community.hashi_vault.vault_ansible_settings (6.2.0) — lookup

Returns plugin settings (options)

Added in version 2.5.0 of community.hashi_vault

Authors: Brian Scholer (@briantist)

Install collection

Install with ansible-galaxy collection install community.hashi_vault:==6.2.0


Add to requirements.yml

  collections:
    - name: community.hashi_vault
      version: 6.2.0

Description

Returns a dictionary of options and their values for a given plugin.

This is most useful for using plugin settings in modules and C(module_defaults), especially when common settings are set in C(ansible.cfg), in Ansible vars, or via environment variables on the controller.

Options can be filtered by name, and can include or exclude defaults, unset options, and private options.

Usage examples

### In these examples, we assume an ansible.cfg like this:
# [hashi_vault_collection]
# url = https://config-based-vault.example.com
# retries = 5
### end ansible.cfg

### We assume some environment variables set as well
# ANSIBLE_HASHI_VAULT_URL: https://env-based-vault.example.com
# ANSIBLE_HASHI_VAULT_TOKEN: s.123456789
### end environment variables

# playbook - ansible-core 2.12 and higher
## set defaults for the collection group
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: token
  module_defaults:
    group/community.hashi_vault.vault: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  tasks:
    - name: Get a secret from the remote host with settings from the controller
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
######

# playbook - ansible any version
## set defaults for a specific module
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: token
  module_defaults:
    community.hashi_vault.vault_kv2_get: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  tasks:
    - name: Get a secret from the remote host with settings from the controller
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
######

# playbook - ansible any version
## set defaults for several modules
## do not use controller's auth
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: aws_iam
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', '*', '!*token*') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
    community.hashi_vault.vault_kv1_get: '{{ settings }}'
  tasks:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

    - name: Same with kv1
      community.hashi_vault.vault_kv1_get:
        path: app/some/secret
######

# playbook - ansible any version
## set defaults for several modules
## do not use controller's auth
## override returned settings
- hosts: all
  vars:
    ansible_hashi_vault_auth_method: userpass
    plugin_settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', '*', '!*token*') }}"
    overrides:
      auth_method: aws_iam
      retries: '{{ (plugin_settings.retries | int) + 2 }}'
    settings: >-
      {{
        plugin_settings
        | combine(overrides)
      }}
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
    community.hashi_vault.vault_kv1_get: '{{ settings }}'
  tasks:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

    - name: Same with kv1
      community.hashi_vault.vault_kv1_get:
        path: app/some/secret
######

# using a block is similar
- name: Settings
  vars:
    ansible_hashi_vault_auth_method: aws_iam
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', '*', '!*token*') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
    community.hashi_vault.vault_kv1_get: '{{ settings }}'
  block:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

    - name: Same with kv1
      community.hashi_vault.vault_kv1_get:
        path: app/some/secret
#####

# use settings from a different plugin
## when you need settings that are not in the default plugin (vault_login)
- name: Settings
  vars:
    ansible_hashi_vault_engine_mount_point: dept-secrets
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', plugin='community.hashi_vault.vault_kv2_get') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
  block:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret
#####

# use settings from a different plugin (on an individual call)
## short names assume community.hashi_vault
- name: Settings
  vars:
    ansible_hashi_vault_engine_mount_point: dept-secrets
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
  block:
    - name: Get a secret from the remote host with some settings from the controller, auth from remote
      community.hashi_vault.vault_kv2_get:
        # the lookup returns a dict, so select the one key wanted for this option
        engine_mount_point: "{{ lookup('community.hashi_vault.vault_ansible_settings', 'engine_mount_point', plugin='vault_kv2_get').engine_mount_point }}"
        path: app/some/secret
#####

# normally, options with default values are not returned, but can be
- name: Settings
  vars:
    settings: "{{ lookup('community.hashi_vault.vault_ansible_settings') }}"
  module_defaults:
    # we usually want to use the remote host's IAM auth
    community.hashi_vault.vault_kv2_get: >-
      {{
        settings
        | combine({'auth_method': 'aws_iam'})
      }}
  block:
    - name: Use the plugin auth method instead, even if it is the default method
      community.hashi_vault.vault_kv2_get:
        # the lookup returns a dict even for a single term; pick the key out of it
        auth_method: "{{ lookup('community.hashi_vault.vault_ansible_settings', 'auth_method', include_default=True).auth_method }}"
        path: app/some/secret
#####

# normally, options with None/null values are not returned,
# nor are private options (names begin with underscore _),
# but they can be returned too if desired
- name: Show all plugin settings
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.vault_ansible_settings', include_none=True, include_private=True, include_default=True) }}"
#####

# dealing with low-precedence env vars and token sink loading
## VAULT_ADDR is a low-precedence fallback that the plugins read themselves after their options are loaded;
## it is not part of Ansible's option resolution, so vault_ansible_settings never sees it.
## likewise, a token obtained with the CLI `vault login` before running Ansible lives in the token sink file
## (token_file under token_path), which the token auth method reads at login time, so it is not returned as `token` either.
## both are reconstructed below and merged into the settings that are then passed to module_defaults.
- hosts: all
  vars:
    plugin_settings: "{{ lookup('community.hashi_vault.vault_ansible_settings', 'url', 'token*', include_default=True) }}"
    overrides:
      url: "{{ plugin_settings.url | default(lookup('ansible.builtin.env', 'VAULT_ADDR')) }}"
      token: >-
        {{
          plugin_settings.token
          | default(
            lookup(
              'ansible.builtin.file',
              (
                plugin_settings.token_path | default(lookup('ansible.builtin.env', 'HOME')),
                plugin_settings.token_file
              ) | path_join
            )
          )
        }}
      auth_method: token
    settings: >-
      {{
        plugin_settings
        | combine(overrides)
      }}
  module_defaults:
    community.hashi_vault.vault_kv2_get: '{{ settings }}'
  tasks:
    - name: Get a secret from the remote host with settings from the controller
      community.hashi_vault.vault_kv2_get:
        path: app/some/secret

Inputs

_terms:
    default:
    - '*'
    description:
    - The names of the options to load.
    - Supports C(fnmatch)-style wildcards (https://docs.python.org/3/library/fnmatch.html).
    - Prepend any name or pattern with C(!) to invert the match.
    elements: str
    required: false
    type: list

plugin:
    default: community.hashi_vault.vault_login
    description:
    - The name of the plugin whose options will be returned.
    - Only lookups are supported.
    - Short names (without a dot C(.)) will be fully qualified with C(community.hashi_vault).
    type: str

include_none:
    default: false
    description: Include options whose value is C(None) (this usually means they are unset).
    type: bool

include_default:
    default: false
    description: Include options whose value comes from a default.
    type: bool

include_private:
    default: false
    description: Include options that begin with underscore C(_).
    type: bool

Outputs

_raw:
  description:
  - A dictionary of the options and their values.
  - Only a single dictionary will be returned, even with multiple terms.
  sample:
    retries: 5
    timeout: 20
    token: s.jRHAoqElnJDx6J5ExYelCDYR
    url: https://vault.example.com
  type: dict
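The filtering rules in the Inputs section (C(fnmatch) terms, C(!) inversion, the three include_* flags) and the single-dictionary output described under Outputs can be checked offline with the following Python model. This is an added illustration written for this page, not the plugin's source code: it re-creates the documented behaviour over a constructed set of options (the ansible.cfg, environment and vars from the examples above, plus an assumed option list including a stand-in private option `_private_opt`), resolving each option with the precedence vars > env > ini > default that Ansible applies to plugin options. The security point it makes concrete is that everything the lookup returns and you place in module_defaults becomes module arguments for the remote host, so the `'!*token*'` term is what keeps the controller's token off the target.

```python
"""Offline model of the documented vault_ansible_settings filtering.

Added example, not the plugin's own code. Option definitions, defaults and
the term-matching rule below are assumptions made to illustrate the
documented options; only the behaviour described on this page is modelled.
"""
from fnmatch import fnmatch

# Constructed sample mirroring the ansible.cfg, environment and vars used in
# the examples on this page. Values are shown already coerced to their type.
INI = {"url": "https://config-based-vault.example.com", "retries": 5}
ENV = {"url": "https://env-based-vault.example.com", "token": "s.123456789"}
VARS = {"auth_method": "token"}

# Assumed option definitions: name -> default value. "_private_opt" stands in
# for a private (underscore-prefixed) option; it is not a real plugin option.
DEFINITIONS = {
    "url": None,
    "token": None,
    "token_path": None,
    "token_file": ".vault-token",
    "auth_method": "token",
    "retries": 0,
    "timeout": None,
    "_private_opt": None,
}


def resolve(option):
    """Return (value, origin); vars beat env, env beats ini, ini beats default."""
    for origin, source in (("var", VARS), ("env", ENV), ("ini", INI)):
        if option in source:
            return source[option], origin
    return DEFINITIONS[option], "default"


def term_matches(option, terms):
    """Assumed rule: the option must match at least one positive pattern and
    no '!'-prefixed pattern. A list of only '!' terms keeps everything else."""
    positives = [t for t in terms if not t.startswith("!")]
    negatives = [t[1:] for t in terms if t.startswith("!")]
    if positives and not any(fnmatch(option, p) for p in positives):
        return False
    return not any(fnmatch(option, n) for n in negatives)


def vault_ansible_settings(*terms, include_none=False, include_default=False,
                           include_private=False):
    """Model of the lookup: one dict of option -> value, filtered as documented."""
    terms = terms or ("*",)  # documented default for _terms
    result = {}
    for option in DEFINITIONS:
        if option.startswith("_") and not include_private:
            continue
        if not term_matches(option, terms):
            continue
        value, origin = resolve(option)
        if value is None and not include_none:
            continue
        if origin == "default" and not include_default:
            continue
        result[option] = value
    return result


if __name__ == "__main__":
    # What module_defaults would receive with and without the token filter.
    print("all:       ", vault_ansible_settings())
    print("no tokens: ", vault_ansible_settings("*", "!*token*"))
    print("everything:", vault_ansible_settings(include_none=True,
                                                include_default=True,
                                                include_private=True))
```

Note that terms filter on option names, not values: `'!*token*'` drops `token`, `token_path` and `token_file`, but the returned dict still carries `auth_method: token` if that is what the controller uses, which is why the examples above that exclude the token also set or override `auth_method` to a remote-side method such as `aws_iam`.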

See also