
Idempotency of hashivault_write

Open Roxyrob opened this issue 3 years ago • 3 comments

Shouldn't the hashivault_write module check whether the data to write has changed (desired_state != current_state)?

For example: for a kv put action it should probably be possible to write only if the data has changed, instead of doing a put on every run and increasing the version for the same data.

I'll try to use hashivault_read to compare the data, but I think an integrated check inside the write module better respects the idempotency paradigm.

Roxyrob, Feb 11 '22 13:02

Similar to update, but as I recall update only changes values that are present in the request: https://github.com/TerryHowe/ansible-modules-hashivault/blob/main/ansible/modules/hashivault/hashivault_write.py#L122

TerryHowe, Feb 11 '22 14:02

I apologize, but I didn't try it from the start because the documentation says "This option is deprecated". Effectively it seems to work. Why does the documentation talk about deprecation?

Note some possible issues here (evaluate whether they seem useful to you):

  1. The update variable doesn't seem to accept an assignment like update: "{{var.value.update|default(true)}}"; it probably should be cast to bool inside the code, or it will return an error like this:
fatal: [localhost]: FAILED! => changed=false
  msg: 'argument ''update'' is of type  and we were unable to convert to bool: The value
'''' is not a valid boolean. Valid booleans include: 0, ********, ''0'',
 ''false'', ''f'', ''yes'', ''t'', ''off'', ''n'', ''no'', ''on'', ''y'', ''true'', ''********'''
  2. I think update is more equivalent to vault patch, and patch is different from a secret write/overwrite, as update/patch changes only the differing parts and not the secret altogether. IMHO desired_state == current_state should always be an idempotent condition regardless of the update variable setting (after all, if there is no change, no overwrite and no update will take place).

Workaround: idempotency can also be reached externally to the module using code like this:

- name: kv_cfg | Get hashicorp vault kv (read/get)
  hashivault_read:
    token:          "..."
    url:            "..."
    key:            "..."
    mount_point:    "..."
    secret:         "..."
    secret_version: "..."
    version:        "..."
  register: item_current
  changed_when: false
  failed_when: >
    item_current.rc != 0
    and not item_current.msg is regex("Secret.*is not in vault")

- name: kv_cfg | Set hashicorp vault kv (write/post)
  hashivault_write:
    token:          "..."
    url:            "..."
    mount_point:    "..."
    secret:         "..."
    version:        "..."
    cas:            "..."
    alternate_data: "..."
    data:           "..."
  when: >
    ( item_current.rc != 0
      and item_current.msg is regex("Secret.*is not in vault") )
      or item_current.value|to_json != item_kv.value.data|to_json

Many ways to go... even if the main way is always the module's own idempotency.

As soon as I finish this project, for which the time is about to run out, I'll try to look inside the module code, if I find some time slots and.

Roxyrob, Feb 11 '22 16:02
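As an added example (not code from ansible-modules-hashivault or from the comment above), this is the compare-before-write check the thread asks for, in Python, covering both the overwrite and the `update`-style merge case. `SecretNotFound` and `FakeKvV2` are assumptions: a constructed in-memory stand-in for a KV v2 mount and for hvac's `InvalidPath` exception, so the example runs offline.

```python
"""Idempotent KV v2 write: read, compare, write only on difference."""
import copy
import json


class SecretNotFound(Exception):
    """Stand-in for hvac.exceptions.InvalidPath (no secret at the path)."""


class FakeKvV2:
    """Constructed stand-in for a Vault KV v2 mount (data + version per path)."""

    def __init__(self):
        self._store = {}  # path -> {"data": dict, "version": int}

    def read(self, path):
        if path not in self._store:
            raise SecretNotFound(path)
        return copy.deepcopy(self._store[path])

    def write(self, path, data):
        # Every put creates a new version, exactly what non-idempotent runs cause.
        version = self._store.get(path, {"version": 0})["version"] + 1
        self._store[path] = {"data": copy.deepcopy(data), "version": version}
        return version


def _canonical(data):
    # Canonical JSON so key order alone never counts as a change.
    return json.dumps(data, sort_keys=True, separators=(",", ":"))


def idempotent_write(kv, path, desired, update=False):
    """Write `desired` to `path` only if it differs from the current data.

    update=True merges `desired` into the existing data (only keys present in
    the request change); update=False replaces the secret wholesale.
    Returns (changed, version) so a caller can report Ansible-style `changed`.
    """
    try:
        current = kv.read(path)["data"]
    except SecretNotFound:
        current = None  # first write: nothing to compare against
    target = {**current, **desired} if (update and current is not None) else dict(desired)
    if current is not None and _canonical(current) == _canonical(target):
        return False, kv.read(path)["version"]  # desired == current: no new version
    return True, kv.write(path, target)
```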

For issue part (1.), as a workaround, casting to bool seems to work:

update: "{{ (myupdate|default(omit))|bool }}"

Roxyrob, Feb 17 '22 14:02