
Netbox secrets #48359

Open: wants to merge 8 commits into base branch devel
6 participants
ollybee commented Nov 8, 2018

SUMMARY

A lookup plugin to fetch secrets from Netbox
Fixes #48354

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

netbox-secrets

ANSIBLE VERSION
ansible 2.7.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/monitoring/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0]
ADDITIONAL INFORMATION
    - name: query  for Netbox secret
      debug: msg={{ lookup("netbox_secrets", netbox_host="https://netbox.hyperslice.net:443", private_key_file=".netbox-private-key.pem", token="<redacted>", device="someserver", secret_name="test_username")}}


~/ansible$ ansible-playbook lookup.yml -i ./netbox_inventory.yml --connection=local --limit someserver -vvvv
ansible-playbook 2.7.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/monitoring/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
/home/monitoring/ansible/netbox_inventory.yml did not meet host_list requirements, check plugin documentation if this is unexpected
/home/monitoring/ansible/netbox_inventory.yml did not meet virtualbox requirements, check plugin documentation if this is unexpected
Fetching: https://netboxdev.hyperslice.net/api/dcim/regions/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/tenancy/tenants/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/racks/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/sites/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/device-roles/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/device-types/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/manufacturers/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/devices/?limit=0&name=someserver
Fetching: https://netboxdev.hyperslice.net/api/virtualization/virtual-machines/?limit=0&name=someserver
Parsed /home/monitoring/ansible/netbox_inventory.yml inventory source with netbox plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: lookup.yml ********************************************************************************************************************************************************************************************************************************************************************************************************
1 plays in lookup.yml

PLAY [all] ******************************************************************************************************************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [query  for Netbox secret] *********************************************************************************************************************************************************************************************************************************************************************************************
task path: /home/monitoring/ansible/lookup.yml:8
fatal: [someserver]: FAILED! => {
    "msg": "lookup plugin (netbox_secrets) not found"
}
        to retry, use: --limit @/home/monitoring/ansible/lookup.retry

PLAY RECAP ******************************************************************************************************************************************************************************************************************************************************************************************************************
someserver                 : ok=0    changed=0    unreachable=0    failed=1

~/ansible$ ansible-playbook lookup.yml -i ./netbox_inventory.yml --connection=local --limit someserver -vvvv
ansible-playbook 2.7.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/monitoring/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
/home/monitoring/ansible/netbox_inventory.yml did not meet host_list requirements, check plugin documentation if this is unexpected
/home/monitoring/ansible/netbox_inventory.yml did not meet virtualbox requirements, check plugin documentation if this is unexpected
Fetching: https://netboxdev.hyperslice.net/api/dcim/sites/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/regions/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/tenancy/tenants/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/device-roles/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/device-types/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/racks/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/manufacturers/?limit=0
Fetching: https://netboxdev.hyperslice.net/api/dcim/devices/?limit=0&name=someserver
Fetching: https://netboxdev.hyperslice.net/api/virtualization/virtual-machines/?limit=0&name=someserver
Parsed /home/monitoring/ansible/netbox_inventory.yml inventory source with netbox plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: lookup.yml ********************************************************************************************************************************************************************************************************************************************************************************************************
1 plays in lookup.yml

PLAY [all] ******************************************************************************************************************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [query  for Netbox secret] *********************************************************************************************************************************************************************************************************************************************************************************************
task path: /home/monitoring/ansible/lookup.yml:8
ok: [someserver] => {
    "msg": "hunter2"
}
META: ran handlers
META: ran handlers

PLAY RECAP ******************************************************************************************************************************************************************************************************************************************************************************************************************
someserver                 : ok=1    changed=0    unreachable=0    failed=0


ollybee added some commits Nov 1, 2018

ansibot (Contributor) commented Nov 8, 2018

Hi @ollybee, thank you for submitting this pull-request!

ansibot (Contributor) commented Nov 8, 2018

The test ansible-test sanity --test pylint failed with 3 errors:

lib/ansible/plugins/lookup/netbox_secrets.py:78:51: bad-whitespace Exactly one space required after comma
        conn = nb.secrets.secrets.get(device=device,name=secret_name).plaintext
                                                   ^
lib/ansible/plugins/lookup/netbox_secrets.py:80:4: return-outside-function Return outside function
lib/ansible/plugins/lookup/netbox_secrets.py:80:11: undefined-variable Undefined variable 'conn'

The test ansible-test sanity --test pep8 failed with 3 errors:

lib/ansible/plugins/lookup/netbox_secrets.py:30:61: W291 trailing whitespace
lib/ansible/plugins/lookup/netbox_secrets.py:73:11: E121 continuation line under-indented for hanging indent
lib/ansible/plugins/lookup/netbox_secrets.py:78:52: E231 missing whitespace after ','

gundalow (Contributor) commented Nov 8, 2018

@ollybee Thank you for the PR, your first I believe. FYI, we have our first NetBox modules in review as well (#46936); we would welcome your feedback on them.

You can run test/runner/ansible-test sanity --test pylint from your Ansible checkout, which will help you resolve the issues above.

@FragmentedPacket I believe you've been looking at NetBox; would you be interested in taking a look at this?

FragmentedPacket (Contributor) commented Nov 13, 2018

@gundalow I can take a look. I don't use secrets, but I'm sure I can set up a test.

ollybee commented Nov 13, 2018

I used this today at work, but I'm not sure if it's the best approach; I would be interested in feedback. My use case was that we had credentials for the servers' out-of-band management system stored in Netbox; I used Ansible to look up those passwords and update an SNMP community string.

ansibot (Contributor) commented Nov 13, 2018

The test ansible-test sanity --test pep8 failed with 2 errors:

lib/ansible/plugins/lookup/netbox_secrets.py:30:61: W291 trailing whitespace
lib/ansible/plugins/lookup/netbox_secrets.py:35:161: E501 line too long (196 > 160 characters)

ansibot (Contributor) commented Nov 16, 2018

The test ansible-test sanity --test pep8 failed with 2 errors:

lib/ansible/plugins/lookup/netbox_secrets.py:30:61: W291 trailing whitespace
lib/ansible/plugins/lookup/netbox_secrets.py:35:161: E501 line too long (196 > 160 characters)

FragmentedPacket (Contributor) commented Nov 16, 2018

@ollybee I'm not sure I'd be the best resource for this, as it's not something we currently use. Your use case sounds fine. If you run your playbook using this lookup plugin with -vvvv, does the password show up? That would be my main concern with this: any sensitive info in cleartext.
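As an added example (editorial, not code from the PR or from any commenter): the lookup task from the PR description beside a variant that keeps the fetched secret out of the play output. With the `debug` form, the plaintext is the task result and is printed at normal verbosity, not only at -vvvv (the `"msg": "hunter2"` line in the run above shows exactly that). The variant fetches the secret into a fact under `no_log: true` and consumes it in a task that is also `no_log`. The vaulted variable `netbox_token`, the fact name `oob_password`, the use of `inventory_hostname` as the device, and the snmpd.conf path are assumptions for illustration; the plugin name and its parameters are those shown in the PR.

```yaml
# Added example, not code from the PR. Assumed for illustration: the vaulted
# variable `netbox_token`, the fact `oob_password`, and the snmpd.conf path.
- hosts: all
  vars:
    netbox_host: "https://netbox.hyperslice.net:443"
    netbox_key: ".netbox-private-key.pem"
  tasks:
    # Weak form (as in the PR description): the returned plaintext is the task
    # result and is shown in the play output at any verbosity. Kept here only
    # to contrast with the hardened form below.
    - name: query for Netbox secret (prints the secret)
      debug:
        msg: "{{ lookup('netbox_secrets', netbox_host=netbox_host, private_key_file=netbox_key,
                        token=netbox_token, device=inventory_hostname, secret_name='test_username') }}"

    # Hardened form: fetch once into a fact with no_log so that neither the
    # token in the task arguments nor the returned plaintext is displayed.
    - name: fetch OOB credential from Netbox
      set_fact:
        oob_password: "{{ lookup('netbox_secrets', netbox_host=netbox_host, private_key_file=netbox_key,
                                 token=netbox_token, device=inventory_hostname, secret_name='test_username') }}"
      no_log: true

    # Every task that consumes the fact must also be no_log, otherwise the
    # rendered line (and therefore the secret) appears in its result.
    - name: set SNMP community from the Netbox secret
      lineinfile:
        path: /etc/snmp/snmpd.conf
        regexp: '^rocommunity '
        line: "rocommunity {{ oob_password }}"
      no_log: true
```

`no_log` censors the task's arguments and result in the callback output; it does not censor anything the lookup plugin itself writes through `display`, so the plugin must never emit the plaintext or the token in its own verbose messages. Reading the token from a vaulted variable rather than a literal, as the PR's task does, also keeps it out of the playbook source and out of version control.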

ansibot added the stale_ci label Nov 24, 2018
