Skip to content

Commit

Permalink
lookup/secretsmanager_secret - fix issue with missing nested secret a…
Browse files Browse the repository at this point in the history 
…nd on_missing=warn (#1972)

lookup/secretsmanager_secret - fix issue with missing nested secret and on_missing=warn

SUMMARY

Fixes #1781
The lookup was raising an error instead of a warning message

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

lookup/secretsmanager_secret

Reviewed-by: Mandar Kulkarni <[email protected]>
Reviewed-by: Alina Buzachis
  • Loading branch information
@abikouo
abikouo authored Feb 14, 2024
1 parent 531fdd1 commit 08e7d70
Show file tree
Hide file tree
Showing 6 changed files with 432 additions and 6 deletions.
3 changes: 3 additions & 0 deletions ...secretsmanager_secret-fix-issue-when-nested-is-missing-and-on_missing-is-set-to-warn.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
---
bugfixes:
- lookup/secretsmanager_secret - fix the issue when the nested secret is missing and on_missing is set to warn, the lookup was raising an error instead of a warning message (https://github.com/ansible-collections/amazon.aws/issues/1781).
23 changes: 17 additions & 6 deletions plugins/lookup/secretsmanager_secret.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,11 @@
from ansible_collections.amazon.aws.plugins.plugin_utils.lookup import AWSLookupBase


def _list_secrets(client, term):
paginator = client.get_paginator("list_secrets")
return paginator.paginate(Filters=[{"Key": "name", "Values": [term]}])


class LookupModule(AWSLookupBase):
def run(self, terms, variables, **kwargs):
"""
Expand Down Expand Up @@ -177,9 +182,7 @@ def run(self, terms, variables, **kwargs):
secrets = {}
for term in terms:
try:
paginator = client.get_paginator("list_secrets")
paginator_response = paginator.paginate(Filters=[{"Key": "name", "Values": [term]}])
for object in paginator_response:
for object in _list_secrets(client, term):
if "SecretList" in object:
for secret_obj in object["SecretList"]:
secrets.update(
Expand Down Expand Up @@ -247,14 +250,22 @@ def get_secret_value(
if "SecretString" in response:
if nested:
query = term.split(".")[1:]
path = None
secret_string = json.loads(response["SecretString"])
ret_val = secret_string
for key in query:
while query:
key = query.pop(0)
path = key if not path else path + "." + key
if key in ret_val:
ret_val = ret_val[key]
else:
elif on_missing == "warn":
self._display.warning(
f"Skipping, Successfully retrieved secret but there exists no key {path} in the secret"
)
return None
elif on_missing == "error":
raise AnsibleLookupError(
f"Successfully retrieved secret but there exists no key {key} in the secret"
f"Successfully retrieved secret but there exists no key {path} in the secret"
)
return str(ret_val)
else:
Expand Down
2 changes: 2 additions & 0 deletions tests/integration/targets/lookup_secretsmanager_secret/defaults/main.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
---
json_secret: '{"resource_prefix": "{{ resource_prefix }}"}'
3 changes: 3 additions & 0 deletions tests/integration/targets/lookup_secretsmanager_secret/tasks/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,9 @@
that:
- get_deleted_secret is failed

# Test with nested secrets
- include_tasks: tasks/nested.yaml

always:
# delete secret created
- name: delete secret
Expand Down
59 changes: 59 additions & 0 deletions tests/integration/targets/lookup_secretsmanager_secret/tasks/nested.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
- vars:
json_secret_name: "ansible-test-{{ tiny_prefix }}-secret-json"
json_secret_value: "{{ json_secret | to_json }}"
block:
- name: create secret "{{ json_secret_name }}"
community.aws.secretsmanager_secret:
name: "{{ json_secret_name }}"
secret: "{{ json_secret_value }}"
state: present

- name: Validate nested secret value
assert:
that:
- lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.resource_prefix', nested=True, **connection_args) == resource_prefix

- name: Read missing secret variable using 'on_missing==error'
set_fact:
missing_err_secret: "{{ lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.missing_err_secret', nested=True, on_missing='error', **connection_args) }}"
register: on_missing_error
ignore_errors: true

- name: Ensure the lookup raised an error
assert:
that:
- on_missing_error is failed
- on_missing_error.msg == "Successfully retrieved secret but there exists no key missing_err_secret in the secret"
- missing_err_secret is undefined

- name: Read missing secret variable using 'on_missing==error'
set_fact:
resource_prefix_child: "{{ lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.resource_prefix.child', nested=True, on_missing='error', **connection_args) }}"
register: nested_child
ignore_errors: true

- name: Ensure the lookup raised an error
assert:
that:
- nested_child is failed
- nested_child.msg == "Successfully retrieved secret but there exists no key resource_prefix.child in the secret"
- resource_prefix_child is undefined

- name: Read missing secret variable using 'on_missing==warn'
set_fact:
missing_wrn_secret: "{{ lookup('amazon.aws.secretsmanager_secret', json_secret_name + '.missing_wrn_secret', nested=True, on_missing='warn', **connection_args) }}"

- name: Ensure that the variable has not been defined
assert:
that:
- missing_wrn_secret == []

always:
# delete secret created
- name: Delete secret '{{ json_secret_name }}'
community.aws.secretsmanager_secret:
name: "{{ json_secret_name }}"
state: absent
recovery_window: 0
ignore_errors: true
Loading

0 comments on commit 08e7d70

Please sign in to comment.