Add GCP auth method and Secret Engine

ansible-modules-hashivault.iml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="WEB_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>

ansible/modules/hashivault/hashivault_googlecloud_auth_configure.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+DOCUMENTATION = '''
+module: hashivault_googlecloud_auth_configure
+version_added: "1.0.0"
+short_description: Hashicorp Vault googlecloud management role module
+description:
+    - Module to manage an googlecloud configuration from Hashicorp Vault.
+options:
+    credentials:
+        description:
+            - A JSON string containing the contents of a GCP credentials file.
+    credentials_file:
+        description:
+            - A JSON string containing the contents of a GCP credentials file.
+    iam_alias:
+        description:
+            - role_id or unique_id
+    iam_metadata:
+        description:
+            - The metadata to include on the token returned by the login endpoint
+        default: default
+    gce_alias:
+        description:
+            -   instance_id or role_id
+    gce_metadata:
+        description:
+            -  The metadata to include on the token returned by the login endpoint
+        default: default
+    mount_point:
+        description:
+            - mount point for Google Cloud Configuration
+        default: gcp
+    state:
+        description:
+            - present or absent
+        default: present
+'''
+
+
+def main():
+    argspec = hashivault_argspec()
+    argspec['credentials'] = dict(required=False, type='str')
+    argspec['credentials_file'] = dict(required=False, type='str')
+    argspec['iam_alias'] = dict(required=False, type='str', choices=['unique_id', 'role_id'], default='role_id')
+    argspec['iam_metadata'] = dict(required=False, type='str', default='default')
+    argspec['gce_alias'] = dict(required=False, type='str', choices=['instance_id', 'role_id'], default='role_id')
+    argspec['gce_metadata'] = dict(required=False, type='str', default='default')
+    argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+    argspec['state'] = dict(required=False, type='str', choices=['present', 'absent'], default='present')
+    module = hashivault_init(argspec, supports_check_mode=True)
+    result = hashivault_googlecloud_auth_configure(module)
+    if result.get('failed'):
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_configure(module):
+    params = module.params
+    state = params.get('state')
+    credentials = params.get('credentials')
+    credentials_file = params.get('credentials_file')
+    client = hashivault_auth_client(params)
+    mount_point = params.get('mount_point').strip('/')
+    desired_state = dict()
+    current_state = dict()
+    changed = False
+
+    if credentials_file:
+        desired_state['credentials'] = json.dumps(json.load(open(params.get('credentials_file'), 'r')))
+    elif credentials:
+        desired_state['credentials'] = params.get('credentials')
+
+    try:
+        current_state = client.auth.gcp.read_config()
+    except Exception:
+        changed = True
+
+    if changed and not module.check_mode and state == 'present':
+        client.auth.gcp.configure(mount_point=mount_point, **desired_state)
+        return {'changed': True}
+    else:
+        client.auth.gcp.delete_config(mount_point=mount_point)
+        return {'changed': True}
+
+
+if __name__ == '__main__':
+    main()
+

ansible/modules/hashivault/hashivault_googlecloud_auth_create_role.py

@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+    argspec = hashivault_argspec()
+    argspec['name'] = dict(required=True, type='str')
+    argspec['project_id'] = dict(required=True, type='str')
+    argspec['role_type'] = dict(required=True, type='str', choices=['gce', 'iam'])
+    argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+    argspec['bound_service_accounts'] = dict(required=False, type='list', default=[])
+    argspec['bound_projects'] = dict(required=False, type='list', default=[])
+    argspec['add_group_aliases'] = dict(required=False, type='bool')
+    argspec['token_ttl'] = dict(required=False, type='str')
+    argspec['token_max_ttl'] = dict(required=False, type='str')
+    argspec['token_policies'] = dict(required=False, type='list', default=[])
+    argspec['token_bound_cidrs'] = dict(required=False, type='list', default=[])
+    argspec['token_explicit_max_ttl'] = dict(required=False, type='str')
+    argspec['token_no_default_policy'] = dict(required=False, type='bool', default='false')
+    argspec['token_num_uses'] = dict(required=False, type='str')
+    argspec['token_period'] = dict(required=False, type='str')
+    argspec['token_type'] = dict(required=False, type='str', choices=['service', 'batch', 'default'], default='default')
+    argspec['max_jwt_exp'] = dict(required=False, type='str', default='15m')
+    argspec['allow_gce_inference'] = dict(required=False, type='bool', default=True)
+    argspec['bound_zones'] = dict(required=False, type='list', default=[])
+    argspec['bound_regions'] = dict(required=False, type='list', default=[])
+    argspec['bound_instance_groups'] = dict(required=False, type='list', default=[])
+    argspec['bound_labels'] = dict(required=False, type='list', default=[])
+    argspec['state'] = dict(required=False, type='str', default='present')
+    module = hashivault_init(argspec)
+    result = hashivault_googlecloud_auth_create_role(module)
+    if result.get('failed'):
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_create_role(module):
+    params = module.params
+    client = hashivault_auth_client(params)
+    state = params.get('state')
+    name = params.get('name').strip('/')
+    mount_point = params.get('mount_point').strip('/')
+    project_id = params.get('project_id')
+    role_type = params.get('role_type')
+    changed = False
+    exists = False
+    desired_state = dict()
+
+    if role_type == 'iam' and state == 'present':
+        args = [
+            'project_id',
+            'bound_projects',
+            'add_group_aliases',
+            'token_ttl',
+            'token_max_ttl',
+            'token_policies',
+            'token_bound_cidrs',
+            'token_explicit_max_ttl',
+            'token_no_default_policy',
+            'token_num_uses',
+            'token_period',
+            'token_type',
+            'bound_zones',
+            'bound_regions',
+            'bound_instance_groups',
+            'bound_labels'
+        ]
+        desired_state = {}
+    elif role_type == 'gce' and state == 'present':
+        args = [
+            'project_id',
+            'bound_projects',
+            'add_group_aliases',
+            'token_ttl',
+            'token_max_ttl',
+            'token_policies',
+            'token_bound_cidrs',
+            'token_explicit_max_ttl',
+            'token_no_default_policy',
+            'token_num_uses',
+            'token_period',
+            'token_type',
+            'max_jwt_exp',
+            'allow_gce_inference',
+            'bound_service_accounts'
+        ]
+        desired_state = {}
+
+    try:
+        current_state = client.auth.gcp.read_role()
+    except Exception:
+        changed = True
+
+    if changed and state == 'present' and not module.check_mode:
+        client.auth.gcp.create_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point, **desired_state)
+
+    elif changed and state == 'absent' and not module.check_mode:
+        client.auth.gcp.delete_role(name=name, project_id=project_id, role_type=role_type, mount_point=mount_point)
+
+    return {'changed': changed}
+
+
+if __name__ == '__main__':
+    main()

