google.cloud Add Secret Manager Lookup plugins

Add Secret Manager Lookup plugins

Open levonet opened this issue 3 years ago • 9 comments

SUMMARY

I need to get the secret content and the resource id from GCP Secret Manager. Lookup plugins are used because this format allows embedding Secret Manager queries in templates and files with variables (external configuration contour).

ISSUE TYPE

New Module Pull Request

COMPONENT NAME

gcp_secret_access
gcp_secret_resource_id

ADDITIONAL INFORMATION

Examples:

- ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', secret='hola', project='test_project') }}"

- ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', 'hola', project='test_project') }}"

- name: using resource id instead of secret name
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', 'projects/112233445566/secrets/hola/versions/1') }}"

- name: using service account file
  ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_access', 'hola', project='test_project', service_account_file='/path/to/keyfile.json') }}"

- ansible.builtin.debug:
    msg: "{{ lookup('google.cloud.gcp_secret_resource_id', secret='hola', project='test_project') }}"
# Return 'projects/112233445566/secrets/hola/versions/1'

Dec 31 '20 00:12 levonet

This is awesome, but it doesnt look like PRs for this repo get merged :/

Jan 21 '21 10:01 whyman

Yes, it looks like this repo doesn't have a maintainer. Here is an example of how a critical one-character hotfix is still open #268

Jan 22 '21 15:01 levonet

it doesnt look like PRs for this repo get merged

not sure why the readme for this repo doesn't say that this repository is only the generated output of https://github.com/GoogleCloudPlatform/magic-modules

Jan 16 '22 04:01 smemsh

it doesnt look like PRs for this repo get merged

not sure why the readme for this repo doesn't say that this repository is only the generated output of https://github.com/GoogleCloudPlatform/magic-modules

Yes, but if you try to raise Ansible specific stuff (non generated like this) there they tell you to raise it here instead :shrug:

Jan 18 '22 13:01 whyman

if you try to raise Ansible specific stuff (non generated like this) there they tell you to raise it here instead

Right, as in GoogleCloudPlatform/magic-modules#3933, apparently we're to use this repo for bugs, but submit PRs to the upstream repo. Yet most have no idea about magic-modules and waste time looking for bugs in the Python here, and/or submitting PRs that will never be looked at.

Even worse, look here: hashicorp/terraform-provider-google#9588 via GoogleCloudPlatform/magic-modules#5069, to wit:

mmv1 has not been supporting ansible/inspec for some time - i.e. we would not do work to add support for new resources, update resources due to API changes, or fix bugs in those codebases.

So basically @levonet was right that this collection is basically abandonware and we're supposed to use Terraform for provisioning and/or GCP-native automation.

It's not very nice to not even notify people about this and have them waste their time filing bugs/PRs and looking through auto-generated python code which isn't even updated anymore. I guess they don't care because it's a small number of users. The situation has been like this for multiple years with this collection... wonder if Ansible core team even knows about the defunct status. There's an interesting clue here: