From 0dfc4571d9b15d6c5851dcc4b3dd5cba5459a68a Mon Sep 17 00:00:00 2001 From: Brian Scholer <1260690+briantist@users.noreply.github.com> Date: Sun, 28 Aug 2022 15:50:04 -0400 Subject: [PATCH] update vault_token_create --- plugins/lookup/vault_token_create.py | 14 +++++++++++++- plugins/modules/vault_token_create.py | 15 ++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/plugins/lookup/vault_token_create.py b/plugins/lookup/vault_token_create.py index 9b19ae290..dfe1d2cba 100644 --- a/plugins/lookup/vault_token_create.py +++ b/plugins/lookup/vault_token_create.py @@ -30,6 +30,7 @@ - In check mode, this module will not create a token, and will instead return a basic structure with an empty token. However, this may not be useful if the token is required for follow on tasks. It may be better to use this module with I(check_mode=no) in order to have a valid token that can be used. + - Ephemeral tokens B(will not be revoked) when I(revoke_ephemeral_token=true) unless I(orphan=true), otherwise the child tokens would also be revoked. extends_documentation_fragment: - community.hashi_vault.connection - community.hashi_vault.connection.plugins @@ -166,6 +167,10 @@ def run(self, terms, variables=None, **kwargs): pass_thru_options = self._options_adapter.get_filled_options(*self.PASS_THRU_OPTION_NAMES) + orphan = self.get_option('orphan') + if orphan: + pass_thru_options['no_parent'] = True + orphan_options = pass_thru_options.copy() for key in pass_thru_options.keys(): @@ -174,7 +179,11 @@ def run(self, terms, variables=None, **kwargs): response = None - if self.get_option('orphan'): + revoke_token = {} + if orphan: + revoke_token['revoke_token'] = None + + if orphan: try: try: # this method was added in hvac 1.0.0 
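Review bot: The new DOCUMENTATION note in the lookup plugin reads backwards on first pass: "will not be revoked when revoke_ephemeral_token=true unless orphan=true, otherwise the child tokens would also be revoked" makes the reader work out which token is the child and why. Stating the cause before the effect would be clearer, e.g. `When I(orphan=false) the created token is a child of the ephemeral login token, so that login token is B(not revoked) even if I(revoke_ephemeral_token=true); revoking it would also revoke the token just created. Set I(orphan=true) to allow the ephemeral token to be revoked.` It is also worth saying explicitly that in the non-orphan case the ephemeral login token therefore stays valid until its TTL expires, since that is a credential-lifetime consequence the caller has to plan for.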
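Review bot: The `revoke_token` dict built just after `response = None` is opaque: `revoke_token['revoke_token'] = None` is set only when `orphan` is true, and what passing `None` versus passing nothing means depends on the default of `self.authenticator.logout`, which is not visible in this patch. A one-line comment above the dict would save the next reader a trip into the authenticator, e.g. `# a non-orphan token is a child of the ephemeral login token, so revoking that login token would cascade to it; only let logout revoke when the new token is an orphan`. If the intent is in fact "defer to the revoke_ephemeral_token option", passing the option value explicitly rather than `None` would make that independent of logout's default. The body of run() continues past the end of this hunk.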
@@ -185,11 +194,14 @@ def run(self, terms, variables=None, **kwargs): # See: https://github.com/hvac/hvac/issues/758 response = client.create_token(orphan=True, **orphan_options) except Exception as e: + self.authenticator.logout(client, **revoke_token) raise AnsibleError(e) else: try: response = client.auth.token.create(**pass_thru_options) except Exception as e: + self.authenticator.logout(client, **revoke_token) raise AnsibleError(e) + self.authenticator.logout(client, **revoke_token) return [response] diff --git a/plugins/modules/vault_token_create.py b/plugins/modules/vault_token_create.py index 4fd757b06..044d75494 100644 --- a/plugins/modules/vault_token_create.py +++ b/plugins/modules/vault_token_create.py @@ -38,6 +38,7 @@ - In check mode, this module will not create a token, and will instead return a basic structure with an empty token. However, this may not be useful if the token is required for follow on tasks. It may be better to use this module with I(check_mode=no) in order to have a valid token that can be used. + - Ephemeral tokens B(will not be revoked) when I(revoke_ephemeral_token=true) unless I(orphan=true), otherwise the child tokens would also be revoked. options: {} """ 
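Review bot: `self.authenticator.logout(client, **revoke_token)` is now duplicated on all three exits of the create block (both `except Exception` handlers and the success path after the `if`/`else`), and because the handlers catch `Exception` only, an interrupt or SystemExit still leaves the ephemeral token un-revoked. A `try`/`finally` around the `if orphan:`/`else` with the single logout call in `finally` covers every exit with one line and keeps the `raise AnsibleError(e)` conversions as they are. One caveat to keep in mind either way: if logout itself raises inside the handler (or inside `finally`), the creation error is replaced by the logout error, so the logout there should be treated as best-effort. The `if orphan:` branch and its nested hvac fallback start before this hunk, so the outer `try` would need to open there.
```python
        try:
            if orphan:
                # … unchanged: create_orphan / create_token(orphan=True) fallback,
                #   raising AnsibleError(e) on failure …
            else:
                try:
                    response = client.auth.token.create(**pass_thru_options)
                except Exception as e:
                    raise AnsibleError(e)
        finally:
            # single exit point: runs on success, on AnsibleError and on BaseException
            self.authenticator.logout(client, **revoke_token)

        return [response]
```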
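Review bot: The DOCUMENTATION note added to the module has the same hard-to-parse phrasing as its lookup counterpart: the reader has to infer that "the child tokens" means the token this module just created. Leading with the cause reads better, e.g. `When I(orphan=false) the created token is a child of the ephemeral login token, so that login token is B(not revoked) even if I(revoke_ephemeral_token=true); revoking it would also revoke the token just created. Set I(orphan=true) to allow the ephemeral token to be revoked.` Mentioning that the un-revoked ephemeral token then lives until its TTL would also help operators reason about the extra live credential.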
@@ -175,20 +176,29 @@ def run_module(): pass_thru_options = module.adapter.get_filled_options(*PASS_THRU_OPTION_NAMES) + orphan = module.adapter.get_option('orphan') + if orphan: + pass_thru_options['no_parent'] = True + orphan_options = pass_thru_options.copy() for key in pass_thru_options.keys(): if key in ORPHAN_OPTION_TRANSLATION: orphan_options[ORPHAN_OPTION_TRANSLATION[key]] = orphan_options.pop(key) + revoke_token = {} + if orphan: + revoke_token['revoke_token'] = None + # token creation is a write operation, using storage and resources changed = True response = None if module.check_mode: + module.authenticator.logout(client, **revoke_token) module.exit_json(changed=changed, login={'auth': {'client_token': None}}) - if module.adapter.get_option('orphan'): + if orphan: try: try: # this method was added in hvac 1.0.0 @@ -199,13 +209,16 @@ def run_module(): # See: https://github.com/hvac/hvac/issues/758 response = client.create_token(orphan=True, **orphan_options) except Exception as e: + module.authenticator.logout(client, **revoke_token) module.fail_json(msg=to_native(e), exception=traceback.format_exc()) else: try: response = client.auth.token.create(**pass_thru_options) except Exception as e: + module.authenticator.logout(client, **revoke_token) module.fail_json(msg=to_native(e), exception=traceback.format_exc()) + module.authenticator.logout(client, **revoke_token) module.exit_json(changed=changed, login=response)
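Review bot: In the `if module.check_mode:` branch no token is created, so there is no child token that a revocation of the ephemeral login token could cascade to, yet the logout there still uses the `orphan`-conditioned `revoke_token` dict. If `revoke_token=None` indeed means "honor the revoke_ephemeral_token option" (inferred; `logout` is not in this patch), the check-mode exit could pass it unconditionally, `module.authenticator.logout(client, revoke_token=None)`, so a dry run does not leave the ephemeral token alive for no reason; please confirm against the authenticator before changing it. Either way a short comment on the `revoke_token` dict explaining the cascade concern would make the `orphan` coupling self-evident. run_module() starts before this hunk.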
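Review bot: `module.authenticator.logout(client, **revoke_token)` is repeated before each `fail_json` and again before the final `exit_json`, and since the handlers catch `Exception` only, an interrupt between login and these lines skips the logout entirely. A `try`/`finally` around the `if orphan:`/`else` block with one logout in `finally` collapses the three calls and covers every exit; the existing `fail_json` calls can stay inside the handlers. Note that `fail_json`/`exit_json` raise SystemExit after writing the result, so with this shape the logout for the failure paths runs after the JSON has been emitted and any error it raises would not be reported cleanly, which is why it should remain best-effort. The enclosing run_module() and the `if orphan:` branch's first hvac attempt start before this hunk.
```python
    try:
        if orphan:
            # … unchanged: create_orphan / create_token(orphan=True) fallback,
            #   calling module.fail_json(...) on failure …
        else:
            try:
                response = client.auth.token.create(**pass_thru_options)
            except Exception as e:
                module.fail_json(msg=to_native(e), exception=traceback.format_exc())
    finally:
        # single exit point; best-effort, runs after fail_json/exit_json have written their result
        module.authenticator.logout(client, **revoke_token)

    module.exit_json(changed=changed, login=response)
```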