Add vault_kv2_delete module #304
Adds vault_kv2_delete module
Adds vault_kv2_delete unit tests
Docs Build 📝 Thank you for contribution! ✨ This PR has been merged and the docs are now incorporated into
Thank you @idwagner ! This is a great start :)
```python
try:
    raw = client.secrets.kv.v2.delete_latest_version_of_secret(path=path, mount_point=engine_mount_point)
except hvac.exceptions.Forbidden as e:
```
You may want to check for some more exceptions, depending on what hvac might raise/handle (best to check the source there to get an idea what to handle here).
Looks like hvac does not do any error handling for this. I also peeked at the Vault source, and it doesn't do anything special in the delete itself, just passing through any errors it gets such as any errors updating the metadata. If there's anything else you can think of, I'd be happy to add it.
- Set default engine path to secret
- Add initial documentation
@briantist a few questions: Is there any convention for adding policies to the integration tests by path or key? Should I create a policy on a new kv path for these tests rather than modifying an existing path permission? Also, I'm thinking maybe I should rename
Yes, have a look at this file for the tasks, and this file for the policy definitions.
Feel it out and see what makes sense. A new path is probably the way to go, where the "setup" parts of the integration tests would create the secret(s) to be deleted in the tests. Also have a look at the test plugins, in case a new one needs to be added there for any reason (for example for creating/deleting the secrets).
I think I'm still leaning toward a single
I don't think we really ever settled on going either way, that's probably my fault for venturing ahead :) I am fine implementing a single kv2_delete and adding an optional version parameter.
- Adds versions as list[int]. Hvac call will vary based on whether versions is defined or not
- Updated unit tests to check correct function call.
- Fixes some docs
Codecov Report
| Coverage Diff | main | #304 | +/- |
|---|---|---|---|
| Coverage | 98.52% | 98.72% | +0.19% |
| Files | 73 | 75 | +2 |
| Lines | 3602 | 3854 | +252 |
| Branches | 321 | 252 | -69 |
| Hits | 3549 | 3805 | +256 |
| Misses | 44 | 40 | -4 |
| Partials | 9 | 9 | |
@briantist I believe this is about ready with the integration tests in place. Two of the tests failed with errors that lead me to believe they are re-using a vault session from a previous test? I set up some seed data in
Ah! I'm sorry you hit that error, but I am happy to see that those tests are failing in exactly the right situation they were designed to!
They are doing that, intentionally. The key is that I want the tests to be able to run against a local instance of Vault that doesn't need setup on every single run, because it speeds up local iteration. So in your case, the problem is that after you create those secret versions and delete some of them, those versions do not exist again. And if you tried to insert new versions, they would not "fill in" those missing ones either; they would continue adding new versions to the end (versions 6, 7, 8, etc.). For a test like this, instead of setting up that secret in the "test-wide" re-usable secrets, you should set it up in
It should be removed from the general vault configure target.
- Adds integration tests for module_vault_kv2_delete module.
- Adds vault_ci_kv2_metadata_read for reading kv2 metadata in ci tests.
Moves the setup for vault_kv2_delete into a test specific setup instead of the general setup.
It looks like the change corrected one of the tests, but other timed out. Can that test be re-run without a push?
See the comment about check mode.
The rest are mostly small changes.
In case you haven't seen it before, you can commit multiple suggestions from review at once, if you view the comments in the Files tab. Then, there will be an option to add to batch, and then you can commit the batch at once.
```python
module = HashiVaultModule(
    argument_spec=argspec,
    supports_check_mode=True
```
At the moment, the module does not account for check mode, and so with this set to `True`, check mode would delete secrets 😱

One issue currently (same reason status is always `changed`) is that without checking the current status of the secret, check mode has nothing to do but return `changed`.
I'm mulling over the idea of using metadata reads to get current versions status/secret existence to be able to solve both of those, but their use should be optional (a client may have permission to delete but not to hit those other endpoints).
I'll look at this again tomorrow and think about whether that makes sense at all, and if so whether it should be in this PR or a follow-up.
The first thing we should do is add an integration test and unit test (example) for check mode before making any additional changes, and those tests should fail right now.
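As an added illustration of the check-mode concern above and of the versions-dependent hvac call described in the earlier commit note (example code, not the collection's vault_kv2_delete module): `run_delete`, `FakeKvV2` and the `Forbidden` stand-in are constructed for this example so it runs offline, while `delete_latest_version_of_secret` and `delete_secret_versions` are hvac's real KvV2 method names.

```python
# Added example, not the collection's module code: a check-mode-aware delete
# routine in the shape of vault_kv2_delete, exercised against a constructed fake
# hvac client. Only the hvac method names are real; everything else is
# constructed for this example.


class Forbidden(Exception):
    """Stands in for hvac.exceptions.Forbidden (constructed for the example)."""


class FakeKvV2:
    """Records calls instead of talking to Vault; optionally raises Forbidden."""

    def __init__(self, forbid=False):
        self.calls = []
        self.forbid = forbid

    def delete_latest_version_of_secret(self, path, mount_point="secret"):
        if self.forbid:
            raise Forbidden("permission denied")
        self.calls.append(("delete_latest_version_of_secret", path, None, mount_point))
        return {}

    def delete_secret_versions(self, path, versions, mount_point="secret"):
        if self.forbid:
            raise Forbidden("permission denied")
        self.calls.append(("delete_secret_versions", path, list(versions), mount_point))
        return {}


def run_delete(kv2, path, engine_mount_point="secret", versions=None, check_mode=False):
    """Mirror the behaviour agreed in the PR: in check mode skip the hvac call
    entirely and report changed with an empty result; otherwise choose the hvac
    method by whether `versions` was supplied. Returns (result, failure_message)."""
    if check_mode:
        return {"changed": True, "data": {}}, None
    try:
        if versions is None:
            raw = kv2.delete_latest_version_of_secret(path=path, mount_point=engine_mount_point)
        else:
            raw = kv2.delete_secret_versions(path=path, versions=versions, mount_point=engine_mount_point)
    except Forbidden as e:
        # The real module would call module.fail_json here; we return the message instead.
        return None, "Forbidden: Permission denied to path ['%s']: %s" % (path, e)
    return {"changed": True, "data": raw}, None
```

The `calls` list is what a unit test like the PR's would assert on: check mode must leave it empty, and the method recorded must match whether `versions` was given.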
Thank you, I think for now the empty result with no Vault connection is fine.
The unit tests are great! Please also add an integration test for check mode; it should be easy, just checking that the result is `changed` and that the deletion did not happen.
Even though the unit test covers this a little more thoroughly, it's always good to have it covered by integration too just to have the code actually invoked by ansible.
tests/integration/targets/module_vault_kv2_delete/tasks/module_vault_kv2_delete_setup.yml
Co-authored-by: Brian Scholer <[email protected]>
Updates vault_kv2_delete module and tests for check mode. Vault_kv2_delete will skip the hvac call on check mode and return an empty dictionary.
tests/integration/targets/module_vault_kv2_delete/tasks/module_vault_kv2_delete_test.yml
Co-authored-by: Brian Scholer <[email protected]>
There is one more thing I forgot (#252 🤦): please add this module to the action group:
…_vault_kv2_delete_test.yml Co-authored-by: Brian Scholer <[email protected]>
Updated integration test to fix invalid yaml anchors
@idwagner thanks so much for this contribution! It's now released in version 3.4.0! 🥳
SUMMARY
Implementation of vault_kv2_delete module (hvac delete_latest_version_of_secret)
Fixes #300
ISSUE TYPE
COMPONENT NAME
vault_kv2_delete
ADDITIONAL INFORMATION
This implements the delete latest version functionality of a KV v2 secret in Vault. This is a WIP and is missing: