Add vault_kv2_write module #348
Conversation
Docs Build 📝 Thank you for contribution! ✨ This PR has been merged and the docs are now incorporated into
Codecov Report
| | main | #348 | +/- |
|---|---|---|---|
| Coverage | 98.82% | 98.86% | +0.04% |
| Files | 80 | 82 | +2 |
| Lines | 4086 | 4244 | +158 |
| Branches | 258 | 269 | +11 |
| Hits | 4038 | 4196 | +158 |
| Misses | 39 | 39 | |
| Partials | 9 | 9 | |
abfba96 to 2d69ef0
2d69ef0 to 6bfe1ed
@devon-mar welcome back and thanks for submitting this! I gave it a quick skim, I'll have to go over it in detail but a few small things I noticed so far:
anyway most of that is just ideas, I need to think about it a little when I'm more awake. Thanks again!
Yeah I took a look at hvac and it also uses the read to get the version for
Yeah, I don't even need idempotency in my own use case haha. Let me know what you think.
As I look a little more closely, I think we'll definitely want an option that does straight writes without reading first (would not be compatible with Patch until hvac has server-side patch support).
In addition to merely allowing for fewer roundtrips, it would support a "write-only" scenario where a token has write access to a path but not read access.
I'm also looking at the `patch` parameter and wondering about changing it from a boolean to a string with choices. Although we can't support server-side patch just yet, I do think we will eventually, and because the permissions needed for the read-then-write method are different, we'll want to make that configurable probably, similar to how it is in the CLI: https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2

> The `vault kv patch` command also supports a `-method` flag which can be used to specify HTTP `PATCH` or read-then-write. The supported values are `patch` and `rw` for HTTP `PATCH` and read-then-write, respectively.

The choices could look like `none`, `auto`, `patch`, `rw` maybe (we would exclude `patch` method now).
It might be premature optimization, but I'm trying to avoid a scenario where we later want to do this and have to choose between 1) a breaking change on the `patch` option's type (will take time to release due to deprecation), or 2) adding a second `patch_method` option (cluttered options), or 3) converting `patch` to a `raw` option that takes either a method or a boolean (more complicated to maintain and test).
I suppose with option 2), we could deprecate the `patch` option and then remove it.
I'm also open to splitting direct writes and patches to two different modules which could help in handling the various option interactions and reduce branching, though I'm having trouble at the moment deciding if splitting in two is even worse.
Anyway, thinking out loud, please let me know your thoughts!
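The trade-off the reviewer sketches above (one straight write versus read-then-write, and which capabilities each needs) is easier to see in code. The following is an added example and not code from this PR or from the community.hashi_vault collection: `FakeKv2Mount` is a constructed in-memory stand-in for a Vault KV v2 mount (versioned data, optional `cas_required`, a capability check per call), and the two exception classes stand in for the 403 and 400 responses hvac surfaces as `Forbidden` and `InvalidRequest`. `kv2_write` models the `read_before_write` behaviour, and `kv2_patch_rw` models the CLI's `-method=rw` patch (which the merged module does not include); the token capability sets and the secret values are constructed for illustration.

```python
"""Added example: in-memory model of straight write vs. read-then-write on KV v2."""
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Stand-in for a Vault 403 (hvac.exceptions.Forbidden)."""


class CheckAndSetError(Exception):
    """Stand-in for the 400 Vault returns when the cas parameter is missing or stale."""


@dataclass
class FakeKv2Mount:
    """Constructed stand-in for a KV v2 mount: versioned payloads per path."""
    cas_required: bool = False
    _versions: dict = field(default_factory=dict)  # path -> [v1 data, v2 data, ...]

    def read(self, path, caps):
        if "read" not in caps:
            raise PermissionDenied(f"read {path}")
        history = self._versions.get(path)
        if not history:
            return None
        return {"data": dict(history[-1]), "metadata": {"version": len(history)}}

    def write(self, path, data, caps, cas=None):
        if not caps & {"create", "update"}:
            raise PermissionDenied(f"write {path}")
        current = len(self._versions.get(path, []))
        if cas is None and self.cas_required:
            raise CheckAndSetError("check-and-set parameter required for this call")
        if cas is not None and cas != current:
            raise CheckAndSetError(f"cas={cas} does not match current version {current}")
        self._versions.setdefault(path, []).append(dict(data))
        return {"version": current + 1}


def kv2_write(mount, path, data, caps, read_before_write=True, cas=None):
    """Write a whole secret; returns (changed, version).

    read_before_write=True costs an extra round trip and needs the read
    capability, but can report 'unchanged' and can derive cas on a
    cas_required mount. read_before_write=False is a single straight write:
    it works with a write-only token but always produces a new version."""
    if read_before_write:
        existing = mount.read(path, caps)
        if existing is not None and existing["data"] == data:
            return False, existing["metadata"]["version"]
        if cas is None and mount.cas_required:
            cas = existing["metadata"]["version"] if existing else 0
    return True, mount.write(path, data, caps, cas=cas)["version"]


def kv2_patch_rw(mount, path, patch, caps):
    """Read-then-write patch (the CLI's -method=rw): merge the patch into the
    current data (a key set to None is removed) and write with cas pinned to
    the version that was read, so a concurrent writer makes this fail closed."""
    existing = mount.read(path, caps)
    if existing is None:
        raise KeyError(f"nothing to patch at {path}")
    merged = {k: v for k, v in {**existing["data"], **patch}.items() if v is not None}
    if merged == existing["data"]:
        return False, existing["metadata"]["version"]
    return True, mount.write(path, merged, caps, cas=existing["metadata"]["version"])["version"]


def scenarios():
    """Run the cases discussed in the thread; returns a dict of outcomes."""
    rw = {"create", "update", "read"}
    write_only = {"create", "update"}          # token with a write-only policy
    secret = {"user": "svc", "password": "s3cr3t"}  # constructed sample data
    out = {}
    mount = FakeKv2Mount()
    out["create"] = kv2_write(mount, "app/db", secret, rw)
    out["idempotent"] = kv2_write(mount, "app/db", secret, rw)  # no new version
    try:  # read-then-write is impossible for a write-only token ...
        kv2_write(mount, "app/db", secret, write_only)
        out["write_only_rw"] = "ok"
    except PermissionDenied:
        out["write_only_rw"] = "denied"
    # ... but a straight write works, at the price of a duplicate version
    out["write_only_direct"] = kv2_write(mount, "app/db", secret, write_only, read_before_write=False)
    out["patch"] = kv2_patch_rw(mount, "app/db", {"password": "r0tated", "user": None}, rw)
    out["after_patch"] = mount.read("app/db", rw)["data"]
    snapshot = mount.read("app/db", rw)  # stale cas: another writer lands in between
    mount.write("app/db", {"password": "other"}, rw)
    try:
        mount.write("app/db", snapshot["data"], rw, cas=snapshot["metadata"]["version"])
        out["stale_cas"] = "written"
    except CheckAndSetError:
        out["stale_cas"] = "rejected"
    strict = FakeKv2Mount(cas_required=True)  # straight write without cas is refused
    try:
        kv2_write(strict, "app/api", secret, rw, read_before_write=False)
        out["cas_required_direct"] = "written"
    except CheckAndSetError:
        out["cas_required_direct"] = "rejected"
    out["cas_required_rw"] = kv2_write(strict, "app/api", secret, rw)  # derives cas=0 on create
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The two points the thread circles around fall out directly: a token with only `create`/`update` on the data path can do the straight write but not the read-first variant, and on a `cas_required` mount the straight write has to carry an explicit `cas` while the read-first variant can derive it from the version it just read. The stale-cas case is why the rw patch pins the write to the version it read rather than writing blindly.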
Review threads on tests/integration/targets/module_vault_kv2_write/tasks/test.yml (outdated, resolved)
Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
btw if you want to accept multiple suggestions in one commit, you can do so by looking at the suggestions from the
3b3801a to 52ca283
52ca283 to d073d9e
ec9f375 to 1758879
I've added the
What would the
I wouldn't even mind another option, leaving patch functionality out together and waiting for a feature request to add it back in. That way we can get an actual use case for it (unless you have one).
Yeah, I'm on the fence about this one. On one hand, I can't think of a scenario off the top of my head where I'd like to control whether I'd like to write/patch dynamically (i.e. jinja2 template). On the other, write/patch seem closely related and many other Ansible modules group different functionality together (see
Review thread on tests/integration/targets/module_vault_kv2_write/tasks/cleanup.yml (outdated, resolved)
The implementation looks good thank you, I'm thinking about whether the option should have a slightly more specific name, like Other than that, I might want to make some changes to this depending on whether we keep patch mode or not, and depending on the other questions about patch implementation.
It would first try the
Sure, it's totally fine to leave out patch for now, and that puts aside a bunch of the open questions for the time being, and we can at least get the direct write functionality out the door. I'm not too worried about waiting for a feature request, I think it will be used if it's available, but I want to be respectful of your time and effort and if it's not functionality you need right now, it might not be worth the additional complication I'm adding to do it all at once. This will still be a very useful and welcome addition! So let me know what you think, if you'd like to get patch in at the same time, I'll put time into trying to resolve these questions to unblock you (and can add some commits myself as time allows to help it along). If you'd rather take it out for now and get this landed first, please go ahead with the necessary updates, and then I'll continue reviewing from there.
Yeah, if we opt not to include patch in this iteration, we can open a discussion about separating it or adding it in (though it can be difficult to get input).
I think
Since patch needs some more planning I'll take it out of this PR. We can always add it back in another PR.
Let me know what you want to rename
I think `read_before_write` is the better of the two since we may be creating a secret (so there isn't an "existing" one to read).
ok let's go with `read_before_write` then, or I'm open to other suggestions, let me know if you have other ideas too
Thanks for sticking with this it's looking really great!
@briantist I've applied the requested changes.
Thank you I'm AFK right now so I'll look later but before I forget, please add this module to the action group in runtime.yml
Hi sorry for the delay here. This looks great! I have two small suggested changes and then I think that's it; I've looked at it thoroughly and don't expect any more changes after that. Looking forward to getting this merged
@briantist changes applied!
@devon-mar thanks again for contributing this module! It has been released in
* Add `vault_kv2_write` module
* Cleanup documentation
* Update plugins/modules/vault_kv2_write.py
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Update plugins/modules/vault_kv2_write.py
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Update plugins/modules/vault_kv2_write.py
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Apply suggestions from code review
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Add test for create on cas_required mount
* Apply suggestions from code review
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Add permission to cas required path
* Catch `InvalidRequest`
* Fix error search
* Fix path
* Cleanup cas_required mount
* Add `read` option
* Apply suggestions from code review
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Move cleanup tasks into setup
* Remove patch
* Add more tests
* Use relative imports
* Rename `read` option to `read_before_write`
* Update examples
* Use port 8200 in examples
* Add `vault_kv2_write` to runtime.yml
* Update plugins/modules/vault_kv2_write.py
  Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
* Rename read to be consistent with option name
---------
Co-authored-by: Brian Scholer <1260690+briantist@users.noreply.github.com>
SUMMARY
Fixes #331
ISSUE TYPE
COMPONENT NAME
vault_kv2_write
ADDITIONAL INFORMATION