ansible/modules/hashivault/hashivault_googlecloud_auth_edit_gce_roles.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+    argspec = hashivault_argspec()
+    argspec['role_name'] = dict(required=True, type='str')
+    argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+    argspec['add'] = dict(required=False, type='list', default=[])
+    argspec['remove'] = dict(required=False, type='list', default=[])
+    module = hashivault_init(argspec)
+    result = hashivault_googlecloud_auth_edit_gce_roles(module)
+    if result.get('failed'):
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_edit_gce_roles(module):
+    params = module.params
+    client = hashivault_auth_client(params)
+    role_name = params.get('role_name')
+    mount_point = params.get('mount_point').strip('/')
+    add = params.get('add')
+    remove = params.get('remove')
+    changed = False
+    desired_state = dict()
+
+    if add:
+        desired_state['add'] = params.get('add')
+    if remove:
+        desired_state['remove'] = params.get('remove')
+
+    client.auth.gcp.edit_labels_on_gce_role(mount_point=mount_point, name=role_name, **desired_state)
+
+    return {'changed': changed}
+
+
+if __name__ == '__main__':
+    main()

ansible/modules/hashivault/hashivault_googlecloud_auth_edit_service_account.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+
+
+def main():
+    argspec = hashivault_argspec()
+    argspec['role_name'] = dict(required=True, type='str')
+    argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+    argspec['add'] = dict(required=False, type='list', default=[])
+    argspec['remove'] = dict(required=False, type='list', default=[])
+    module = hashivault_init(argspec)
+    result = hashivault_googlecloud_auth_edit_service_account(module)
+    if result.get('failed'):
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_auth_edit_service_account(module):
+    params = module.params
+    client = hashivault_auth_client(params)
+    role_name = params.get('role_name').strip('/')
+    mount_point = params.get('mount_point').strip('/')
+    add = params.get('add')
+    remove = params.get('remove')
+    changed = False
+    desired_state = dict()
+
+    if add:
+        desired_state['add'] = params.get('add')
+    if remove:
+        desired_state['remove'] = params.get('remove')
+
+    client.auth.gcp.edit_service_accounts_on_iam_role(mount_point=mount_point, name=role_name, **desired_state)
+
+    return {'changed': changed}
+
+
+if __name__ == '__main__':
+    main()

ansible/modules/hashivault/hashivault_googlecloud_secrets_configure.py

@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+from ansible.module_utils.hashivault import hashivault_argspec
+from ansible.module_utils.hashivault import hashivault_auth_client
+from ansible.module_utils.hashivault import hashivault_init
+from ansible.module_utils.hashivault import hashiwrapper
+import json
+
+
+def main():
+    argspec = hashivault_argspec()
+    argspec['state'] = dict(required=False, type='str', default='present', choices=['present', 'absent'])
+    argspec['ttl'] = dict(required=False, type='int', default='3600')
+    argspec['max_ttl'] = dict(required=False, type='int')
+    argspec['mount_point'] = dict(required=False, type='str', default='gcp')
+    argspec['credentials'] = dict(required=False, type='str')
+    argspec['credentials_file'] = dict(required=False, type='str')
+    module = hashivault_init(argspec, supports_check_mode=True)
+    result = hashivault_googlecloud_secrets_configure(module)
+
+    if result.get('failed'):
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_googlecloud_secrets_configure(module):
+    params = module.params
+    client = hashivault_auth_client(params)
+    state = params.get('state')
+    mount_point = params.get('mount_point').strip('/')
+    credentials = params.get('credentials')
+    credentials_file = params.get('credentials_file')
+    ttl = params.get('ttl')
+    max_ttl = params.get('max_ttl')
+    desired_state = dict()
+    current_state = dict()
+    changed = False
+
+    if credentials_file:
+        with open(credentials_file) as creds:
+            data = json.load(creds)
+            credential = json.dumps(data)
+        desired_state['credentials'] = credential
+        desired_state['ttl'] = ttl
+        desired_state['max_ttl'] = max_ttl
+    elif credentials:
+        desired_state['credentials'] = credentials
+        desired_state['ttl'] = ttl
+        desired_state['max_ttl'] = max_ttl
+
+    try:
+        current_state = client.secrets.gcp.read_config()
+    except Exception:
+        changed = True
+
+    if changed and not module.check_mode and state == 'present':
+        client.secrets.gcp.configure(mount_point=mount_point, **desired_state)
+
+    return {'changed': True}
+
+
+if __name__ == '__main__':
+    main()