aws_secret lookup doesn't honor on_missing when using nested #1781

Closed
1 task done
gionn opened this issue Sep 29, 2023 · 1 comment · Fixed by #1972
Labels
bug This issue/PR relates to a bug needs_info This issue requires further information. Please answer any outstanding questions

Comments

@gionn
Contributor

gionn commented Sep 29, 2023

Summary

I am using multiple lookup calls to populate secret variables from a single AWS secret containing multiple (nested) secrets. However, it seems that on_missing applies only to the AWS secret itself, while I was hoping to get the same behaviour only when the nested key is missing inside the AWS secret.

Issue Type

Bug Report

Component Name

amazon.aws.aws_secret

Ansible Version

$ ansible --version
ansible [core 2.14.4]
  config file = /Users/Giovanni.Toraldo/src/alfresco/alfresco-ansible-deployment/ansible.cfg
  configured module search path = ['/Users/Giovanni.Toraldo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/Giovanni.Toraldo/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/bin/ansible
  python version = 3.10.12 (main, Jul 28 2023, 18:44:44) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/bin/python)
  jinja version = 3.1.2
  libyaml = True

Collection Versions

$ ansible-galaxy collection list
Collection                     Version
------------------------------ -------
amazon.aws                     6.3.0  
ansible.posix                  1.5.4  
ansible.utils                  2.6.0  
community.aws                  6.3.0  
community.crypto               2.10.0 
community.docker               3.4.8  
community.general              7.4.0  
community.postgresql           2.1.0  
middleware_automation.common   1.1.2  
middleware_automation.keycloak 1.3.0  

AWS SDK versions

$ pip show boto boto3 botocore
WARNING: Package(s) not found: boto
Name: boto3
Version: 1.26.9
Summary: The AWS SDK for Python
Home-page: https://github.com/boto/boto3
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/lib/python3.10/site-packages
Requires: botocore, jmespath, s3transfer
Required-by: 
---
Name: botocore
Version: 1.29.165
Summary: Low-level, data-driven core of boto 3.
Home-page: https://github.com/boto/botocore
Author: Amazon Web Services
Author-email: 
License: Apache License 2.0
Location: /Users/Giovanni.Toraldo/.virtualenvs/alfresco-ansible-deployment-LdMEq9P-/lib/python3.10/site-packages
Requires: jmespath, python-dateutil, urllib3
Required-by: boto3, s3transfer

Configuration

$ ansible-config dump --only-changed

OS / Environment

Ubuntu

Steps to Reproduce

sync_db_password: "{{ lookup('amazon.aws.aws_secret', user_provided_project_name + '.sync_db_password', on_missing='warn', nested=true) }}"
identity_admin_password: "{{ lookup('amazon.aws.aws_secret', user_provided_project_name + '.identity_admin_password', on_missing='warn', nested=true) }}"

Expected Results

Expecting just a warning if the secret exists but doesn't contain identity_admin_password

Actual Results

fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while templating '{'sync_db_password': \"{{ lookup('amazon.aws.aws_secret', user_provided_project_name + '.sync_db_password', on_missing='warn', nested=true) }}\", 'identity_admin_password': \"{{ lookup('amazon.aws.aws_secret', user_provided_project_name + '.identity_admin_password', on_missing='warn', nested=true) }}\"}'. Error was a <class 'ansible.errors.AnsibleLookupError'>, original message: Successfully retrieved secret but there exists no key identity_admin_password in the secret"}

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
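
The behaviour requested in this report, as an added sketch that is not part of the original issue and is not the collection's code: one on_missing policy applied both when the secret is absent and when a nested key is absent. The names `resolve_nested`, `SecretLookupError` and `SAMPLE_STORE` are hypothetical, a plain dict stands in for AWS Secrets Manager, and the first dotted segment is assumed to be the secret name.

```python
import json
import warnings


class SecretLookupError(Exception):
    """Stand-in for the error a lookup plugin raises (hypothetical name)."""


def _handle_missing(message, on_missing):
    # One policy for every "not found" case: error, warn, or skip.
    if on_missing == "error":
        raise SecretLookupError(message)
    if on_missing == "warn":
        warnings.warn(message)
    elif on_missing != "skip":
        raise ValueError(f"unsupported on_missing value: {on_missing!r}")
    return None


def resolve_nested(term, store, on_missing="error"):
    """Resolve 'secret_name.key1.key2' against store (name -> SecretString)."""
    name, *path = term.split(".")
    if name not in store:
        return _handle_missing(f"Failed to find secret {name}", on_missing)
    value = store[name]
    for key in path:
        # Each level may still be a JSON string that needs decoding.
        if isinstance(value, str):
            try:
                value = json.loads(value)
            except json.JSONDecodeError:
                value = None
        if not isinstance(value, dict) or key not in value:
            # The case from this report: the secret exists, the key does not.
            return _handle_missing(
                f"Successfully retrieved secret but there exists no key {key} in the secret",
                on_missing,
            )
        value = value[key]
    return str(value)


# Constructed sample data standing in for AWS Secrets Manager.
SAMPLE_STORE = {"myproject": json.dumps({"sync_db_password": "s3cr3t-constructed"})}
```

With `warn` or `skip` the function returns `None`, so whatever consumes the value should check for an unset result before using it as a password.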
@hakbailey hakbailey added needs_verified Some one might want to take a look at this and reproduce it to confirm and removed needs_triage labels Oct 3, 2023
abikouo pushed a commit to abikouo/amazon.aws that referenced this issue Oct 24, 2023
…nsible-collections#1773) (ansible-collections#1781)

eks_nodegroup - fixing remote access and added to integration tests

SUMMARY
This was incorrectly merged directly into stable-5 rather than main.
Fixes ansible-collections#1771
Handling remote_access configuration the right way that boto understands it. Also included it to integration tests.
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
eks_nodegroup
ADDITIONAL INFORMATION
This is pulling ansible-collections#1773 from stable-5 into main
Reviewed-by: Markus Bergholz
Reviewed-by: Thomas Bruckmann
Reviewed-by: Mark Chappell

Reviewed-by: Markus Bergholz <git@osuv.de>
@abikouo abikouo added bug This issue/PR relates to a bug and removed needs_verified Some one might want to take a look at this and reproduce it to confirm labels Feb 12, 2024
@abikouo
Contributor

abikouo commented Feb 12, 2024

@gionn Thanks for raising the issue. I have created a pull request to fix it. Could you please give it a try with #1972?
Thanks

@abikouo abikouo added the needs_info This issue requires further information. Please answer any outstanding questions label Feb 12, 2024
softwarefactory-project-zuul bot pushed a commit that referenced this issue Feb 14, 2024
…nd on_missing=warn (#1972)

lookup/secretsmanager_secret - fix issue with missing nested secret and on_missing=warn

SUMMARY

Fixes #1781
The lookup was raising an error instead of a warning message

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

lookup/secretsmanager_secret

Reviewed-by: Mandar Kulkarni <mandar242@gmail.com>
Reviewed-by: Alina Buzachis
patchback bot pushed a commit that referenced this issue Feb 14, 2024
…nd on_missing=warn (#1972)

lookup/secretsmanager_secret - fix issue with missing nested secret and on_missing=warn

SUMMARY

Fixes #1781
The lookup was raising an error instead of a warning message

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

lookup/secretsmanager_secret

Reviewed-by: Mandar Kulkarni <mandar242@gmail.com>
Reviewed-by: Alina Buzachis
(cherry picked from commit 08e7d70)
softwarefactory-project-zuul bot pushed a commit that referenced this issue Feb 28, 2024
…nd on_missing=warn (#1972) (#1975)

[PR #1972/08e7d700 backport][stable-7] lookup/secretsmanager_secret - fix issue with missing nested secret and on_missing=warn

This is a backport of PR #1972 as merged into main (08e7d70).
SUMMARY

Fixes #1781
The lookup was raising an error instead of a warning message

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

lookup/secretsmanager_secret

Reviewed-by: Alina Buzachis
Reviewed-by: Mark Chappell
alinabuzachis pushed a commit to alinabuzachis/amazon.aws that referenced this issue Mar 1, 2024
…nd on_missing=warn (ansible-collections#1972)

lookup/secretsmanager_secret - fix issue with missing nested secret and on_missing=warn

SUMMARY

Fixes ansible-collections#1781
The lookup was raising an error instead of a warning message

ISSUE TYPE


Bugfix Pull Request

COMPONENT NAME

lookup/secretsmanager_secret

Reviewed-by: Mandar Kulkarni <mandar242@gmail.com>
Reviewed-by: Alina Buzachis