
Idempotency of hashivault_write #394

Open
Roxyrob opened this issue Feb 11, 2022 · 3 comments

Comments

@Roxyrob

Roxyrob commented Feb 11, 2022

Shouldn't the module hashivault_write check whether the data to write has changed (desired_state != current_state)?

For example: for a kv put action it should probably be possible to write only if the data has changed, instead of doing a put on every run and increasing the version for the same data.

I'll try to use hashivault_read to compare the data, but I think an integrated check inside the write module better respects the idempotency paradigm.

@TerryHowe
Owner

Similar to update, but as I recall update only changes values that are present in the request https://github.com/TerryHowe/ansible-modules-hashivault/blob/main/ansible/modules/hashivault/hashivault_write.py#L122

@Roxyrob
Author

Roxyrob commented Feb 11, 2022

I apologize, but I didn't try it from the start because the documentation says "This option is deprecated". In fact it seems to work.
Why does the documentation say it is deprecated?

Note some possible issues here (evaluate whether they seem useful to you):

  1. The update variable doesn't seem to accept an assignment like update: "{{var.value.update|default(true)}}"; it should probably be cast to bool inside the code, or it will return an error like this:
fatal: [localhost]: FAILED! => changed=false
  msg: 'argument ''update'' is of type  and we were unable to convert to bool: The value
'''' is not a valid boolean. Valid booleans include: 0, ********, ''0'',
 ''false'', ''f'', ''yes'', ''t'', ''off'', ''n'', ''no'', ''on'', ''y'', ''true'', ''********'''
  2. I think update is more equivalent to vault patch, and patch will be different from secret write/overwrite, as update/patch changes only the parts that differ, not the secret altogether. IMHO desired_state == current_state should always be an idempotent condition regardless of the update variable setting (after all, if there is no change, no overwrite and no update will take place).

Workaround: idempotency can also be reached externally to the module using code like this:

- name: kv_cfg | Get hashicorp vault kv (read/get)
  hashivault_read:
    token:          "..."
    url:            "..."
    key:            "..."
    mount_point:    "..."
    secret:         "..."
    secret_version: "..."
    version:        "..."
  register: item_current
  changed_when: false
  # a missing secret is not a failure here; the write task below handles that case
  failed_when: >
    item_current.rc != 0
    and not item_current.msg is regex("Secret.*is not in vault")

- name: kv_cfg | Set hashicorp vault kv (write/post)
  hashivault_write:
    token:          "..."
    url:            "..."
    mount_point:    "..."
    secret:         "..."
    version:        "..."
    cas:            "..."
    alternate_data: "..."
    data:           "..."
  # item_kv holds the desired secret (assumed to come from a loop over the kv configuration)
  when: >
    ( item_current.rc != 0
      and item_current.msg is regex("Secret.*is not in vault") )
      or item_current.value|to_json != item_kv.value.data|to_json

Many ways to go... even if the main way is always the module's own idempotency.

As soon as I finish this project, for which the time is about to end, I'll try to look inside the module code, if I find some time slots and.
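The decision logic the two comments above describe (write only when desired_state differs from current_state, with update/patch merging keys and plain write overwriting the whole secret), as an added example that is not code from ansible-modules-hashivault. It talks to no Vault server: FakeKvStore is a constructed in-memory stand-in that only counts versions, and the caller supplies the current data (None when the secret is not in vault) and the desired data.

```python
"""Idempotent KV v2 write decision: added example, not the project's own code."""
from typing import Any, Dict, Optional, Tuple


def plan_write(current: Optional[Dict[str, Any]],
               desired: Dict[str, Any],
               update: bool = False) -> Tuple[bool, Dict[str, Any]]:
    """Return (changed, resulting_data).

    - current is None: the secret is absent, so it is always written.
    - update=False (write/overwrite): the result is exactly `desired`.
    - update=True (patch): `desired` keys are merged into `current`;
      keys absent from `desired` are kept.
    `changed` is False whenever the result equals `current`, so unchanged
    data never bumps the KV version, regardless of the update flag.
    """
    if current is None:
        return True, dict(desired)
    result = {**current, **desired} if update else dict(desired)
    return result != current, result


class FakeKvStore:
    """Constructed in-memory stand-in for a KV v2 mount (data + version per path)."""

    def __init__(self) -> None:
        self._data: Dict[str, Dict[str, Any]] = {}
        self._version: Dict[str, int] = {}

    def read(self, path: str) -> Optional[Dict[str, Any]]:
        return self._data.get(path)

    def write(self, path: str, data: Dict[str, Any]) -> None:
        # every real write creates a new version, exactly what the issue wants to avoid
        self._data[path] = dict(data)
        self._version[path] = self._version.get(path, 0) + 1

    def version(self, path: str) -> int:
        return self._version.get(path, 0)


def idempotent_put(store: FakeKvStore, path: str,
                   desired: Dict[str, Any], update: bool = False) -> bool:
    """Write only when plan_write reports that the stored data would change."""
    changed, result = plan_write(store.read(path), desired, update=update)
    if changed:
        store.write(path, result)
    return changed


if __name__ == "__main__":
    kv = FakeKvStore()
    secret = {"user": "app", "password": "constructed-example-value"}
    print(idempotent_put(kv, "secret/app", secret))                # True, version 1
    print(idempotent_put(kv, "secret/app", secret))                # False, still version 1
    print(idempotent_put(kv, "secret/app", {"user": "app"}, update=True))  # False: patch changes nothing
    print(idempotent_put(kv, "secret/app", {"user": "app"}))       # True: overwrite drops the password
    print(kv.version("secret/app"))                                # 2
```

The comparison is done on the resulting dict rather than on the update flag, which is the point of the second comment: a patch that changes nothing and a write of identical data are both no-ops, while a plain write of a subset of keys is a real change because it removes the other keys.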

@Roxyrob
Author

Roxyrob commented Feb 17, 2022

For issue part (1.), casting to bool seems to work as a workaround:

update: "{{ (myupdate | default(omit)) | bool }}"
