Skip to content

Commit

Permalink
update vault_token_create
Browse files Browse the repository at this point in the history
  • Loading branch information
briantist authored and horazont committed Sep 27, 2022
1 parent 8d9221f commit 0dfc457
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 2 deletions.
14 changes: 13 additions & 1 deletion plugins/lookup/vault_token_create.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
- In check mode, this module will not create a token, and will instead return a basic structure with an empty token.
However, this may not be useful if the token is required for follow on tasks.
It may be better to use this module with I(check_mode=no) in order to have a valid token that can be used.
- Ephemeral tokens B(will not be revoked) when I(revoke_ephemeral_token=true) unless I(orphan=true), otherwise the child tokens would also be revoked.
extends_documentation_fragment:
- community.hashi_vault.connection
- community.hashi_vault.connection.plugins
Expand Down Expand Up @@ -166,6 +167,10 @@ def run(self, terms, variables=None, **kwargs):

pass_thru_options = self._options_adapter.get_filled_options(*self.PASS_THRU_OPTION_NAMES)

orphan = self.get_option('orphan')
if orphan:
pass_thru_options['no_parent'] = True

orphan_options = pass_thru_options.copy()

for key in pass_thru_options.keys():
Expand All @@ -174,7 +179,11 @@ def run(self, terms, variables=None, **kwargs):

response = None

if self.get_option('orphan'):
revoke_token = {}
if orphan:
revoke_token['revoke_token'] = None

if orphan:
try:
try:
# this method was added in hvac 1.0.0
Expand All @@ -185,11 +194,14 @@ def run(self, terms, variables=None, **kwargs):
# See: https://github.com/hvac/hvac/issues/758
response = client.create_token(orphan=True, **orphan_options)
except Exception as e:
self.authenticator.logout(client, **revoke_token)
raise AnsibleError(e)
else:
try:
response = client.auth.token.create(**pass_thru_options)
except Exception as e:
self.authenticator.logout(client, **revoke_token)
raise AnsibleError(e)

self.authenticator.logout(client, **revoke_token)
return [response]
15 changes: 14 additions & 1 deletion plugins/modules/vault_token_create.py
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
- In check mode, this module will not create a token, and will instead return a basic structure with an empty token.
However, this may not be useful if the token is required for follow on tasks.
It may be better to use this module with I(check_mode=no) in order to have a valid token that can be used.
- Ephemeral tokens B(will not be revoked) when I(revoke_ephemeral_token=true) unless I(orphan=true), otherwise the child tokens would also be revoked.
options: {}
"""

Expand Down Expand Up @@ -175,20 +176,29 @@ def run_module():

pass_thru_options = module.adapter.get_filled_options(*PASS_THRU_OPTION_NAMES)

orphan = module.adapter.get_option('orphan')
if orphan:
pass_thru_options['no_parent'] = True

orphan_options = pass_thru_options.copy()

for key in pass_thru_options.keys():
if key in ORPHAN_OPTION_TRANSLATION:
orphan_options[ORPHAN_OPTION_TRANSLATION[key]] = orphan_options.pop(key)

revoke_token = {}
if orphan:
revoke_token['revoke_token'] = None

# token creation is a write operation, using storage and resources
changed = True
response = None

if module.check_mode:
module.authenticator.logout(client, **revoke_token)
module.exit_json(changed=changed, login={'auth': {'client_token': None}})

if module.adapter.get_option('orphan'):
if orphan:
try:
try:
# this method was added in hvac 1.0.0
Expand All @@ -199,13 +209,16 @@ def run_module():
# See: https://github.com/hvac/hvac/issues/758
response = client.create_token(orphan=True, **orphan_options)
except Exception as e:
module.authenticator.logout(client, **revoke_token)
module.fail_json(msg=to_native(e), exception=traceback.format_exc())
else:
try:
response = client.auth.token.create(**pass_thru_options)
except Exception as e:
module.authenticator.logout(client, **revoke_token)
module.fail_json(msg=to_native(e), exception=traceback.format_exc())

module.authenticator.logout(client, **revoke_token)
module.exit_json(changed=changed, login=response)


Expand Down

0 comments on commit 0dfc457

Please sign in to comment.