vars are not templated when used as vars, so we'll need to set_fact them to evaluate the template
3 | # see: https://github.com/ansible/ansible/issues/73268
4 | - name: Persist defaults
5 | set_fact:
6 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
7 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
8 | loop_control:
9 | label: '{{ item.key }}'
10 |
11 | # there's no setup for this auth method because its API is mocked
12 |
13 | - name: Run ldap tests
14 | loop: '{{ auth_paths | product(["target", "controller"]) | list }}'
15 | include_tasks:
16 | file: ldap_test_{{ item[1] }}.yml
17 | apply:
18 | vars:
19 | default_path: ldap
20 | this_path: '{{ item[0] }}'
21 | module_defaults:
22 | assert:
23 | quiet: true
24 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/jwt_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": {
3 | "accessor": "3QbZdd50wZFaUqBVb6v6vXhG",
4 | "client_token": "s.8PtJkzREM9ZIYWQ28cSGqtP6",
5 | "entity_id": "b708d9c6-38fa-2f45-0cfd-1f36c11f3acb",
6 | "lease_duration": 3600,
7 | "metadata": {
8 | "role": "test-role"
9 | },
10 | "orphan": true,
11 | "policies": [
12 | "default",
13 | "test-policy"
14 | ],
15 | "renewable": true,
16 | "token_policies": [
17 | "default",
18 | "test-policy"
19 | ],
20 | "token_type": "service"
21 | },
22 | "data": null,
23 | "lease_duration": 0,
24 | "lease_id": "",
25 | "renewable": false,
26 | "request_id": "797bbe1d-4a95-c078-ecd2-2eff4c4fdaed",
27 | "warnings": null,
28 | "wrap_info": null
29 | }
30 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_aws_iam/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # task vars are not templated when used as vars, so we'll need to set_fact them to evaluate the template
3 | # see: https://github.com/ansible/ansible/issues/73268
4 | - name: Persist defaults
5 | set_fact:
6 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
7 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
8 | loop_control:
9 | label: '{{ item.key }}'
10 |
11 | # there's no setup for this auth method because its API is mocked
12 |
13 | - name: Run aws_iam tests
14 | loop: '{{ auth_paths | product(["target", "controller"]) | list }}'
15 | include_tasks:
16 | file: aws_iam_test_{{ item[1] }}.yml
17 | apply:
18 | vars:
19 | default_path: aws
20 | this_path: '{{ item[0] }}'
21 | module_defaults:
22 | assert:
23 | quiet: true
24 |
--------------------------------------------------------------------------------
/changelogs/config.yaml:
--------------------------------------------------------------------------------
1 | changelog_filename_template: ../CHANGELOG.rst
2 | changelog_filename_version_depth: 0
3 | changes_file: changelog.yaml
4 | changes_format: combined
5 | keep_fragments: false
6 | mention_ancestor: true
7 | new_plugins_after_name: removed_features
8 | notesdir: fragments
9 | prelude_section_name: release_summary
10 | prelude_section_title: Release Summary
11 | sections:
12 | - - major_changes
13 | - Major Changes
14 | - - minor_changes
15 | - Minor Changes
16 | - - breaking_changes
17 | - Breaking Changes / Porting Guide
18 | - - deprecated_features
19 | - Deprecated Features
20 | - - removed_features
21 | - Removed Features (previously deprecated)
22 | - - security_fixes
23 | - Security Fixes
24 | - - bugfixes
25 | - Bugfixes
26 | - - known_issues
27 | - Known Issues
28 | title: community.hashi_vault
29 | trivial_section_name: trivial
30 | output_formats: [rst, md]
31 |
--------------------------------------------------------------------------------
/tests/unit/plugins/plugin_utils/option_adapter/test_hashi_vault_option_adapter.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 |
6 | from __future__ import (absolute_import, division, print_function)
7 | __metaclass__ = type
8 |
9 | # this file is here just to run the exact same tests as written in the imported file, with the main difference
10 | # being the fixtures defined in conftest.py (this version can run tests that rely on controller-side code)
11 | # and the supported python versions being different.
12 | # So we really do want to import * and so we disable lint failure on wildcard imports.
13 | #
14 | # pylint: disable=wildcard-import,unused-wildcard-import
15 | from ...module_utils.option_adapter.test_hashi_vault_option_adapter import *
16 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/userpass_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": {
3 | "accessor": "mQewzgKRx5Yui1h1eMemJlMu",
4 | "client_token": "s.drgLxu6ZtttSVn5Zkoy0huMR",
5 | "entity_id": "8a74ffd3-f71b-8ebe-7942-610428051ea9",
6 | "lease_duration": 3600,
7 | "metadata": {
8 | "username": "testuser"
9 | },
10 | "orphan": true,
11 | "policies": [
12 | "alt-policy",
13 | "default",
14 | "userpass-policy"
15 | ],
16 | "renewable": true,
17 | "token_policies": [
18 | "alt-policy",
19 | "default",
20 | "userpass-policy"
21 | ],
22 | "token_type": "service"
23 | },
24 | "data": null,
25 | "lease_duration": 0,
26 | "lease_id": "",
27 | "renewable": false,
28 | "request_id": "511e8fba-83f0-4b7e-95ea-770aa19c1957",
29 | "warnings": null,
30 | "wrap_info": null
31 | }
32 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/approle_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": {
3 | "accessor": "zFP4VJtZFNGuzRsbYH8ham5E",
4 | "client_token": "s.urjjEppAAXAOL2EWLCXgS4CY",
5 | "entity_id": "fa3741ea-ad23-6557-9bc7-18a86dcaf3eb",
6 | "lease_duration": 3600,
7 | "metadata": {
8 | "role_name": "req-secret-id-role"
9 | },
10 | "orphan": true,
11 | "policies": [
12 | "alt-policy",
13 | "approle-policy",
14 | "default"
15 | ],
16 | "renewable": true,
17 | "token_policies": [
18 | "alt-policy",
19 | "approle-policy",
20 | "default"
21 | ],
22 | "token_type": "service"
23 | },
24 | "data": null,
25 | "lease_duration": 0,
26 | "lease_id": "",
27 | "renewable": false,
28 | "request_id": "b35b7ff6-c1ce-f61d-deef-805ac3ae13dc",
29 | "warnings": null,
30 | "wrap_info": null
31 | }
32 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/aws_iam_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "request_id": "ec0d300f-ac44-4f5b-9feb-282d3a6686a7",
3 | "lease_id": "",
4 | "lease_duration": 0,
5 | "renewable": false,
6 | "data": null,
7 | "warnings": null,
8 | "auth": {
9 | "client_token": "s.YXZDqrOgv3mhlcPXpRBrS2cE",
10 | "accessor": "Xkad5E1bHRBJApR03pGrp1a0",
11 | "policies": [
12 | "default",
13 | "aws-sample-policy"
14 | ],
15 | "token_policies": [
16 | "default",
17 | "aws-sample-policy"
18 | ],
19 | "identity_policies": null,
20 | "metadata": {
21 | "account_id": "064281349855",
22 | "auth_type": "iam",
23 | "role_id": "b9462e71-e600-418d-b14e-fa69627470ec"
24 | },
25 | "orphan": true,
26 | "entity_id": "e23d3bad-7485-4330-bf74-d64fc1e774e4",
27 | "lease_duration": 1800,
28 | "renewable": true
29 | }
30 | }
31 |
--------------------------------------------------------------------------------
/meta/runtime.yml:
--------------------------------------------------------------------------------
1 | ---
2 | requires_ansible: '>=2.17.0'
3 | action_groups:
4 | # let's keep this in alphabetical order
5 | vault:
6 | - vault_database_connection_configure
7 | - vault_database_connection_delete
8 | - vault_database_connection_read
9 | - vault_database_connection_reset
10 | - vault_database_connections_list
11 | - vault_database_role_create
12 | - vault_database_role_delete
13 | - vault_database_roles_list
14 | - vault_database_rotate_root_credentials
15 | - vault_database_static_role_create
16 | - vault_database_static_role_get_credentials
17 | - vault_database_static_role_read
18 | - vault_database_static_role_rotate_credentials
19 | - vault_database_static_roles_list
20 | - vault_kv1_get
21 | - vault_kv2_delete
22 | - vault_kv2_get
23 | - vault_kv2_write
24 | - vault_list
25 | - vault_login
26 | - vault_pki_generate_certificate
27 | - vault_read
28 | - vault_token_create
29 | - vault_write
30 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_static_role_rotate_creds/tasks/module_vault_db_static_role_rotate_creds_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: "{{ vault_plugins_module_defaults_common }}"
5 | vault_ci_enable_engine: "{{ vault_plugins_module_defaults_common }}"
6 | vault_ci_read: "{{ vault_plugins_module_defaults_common }}"
7 | vault_ci_write: "{{ vault_plugins_module_defaults_common }}"
8 | vault_ci_policy_put: "{{ vault_plugins_module_defaults_common }}"
9 | block:
10 | - name: Create a test non-root token
11 | vault_ci_token_create:
12 | policies: [policy-database-all]
13 | register: user_token_cmd
14 |
15 | - name: Set roles data
16 | ansible.builtin.set_fact:
17 | roles_to_rotate: ["role4", "role5"]
18 |
19 | - name: Read users
20 | vault_ci_read:
21 | path: "database/static-creds/{{ item }}"
22 | register: roles_data_before
23 | loop: "{{ roles_to_rotate }}"
24 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/tasks/userpass_setup.yml:
--------------------------------------------------------------------------------
1 | - name: "Setup block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | block:
5 | - name: 'Enable the userpass auth method'
6 | vault_ci_enable_auth:
7 | method_type: userpass
8 | path: '{{ omit if is_default_path else this_path }}'
9 | config:
10 | default_lease_ttl: 60m
11 |
12 | - name: 'Create a userpass policy'
13 | vault_ci_policy_put:
14 | name: userpass-policy
15 | policy: |
16 | path "auth/{{ this_path }}/login" {
17 | capabilities = [ "create", "read" ]
18 | }
19 |
20 | - name: 'Create a named role'
21 | vault_ci_write:
22 | path: 'auth/{{ this_path }}/users/{{ userpass_username }}'
23 | data:
24 | # in docs, this is token_policies (changed in Vault 1.2)
25 | # use 'policies' to support older versions
26 | policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},userpass-policy"
27 | password: '{{ userpass_password }}'
28 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_azure/tasks/main.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2022 Junrui Chen (@jchenship)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 | ---
5 | # task vars are not templated when used as vars, so we'll need to set_fact them to evaluate the template
6 | # see: https://github.com/ansible/ansible/issues/73268
7 | - name: Persist defaults
8 | set_fact:
9 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
10 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
11 | loop_control:
12 | label: '{{ item.key }}'
13 |
14 | # there's no setup for this auth method because its API is mocked
15 |
16 | - name: Run azure tests
17 | loop: '{{ auth_paths | product(["target", "controller"]) | list }}'
18 | include_tasks:
19 | file: azure_test_{{ item[1] }}.yml
20 | apply:
21 | vars:
22 | default_path: azure
23 | this_path: '{{ item[0] }}'
24 | module_defaults:
25 | assert:
26 | quiet: true
27 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_gcp/tasks/main.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2024 Michael Woodham (woodham@google.com)
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 | ---
5 | # task vars are not templated when used as vars, so we'll need to set_fact them to evaluate the template
6 | # see: https://github.com/ansible/ansible/issues/73268
7 | - name: Persist defaults
8 | set_fact:
9 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
10 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
11 | loop_control:
12 | label: '{{ item.key }}'
13 |
14 | # there's no setup for this auth method because its API is mocked
15 |
16 | - name: Run GCP tests
17 | loop: '{{ auth_paths | product(["target", "controller"]) | list }}'
18 | include_tasks:
19 | file: gcp_test_{{ item[1] }}.yml
20 | apply:
21 | vars:
22 | default_path: gcp
23 | this_path: '{{ item[0] }}'
24 | module_defaults:
25 | assert:
26 | quiet: true
27 |
--------------------------------------------------------------------------------
/docs/preview/antsibull-docs.cfg:
--------------------------------------------------------------------------------
1 | # Copyright (c) Ansible Project
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | breadcrumbs = true
6 | indexes = true
7 | use_html_blobs = false
8 |
9 | # You can specify ways to convert a collection name (<namespace>.<name>) to a URL here.
10 | # You can replace either of <namespace> or <name> by "*" to match all values in that place,
11 | # or use "*" for the collection name to match all collections. In the URL, you can use
12 | # {namespace} and {name} for the two components of the collection name. If you want to use
13 | # "{" or "}" in the URL, write "{{" or "}}" instead. Basically these are Python format
14 | # strings (https://docs.python.org/3.8/library/string.html#formatstrings).
15 | collection_url = {
16 | * = "https://galaxy.ansible.com/{namespace}/{name}"
17 | }
18 |
19 | # The same wildcard rules and formatting rules as for collection_url apply.
20 | collection_install = {
21 | * = "ansible-galaxy collection install {namespace}.{name}"
22 | }
23 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_server_cert/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: "Cert generation tasks"
3 | vars:
4 | vault_csr_file: '{{ vault_key_file | dirname }}/csr.csr'
5 | block:
6 | - name: Generate privatekey
7 | community.crypto.openssl_privatekey:
8 | mode: 'o=r'
9 | path: '{{ vault_key_file }}'
10 |
11 | - name: Generate CSR
12 | vars:
13 | vault_dns_names: '{{ [vault_hostname] + (vault_alternate_hostnames | default([])) }}'
14 | community.crypto.openssl_csr:
15 | mode: 'o=r'
16 | path: '{{ vault_csr_file }}'
17 | privatekey_path: '{{ vault_key_file }}'
18 | subject_alt_name: "{{ vault_dns_names | map('regex_replace', '^', 'DNS:') | list }}"
19 |
20 | - name: Generate selfsigned certificate
21 | community.crypto.x509_certificate:
22 | mode: 'o=r'
23 | path: '{{ vault_cert_file }}'
24 | csr_path: '{{ vault_csr_file }}'
25 | privatekey_path: '{{ vault_key_file }}'
26 | provider: selfsigned
27 | selfsigned_digest: sha256
28 | register: selfsigned_certificate
29 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | vault_plugins_module_defaults_common:
3 | url: '{{ vault_test_server_http | default(omit) }}'
4 | token: '{{ vault_dev_root_token_id | default(omit) }}'
5 |
6 | # As of https://github.com/ansible/ansible/pull/74039 ::
7 | # we can't use this dictionary directly in module_defaults anymore 😢
8 | # but keeping it here and updated as it's a handy copy/paste source
9 | vault_plugins_module_defaults:
10 | vault_ci_enable_auth: '{{ vault_plugins_module_defaults_common }}'
11 | vault_ci_enable_engine: '{{ vault_plugins_module_defaults_common }}'
12 | vault_ci_kv_put: '{{ vault_plugins_module_defaults_common }}'
13 | vault_ci_kv2_destroy_all: '{{ vault_plugins_module_defaults_common }}'
14 | vault_ci_kv2_metadata_read: '{{ vault_plugins_module_defaults_common }}'
15 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
16 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
17 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
18 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
19 |
--------------------------------------------------------------------------------
/tests/unit/compat/mock.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) 2014, Toshio Kuratomi
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | # Make coding more python3-ish
6 | from __future__ import (absolute_import, division, print_function)
7 | __metaclass__ = type
8 |
9 | '''
10 | Compat module for Python3.x's unittest.mock module
11 | '''
12 | # Python 2.7
13 |
14 | # Note: Could use the pypi mock library on python3.x as well as python2.x. It
15 | # is the same as the python3 stdlib mock library
16 |
17 | try:
18 | # Allow wildcard import because we really do want to import all of mock's
19 | # symbols into this compat shim
20 | # pylint: disable=wildcard-import,unused-wildcard-import
21 | from unittest.mock import *
22 | except ImportError:
23 | # Python 2
24 | # pylint: disable=wildcard-import,unused-wildcard-import
25 | try:
26 | from mock import *
27 | except ImportError:
28 | print('You need the mock library installed on python2.x to run tests')
29 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/azure_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "request_id": "cbfb16b9-4cf6-917d-182b-170801fc5a4e",
3 | "lease_id": "",
4 | "renewable": false,
5 | "lease_duration": 0,
6 | "data": null,
7 | "wrap_info": null,
8 | "warnings": null,
9 | "auth": {
10 | "client_token": "hvs.CAESIH6iy4yyvKMpk-vcaaVvU8nGfZFRCcH92hVa24lGNxHNGh4KHGh2cy5qU29Ua1FscTJIQ3BBY1AwTDM4dzNpR0E",
11 | "accessor": "60U0DvUOIMOIGI7kzAneeD2x",
12 | "policies": [
13 | "default",
14 | "azure-sample-policy"
15 | ],
16 | "token_policies": [
17 | "default",
18 | "azure-sample-policy"
19 | ],
20 | "metadata": {
21 | "resource_group_name": "",
22 | "role": "msi-vault",
23 | "subscription_id": ""
24 | },
25 | "lease_duration": 2764800,
26 | "renewable": true,
27 | "entity_id": "ff6a9d66-c2eb-6b78-e463-b3192243b5c1",
28 | "token_type": "service",
29 | "orphan": true,
30 | "mfa_requirement": null,
31 | "num_uses": 0
32 | }
33 | }
34 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_delete/tasks/module_vault_kv2_delete_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
5 | block:
6 | - name: Create a test non-root token
7 | vault_ci_token_create:
8 | policies: [test-policy]
9 | register: user_token_cmd
10 |
11 | - name: Configuration tasks
12 | module_defaults:
13 | vault_ci_kv2_destroy_all: '{{ vault_plugins_module_defaults_common }}'
14 | vault_ci_kv_put: '{{ vault_plugins_module_defaults_common }}'
15 | block:
16 | - name: Remove existing multi-version secret
17 | vault_ci_kv2_destroy_all:
18 | mount_point: '{{ vault_kv2_mount_point }}'
19 | path: '{{ vault_kv2_versioned_path }}/secret6'
20 |
21 | - name: Set up a multi versioned secret for delete (v2)
22 | vault_ci_kv_put:
23 | version: 2
24 | mount_point: '{{ vault_kv2_mount_point }}'
25 | path: '{{ vault_kv2_versioned_path }}/secret6'
26 | secret:
27 | v: value{{ item }}
28 | loop: ["1", "2", "3", "4", "5"]
29 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_policy_put.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
import traceback

from ansible.module_utils.basic import AnsibleModule
import hvac
11 |
12 |
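def main():
    """Create or update a Vault ACL policy (integration-test helper module).

    Argument spec:
        url:    Vault server URL.
        token:  Vault token used to authenticate. Marked ``no_log`` so the
                secret is not echoed in the module invocation args or in
                verbose (-vvv) output.
        name:   Name of the policy to create or update.
        policy: Policy document, passed through to hvac unchanged (``raw``).

    Always reports ``changed=True``. Any exception raised while talking to
    Vault is reported through ``fail_json`` with the formatted traceback,
    matching the error handling of the sibling ``vault_ci_read`` helper.
    """
    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the token out of Ansible's logged invocation args
            token=dict(type='str', required=True, no_log=True),
            name=dict(type='str', required=True),
            policy=dict(type='raw', required=True),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    try:
        client.sys.create_or_update_policy(
            name=p['name'],
            policy=p['policy'],
        )
    except Exception as e:
        # report through the module result instead of an unhandled traceback
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    module.exit_json(changed=True)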
33 |
34 |
35 | if __name__ == '__main__':
36 | main()
37 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_kv2_write/tasks/setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: "{{ vault_plugins_module_defaults_common }}"
5 | vault_ci_write: "{{ vault_plugins_module_defaults_common }}"
6 | vault_ci_kv2_destroy_all: "{{ vault_plugins_module_defaults_common }}"
7 | block:
8 | - name: Ensure test secrets are deleted
9 | vault_ci_kv2_destroy_all:
10 | path: "{{ item.path }}"
11 | mount_point: "{{ item.mount | default(vault_kv2_mount_point) }}"
12 | loop:
13 | - path: "{{ vault_kv2_path }}/write1"
14 | - path: "{{ vault_kv2_path }}/readonly"
15 | - path: "{{ vault_kv2_path }}/writeonly"
16 | - path: "write1"
17 | mount: "{{ cas_required_vault_kv2_mount_point }}"
18 |
19 | - name: Create a test non-root token
20 | vault_ci_token_create:
21 | policies: [test-policy]
22 | register: user_token_cmd
23 |
24 | - name: Write to readonly
25 | vault_ci_write:
26 | path: "{{ vault_kv2_api_path }}/readonly"
27 | data:
28 | data:
29 | foo: bar
30 |
--------------------------------------------------------------------------------
/galaxy.yml:
--------------------------------------------------------------------------------
1 | # See https://docs.ansible.com/ansible/latest/dev_guide/collections_galaxy_meta.html
2 |
3 | namespace: community
4 | name: hashi_vault
5 | version: 7.2.0
6 | readme: README.md
7 | authors:
8 | - Julie Davila (@juliedavila)
9 | - Brian Scholer (@briantist)
10 | description: Plugins related to HashiCorp Vault
11 | license:
12 | - GPL-3.0-or-later
13 | - BSD-2-Clause
14 | tags:
15 | # tags so people can search for collections https://galaxy.ansible.com/search
16 | # tags are all lower-case, no spaces, no dashes.
17 | - vault
18 | - hashicorp
19 | - secret
20 | - secrets
21 | - password
22 | - passwords
23 | repository: https://github.com/ansible-collections/community.hashi_vault
24 | documentation: https://docs.ansible.com/ansible/devel/collections/community/hashi_vault
25 | homepage: https://github.com/ansible-collections/community.hashi_vault
26 | issues: https://github.com/ansible-collections/community.hashi_vault/issues
27 | build_ignore:
28 | # https://docs.ansible.com/ansible/devel/dev_guide/developing_collections.html#ignoring-files-and-folders
29 | - .gitignore
30 | - changelogs/.plugin-cache.yaml
31 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_read.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | import traceback
10 |
11 | from ansible.module_utils.basic import AnsibleModule
12 | import hvac
13 |
14 |
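def main():
    """Read a Vault path and return the raw response (integration-test helper module).

    Argument spec:
        url:   Vault server URL.
        token: Vault token used to authenticate. Marked ``no_log`` so the
               secret is not echoed in the module invocation args or in
               verbose (-vvv) output.
        path:  Vault API path to read.

    The hvac ``read`` response is returned under ``result``. Any exception
    raised while talking to Vault is reported through ``fail_json`` with
    the formatted traceback.
    """
    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the token out of Ansible's logged invocation args
            token=dict(type='str', required=True, no_log=True),
            path=dict(type='str', required=True),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    try:
        result = client.read(path=p['path'])
    except Exception as e:
        # fail_json exits, so ``result`` is always bound below
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    # changed=True is kept for compatibility with existing test tasks even
    # though a read does not modify Vault state.
    module.exit_json(changed=True, result=result)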
34 |
35 |
36 | if __name__ == '__main__':
37 | main()
38 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_database/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | vault_configure_engine_database_canary:
3 | path: cubbyhole/configure_engine_database
4 | value: complete # value does not matter
5 |
6 | vault_database_engine_mount_point: database
7 | vault_database_connection_name: my-postgresql-database
8 | vault_database_db_name: hcvault
9 | vault_database_connection_url: "postgresql://{{ '{{username}}' }}:{{ '{{password}}' }}@postgres:5432/{{ vault_database_db_name }}?sslmode=disable"
10 | vault_database_plugin_name: postgresql-database-plugin
11 | vault_database_connection_user: postgres
12 | vault_database_connection_password: postgres
13 |
14 | vault_database_dynamic_user_sql: |
15 | CREATE ROLE {{ "{{name}}" }} WITH LOGIN PASSWORD {{ '{{password}}' }} VALID UNTIL {{ '{{expiration}}' }} INHERIT;
16 | GRANT ro TO {{ "{{name}}" }};
17 |
18 | vault_base_policy_db: |
19 | path "{{ vault_database_engine_mount_point }}/*" {
20 | capabilities = ["read", "list"]
21 | }
22 |
23 | vault_policy_db_all: |
24 | {{ vault_base_policy_db }}
25 | path "{{ vault_database_engine_mount_point }}/*" {
26 | capabilities = ["create", "update", "patch", "delete"]
27 | }
28 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_token/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # task vars are not templated when used as vars, so we'll need to set_fact them to evaluate the template
3 | # see: https://github.com/ansible/ansible/issues/73268
4 | - name: Persist defaults
5 | set_fact:
6 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
7 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
8 | loop_control:
9 | label: '{{ item.key }}'
10 |
11 | - name: Configuration tasks
12 | module_defaults:
13 | vault_ci_token_create: '{{ vault_plugins_module_defaults_common }}'
14 | block:
15 | - name: 'Create a test non-root token'
16 | vault_ci_token_create:
17 | policies: test-policy
18 | register: user_token_cmd
19 |
20 | - name: 'Create a test non-root token with no default policy'
21 | vault_ci_token_create:
22 | policies: test-policy
23 | no_default_policy: true
24 | register: user_token_no_default_policy_cmd
25 |
26 | - import_tasks: token_test_target.yml
27 | module_defaults:
28 | assert:
29 | quiet: true
30 |
31 | - import_tasks: token_test_controller.yml
32 | module_defaults:
33 | assert:
34 | quiet: true
35 |
--------------------------------------------------------------------------------
/plugins/doc_fragments/attributes.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | # Copyright: (c) 2022, Brian Scholer (@briantist)
4 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
5 | # SPDX-License-Identifier: GPL-3.0-or-later
6 |
7 | from __future__ import (absolute_import, division, print_function)
8 | __metaclass__ = type
9 |
10 |
class ModuleDocFragment(object):
    """Reusable documentation fragments for module ``attributes`` sections.

    Each constant is a raw YAML string. They only describe attributes, so
    each declares an empty ``options: {}`` mapping alongside ``attributes``.
    """

    # Generic check_mode description; the module supplies its own support level.
    DOCUMENTATION = r'''
options: {}
attributes:
  check_mode:
    description: Can run in C(check_mode) and return changed status prediction without modifying target.
'''

    # Declares membership in the collection's ``vault`` action group
    # (the group listed in meta/runtime.yml) for use with module_defaults.
    ACTION_GROUP = r'''
options: {}
attributes:
  action_group:
    description: Use C(group/community.hashi_vault.vault) in C(module_defaults) to set defaults for this module.
    support: full
    membership:
      - community.hashi_vault.vault
'''

    # Should be used together with the standard fragment
    CHECK_MODE_READ_ONLY = r'''
options: {}
attributes:
  check_mode:
    support: full
    details:
      - This module is "read only" and operates the same regardless of check mode.
'''
39 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/tasks/cert_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: "Setup block"
3 | vars:
4 | is_default_path: "{{ this_path == default_path }}"
5 | block:
6 | - name: "Enable the cert auth method"
7 | vault_ci_enable_auth:
8 | method_type: '{{ ansible_hashi_vault_auth_method }}'
9 | path: "{{ omit if is_default_path else this_path }}"
10 | config:
11 | default_lease_ttl: 60m
12 |
13 | - name: Create a cert policy
14 | vault_ci_policy_put:
15 | name: cert-policy
16 | policy: |
17 | path "auth/{{ this_path }}/login" {
18 | capabilities = [ "create", "read" ]
19 | }
20 |
21 | - name: "Create a named role"
22 | vault_ci_write:
23 | path: "auth/{{ this_path }}/certs/vault_test"
24 | data:
25 | certificate: "{{ _auth_cert }}"
26 | allowed_common_names: "{{ auth_cert_cn }}"
27 | # in docs, this is token_policies (changed in Vault 1.2)
28 | # use 'policies' to support older versions
29 | policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},cert-policy"
30 | vars:
31 | _auth_cert: '{{ lookup("file", auth_cert_cert) }}'
32 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/files/auth_cert_invalid.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDDTCCAfWgAwIBAgIUWprzykl5M9p8NmcaS8v7mTQqCZEwDQYJKoZIhvcNAQEL
3 | BQAwFTETMBEGA1UEAwwKdmF1bHQtdGVzdDAgFw0yMTEwMTkwMjE1MThaGA8yMTIx
4 | MDkyNTAyMTUxOFowFTETMBEGA1UEAwwKdmF1bHQtdGVzdDCCASIwDQYJKoZIhvcN
5 | AQEBBQADggEPADCCAQoCggEBAM6Aha5bUcWwuikIFZUAccJXYAC5oczybwN6VDHD
6 | dDugikic/AT1AkaRYAhJiLWAD0XeOHghf1eCpeC+ZYcbZssXr7NZ/fUmR28ni1Nt
7 | QRTcZ0bEBBYaEjEoNHenwAOsuBhJuawvfNI+Jns6ejoLIC3nUgQabWp4gPbfrC5y
8 | WWrPRzXZEMp9hFppxHRIHzW3yqxlOXO2hUC5UtVElYkh0ojBSCVXe8iFfWTBnZrc
9 | uTIm85y1x+k1kD7oyWxTZiPaUtTd9UM6pG1iYq5Tfbzx7rx5ntiTMwSZL4Y3lUWv
10 | kQ7WCXPV7L0p7NpRyIQQH6McBZiuatv8kEGRKqDtNhF5kDECAwEAAaNTMFEwHQYD
11 | VR0OBBYEFL04vjdsoUCPoZ64btbGam88REPQMB8GA1UdIwQYMBaAFL04vjdsoUCP
12 | oZ64btbGam88REPQMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
13 | AMaL/01nXbYzlzy6Vrn6R6wcHAsrSWC1syvQTaJzHQFmp3bxs7XUu3ZQdRbppxCK
14 | INDXtrzupxpsBV2qSdwrPsn79umkSb51NFtHz7cMcmK18cuayviPpEPNN3IZuznU
15 | 3MFNd+sKoxX2udp12tGwjkerRrgPcG44aWch18QQ7H/jPld51uaujRs6fsA4lUNF
16 | E2uPdiUNridbnxIw7bUgz9Vcq5d+XzHFvaF5QGp/mqmY6tsp/rMJCOME/dpBh27/
17 | Y/xh1qG92gSeT57IPNvd7M/yvKmcG2lRVv2rwm1oruYYaaHgqrai90sFDN+ttfVT
18 | hqcx3qhE67dlFGLN03ico/8=
19 | -----END CERTIFICATE-----
20 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_kv2_destroy_all.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | from ansible.module_utils.basic import AnsibleModule
10 | import hvac
11 |
12 |
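def main():
    """Delete a KV v2 secret's metadata and all of its versions (CI test helper).

    Arguments: ``url`` and ``token`` for the Vault client, ``path`` of the
    secret and an optional ``mount_point``. Always reports ``changed=True``;
    an hvac/HTTP failure is reported through ``fail_json`` rather than
    escaping as an uncaught traceback.
    """
    import traceback  # function-local: only needed on the failure path

    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the Vault token out of logs and task output
            token=dict(type='str', required=True, no_log=True),
            path=dict(type='str'),
            mount_point=dict(type='str'),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    # Forward mount_point only when given so hvac's own default applies.
    extra = {}
    if p['mount_point'] is not None:
        extra['mount_point'] = p['mount_point']

    try:
        client.secrets.kv.v2.delete_metadata_and_all_versions(path=p['path'], **extra)
    except Exception as e:
        # same failure reporting as the sibling vault_ci_* helpers
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    module.exit_json(changed=True)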
37 |
38 |
39 | if __name__ == '__main__':
40 | main()
41 |
--------------------------------------------------------------------------------
/LICENSES/BSD-2-Clause.txt:
--------------------------------------------------------------------------------
1 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
2 |
3 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
4 |
5 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
6 |
7 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/files/auth_cert.crt:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIDIjCCAgqgAwIBAgIUcyvqaCXttUgXhdmM8QJgCmaqsK4wDQYJKoZIhvcNAQEL
3 | BQAwFTETMBEGA1UEAwwKdmF1bHQtdGVzdDAgFw0yMTEwMTkwNjAyMzFaGA8yMTIx
4 | MDkyNTA2MDIzMVowFTETMBEGA1UEAwwKdmF1bHQtdGVzdDCCASIwDQYJKoZIhvcN
5 | AQEBBQADggEPADCCAQoCggEBAMnAUmlSnZk3RBSs7iW5TPXAkUgdYhOlJKT4xRE1
6 | Ta3rZo1NaPas6rh0fl4lkNHB/OvzaVhNjgptkTXarccMOMhGiQUxhQEfKW+KzqIy
7 | qsXXk68aj/xIgVWu1/IoVUYx89LUHE2Xdd5aO95w1a6goox96spVZp7UaWSb8/V9
8 | SGUexgAJMDGrGTPGbXD2pSsBfDWg5ysxiptZmUfeMWtZ/1OJJ9eFuHjW+tDCuOHe
9 | HcekiKwM90CjvqeEhGdgEtLGVDkT4ud2u7YKeZXxIe5UTML20paCzd12v/LOIlM2
10 | ZEqhySVrBvl+Wzv5BLmffW62UPWXlRDZa9FaCAWG/94F/CMCAwEAAaNoMGYwHQYD
11 | VR0OBBYEFGZFLq7ROcjYDf3n2A+KSe73zFOuMB8GA1UdIwQYMBaAFGZFLq7ROcjY
12 | Df3n2A+KSe73zFOuMA8GA1UdEwEB/wQFMAMBAf8wEwYDVR0lBAwwCgYIKwYBBQUH
13 | AwIwDQYJKoZIhvcNAQELBQADggEBAIe65BTFlTOFtUkxV1Zf3eOE6Lq6HZqzvNmK
14 | 1sCDdT1kL080P5Y6pcIeG99+mikN8b9Csh9CB/AqB5WjAF3Hfdg2EHd4d6gwjUwB
15 | t5+hw83FQvckxEQ80ZVn2C83aZ9xIOgLqB2QnWJKGWp47816+/IqNo07NWvttLgM
16 | L5e2cX6Ass1nT4Bjh8P4NQgg2lMDCzwwAZBR5D0mCSO8MbO1Ud8KRfaSIUczemlJ
17 | PFNl3r3hI6efKCVfsbVcbnopuvPgcW4BH1KXZOLEnZm1lUdKCAYjA5g1rCGhKSTC
18 | p/d72HTzqSHlgyEish7ueEeY0Z1sMDWvUZLu46GCGOf5pozxoQo=
19 | -----END CERTIFICATE-----
20 |
--------------------------------------------------------------------------------
/tests/unit/compat/builtins.py:
--------------------------------------------------------------------------------
1 | # (c) 2014, Toshio Kuratomi
2 | #
3 | # This file is part of Ansible
4 | #
5 | # Ansible is free software: you can redistribute it and/or modify
6 | # it under the terms of the GNU General Public License as published by
7 | # the Free Software Foundation, either version 3 of the License, or
8 | # (at your option) any later version.
9 | #
10 | # Ansible is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | # GNU General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with Ansible. If not, see .
17 |
18 | # Make coding more python3-ish
19 | from __future__ import (absolute_import, division, print_function)
20 | __metaclass__ = type
21 |
22 | #
23 | # Compat for python2.7
24 | #
25 |
26 | # One unittest needs to import builtins via __import__() so we need to have
27 | # the string that represents it
# Python 2 exposed the builtins module as ``__builtin__``; Python 3 renamed it
# to ``builtins``. Record whichever name imports so tests can pass it to __import__().
try:
    import __builtin__  # pylint: disable=unused-import
    BUILTINS = '__builtin__'
except ImportError:
    BUILTINS = 'builtins'
34 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_token_create.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | from ansible.module_utils.basic import AnsibleModule
10 | import hvac
11 |
12 |
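def main():
    """Create a Vault token carrying the given policies (CI test helper).

    ``policies`` is a list of policy names, ``no_default_policy`` drops the
    ``default`` policy from the new token and ``ttl`` is passed to Vault as
    given (default ``1h``). The raw hvac response is returned as ``result``;
    it contains the new ``auth.client_token``, so the registered variable is
    itself a credential and should be handled as such by the caller.
    """
    import traceback  # function-local: only needed on the failure path

    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the Vault token out of logs and task output
            token=dict(type='str', required=True, no_log=True),
            no_default_policy=dict(type='bool', default=False),
            policies=dict(type='list', elements='str'),
            # type is given by name, consistent with the other parameters
            # (the builtin ``str`` was previously passed as a callable)
            ttl=dict(type='str', default='1h'),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    try:
        result = client.auth.token.create(
            policies=p['policies'],
            no_default_policy=p['no_default_policy'],
            ttl=p['ttl'],
        )
    except Exception as e:
        # same failure reporting as the sibling vault_ci_* helpers
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    module.exit_json(changed=True, result=result)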
35 |
36 |
37 | if __name__ == '__main__':
38 | main()
39 |
--------------------------------------------------------------------------------
/tests/unit/fixtures/cert_login_response.json:
--------------------------------------------------------------------------------
1 | {
2 | "auth": {
3 | "accessor": "f69aXFTLzAE1e5pPDpAqNAFW",
4 | "client_token": "s.bJ8UmS3NbYH3XJD7P70Yiyml",
5 | "entity_id": "84590d6b-54a2-7d81-201c-6107353169fb",
6 | "lease_duration": 3600,
7 | "metadata": {
8 | "authority_key_id": "66:45:2e:ae:d1:39:c8:d8:0d:fd:e7:d8:0f:8a:49:ee:f7:cc:53:ae",
9 | "cert_name": "vault_test",
10 | "common_name": "vault-test",
11 | "serial_number": "657513290402968240784573665154053221879835701422",
12 | "subject_key_id": "66:45:2e:ae:d1:39:c8:d8:0d:fd:e7:d8:0f:8a:49:ee:f7:cc:53:ae"
13 | },
14 | "orphan": true,
15 | "policies": [
16 | "approle-policy",
17 | "default",
18 | "test-policy"
19 | ],
20 | "renewable": true,
21 | "token_policies": [
22 | "approle-policy",
23 | "default",
24 | "test-policy"
25 | ],
26 | "token_type": "service"
27 | },
28 | "data": null,
29 | "lease_duration": 0,
30 | "lease_id": "",
31 | "renewable": false,
32 | "request_id": "9016334e-8bbb-4390-5512-c9b526b39bd3",
33 | "warnings": null,
34 | "wrap_info": null
35 | }
36 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/ldap_login_default_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | ---
3 | request:
4 | method: POST|PUT
5 | path: "/v1/auth/ldap/login/:user"
6 | control:
7 | priority: 10
8 | response:
9 | statusCode: 200
10 | headers:
11 | Content-Type:
12 | - application/json
13 | body: >-
14 | {
15 | "request_id": "{{fake.UUID}}",
16 | "lease_id": "",
17 | "lease_duration": 0,
18 | "renewable": false,
19 | "data": {},
20 | "warnings": null,
21 | "auth": {
22 | "client_token": "s.{{fake.CharactersN(24)}}",
23 | "accessor": "{{fake.CharactersN(24)}}",
24 | "policies": [
25 | "default",
26 | "ldap-sample-policy"
27 | ],
28 | "token_policies": [
29 | "default",
30 | "ldap-sample-policy"
31 | ],
32 | "identity_policies": null,
33 | "metadata": {
34 | "username": "{{request.path.user}}"
35 | },
36 | "orphan": true,
37 | "entity_id": "{{fake.UUID}}",
38 | "lease_duration": 3600,
39 | "renewable": true
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/ldap_login_alt_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | ---
3 | request:
4 | method: POST|PUT
5 | path: "/v1/auth/ldap-alt/login/:user"
6 | control:
7 | priority: 10
8 | response:
9 | statusCode: 200
10 | headers:
11 | Content-Type:
12 | - application/json
13 | body: >-
14 | {
15 | "request_id": "{{fake.UUID}}",
16 | "lease_id": "",
17 | "lease_duration": 0,
18 | "renewable": false,
19 | "data": {},
20 | "warnings": null,
21 | "auth": {
22 | "client_token": "s.{{fake.CharactersN(24)}}",
23 | "accessor": "{{fake.CharactersN(24)}}",
24 | "policies": [
25 | "default",
26 | "ldap-alt-sample-policy"
27 | ],
28 | "token_policies": [
29 | "default",
30 | "ldap-alt-sample-policy"
31 | ],
32 | "identity_policies": null,
33 | "metadata": {
34 | "username": "{{request.path.user}}"
35 | },
36 | "orphan": true,
37 | "entity_id": "{{fake.UUID}}",
38 | "lease_duration": 3600,
39 | "renewable": true
40 | }
41 | }
42 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_write.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | from ansible.module_utils.basic import AnsibleModule
10 | import hvac
11 | import json
12 |
13 |
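def main():
    """Write arbitrary ``data`` to a Vault ``path`` (CI test helper).

    ``data`` is expanded into keyword arguments of ``hvac.Client.write``.
    The response is round-tripped through JSON so that anything hvac hands
    back that is not plain JSON (e.g. a response object) is reduced to
    dicts/strings before ``exit_json`` sees it.
    """
    import traceback  # function-local: only needed on the failure path

    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the Vault token out of logs and task output
            token=dict(type='str', required=True, no_log=True),
            path=dict(type='str', required=True),
            # the payload may carry credentials (auth-method config, role
            # secrets), so its values are masked in logs as well
            data=dict(type='dict', required=True, no_log=True),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    try:
        result = client.write(path=p['path'], **p['data'])
    except Exception as e:
        # same failure reporting as the sibling vault_ci_* helpers
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    # skipkeys drops non-string keys; default= substitutes an object's
    # __dict__ (or its str()) so json.dumps never raises on hvac types
    dictified = json.loads(
        json.dumps(
            result,
            skipkeys=True,
            default=lambda o: getattr(o, '__dict__', str(o)),
        )
    )

    module.exit_json(changed=True, result=dictified)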
39 |
40 |
41 | if __name__ == '__main__':
42 | main()
43 |
--------------------------------------------------------------------------------
/tests/unit/plugins/module_utils/authentication/test_auth_none.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 |
6 | from __future__ import (absolute_import, division, print_function)
7 | __metaclass__ = type
8 |
9 | import pytest
10 |
11 | from ......plugins.module_utils._auth_method_none import HashiVaultAuthMethodNone
12 | from ......plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase
13 |
14 |
@pytest.fixture
def auth_none(adapter, warner, deprecator):
    """Build a ``none`` auth-method object from the shared adapter/warner/deprecator fixtures."""
    method = HashiVaultAuthMethodNone(adapter, warner, deprecator)
    return method
18 |
19 |
class TestAuthNone(object):
    """The ``none`` auth method is a no-op: it validates nothing and never sets a token."""

    def test_auth_none_is_auth_method_base(self, auth_none):
        # it must plug into the common auth-method hierarchy
        assert issubclass(type(auth_none), HashiVaultAuthMethodBase)

    def test_auth_none_validate(self, auth_none):
        # there are no options to check; validate() must simply not raise
        auth_none.validate()

    @pytest.mark.parametrize('use_token', [True, False])
    def test_auth_none_authenticate(self, auth_none, client, use_token):
        # whatever use_token says, there is no login response and the
        # client stays unauthenticated
        login = auth_none.authenticate(client, use_token=use_token)
        assert login is None
        assert client.token is None
34 |
--------------------------------------------------------------------------------
/plugins/filter/vault_login_token.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # (c) 2021, Brian Scholer (@briantist)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 |
6 | from __future__ import (absolute_import, division, print_function)
7 | __metaclass__ = type
8 |
9 | from ansible.errors import AnsibleError
10 |
11 |
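def vault_login_token(login_response, optional_field='login'):
    '''Extracts the token value from a Vault login response.
    Meant to be used with the vault_login module and lookup plugin.

    :param login_response: either the raw Vault response
        (``{'auth': {'client_token': ...}}``) or that response nested under
        ``optional_field`` as the ``vault_login`` module returns it.
    :param optional_field: key under which the raw response may be nested;
        ignored when absent.
    :returns: the ``auth.client_token`` string.
    :raises AnsibleError: when the input is not a mapping or the
        ``auth``/``auth.client_token`` fields cannot be found.
    '''

    try:
        deref = login_response[optional_field]
    except TypeError:
        raise AnsibleError("The 'vault_login_token' filter expects a dictionary.")
    except KeyError:
        deref = login_response

    # TypeError covers a nested value that is not a mapping (for example a
    # null or string ``auth``), which previously escaped as a raw traceback
    # instead of the filter's own error.
    try:
        token = deref['auth']['client_token']
    except (KeyError, TypeError):
        raise AnsibleError("Could not find 'auth' or 'auth.client_token' fields. Input may not be a Vault login response.")

    return token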
30 |
31 |
class FilterModule(object):
    '''Ansible jinja2 filters'''

    def filters(self):
        """Map the filter names exposed to Jinja2 onto their callables."""
        return dict(vault_login_token=vault_login_token)
39 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_engine_pki/tasks/configure.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Create PKI secrets engine
3 | vault_ci_enable_engine:
4 | backend_type: pki
5 |
6 | - name: Generate self-signed root CA
7 | vault_ci_write:
8 | path: /pki/root/generate/internal
9 | data:
10 | common_name: ca.example.org
11 |
12 | - name: Configure URL values for issue certificate endpoints
13 | vault_ci_write:
14 | path: /pki/config/urls
15 | data:
16 | issuing_certificates: http://myvault:8200/v1/pki/ca
17 | crl_distribution_points: http://myvault:8200/v1/pki/crl
18 |
19 | - name: Creating test role
20 | vault_ci_write:
21 | path: /pki/roles/test.example.org
22 | data:
23 | allowed_domains: test.example.org
24 | allow_subdomains: true
25 | max_ttl: 24h
26 |
27 | - name: Create a test policy
28 | vault_ci_policy_put:
29 | name: test-pki-policy
30 | policy: |-
31 | path "pki/issue/*" {
32 | capabilities = ["read", "update"]
33 | }
34 |
35 | - name: Create a test non-root token
36 | vault_ci_token_create:
37 | policies: test-pki-policy
38 | register: user_token_cmd
39 |
40 | - name: 'Write Canary'
41 | vault_ci_write:
42 | path: '{{ vault_configure_engine_pki_canary.path }}'
43 | data:
44 | value: '{{ vault_configure_engine_pki_canary.value }}'
45 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/tasks/jwt_setup.yml:
--------------------------------------------------------------------------------
1 | - name: "Setup block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | block:
5 | - name: 'Enable the JWT auth method'
6 | vault_ci_enable_auth:
7 | method_type: jwt
8 | path: '{{ omit if is_default_path else this_path }}'
9 | config:
10 | default_lease_ttl: 60m
11 |
12 | - name: 'Configure the JWT auth method'
13 | vars:
14 | jwt_public_key: '{{ lookup("file", "jwt_public.pem") }}'
15 | vault_ci_write:
16 | path: 'auth/{{ this_path }}/config'
17 | data:
18 | # in docs, this is token_policies (changed in Vault 1.2)
19 | # use 'policies' to support older versions
20 | policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},approle-policy"
21 | jwt_validation_pubkeys: '{{ jwt_public_key }}'
22 |
23 | - name: 'Create a named role'
24 | vault_ci_write:
25 | path: 'auth/{{ this_path }}/role/test-role'
26 | data:
27 | # in docs, this is token_policies (changed in Vault 1.2)
28 | # use 'policies' to support older versions
29 | policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},approle-policy"
30 | role_type: jwt
31 | user_claim: sub
32 | bound_audiences: test
33 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_kv2_metadata_read.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2022 Isaac Wagner (@idwagner)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | import traceback
10 |
11 | from ansible.module_utils.basic import AnsibleModule
12 | import hvac
13 |
14 |
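def main():
    """Read a KV v2 secret's metadata (CI test helper).

    Arguments: ``url`` and ``token`` for the Vault client, ``path`` of the
    secret and an optional ``mount_point``. Returns the hvac response as
    ``result``; an hvac/HTTP failure is reported through ``fail_json``.
    """
    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the Vault token out of logs and task output
            token=dict(type='str', required=True, no_log=True),
            path=dict(type='str'),
            mount_point=dict(type='str'),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    # Forward mount_point only when given so hvac's own default applies.
    extra = {}
    if p['mount_point'] is not None:
        extra['mount_point'] = p['mount_point']

    try:
        result = client.secrets.kv.v2.read_secret_metadata(path=p['path'], **extra)
    except Exception as e:
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    # a metadata read modifies nothing in Vault, so it is not a change
    module.exit_json(changed=False, result=result)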
39 |
40 |
41 | if __name__ == '__main__':
42 | main()
43 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/aws_iam_login_default_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | ---
3 | request:
4 | method: POST|PUT
5 | path: "/v1/auth/aws/login"
6 | control:
7 | priority: 10
8 | response:
9 | statusCode: 200
10 | headers:
11 | Content-Type:
12 | - application/json
13 | body: >-
14 | {
15 | "request_id": "{{fake.UUID}}",
16 | "lease_id": "",
17 | "lease_duration": 0,
18 | "renewable": false,
19 | "data": null,
20 | "warnings": null,
21 | "auth": {
22 | "client_token": "s.{{fake.CharactersN(24)}}",
23 | "accessor": "{{fake.CharactersN(24)}}",
24 | "policies": [
25 | "default",
26 | "aws-sample-policy"
27 | ],
28 | "token_policies": [
29 | "default",
30 | "aws-sample-policy"
31 | ],
32 | "identity_policies": null,
33 | "metadata": {
34 | "account_id": "{{fake.digitsN(12)}}",
35 | "auth_type": "iam",
36 | "role_id": "{{fake.UUID}}"
37 | },
38 | "orphan": true,
39 | "entity_id": "{{fake.UUID}}",
40 | "lease_duration": 1800,
41 | "renewable": true
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/.github/workflows/ansible-builder.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: ansible-builder
3 | on:
4 | push:
5 | paths:
6 | - '.github/workflows/ansible-builder.yml'
7 | - 'meta/execution-environment.yml'
8 | - 'meta/ee-requirements.txt'
9 | pull_request:
10 | paths:
11 | - '.github/workflows/ansible-builder.yml'
12 | - 'meta/execution-environment.yml'
13 | - 'meta/ee-requirements.txt'
14 | schedule:
15 | - cron: '0 13 * * *'
16 |
17 | env:
18 | NAMESPACE: community
19 | COLLECTION_NAME: hashi_vault
20 |
21 | jobs:
22 | builder:
23 | name: ansible-builder requirements
24 | runs-on: ubuntu-latest
25 | steps:
26 | - name: Check out code
27 | uses: actions/checkout@v5
28 | with:
29 | show-progress: false
30 | path: ansible_collections/${{ env.NAMESPACE }}/${{ env.COLLECTION_NAME }}
31 |
32 | - name: Set up Python
33 | uses: actions/setup-python@v6
34 | with:
35 | python-version: 3.13
36 |
37 | - name: Install ansible-builder
38 | run: pip install ansible-builder
39 |
40 | # this is kind of a naive check, since we aren't comparing the output to anything to verify
41 | # so the only thing we'll catch with this is an egregious error that causes builder to exit nonzero
42 | - name: Verify Requirements
43 | run: ansible-builder introspect --sanitize .
44 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/aws_iam_login_alt_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | ---
3 | request:
4 | method: POST|PUT
5 | path: "/v1/auth/aws-alt/login"
6 | control:
7 | priority: 10
8 | response:
9 | statusCode: 200
10 | headers:
11 | Content-Type:
12 | - application/json
13 | body: >-
14 | {
15 | "request_id": "{{fake.UUID}}",
16 | "lease_id": "",
17 | "lease_duration": 0,
18 | "renewable": false,
19 | "data": null,
20 | "warnings": null,
21 | "auth": {
22 | "client_token": "s.{{fake.CharactersN(24)}}",
23 | "accessor": "{{fake.CharactersN(24)}}",
24 | "policies": [
25 | "default",
26 | "aws-alt-sample-policy"
27 | ],
28 | "token_policies": [
29 | "default",
30 | "aws-alt-sample-policy"
31 | ],
32 | "identity_policies": null,
33 | "metadata": {
34 | "account_id": "{{fake.digitsN(12)}}",
35 | "auth_type": "iam",
36 | "role_id": "{{fake.UUID}}"
37 | },
38 | "orphan": true,
39 | "entity_id": "{{fake.UUID}}",
40 | "lease_duration": 1800,
41 | "renewable": true
42 | }
43 | }
44 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_test_plugins/library/vault_ci_kv_put.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | from ansible.module_utils.basic import AnsibleModule
10 | import hvac
11 |
12 |
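def main():
    """Create or update a KV secret (CI test helper).

    ``version`` selects the KV engine version hvac should talk to (default 2),
    ``secret`` is the key/value payload written at ``path`` and
    ``mount_point`` is forwarded to hvac only when given. Always reports
    ``changed=True``; an hvac/HTTP failure is reported through ``fail_json``.
    """
    import traceback  # function-local: only needed on the failure path

    module = AnsibleModule(
        argument_spec=dict(
            url=dict(type='str', required=True),
            # no_log keeps the Vault token out of logs and task output
            token=dict(type='str', required=True, no_log=True),
            path=dict(type='str'),
            mount_point=dict(type='str'),
            # the payload is the secret itself; never echo it into logs
            secret=dict(type='dict', required=True, no_log=True),
            version=dict(type='int', default=2),
        ),
    )

    p = module.params

    client = hvac.Client(url=p['url'], token=p['token'])

    client.secrets.kv.default_kv_version = p['version']

    # Forward mount_point only when given so hvac's own default applies.
    extra = {}
    if p['mount_point'] is not None:
        extra['mount_point'] = p['mount_point']

    try:
        client.secrets.kv.create_or_update_secret(
            path=p['path'],
            secret=p['secret'],
            **extra
        )
    except Exception as e:
        # same failure reporting as the sibling vault_ci_* helpers
        module.fail_json(msg=str(e), exception=traceback.format_exc())

    module.exit_json(changed=True)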
42 |
43 |
44 | if __name__ == '__main__':
45 | main()
46 |
--------------------------------------------------------------------------------
/plugins/module_utils/_auth_method_none.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | '''Python versions supported: >=3.8'''
7 |
8 | # FOR INTERNAL COLLECTION USE ONLY
9 | # The interfaces in this file are meant for use within the community.hashi_vault collection
10 | # and may not remain stable to outside uses. Changes may be made in ANY release, even a bugfix release.
11 | # See also: https://github.com/ansible/community/issues/539#issuecomment-780839686
12 | # Please open an issue if you have questions about this.
13 |
14 | from __future__ import absolute_import, division, print_function
15 | __metaclass__ = type
16 |
17 | from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase
18 |
19 |
class HashiVaultAuthMethodNone(HashiVaultAuthMethodBase):
    '''HashiVault option group class for auth: none'''

    NAME = 'none'
    # this method declares no options of its own
    OPTIONS = []

    def __init__(self, option_adapter, warning_callback, deprecate_callback):
        # nothing to set up beyond what the base class keeps
        super().__init__(option_adapter, warning_callback, deprecate_callback)

    def validate(self):
        '''Nothing to validate for auth method ``none``.'''

    def authenticate(self, client, use_token=False):
        '''Leave ``client`` untouched; there is no login response, so ``None`` is returned.'''
        return None
34 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_role_delete/tasks/module_vault_database_role_delete_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: "{{ vault_plugins_module_defaults_common }}"
5 | vault_ci_enable_engine: "{{ vault_plugins_module_defaults_common }}"
6 | vault_ci_read: "{{ vault_plugins_module_defaults_common }}"
7 | vault_ci_write: "{{ vault_plugins_module_defaults_common }}"
8 | vault_ci_policy_put: "{{ vault_plugins_module_defaults_common }}"
9 | block:
10 | - name: Create a test non-root token
11 | vault_ci_token_create:
12 | policies: [policy-database-all]
13 | register: user_token_cmd
14 |
15 | - name: Set roles to be deleted
16 | ansible.builtin.set_fact:
17 | static_role_name: role5
18 | dynamic_role_name: dynamic_role
19 |
20 | - name: Create a static role
21 | vault_ci_write:
22 | path: "database/static-roles/{{ static_role_name }}"
23 | data:
24 | db_name: "{{ vault_database_connection_name }}"
25 | username: "{{ static_role_name }}"
26 |
27 | - name: Create a readonly dynamic role
28 | vault_ci_write:
29 | path: "database/roles/{{ dynamic_role_name }}"
30 | data:
31 | db_name: "{{ vault_database_connection_name }}"
32 | creation_statements: "{{ vault_database_dynamic_user_sql }}"
33 | default_ttl: 1h
34 | max_ttl: 24h
35 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/gcp_login_default.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | # Copyright (c) 2024 Michael Woodham (woodham@google.com)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 | ---
6 | request:
7 | method: POST|PUT
8 | path: "/v1/auth/gcp/login"
9 | control:
10 | priority: 10
11 | response:
12 | statusCode: 200
13 | headers:
14 | Content-Type:
15 | - application/json
16 | body: >-
17 | {
18 | "request_id": "{{fake.UUID}}",
19 | "lease_id": "",
20 | "lease_duration": 0,
21 | "renewable": false,
22 | "data": null,
23 | "warnings": null,
24 | "auth": {
25 | "client_token": "s.{{fake.CharactersN(24)}}",
26 | "accessor": "{{fake.CharactersN(24)}}",
27 | "policies": [
28 | "default",
29 | "gcp-sample-policy"
30 | ],
31 | "metadata": {
32 | "project_id": "{{fake.digitsN(12)}}",
33 | "role": "my-role",
34 | "service_account_email": "dev1@{{fake.digitsN(12)}}.iam.gserviceaccount.com",
35 | "service_account_id": "{{fake.digitsN(12)}}"
36 | },
37 | "lease_duration": 1800,
38 | "renewable": true
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/tests/unit/compat/unittest.py:
--------------------------------------------------------------------------------
1 | # (c) 2014, Toshio Kuratomi
2 | #
3 | # This file is part of Ansible
4 | #
5 | # Ansible is free software: you can redistribute it and/or modify
6 | # it under the terms of the GNU General Public License as published by
7 | # the Free Software Foundation, either version 3 of the License, or
8 | # (at your option) any later version.
9 | #
10 | # Ansible is distributed in the hope that it will be useful,
11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | # GNU General Public License for more details.
14 | #
15 | # You should have received a copy of the GNU General Public License
16 | # along with Ansible. If not, see .
17 |
18 | # Make coding more python3-ish
19 | from __future__ import (absolute_import, division, print_function)
20 | __metaclass__ = type
21 |
22 | '''
23 | Compat module for Python2.7's unittest module
24 | '''
25 |
26 | import sys
27 |
28 | # Allow wildcard import because we really do want to import all of
29 | # unittests's symbols into this compat shim
30 | # pylint: disable=wildcard-import,unused-wildcard-import
31 | if sys.version_info < (2, 7):
32 | try:
33 | # Need unittest2 on python2.6
34 | from unittest2 import *
35 | except ImportError:
36 | print('You need unittest2 installed on python2.6.x to run tests')
37 | else:
38 | from unittest import *
39 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/gcp_login_alt_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | # Copyright (c) 2024 Michael Woodham (woodham@google.com)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 | ---
6 | request:
7 | method: POST|PUT
8 | path: "/v1/auth/gcp-alt/login"
9 | control:
10 | priority: 10
11 | response:
12 | statusCode: 200
13 | headers:
14 | Content-Type:
15 | - application/json
16 | body: >-
17 | {
18 | "request_id": "{{fake.UUID}}",
19 | "lease_id": "",
20 | "lease_duration": 0,
21 | "renewable": false,
22 | "data": null,
23 | "warnings": null,
24 | "auth": {
25 | "client_token": "s.{{fake.CharactersN(24)}}",
26 | "accessor": "{{fake.CharactersN(24)}}",
27 | "policies": [
28 | "default",
29 | "gcp-alt-sample-policy"
30 | ],
31 | "metadata": {
32 | "project_id": "{{fake.digitsN(12)}}",
33 | "role": "my-role",
34 | "service_account_email": "dev1@{{fake.digitsN(12)}}.iam.gserviceaccount.com",
35 | "service_account_id": "{{fake.digitsN(12)}}"
36 | },
37 | "lease_duration": 1800,
38 | "renewable": true
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_pki_generate_certificate/tasks/module_vault_pki_generate_certificate_test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Var block
3 | vars:
4 | user_token: '{{ user_token_cmd.result.auth.client_token }}'
5 | module_defaults:
6 | community.hashi_vault.vault_pki_generate_certificate:
7 | url: '{{ vault_test_server_http }}'
8 | auth_method: token
9 | token: '{{ user_token }}'
10 | timeout: 5
11 | block:
12 | - name: Generate a throwaway certificate
13 | register: cert_data
14 | community.hashi_vault.vault_pki_generate_certificate:
15 | role_name: test.example.org
16 | common_name: throwaway.test.example.org
17 | alt_names:
18 | - throwaway2.test.example.org
19 | - throwaway3.test.example.org
20 |
21 | - assert:
22 | that:
23 | - cert_data is changed
24 | - "'data' in cert_data"
25 | - "'data' in cert_data['data']"
26 | - "'certificate' in cert_data['data']['data']"
27 | fail_msg: Return value did not contain expected fields.
28 |
29 | - name: Generate certificate (check mode)
30 | register: result
31 | community.hashi_vault.vault_pki_generate_certificate:
32 | role_name: test.example.org
33 | common_name: throwaway.test.example.org
34 | check_mode: true
35 |
36 | - assert:
37 | that:
38 | - result is changed
39 | - "'data' in result"
40 | - result.data == {}
41 | fail_msg: "Unexpected result from check mode: {{ result }}"
42 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/azure_login_default_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | # Copyright (c) 2022 Junrui Chen (@jchenship)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 | ---
6 | request:
7 | method: POST|PUT
8 | path: "/v1/auth/azure/login"
9 | control:
10 | priority: 10
11 | response:
12 | statusCode: 200
13 | headers:
14 | Content-Type:
15 | - application/json
16 | body: >-
17 | {
18 | "request_id": "{{fake.UUID}}",
19 | "lease_id": "",
20 | "lease_duration": 0,
21 | "renewable": false,
22 | "data": null,
23 | "warnings": null,
24 | "auth": {
25 | "client_token": "s.{{fake.CharactersN(24)}}",
26 | "accessor": "{{fake.CharactersN(24)}}",
27 | "policies": [
28 | "default",
29 | "azure-sample-policy"
30 | ],
31 | "token_policies": [
32 | "default",
33 | "azure-sample-policy"
34 | ],
35 | "identity_policies": null,
36 | "metadata": {
37 | "role": "vault-role",
38 | "resource_group_name": "",
39 | "subscription_id": ""
40 | },
41 | "orphan": true,
42 | "entity_id": "{{fake.UUID}}",
43 | "lease_duration": 1800,
44 | "renewable": true
45 | }
46 | }
47 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/mmock/azure_login_alt_mount.yml.j2:
--------------------------------------------------------------------------------
1 | #jinja2:variable_start_string:'[%', variable_end_string:'%]'
2 | # Copyright (c) 2022 Junrui Chen (@jchenship)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 | ---
6 | request:
7 | method: POST|PUT
8 | path: "/v1/auth/azure-alt/login"
9 | control:
10 | priority: 10
11 | response:
12 | statusCode: 200
13 | headers:
14 | Content-Type:
15 | - application/json
16 | body: >-
17 | {
18 | "request_id": "{{fake.UUID}}",
19 | "lease_id": "",
20 | "lease_duration": 0,
21 | "renewable": false,
22 | "data": null,
23 | "warnings": null,
24 | "auth": {
25 | "client_token": "s.{{fake.CharactersN(24)}}",
26 | "accessor": "{{fake.CharactersN(24)}}",
27 | "policies": [
28 | "default",
29 | "azure-alt-sample-policy"
30 | ],
31 | "token_policies": [
32 | "default",
33 | "azure-alt-sample-policy"
34 | ],
35 | "identity_policies": null,
36 | "metadata": {
37 | "role": "vault-role",
38 | "resource_group_name": "",
39 | "subscription_id": ""
40 | },
41 | "orphan": true,
42 | "entity_id": "{{fake.UUID}}",
43 | "lease_duration": 1800,
44 | "renewable": true
45 | }
46 | }
47 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_approle/tasks/approle_setup.yml:
--------------------------------------------------------------------------------
1 | - name: "Setup block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | block:
5 | - name: 'Enable the approle auth method'
6 | vault_ci_enable_auth:
7 | method_type: approle
8 | path: '{{ omit if is_default_path else this_path }}'
9 | config:
10 | default_lease_ttl: 60m
11 |
12 | - name: 'Create an approle policy'
13 | vault_ci_policy_put:
14 | name: approle-policy
15 | policy: |
16 | path "auth/{{ this_path }}/login" {
17 | capabilities = [ "create", "read" ]
18 | }
19 |
20 | - name: 'Create a named role (secret ID required)'
21 | vault_ci_write:
22 | path: 'auth/{{ this_path }}/role/{{ secret_id_role }}'
23 | data:
24 | # in docs, this is token_policies (changed in Vault 1.2)
25 | # use 'policies' to support older versions
26 | policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},approle-policy"
27 | secret_id_ttl: 60m
28 |
29 | - name: 'Create a named role (without secret id)'
30 | vault_ci_write:
31 | path: 'auth/{{ this_path }}/role/{{ no_secret_id_role }}'
32 | data:
33 | # in docs, this is token_policies (changed in Vault 1.2)
34 | # use 'policies' to support older versions
35 | policies: "{{ 'test-policy' if is_default_path else 'alt-policy' }},approle-policy"
36 | secret_id_ttl: 60m
37 | bind_secret_id: false
38 | secret_id_bound_cidrs: '0.0.0.0/0'
39 |
--------------------------------------------------------------------------------
/docs/preview/conf.py:
--------------------------------------------------------------------------------
1 | # Copyright (c) Ansible Project
2 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
3 | # SPDX-License-Identifier: GPL-3.0-or-later
4 |
5 | # This file only contains a selection of the most common options. For a full list see the
6 | # documentation:
7 | # http://www.sphinx-doc.org/en/master/config
8 |
# Project identity as shown in the rendered pages.
project = 'Ansible collections'
copyright = 'Ansible contributors'
title = 'Ansible Collections Documentation'
html_short_title = 'Ansible Collections Documentation'

# Sphinx extensions: autodoc and intersphinx from core, plus the antsibull
# extension that renders the collection documentation.
extensions = [
    'sphinx.ext.autodoc',
    'sphinx.ext.intersphinx',
    'sphinx_antsibull_ext',
]

# Syntax highlighting.
pygments_style = 'ansible'
highlight_language = 'YAML+Jinja'

# HTML output.
html_theme = 'sphinx_ansible_theme'
html_show_sphinx = False
display_version = False
html_use_smartypants = True
html_use_modindex = False
html_use_index = False
html_copy_source = False

# Cross-references to external documentation. Each entry pairs the remote base
# URL with a local inventory fallback ('../<name>.inv').
intersphinx_mapping = {
    'python': ('https://docs.python.org/2/', (None, '../python2.inv')),
    'python3': ('https://docs.python.org/3/', (None, '../python3.inv')),
    'jinja2': ('http://jinja.palletsprojects.com/', (None, '../jinja2.inv')),
    'ansible_devel': ('https://docs.ansible.com/ansible/devel/', (None, '../ansible_devel.inv')),
    # If you want references to resolve to a released Ansible version (say, `5`), uncomment and replace X by this version:
    # 'ansibleX': ('https://docs.ansible.com/ansible/X/', (None, '../ansibleX.inv')),
}

# Bare backtick references use the `any` role; warn about every unresolved reference.
default_role = 'any'
nitpicky = True
43 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/templates/docker-compose.yml.j2:
--------------------------------------------------------------------------------
1 | # {{ ansible_managed }}
2 | ---
3 | services:
4 | vault:
5 | image: '{{ vault_container_image }}:{{ vault_version }}'
6 | container_name: '{{ vault_container_name }}'
7 | ports:
8 | - '{{ vault_port_http }}:{{ vault_port_http }}'
9 | - '{{ vault_port_https }}:{{ vault_port_https }}'
10 | volumes:
11 | - '{{ vault_config_output }}:/vault/config'
12 | environment:
13 | VAULT_DEV_ROOT_TOKEN_ID: '{{ vault_dev_root_token_id }}'
14 | SKIP_CHOWN: 1
15 | tinyproxy:
16 | image: '{{ proxy_container_image }}'
17 | container_name: '{{ proxy_container_name }}'
18 | ports:
19 | - '{{ proxy_port }}:{{ proxy_port }}'
20 | command: ANY
21 | mmock:
22 | image: '{{ mmock_container_image }}'
23 | container_name: '{{ mmock_container_name }}'
24 | ports:
25 | - '{{ mmock_server_port }}:{{ mmock_server_port }}'
26 | - '{{ mmock_console_port }}:{{ mmock_console_port }}'
27 | volumes:
28 | - '{{ mmock_config_path }}:/config'
29 | command: >-
30 | -console-port {{ mmock_console_port }}
31 | -server-port {{ mmock_server_port }}
32 | postgres:
33 | image: '{{ postgres_container_image }}'
34 | container_name: '{{ postgres_container_name }}'
35 | environment:
36 | POSTGRES_DB: '{{ postgres_db_name }}'
37 | POSTGRES_PASSWORD: '{{ postgres_db_password }}'
38 | POSTGRES_USER: '{{ postgres_db_user }}'
39 | ports:
40 | - '{{ postgres_sql_port }}:{{ postgres_sql_port }}'
41 | volumes:
42 | - '{{ postgres_config_path}}/init.sql:/docker-entrypoint-initdb.d/init.sql'
43 |
--------------------------------------------------------------------------------
/tests/integration/targets/module_vault_database_connection_delete/tasks/module_vault_database_connection_delete_setup.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Configuration tasks
3 | module_defaults:
4 | vault_ci_token_create: "{{ vault_plugins_module_defaults_common }}"
5 | vault_ci_enable_engine: "{{ vault_plugins_module_defaults_common }}"
6 | vault_ci_read: "{{ vault_plugins_module_defaults_common }}"
7 | vault_ci_write: "{{ vault_plugins_module_defaults_common }}"
8 | vault_ci_policy_put: "{{ vault_plugins_module_defaults_common }}"
9 | vars:
10 | connection_names: ["test-connection-delete-1", "test-connection-delete-2"]
11 | usernames: ["con2", "con2"]
12 | passwords: ["con2", "con2"]
13 | block:
14 | - name: Create a test non-root token
15 | vault_ci_token_create:
16 | policies: [policy-database-all]
17 | register: user_token_cmd
18 |
19 | - name: Define database connection data
20 | ansible.builtin.set_fact:
21 | db_sample_data: "{{ db_sample_data | default([]) + [ {'connection_name': item.0, 'username': item.1, 'password': item.2 } ] }}"
22 | with_together:
23 | - "{{ connection_names }}"
24 | - "{{ usernames }}"
25 | - "{{ passwords }}"
26 |
27 | - name: Create database connections that can be deleted in the following test
28 | vault_ci_write:
29 | path: "database/config/{{ item.connection_name }}"
30 | data:
31 | plugin_name: "{{ vault_database_plugin_name }}"
32 | connection_url: "{{ vault_database_connection_url }}"
33 | allowed_roles: "*"
34 | username: "{{ item.username }}"
35 | password: "{{ item.password }}"
36 | loop: "{{ db_sample_data }}"
37 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_docker/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | vault_version: latest
3 | vault_dev_root_token_id: 47542cbc-6bf8-4fba-8eda-02e0a0d29a0a
4 |
5 | docker_compose: clean
6 | # clean - down, then up
7 | # up - bring up the configuration
8 | # down - destroy the configuration
9 | # none - do not take any docker actions (templating of docker-compose.yml still happens)
10 |
11 | docker_compose_project_name: hashi_vault
12 |
13 | vault_port_http: 8200
14 | vault_port_https: 8300
15 | vault_container_name: vault
16 | vault_container_image: hashicorp/vault
17 | vault_target_name: '{{ vault_container_name }}'
18 |
19 | proxy_port: 8888
20 | proxy_container_name: tinyproxy
21 | proxy_container_image: monokal/tinyproxy
22 | proxy_target_name: '{{ proxy_container_name }}'
23 |
24 | mmock_server_port: 8900
25 | mmock_console_port: 8901
26 | mmock_container_name: mmock
27 | mmock_container_image: jordimartin/mmock
28 | mmock_target_name: '{{ mmock_container_name }}'
29 | mmock_config_path: '{{ output_dir }}/mmock_config'
30 |
31 | postgres_container_name: postgres
32 | postgres_container_image: postgres
33 | postgres_target_name: '{{ postgres_container_name }}'
34 | postgres_config_path: '{{ output_dir }}/postgres'
35 | postgres_sql_port: 5432
36 | postgres_db_name: hcvault
37 | postgres_db_user: postgres
38 | postgres_db_password: postgres
39 |
40 | output_dir: '{{ role_path }}/files/.output'
41 |
42 | docker_compose_output: '{{ output_dir }}/{{ docker_compose_project_name }}'
43 | docker_compose_file: '{{ docker_compose_output }}/docker-compose.yml'
44 |
45 | vault_config_output: '{{ output_dir }}/vault_config'
46 |
47 | vault_cert_file: '{{ vault_config_output }}/cert.pem'
48 | vault_key_file: '{{ vault_config_output }}/key.pem'
49 |
50 | vault_crypto_force: false
51 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/tasks/userpass_test_controller.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | kwargs_mount: "{{ {} if is_default_path else {'mount_point': this_path} }}"
5 | kwargs_common:
6 | username: '{{ userpass_username }}'
7 | kwargs: "{{ kwargs_common | combine(kwargs_mount) }}"
8 | block:
9 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
10 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
11 | # is default, and success when the mount is alternate
12 | - name: Check auth mount differing result
13 | set_fact:
14 | response: "{{ lookup('vault_test_auth', password=userpass_password, **kwargs) }}"
15 |
16 | - assert:
17 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
18 | that:
19 | - ('test-policy' in response.login.auth.policies) | bool == is_default_path
20 | - ('test-policy' not in response.login.auth.policies) | bool != is_default_path
21 | - ('alt-policy' in response.login.auth.policies) | bool != is_default_path
22 | - ('alt-policy' not in response.login.auth.policies) | bool == is_default_path
23 |
24 | - name: Failure expected when erroneous credentials are used
25 | set_fact:
26 | response: "{{ lookup('vault_test_auth', password='fake', want_exception=true, **kwargs) }}"
27 |
28 | - assert:
29 | fail_msg: "An invalid password somehow did not cause a failure."
30 | that:
31 | - response is failed
32 | - response.msg is search('invalid username or password')
33 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_vault_configure_database/tasks/configure.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Create database secrets engine
3 | vault_ci_enable_engine:
4 | backend_type: database
5 |
6 | - name: Create a database connection
7 | vault_ci_write:
8 | path: "/{{ vault_database_engine_mount_point }}/config/{{ vault_database_connection_name }}"
9 | data:
10 | plugin_name: "{{ vault_database_plugin_name }}"
11 | connection_url: "{{ vault_database_connection_url }}"
12 | allowed_roles: "*"
13 | username: "{{ vault_database_connection_user }}"
14 | password: "{{ vault_database_connection_password }}"
15 |
16 | - name: Create some static roles
17 | vault_ci_write:
18 | path: "{{ vault_database_engine_mount_point }}/static-roles/role{{ item }}"
19 | data:
20 | db_name: "{{ vault_database_connection_name }}"
21 | username: "role{{ item }}"
22 | rotation_period: 24h
23 | loop: [1, 2, 3, 4, 5]
24 |
25 | - name: Create a readonly dynamic role
26 | vault_ci_write:
27 | path: "{{ vault_database_engine_mount_point }}/roles/readonly"
28 | data:
29 | db_name: "{{ vault_database_connection_name }}"
30 | creation_statements: "{{ vault_database_dynamic_user_sql }}"
31 | default_ttl: 1h
32 | max_ttl: 24h
33 |
34 | - name: Create a database base policy
35 | vault_ci_policy_put:
36 | name: base-policy-database
37 | policy: "{{ vault_base_policy_db }}"
38 |
39 | - name: Create a database all policy
40 | vault_ci_policy_put:
41 | name: policy-database-all
42 | policy: "{{ vault_policy_db_all }}"
43 |
44 | - name: Write Canary
45 | vault_ci_write:
46 | path: "{{ vault_configure_engine_database_canary.path }}"
47 | data:
48 | value: "{{ vault_configure_engine_database_canary.value }}"
49 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/files/jwt_private.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw
3 | kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr
4 | m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi
5 | NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV
6 | 3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2
7 | QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs
8 | kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go
9 | amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM
10 | +bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9
11 | D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC
12 | 0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y
13 | lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+
14 | hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp
15 | bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X
16 | +jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B
17 | BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC
18 | 2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx
19 | QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz
20 | 5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9
21 | Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0
22 | NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j
23 | 8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma
24 | 3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K
25 | y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB
26 | jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE=
27 | -----END RSA PRIVATE KEY-----
28 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/tasks/userpass_test_target.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | module_defaults:
5 | vault_test_auth:
6 | url: '{{ ansible_hashi_vault_url }}'
7 | auth_method: '{{ ansible_hashi_vault_auth_method }}'
8 | mount_point: '{{ omit if is_default_path else this_path }}'
9 | username: '{{ userpass_username }}'
10 | password: '{{ userpass_password }}'
11 | block:
12 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
13 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
14 | # is default, and success when the mount is alternate
15 | - name: Check auth mount differing result
16 | register: response
17 | vault_test_auth:
18 |
19 | - assert:
20 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
21 | that:
22 | - ('test-policy' in response.login.auth.policies) | bool == is_default_path
23 | - ('test-policy' not in response.login.auth.policies) | bool != is_default_path
24 | - ('alt-policy' in response.login.auth.policies) | bool != is_default_path
25 | - ('alt-policy' not in response.login.auth.policies) | bool == is_default_path
26 |
27 | - name: Failure expected when erroneous credentials are used
28 | register: response
29 | vault_test_auth:
30 | password: fake
31 | want_exception: true
32 |
33 | - assert:
34 | fail_msg: "An invalid password somehow did not cause a failure."
35 | that:
36 | - response.inner is failed
37 | - response.msg is search('invalid username or password')
38 |
--------------------------------------------------------------------------------
/tests/unit/plugins/module_utils/option_adapter/conftest.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Brian Scholer (@briantist)
3 | # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
4 | # SPDX-License-Identifier: GPL-3.0-or-later
5 |
6 | from __future__ import (absolute_import, division, print_function)
7 | __metaclass__ = type
8 |
9 | # this file must define the "adapter" fixture at a minimum,
10 | # and anything else that it needs or depends on that isn't already defined in the test files themselves.
11 |
12 | # Keep in mind that this one is for module_utils and so it cannot depend on or import any controller-side code.
13 |
14 | from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultOptionAdapter
15 |
16 | import pytest
17 |
18 |
class FakeAnsibleModule:
    """Minimal stand-in for AnsibleModule.

    HashiVaultOptionAdapter.from_ansible_module() reads nothing but the
    ``params`` dict, so that is the only attribute this fake carries.
    """

    def __init__(self, params):
        # Kept by reference; no copy is taken.
        self.params = params
24 |
25 |
@pytest.fixture
def ansible_module(sample_dict):
    """Wrap the shared ``sample_dict`` fixture in a fake AnsibleModule."""
    module = FakeAnsibleModule(sample_dict)
    return module
29 |
30 |
@pytest.fixture
def adapter_from_ansible_module(ansible_module):
    """Return a zero-argument factory building an adapter over ``ansible_module``.

    A factory (rather than the adapter itself) keeps this fixture's shape
    consistent with the other ``adapter_from_*`` fixtures, which the
    ``adapter`` fixture below invokes with no arguments.
    """
    def _build():
        return HashiVaultOptionAdapter.from_ansible_module(ansible_module)

    return _build
37 |
38 |
@pytest.fixture(params=['dict', 'dict_defaults', 'ansible_module'])
def adapter(request, adapter_from_dict, adapter_from_dict_defaults, adapter_from_ansible_module):
    """Parametrized adapter: one instance per construction path.

    ``request.param`` selects which ``adapter_from_*`` factory is called, so every
    test using this fixture runs once per adapter source.
    """
    factories = {
        'dict': adapter_from_dict,
        'dict_defaults': adapter_from_dict_defaults,
        'ansible_module': adapter_from_ansible_module,
    }
    build = factories[request.param]
    return build()
46 |
--------------------------------------------------------------------------------
/plugins/module_utils/_auth_method_cert.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # Copyright (c) 2021 Devon Mar (@devon-mar)
3 | # Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
4 | # SPDX-License-Identifier: BSD-2-Clause
5 |
6 | from __future__ import absolute_import, division, print_function
7 | __metaclass__ = type
8 |
9 | from ansible_collections.community.hashi_vault.plugins.module_utils._hashi_vault_common import HashiVaultAuthMethodBase
10 |
11 |
class HashiVaultAuthMethodCert(HashiVaultAuthMethodBase):
    """HashiVault option group class for auth: cert

    Maps the collection's ``cert_auth_*``, ``mount_point`` and ``role_id``
    options onto the keyword arguments of hvac's ``client.auth.cert.login()``.
    """

    NAME = "cert"
    OPTIONS = ["cert_auth_public_key", "cert_auth_private_key", "mount_point", "role_id"]

    def __init__(self, option_adapter, warning_callback, deprecate_callback):
        super(HashiVaultAuthMethodCert, self).__init__(option_adapter, warning_callback, deprecate_callback)

    def validate(self):
        """Both halves of the client certificate pair are mandatory for this method."""
        self.validate_by_required_fields("cert_auth_public_key", "cert_auth_private_key")

    def authenticate(self, client, use_token=True):
        """Log in with TLS client certificate auth and return hvac's login response.

        :param client: an hvac client; only ``client.auth.cert.login`` is used.
        :param use_token: passed through unchanged to hvac's ``login()``.
        :raises NotImplementedError: re-raised with a version hint when hvac's
            ``login()`` itself raises ``NotImplementedError``.
        """
        options = self._options.get_filled_options(*self.OPTIONS)

        # The certificate pair is always sent; the remaining two are optional and
        # only forwarded when the user actually set them.
        params = {
            "cert_pem": options["cert_auth_public_key"],
            "key_pem": options["cert_auth_private_key"],
        }
        optional_params = (
            ("mount_point", "mount_point"),  # option name -> hvac kwarg
            ("role_id", "name"),
        )
        for option_name, login_kwarg in optional_params:
            if option_name in options:
                params[login_kwarg] = options[option_name]

        try:
            return client.auth.cert.login(use_token=use_token, **params)
        except NotImplementedError:
            raise NotImplementedError("cert authentication requires HVAC version 0.10.12 or higher.")
43 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_ldap/tasks/ldap_test_controller.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | kwargs_mount: "{{ {} if is_default_path else {'mount_point': this_path} }}"
5 | kwargs_common:
6 | password: '{{ ldap_password }}'
7 | kwargs: "{{ kwargs_common | combine(kwargs_mount) }}"
8 | block:
9 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
10 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
11 | # is default, and success when the mount is alternate
12 | - name: Check auth mount differing result
13 | set_fact:
14 | response: "{{ lookup('vault_test_auth', username=ldap_username, **kwargs) }}"
15 |
16 | - assert:
17 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
18 | that:
19 | - ('ldap-sample-policy' in response.login.auth.policies) | bool == is_default_path
20 | - ('ldap-sample-policy' not in response.login.auth.policies) | bool != is_default_path
21 | - ('ldap-alt-sample-policy' in response.login.auth.policies) | bool != is_default_path
22 | - ('ldap-alt-sample-policy' not in response.login.auth.policies) | bool == is_default_path
23 |
24 | - name: Failure expected when something goes wrong (simulated)
25 | set_fact:
26 | response: "{{ lookup('vault_test_auth', username='fail-me-username', want_exception=true, **kwargs) }}"
27 |
28 | - assert:
29 | fail_msg: "An invalid request somehow did not cause a failure."
30 | that:
31 | - response is failed
32 | - "response.msg is search('ldap operation failed: failed to bind as user')"
33 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/files/auth_cert.key:
--------------------------------------------------------------------------------
1 | -----BEGIN PRIVATE KEY-----
2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJwFJpUp2ZN0QU
3 | rO4luUz1wJFIHWITpSSk+MURNU2t62aNTWj2rOq4dH5eJZDRwfzr82lYTY4KbZE1
4 | 2q3HDDjIRokFMYUBHylvis6iMqrF15OvGo/8SIFVrtfyKFVGMfPS1BxNl3XeWjve
5 | cNWuoKKMferKVWae1Glkm/P1fUhlHsYACTAxqxkzxm1w9qUrAXw1oOcrMYqbWZlH
6 | 3jFrWf9TiSfXhbh41vrQwrjh3h3HpIisDPdAo76nhIRnYBLSxlQ5E+Lndru2CnmV
7 | 8SHuVEzC9tKWgs3ddr/yziJTNmRKocklawb5fls7+QS5n31utlD1l5UQ2WvRWggF
8 | hv/eBfwjAgMBAAECggEAXhehF9fdAokg6legld1vBCp0V2LEzA64IWyYVCc8/EEO
9 | ShZxPqJ0seQ6z2PLv9guQkj6t6Er/rcNA0XiyDNuBBHJc6+drWFALPJa3pCszqp1
10 | CTRlNK8ICtMJibm/04YWhhxAuvtJkJMa2upa7h+iz80mBImB28+K+840ICj265lz
11 | lua32UCMXw0lDPUm8Ud9lVYKy1tTy9IMOxnwsplXFxtARlxoyn0/f4e1v+4MT1zQ
12 | gm3EXkr7xNK8gEnYB87RZBphpS1QPah3ZQZc81imgeZLEW+bxSKHlTp6qk9OMZYa
13 | VfMNM5WeDEZw7aWaOSrWn2Vc2K2eCZpbV99FAMzDYQKBgQDlMWD9yoCYh46x1C5N
14 | A4DCMkpcoPxQkFSWevUnLVxlvMybKleUrL9EUzJ58Ps2d2Yn5KfS8xjxwrBEF7DW
15 | ReMtEmUhx3PeF3GdIUnsE6ePUgVysbtXHjPcj8LiRXsOrDIQ6g55qNrVczngGqmV
16 | e8UP6fx15QbnTho00aU17K+J0wKBgQDhWUU/7gjtk1Z+3Qeyu5Rm65RirVWJ2lM/
17 | NluLX132uL831+X9v22r8o1P40cXJJ05baX2VCoR88Z6oVxD5g4eOS+scwwTSmIK
18 | 3n07awPDffw/Em3I3zhUN26ExM5Ed3IOngf5WLBw2r3gavGV2FDc/RDn28GTgM8I
19 | Bo54MB+CcQKBgQCSuRjRgCjw/J8SIrZ9YQe1yoImaHz+ildMemyk5vomu0X085db
20 | u3c6o1RGEkqQJMHGOjBh8HSAmNVE0jHICreTbBpIFKqNfE6ke+IZ+r8jFiwcr8Ex
21 | 1Uj4IyRsvHQ6AWyPvXcE1V86lGhxmkAETVbriCyxwKu5uhs2wxtTuTDrNwKBgCmt
22 | khI92ybdfjzecmMLMGpMndgWSODDIWxqiEnhrIZKKwuQAbiJpCYOKTaiSW6tVere
23 | Lbi+Xj2NwaLCn0brkKbkWr3hVVVoB3QNLEpGA58veOzNYsKpDkj9K5Kgt6mQEedE
24 | MSNb1N46hq2v+diF9oa4w1yul0HJrADG/aia9ejxAoGAU3yES6OdE5QHyuiLHKfy
25 | x5OOcQkTItk9IhxboSjYVB5GsBuKR+RloRZXmR9HhnzAjvbe0FVqGjdr5nHfICdE
26 | 8KsYpVf2c6x9NNbHSzqBARRg7x+H+uhfymgXfI4R3eL945ukFMC+qOU57kPvwriF
27 | OvQYefm/1PN7vuLKsZ7g7iQ=
28 | -----END PRIVATE KEY-----
29 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_cert/files/auth_cert_invalid.key:
--------------------------------------------------------------------------------
1 | -----BEGIN PRIVATE KEY-----
2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDOgIWuW1HFsLop
3 | CBWVAHHCV2AAuaHM8m8DelQxw3Q7oIpInPwE9QJGkWAISYi1gA9F3jh4IX9XgqXg
4 | vmWHG2bLF6+zWf31JkdvJ4tTbUEU3GdGxAQWGhIxKDR3p8ADrLgYSbmsL3zSPiZ7
5 | Ono6CyAt51IEGm1qeID236wucllqz0c12RDKfYRaacR0SB81t8qsZTlztoVAuVLV
6 | RJWJIdKIwUglV3vIhX1kwZ2a3LkyJvOctcfpNZA+6MlsU2Yj2lLU3fVDOqRtYmKu
7 | U3288e68eZ7YkzMEmS+GN5VFr5EO1glz1ey9KezaUciEEB+jHAWYrmrb/JBBkSqg
8 | 7TYReZAxAgMBAAECggEAFAfJb8kx3GAxHovHNCXP4w8Ao/FdrXiSph62jgEshCAl
9 | abe4hm6RovC1BPjFBv39/UP57EUrifyFRJCTXpCc3vRUOaxwAtiMs059qED/wBtE
10 | 9UtMLiynORdyR20BJhoZ3VlBZl9Q1z/qEafxdTHhFDLM9NLvbBV2RPwbQoIbBE4c
11 | LDz02ISvvX/2TQvCzXV723XhAWPAmXDfK0sxONJ2adlp5LdNOBmwbGzHIymTVFFR
12 | yJh9fk67hSi6KBbvVw+AuTXhaZ48hBTfD7aG2PF0knZRug4qlL840u4h+YD/PRb4
13 | FBs26XTzgX/fi4tTfR+fr43tbl/61JVOhV6PgmZqAQKBgQDxnP+aEQ6Lw4FuPFbf
14 | ahwi/kJsng8GR7PfTLE9oOeCErmL2h8BdLqwoFNbUocrxzc7AnYQ2qLi6C+ord2j
15 | huKcqvC4uV9EcBtm5PzszpsmvcYPdlMoJ2uUlpf4gNMw4QAQsdVkBl4dS1RmqfOF
16 | nlB1Qr2fI13KxcTBLnIyF78eEQKBgQDazE9fY3mC859Vkuk90C/1cebb2D3JQ5+p
17 | uyQOFzIrj4dIY9FtleuPG8T6pMRG0+VJdY0m2y25yWddrkR987d9HKdC6+O+7z9d
18 | 3K9Cdwudl+UgJDKRAjwpASSW8cN/tRinKqdLMaB7LG6zqjw2c6fPrJQDUpkqYQNW
19 | Nf2oe3uwIQKBgGGUKpaqdNl1Z/yBWgR48kwfq+v6Gc9LfhWc/6gIJ/ecYFtfCE6q
20 | OgvDdGbZecXwexnV8KD16/sAEt9o+K5md3cWgonYM+WL8UUpDg0FlBudYTQ1cXgy
21 | E3y7JT0zqhd/h2s2pxvyhmgGWFvuH2/DdHMnNTXkLqkKHmB2xZ/9fy5BAoGAA4uo
22 | BZ2xDGQyQsq8qNnEzS9pVEquxaIo5jE4JlpN39LVmGC1thbl2E3U5VLiM1ufrY8Q
23 | GH8YwJf46tW2GmxmnspmE3mLGT77QeQfmu4e7BDYD6tGfn8QxoFUPHXyexFOMvdH
24 | +rn1JcnUiWjKzP8WyxC63UrrXHpx+WWqlJ5bpMECgYEAjWUgQyAzep38gVSdwtIc
25 | mrxOVUXHNPgts4DjIcu5Rbxy6E4CQ4jBiBdxNnVNEYgkyNPfKqjOtb4dEOEwO+XC
26 | vz1ZCozUms0ALjbba6/zIHiowBOo8ORIngK4+zMx3fx+2wSfkeZ2kKOTFflvNOBk
27 | QItFtv0Xwa/UhMWmnJ5uAW8=
28 | -----END PRIVATE KEY-----
29 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_aws_iam/tasks/aws_iam_test_controller.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | kwargs_mount: "{{ {} if is_default_path else {'mount_point': this_path} }}"
5 | kwargs_common:
6 | aws_access_key: '{{ aws_access_key }}'
7 | aws_secret_key: '{{ aws_secret_key }}'
8 | kwargs: "{{ kwargs_common | combine(kwargs_mount) }}"
9 | block:
10 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
11 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
12 | # is default, and success when the mount is alternate
13 | - name: Check auth mount differing result
14 | set_fact:
15 | response: "{{ lookup('vault_test_auth', role_id='not-important', **kwargs) }}"
16 |
17 | - assert:
18 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
19 | that:
20 | - ('aws-sample-policy' in response.login.auth.policies) | bool == is_default_path
21 | - ('aws-sample-policy' not in response.login.auth.policies) | bool != is_default_path
22 | - ('aws-alt-sample-policy' in response.login.auth.policies) | bool != is_default_path
23 | - ('aws-alt-sample-policy' not in response.login.auth.policies) | bool == is_default_path
24 |
25 | - name: Failure expected when something goes wrong (simulated)
26 | set_fact:
27 | response: "{{ lookup('vault_test_auth', role_id='fail-me-role', want_exception=true, **kwargs) }}"
28 |
29 | - assert:
30 | fail_msg: "An invalid request somehow did not cause a failure."
31 | that:
32 | - response is failed
33 | - response.msg is search('')
34 |
--------------------------------------------------------------------------------
/.github/actions/collection-via-git/action.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Ansible Collection via GitHub
3 | description: Install Ansible collections direct from GitHub repositories without using ansible-galaxy.
4 | branding:
5 | icon: git-branch
6 | color: yellow
7 | inputs:
8 | collection:
9 | description: The name of the collection in namespace.collection_name form.
10 | required: true
11 | ref:
12 | description: The git ref to install. Defaults to the latest release as listed in GitHub releases. Only supports branches and tags.
13 | required: false
14 | path:
15 | description: The path to clone it to. Defaults to ansible_collections/namespace/collection_name.
16 | required: false
17 | runs:
18 | using: composite
19 | steps:
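- shell: bash
  # Inputs reach the script through the environment instead of being templated
  # into its body: a ${{ }} expression is expanded before bash parses the script,
  # so a crafted input could otherwise close the quotes and run as a command.
  env:
    COLLECTION: ${{ inputs.collection }}
    P_PATH: ${{ inputs.path }}
    P_REF: ${{ inputs.ref }}
  run: |
    # the collection input is documented as namespace.collection_name; reject anything
    # else before it is spliced into the GitHub URL and the clone path
    if ! [[ "${COLLECTION}" =~ ^[A-Za-z0-9_]+\.[A-Za-z0-9_]+$ ]]
    then
      echo "collection must be given as namespace.collection_name, got '${COLLECTION}'" >&2
      exit 1
    fi

    NS="${COLLECTION%.*}"
    CN="${COLLECTION#*.}"

    # only collections in the ansible-collections organization are supported right now
    URLBASE="https://github.com/ansible-collections/${COLLECTION}"
    URLCLONE="${URLBASE}.git"
    URLLATEST="${URLBASE}/releases/latest"

    if [[ -n "${P_PATH}" ]]
    then
      OUTPATH="${P_PATH}"
    else
      OUTPATH="ansible_collections/${NS}/${CN}"
    fi

    if [[ -n "${P_REF}" ]]
    then
      REF="${P_REF}"
    else
      # credit to https://gist.github.com/lukechilds/a83e1d7127b78fef38c2914c4ececc3c#gistcomment-3294173
      latest=$(curl -fs -o/dev/null -w '%{redirect_url}' "${URLLATEST}")
      # fail closed: a repository without releases yields no redirect, and a redirect
      # that leaves the collection's own URL must not choose what gets cloned
      if [[ "${latest}" != "${URLBASE}/"* ]]
      then
        echo "could not determine the latest release of ${COLLECTION} (redirect: '${latest}')" >&2
        exit 1
      fi
      REF=$(basename "${latest}")
    fi

    git clone --depth=1 --branch "${REF}" "${URLCLONE}" "${OUTPATH}"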
51 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_ldap/tasks/ldap_test_target.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | module_defaults:
5 | vault_test_auth:
6 | url: '{{ ansible_hashi_vault_url }}'
7 | auth_method: '{{ ansible_hashi_vault_auth_method }}'
8 | mount_point: '{{ omit if is_default_path else this_path }}'
9 | username: '{{ ldap_username }}'
10 | password: '{{ ldap_password }}'
11 | block:
12 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
13 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
14 | # is default, and success when the mount is alternate
15 | - name: Check auth mount differing result
16 | register: response
17 | vault_test_auth:
18 |
19 | - assert:
20 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
21 | that:
22 | - ('ldap-sample-policy' in response.login.auth.policies) | bool == is_default_path
23 | - ('ldap-sample-policy' not in response.login.auth.policies) | bool != is_default_path
24 | - ('ldap-alt-sample-policy' in response.login.auth.policies) | bool != is_default_path
25 | - ('ldap-alt-sample-policy' not in response.login.auth.policies) | bool == is_default_path
26 |
27 | - name: Failure expected when something goes wrong (simulated)
28 | register: response
29 | vault_test_auth:
30 | username: fail-me-username
31 | want_exception: true
32 |
33 | - assert:
34 | fail_msg: "An invalid request somehow did not cause a failure."
35 | that:
36 | - response.inner is failed
37 | - "response.msg is search('ldap operation failed: failed to bind as user')"
38 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_aws_iam/tasks/aws_iam_test_target.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | is_default_path: "{{ this_path == default_path }}"
4 | module_defaults:
5 | vault_test_auth:
6 | url: '{{ ansible_hashi_vault_url }}'
7 | auth_method: '{{ ansible_hashi_vault_auth_method }}'
8 | mount_point: '{{ omit if is_default_path else this_path }}'
9 | aws_access_key: '{{ aws_access_key }}'
10 | aws_secret_key: '{{ aws_secret_key }}'
11 | role_id: not-important
12 | block:
13 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
14 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
15 | # is default, and success when the mount is alternate
16 | - name: Check auth mount differing result
17 | register: response
18 | vault_test_auth:
19 |
20 | - assert:
21 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
22 | that:
23 | - ('aws-sample-policy' in response.login.auth.policies) | bool == is_default_path
24 | - ('aws-sample-policy' not in response.login.auth.policies) | bool != is_default_path
25 | - ('aws-alt-sample-policy' in response.login.auth.policies) | bool != is_default_path
26 | - ('aws-alt-sample-policy' not in response.login.auth.policies) | bool == is_default_path
27 |
28 | - name: Failure expected when something goes wrong (simulated)
29 | register: response
30 | vault_test_auth:
31 | role_id: fail-me-role
32 | want_exception: true
33 |
34 | - assert:
35 | fail_msg: "An invalid request somehow did not cause a failure."
36 | that:
37 | - response.inner is failed
38 | - response.msg is search('')
39 |
--------------------------------------------------------------------------------
/tests/integration/targets/setup_localenv_gha/files/.output/vault_config/cert.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN CERTIFICATE-----
2 | MIIE4TCCAsmgAwIBAgIUIL77ChgfiJcegZViZh8TV9KviB8wDQYJKoZIhvcNAQEL
3 | BQAwEDEOMAwGA1UEAwwFdmF1bHQwHhcNMjEwNzAxMTgyNjIzWhcNMzEwNjI5MTgy
4 | NjIzWjAQMQ4wDAYDVQQDDAV2YXVsdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
5 | AgoCggIBAK1mI97qE0Pijd0vYrepaoZen/7yuayVslJ1uKzNQWCwHCpaAG9QuGof
6 | ym2N4UnCnBAmpcOH8N+xVzFR5oQVJwYLodfPeI8VDcHvN6Cj011Lb40o2fAbQz+v
7 | 2Xz4MOpEzRbCrSlMZa7M10+iiZJpU379Yqn6JDiCkwrq4dIBVUnp8Wg5ykV+qdUz
8 | ypB6jJF67WRisXqYp7hACL67FRlj/r8+76FSUg/oAo7g0rkrahWb+SvNMPWS1hS7
9 | Tk8Tjf6qb2ZO2Iwx0eEY2GNoziUzQu1xTkZQhbQt3vt8ZiWvddCRxCz5W1cfKWO/
10 | 0XQlMlqlW2RmfxEouMUqhQlH1NSYCKas12RFxxSaiPI2Idq2Kve2xDLwQuIOoCLD
11 | joqSQmyF88f9Jxb0l2sXXsro/YwmYJ+qwz81QW4BO5LzX7BHT7EuiV97m8kLuBzE
12 | 0pjat0XVJ9fzmfGYX89uiwnO/fb7jZubjQLus0cmZXHMB6wK0fo8bTXgi9TLXwbi
13 | wymDG+A+jlSShf7aE3vZtr6fRcacjwh6Y6DFbfxdVV9Vxzv1aHaMUYwtIu+d+uVC
14 | cTQbwou6B7hS0BUdXQKtM1mjPDAwcdgz//TLzk26tIsx69AXtOREKb9W1ffIbfGh
15 | B8nrdmI6+80tlc8KL6s+/cMLEMya3K2GZPloAw+CO00ihO7SGC6VAgMBAAGjMzAx
16 | MBAGA1UdEQQJMAeCBXZhdWx0MB0GA1UdDgQWBBRbYPX83fHK2QUTsWExMQESmS6B
17 | yTANBgkqhkiG9w0BAQsFAAOCAgEAc9slz9up7xd3bsr+q/kCoDt+w6rm/dc6ONSJ
18 | PITZAbuWtRBtCJStQuie5ZICnh1X0IajhczIFVcD9CjxOIxfxA7S49gL9vDHVpiJ
19 | K4nW0KR3Zviq2XwtHYAs99CZH63EUTVqz0nEuMu10H/0PCFPtTHcXFpgovCLRAGH
20 | HqnM7LVeM7a0g85Zt+HXuPJ2MThlEyIBy64MBPIczSiGDVx0cQwe1LJREkQJgB4F
21 | +3iAOPIsHAWkApFfx2cyq+L4sEd0EdxUFk1mw4sni/VFzK8wcd3L7gEgseKSk2Kz
22 | Z3JZiAXessjoa26JL0/KBSN6LTB3/pdn/dG7lz7DUr17PymbggRLVjdbSsbAFD9S
23 | BTGgt3kFjrXIeNAyqGodK673R5jACXjz0vuEePJh4Vk/ffl953bH8Xhs/BZyNXBC
24 | meOu/sU93MGPi0vqE+Jdjplvj5smLzOW9Y6HAAitDqHTQ0sNdZP2DdT6FkSLSzMx
25 | ErPFBePgxhQFXvQt8h11Gadox5vsm1Ca2nLGClKWRt458goFEWgmmDA+mOD2/sJ0
26 | eYdGfBgN/ZnTzD2y2z18Sd9H2Zb4HZbfpPvvFwR+5oYMqE72Rz3oj8APt2f/Eq5B
27 | WYNpi1fRCGPXhM2wNr2DKPKcoqbRcIVTxD/E0MATmxQRGtPaO/JbFcY5v37qcLWf
28 | Jb3iD/U=
29 | -----END CERTIFICATE-----
30 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/tasks/jwt_test_target.yml:
--------------------------------------------------------------------------------
1 | - name: "Test block"
2 | vars:
3 | jwt: '{{ lookup("file", "token.jwt") }}'
4 | jwt_invalid: '{{ lookup("file", "token_invalid.jwt") }}'
5 | is_default_path: "{{ this_path == default_path }}"
6 | module_defaults:
7 | vault_test_auth:
8 | url: '{{ ansible_hashi_vault_url }}'
9 | auth_method: '{{ ansible_hashi_vault_auth_method }}'
10 | role_id: test-role
11 | mount_point: '{{ omit if is_default_path else this_path }}'
12 | jwt: '{{ jwt }}'
13 | block:
14 | # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
15 | # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
16 | # is default, and success when the mount is alternate
17 | - name: Check auth mount differing result
18 | register: response
19 | vault_test_auth:
20 |
21 | - assert:
22 | fail_msg: "A token from mount path '{{ this_path }}' had the wrong policy: {{ response.login.auth.policies }}"
23 | that:
24 | - ('test-policy' in response.login.auth.policies) | bool == is_default_path
25 | - ('test-policy' not in response.login.auth.policies) | bool != is_default_path
26 | - ('alt-policy' in response.login.auth.policies) | bool != is_default_path
27 | - ('alt-policy' not in response.login.auth.policies) | bool == is_default_path
28 |
29 | - name: Failure expected when erroneous credentials are used
30 | register: response
31 | vault_test_auth:
32 | jwt: '{{ jwt_invalid }}'
33 | want_exception: true
34 |
35 | - assert:
36 | fail_msg: "An invalid JWT somehow did not cause a failure."
37 | that:
38 | - response.inner is failed
39 | - response.msg is search('no known key successfully validated the token signature')
40 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_jwt/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # task vars are not templated when used as vars, so we need to set_fact them to evaluate the template
3 | # see: https://github.com/ansible/ansible/issues/73268
4 | - name: Persist defaults
5 | set_fact:
6 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
7 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
8 | loop_control:
9 | label: '{{ item.key }}'
10 |
11 | - name: Configuration tasks
12 | module_defaults:
13 | vault_ci_enable_auth: '{{ vault_plugins_module_defaults_common }}'
14 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
15 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
16 | block:
17 | - name: Canary for JWT auth
18 | vault_ci_read:
19 | path: '{{ vault_jwt_canary.path }}'
20 | register: canary
21 |
22 | - name: Configure JWT
23 | when: canary.result is none
24 | loop: '{{ auth_paths }}'
25 | include_tasks:
26 | file: jwt_setup.yml
27 | apply:
28 | vars:
29 | default_path: '{{ ansible_hashi_vault_auth_method }}'
30 | this_path: '{{ item }}'
31 |
32 | - name: Write Canary
33 | when: canary.result is none
34 | vault_ci_write:
35 | path: '{{ vault_jwt_canary.path }}'
36 | data:
37 | value: '{{ vault_jwt_canary.value }}'
38 |
39 |
40 | - name: Run JWT tests (controller)
41 | loop: '{{ auth_paths }}'
42 | include_tasks:
43 | file: jwt_test_controller.yml
44 | apply: &test_apply
45 | vars:
46 | default_path: '{{ ansible_hashi_vault_auth_method }}'
47 | this_path: '{{ item }}'
48 | module_defaults:
49 | assert:
50 | quiet: true
51 |
52 | - name: Run JWT tests (target)
53 | loop: '{{ auth_paths }}'
54 | include_tasks:
55 | file: jwt_test_target.yml
56 | apply: *test_apply
57 |
--------------------------------------------------------------------------------
/.github/actions/docker-image-versions/action.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Get a list of docker image versions
3 | description: Gets a list of docker image versions (via tags), limited to a specified number of major, minor, and micro combinations.
4 | outputs:
5 | versions:
6 | description: JSON encoded list of versions.
7 | value: ${{ steps.versions.outputs.versions }}
8 | inputs:
9 | image:
10 | description: The docker image name.
11 | required: true
12 | num_major_versions:
13 | description: Number of unique major versions to return.
14 | required: false
15 | default: '1'
16 | num_minor_versions:
17 | description: Number of unique minor versions to return.
18 | required: false
19 | default: '1'
20 | num_micro_versions:
21 | description: Number of unique micro versions to return.
22 | required: false
23 | default: '1'
24 | include_prerelease:
25 | description: If 'true' then pre-release versions are included. Any value other than 'true' will be treated as false.
26 | required: false
27 | include_postrelease:
28 | description: If 'true' then post-release versions are included. Any value other than 'true' will be treated as false.
29 | required: false
30 | runs:
31 | using: composite
32 | steps:
33 | - name: Requirements
34 | shell: bash
35 | run: pip install -r "${{ github.action_path }}/requirements.txt"
36 |
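- shell: bash
  id: versions
  # free-form inputs are passed via the environment so that a crafted value
  # cannot break out of the quoting and run as part of the shell command
  env:
    IMAGE: ${{ inputs.image }}
    NUM_MAJOR_VERSIONS: ${{ inputs.num_major_versions }}
    NUM_MINOR_VERSIONS: ${{ inputs.num_minor_versions }}
    NUM_MICRO_VERSIONS: ${{ inputs.num_micro_versions }}
  run: >-
    python -u "${{ github.action_path }}/versions.py"
    --image "${IMAGE}"
    --num_major_versions "${NUM_MAJOR_VERSIONS}"
    --num_minor_versions "${NUM_MINOR_VERSIONS}"
    --num_micro_versions "${NUM_MICRO_VERSIONS}"
    ${{ inputs.include_prerelease == 'true' && '--include_prerelease' || '' }}
    ${{ inputs.include_postrelease == 'true' && '--include_postrelease' || '' }}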
47 |
--------------------------------------------------------------------------------
/tests/integration/targets/auth_userpass/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # task vars are not templated when used as vars, so we need to set_fact them to evaluate the template
3 | # see: https://github.com/ansible/ansible/issues/73268
4 | - name: Persist defaults
5 | set_fact:
6 | '{{ item.key }}': "{{ lookup('vars', item.key) }}"
7 | loop: "{{ lookup('file', role_path ~ '/defaults/main.yml') | from_yaml | dict2items }}"
8 | loop_control:
9 | label: '{{ item.key }}'
10 |
11 | - name: Configuration tasks
12 | module_defaults:
13 | vault_ci_enable_auth: '{{ vault_plugins_module_defaults_common }}'
14 | vault_ci_policy_put: '{{ vault_plugins_module_defaults_common }}'
15 | vault_ci_write: '{{ vault_plugins_module_defaults_common }}'
16 | vault_ci_read: '{{ vault_plugins_module_defaults_common }}'
17 | block:
18 | - name: Canary for userpass auth
19 | vault_ci_read:
20 | path: '{{ vault_userpass_canary.path }}'
21 | register: canary
22 |
23 | - name: Configure userpass
24 | when: canary.result is none
25 | loop: '{{ auth_paths }}'
26 | include_tasks:
27 | file: userpass_setup.yml
28 | apply:
29 | vars:
30 | default_path: '{{ ansible_hashi_vault_auth_method }}'
31 | this_path: '{{ item }}'
32 |
33 | - name: Write Canary
34 | when: canary.result is none
35 | vault_ci_write:
36 | path: '{{ vault_userpass_canary.path }}'
37 | data:
38 | value: '{{ vault_userpass_canary.value }}'
39 |
40 | - name: Run userpass tests
41 | loop: '{{ auth_paths | product(["target", "controller"]) | list }}'
42 | include_tasks:
43 | file: userpass_test_{{ item[1] }}.yml
44 | apply:
45 | vars:
46 | default_path: '{{ ansible_hashi_vault_auth_method }}'
47 | this_path: '{{ item[0] }}'
48 | module_defaults:
49 | assert:
50 | quiet: true
51 |
--------------------------------------------------------------------------------