aws_secrets.py: add on_missing and on_denied option #122

Merged
merged 16 commits into from
Nov 20, 2020
Conversation

@rene1977 (Contributor) commented Aug 4, 2020

SUMMARY

Add "on_missing" and "on_denied" options for the aws_secret lookup.
These options control how to handle a nonexistent secret (ResourceNotFoundException) or missing access rights (AccessDeniedException). The option naming is based on the "config" lookup.

In some places we use AWS secrets optionally, when they are configured or the running user has access to them. With the generic lookup error control we cannot differentiate between such a state and a regular error.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

aws_secret

ADDITIONAL INFORMATION

The options "on_missing" and "on_denied" can be set to:

  • 'error' - return a fatal error (default, old behavior)
  • 'warn' - return empty list and print a warning
  • 'skip' - return empty list

playbook:

---
- name: test read a secret
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    aws_access_key: <aws_access_key>
    aws_secret_key: <aws_secret_key>
  tasks:
    - name: secret successful
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_test',region='eu-west-1',aws_access_key=aws_access_key,aws_secret_key=aws_secret_key) }}"
    - name: secret not found error
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_not_exist',region='eu-west-1',aws_access_key=aws_access_key,aws_secret_key=aws_secret_key) }}"
      ignore_errors: true
    - name: secret denied error
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_test',region='eu-west-1') }}"
      ignore_errors: true
    - name: secret not found warning
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_not_exist',region='eu-west-1',aws_access_key=aws_access_key,aws_secret_key=aws_secret_key,on_missing='warn') }}"
    - name: secret denied warning
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_test',region='eu-west-1',on_denied='warn') }}"
    - name: secret not found skipped
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_not_exist',region='eu-west-1',aws_access_key=aws_access_key,aws_secret_key=aws_secret_key,on_missing='skip') }}"
    - name: secret denied skipped
      debug:
        var: bla
      vars:
        bla: "{{ lookup('amazon.aws.aws_secret','secret_test',region='eu-west-1',on_denied='skip') }}"

output:

PLAY [test read a secret] ********************************************************************************************************************

TASK [secret successful] *********************************************************************************************************************
ok: [localhost] => {
    "bla": {
        "secret_test": "secret_test_value"
    }
}

TASK [secret not found error] ****************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while templating '{{ lookup('amazon.aws.aws_secret','secret_not_exist',region='eu-west-1',aws_access_key=aws_access_key,aws_secret_key=aws_secret_key) }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'amazon.aws.aws_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed to retrieve secret: An error occurred (ResourceNotFoundException) when calling the GetSecretValue operation: Secrets Manager can't find the specified secret."}
...ignoring

TASK [secret denied error] *******************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while templating '{{ lookup('amazon.aws.aws_secret','secret_test',region='eu-west-1') }}'. Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while running the lookup plugin 'amazon.aws.aws_secret'. Error was a <class 'ansible.errors.AnsibleError'>, original message: Failed to retrieve secret: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::963812274078:assumed-role/AnsibleBTServiceZoneStandard/i-0d041a344eb853269 is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:963812274078:secret:secret_test-u3hpk5"}
...ignoring

TASK [secret not found warning] **************************************************************************************************************
[WARNING]: Skipping, did not find secret secret_not_exist
ok: [localhost] => {
    "bla": []
}

TASK [secret denied warning] *****************************************************************************************************************
[WARNING]: Skipping, access denied for secret secret_test
ok: [localhost] => {
    "bla": []
}

TASK [secret not found skipped] **************************************************************************************************************
ok: [localhost] => {
    "bla": []
}

TASK [secret denied skipped] *****************************************************************************************************************
ok: [localhost] => {
    "bla": []
}

PLAY RECAP ***********************************************************************************************************************************
localhost                  : ok=7    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=2
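Added example, not code from this PR or the amazon.aws collection: a self-contained Python model of the on_missing/on_denied semantics described above. The in-memory client (FakeSecretsManager), the FakeClientError stand-in for botocore's ClientError, and the names lookup_secret and SecretLookupError are all assumptions made for the example. It also exercises the caveats a practitioner will want to confirm before relying on the options: only ResourceNotFoundException and AccessDeniedException are affected, any other AWS error (throttling, expired credentials) still fails the task, and on_missing does not cover a denied secret nor on_denied a missing one.

```python
"""Added example (not the amazon.aws plugin's own code) modelling the
on_missing / on_denied handling added to the aws_secret lookup.

Assumptions: FakeClientError mimics botocore.exceptions.ClientError only in
exposing exc.response['Error']['Code']; FakeSecretsManager is a constructed
in-memory replacement for the boto3 Secrets Manager client; lookup_secret and
SecretLookupError are hypothetical names.
"""
from typing import Callable, Dict, List, Optional

VALID_ACTIONS = ("error", "warn", "skip")


class SecretLookupError(Exception):
    """Stand-in for ansible.errors.AnsibleError (assumed name)."""


class FakeClientError(Exception):
    """Minimal stand-in for botocore's ClientError: the AWS error code is
    reachable as exc.response['Error']['Code'], as with the real class."""

    def __init__(self, code: str, message: str, operation: str = "GetSecretValue"):
        super().__init__(
            f"An error occurred ({code}) when calling the {operation} operation: {message}"
        )
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeSecretsManager:
    """Constructed in-memory Secrets Manager: `secrets` are readable,
    names in `denied` raise AccessDeniedException, and `broken` maps a name
    to some other AWS error code (throttling, expired token, ...)."""

    def __init__(self, secrets: Dict[str, str], denied: Optional[set] = None,
                 broken: Optional[Dict[str, str]] = None):
        self._secrets = secrets
        self._denied = denied or set()
        self._broken = broken or {}

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId in self._broken:
            raise FakeClientError(self._broken[SecretId], "simulated non-access error")
        if SecretId in self._denied:
            raise FakeClientError(
                "AccessDeniedException",
                f"not authorized to perform: secretsmanager:GetSecretValue on resource: {SecretId}",
            )
        if SecretId not in self._secrets:
            raise FakeClientError("ResourceNotFoundException",
                                  "Secrets Manager can't find the specified secret.")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


def lookup_secret(client, name: str, on_missing: str = "error", on_denied: str = "error",
                  warn: Callable[[str], None] = print) -> List[str]:
    """Return [secret_string] on success.

    ResourceNotFoundException is governed by on_missing and
    AccessDeniedException by on_denied: 'error' raises (the pre-PR behaviour),
    'warn' calls warn() and returns [], 'skip' returns [] silently. Every other
    AWS error raises regardless of the options, so a throttled or
    mis-credentialed run is never mistaken for "this secret is optional".
    """
    for opt, value in (("on_missing", on_missing), ("on_denied", on_denied)):
        if value not in VALID_ACTIONS:
            raise SecretLookupError(f'"{opt}" must be one of {VALID_ACTIONS}, got {value!r}')
    try:
        response = client.get_secret_value(SecretId=name)
    except FakeClientError as exc:
        code = exc.response["Error"]["Code"]
        if code == "ResourceNotFoundException":
            action, msg = on_missing, f"Skipping, did not find secret {name}"
        elif code == "AccessDeniedException":
            action, msg = on_denied, f"Skipping, access denied for secret {name}"
        else:
            # Not one of the two "optional secret" conditions: always fatal.
            raise SecretLookupError(f"Failed to retrieve secret: {exc}") from exc
        if action == "error":
            raise SecretLookupError(f"Failed to retrieve secret: {exc}") from exc
        if action == "warn":
            warn(msg)
        return []
    return [response["SecretString"]]


if __name__ == "__main__":
    client = FakeSecretsManager({"secret_test": "secret_test_value"}, denied={"secret_denied"})
    print(lookup_secret(client, "secret_test"))
    print(lookup_secret(client, "secret_not_exist", on_missing="warn"))
    print(lookup_secret(client, "secret_denied", on_denied="skip"))
```

The empty list returned for 'warn' and 'skip' matches the `"bla": []` seen in the playbook output above; a consumer that does `lookup(...) | first` or indexes the result must therefore guard against the empty case rather than assume a value is always present.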

@ansibullbot added the labels affects_2.10, community_review, feature (This issue/PR relates to a feature request), lookup (lookup plugin), needs_triage, new_contributor (Help guide this first time contributor), plugins (plugin (any type)) and stale_ci (CI is older than 7 days, rerun before merging) on Aug 27, 2020
@jillr jillr removed the stale_ci CI is older than 7 days, rerun before merging label Aug 28, 2020
@jillr (Collaborator) left a comment

Thanks for this change, the code looks good but could you please add unit tests to tests/unit/plugins/lookup/test_aws_secret.py to cover these new options?

@rene1977 (Contributor, Author)

@jillr

Yes, I will add some unit tests.

@rene1977 (Contributor, Author)

/rebuild

@rene1977 rene1977 closed this Nov 19, 2020
@rene1977 rene1977 reopened this Nov 19, 2020
@tremble (Contributor) left a review with inline comments: seven on plugins/lookup/aws_secret.py (all marked outdated and resolved) and one on tests/unit/plugins/lookup/test_aws_secret.py (resolved).
@tremble (Contributor) left a comment

Assuming the tests pass, LGTM

@rene1977 rene1977 closed this Nov 19, 2020
@rene1977 rene1977 reopened this Nov 19, 2020
Two further inline comments on plugins/lookup/aws_secret.py (outdated, resolved).
@rene1977 rene1977 closed this Nov 20, 2020
@rene1977 rene1977 reopened this Nov 20, 2020
@tremble tremble merged commit 50c4d5f into ansible-collections:main Nov 20, 2020
@tremble (Contributor) commented Nov 20, 2020

Thank you for your contribution.

@rene1977 rene1977 deleted the aws_secrets branch November 20, 2020 10:35
alinabuzachis pushed a commit to alinabuzachis/amazon.aws that referenced this pull request Sep 9, 2022
The add_docs script uses a new rst filename, which was missed in ansible-collections#116.
So there's a bunch of duplicated docs files which should be cleaned up.

This commit was initially merged in https://github.com/ansible-collections/community.aws
See: ansible-collections/community.aws@1a1be5f
abikouo pushed a commit to abikouo/amazon.aws that referenced this pull request Oct 24, 2023
The add_docs script uses a new rst filename, which was missed in ansible-collections#116.
So there's a bunch of duplicated docs files which should be cleaned up.