Vh0dZdZdZddlZ ddlZddlmZddlm Z ddl m Z ddl m Z dd l mZdd lmZdd lmZd ZGd deZy#e$rY@wxYw)a name: secretsmanager_secret author: - Aaron Smith (!UNKNOWN) short_description: Look up secrets stored in AWS Secrets Manager description: - Look up secrets stored in AWS Secrets Manager provided the caller has the appropriate permissions to read the secret. - Lookup is based on the secret's I(Name) value. - Optional parameters can be passed into this lookup; O(version_id) and O(version_stage). - Prior to release 6.0.0 this module was known as C(aws_ssm), the usage remains the same. options: _terms: description: Name of the secret to look up in AWS Secrets Manager. required: true bypath: description: A boolean to indicate whether the parameter is provided as a hierarchy. default: false type: bool version_added: 1.4.0 nested: description: A boolean to indicate the secret contains nested values. type: bool default: false version_added: 1.4.0 version_id: description: Version of the secret(s). required: false version_stage: description: Stage of the secret version. required: false join: description: - Join two or more entries to form an extended secret. - This is useful for overcoming the 4096 character limit imposed by AWS. - No effect when used with O(bypath). type: bool default: false on_deleted: description: - Action to take if the secret has been marked for deletion. - V(error) will raise a fatal error when the secret has been marked for deletion. - V(skip) will silently ignore the deleted secret. - V(warn) will skip over the deleted secret but issue a warning. default: "error" type: str choices: ["error", "skip", "warn"] version_added: 2.0.0 on_missing: description: - Action to take if the secret is missing. - C(error) will raise a fatal error when the secret is missing. - C(skip) will silently ignore the missing secret. - C(warn) will skip over the missing secret but issue a warning. default: "error" type: str choices: ["error", "skip", "warn"] on_denied: description: - Action to take if access to the secret is denied. - C(error) will raise a fatal error when access to the secret is denied. - C(skip) will silently ignore the denied secret. - C(warn) will skip over the denied secret but issue a warning. default: "error" type: str choices: ["error", "skip", "warn"] extends_documentation_fragment: - amazon.aws.boto3 - amazon.aws.common.plugins - amazon.aws.region.plugins aU - name: Lookup secretsmanager secret in the current region ansible.builtin.debug: msg="{{ lookup('amazon.aws.aws_secret', '/path/to/secrets', bypath=true) }}" - name: Create RDS instance with aws_secret lookup for password param amazon.aws.rds_instance: state: present db_instance_identifier: app-db engine: mysql instance_type: db.m1.small username: dbadmin password: "{{ lookup('amazon.aws.aws_secret', 'DbSecret') }}" tags: Environment: staging - name: Skip if secret does not exist ansible.builtin.debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-not-exist', on_missing='skip')}}" - name: Warn if access to the secret is denied ansible.builtin.debug: msg="{{ lookup('amazon.aws.aws_secret', 'secret-denied', on_denied='warn')}}" - name: Lookup secretsmanager secret in the current region using the nested feature ansible.builtin.debug: msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', nested=true) }}" # The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`. # If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`. - name: Lookup secretsmanager secret in a specific region using specified region and aws profile using nested feature ansible.builtin.debug: > msg="{{ lookup('amazon.aws.aws_secret', 'secrets.environments.production.password', region=region, profile=aws_profile, access_key=aws_access_key, secret_key=aws_secret_key, nested=true) }}" # The secret can be queried using the following syntax: `aws_secret_object_name.key1.key2.key3`. # If an object is of the form `{"key1":{"key2":{"key3":1}}}` the query would return the value `1`. # Region is the AWS region where the AWS secret is stored. # AWS_profile is the aws profile to use, that has access to the AWS secret. zU _raw: description: Returns the value of the secret stored in AWS Secrets Manager. N)AnsibleLookupError) to_native) string_types)is_boto3_error_code)is_boto3_error_message)AWSRetry) AWSLookupBasecR|jd}|jd|gdgS)N list_secretsname)KeyValues)Filters) get_paginatorpaginate)clientterm paginators s/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/amazon/aws/plugins/lookup/secretsmanager_secret.py _list_secretsrs0$$^4I   v$'H&I  JJc2eZdZfdZ ddZxZS) LookupModulec t|||fi||jd}|jd}|jd}|0t|tr|j dvrt d||0t|tr|j dvrt d||0t|tr|j dvrt d||jd tj}|jd r[i}|D]R} t|| D]=} d | vs| d D].} |j| d |j| d ||| i0?|g}T|Sg}|D]\} |j| ||jd|jd||||jd} | sL|j%| ^|jdr$g}|j%dj'||S|S#tjjtjj f$r} t dt#| d} ~ wwxYw)a :arg terms: a list of lookups to run. e.g. ['example_secret_name', 'example_secret_too' ] :variables: ansible variables active at the time of the lookup :returns: A list of parameter values or a list of dictionaries if bypath=True. on_missing on_denied on_deletedN)errorwarnskipzH"on_missing" must be a string and one of "error", "warn" or "skip", not zG"on_denied" must be a string and one of "error", "warn" or "skip", not zH"on_deleted" must be a string and one of "error", "warn" or "skip", not secretsmanagerbypath SecretListName)rrFailed to retrieve secret: version_stage version_idnested)r&r'rrrr(join)superrun get_option isinstancerlowerrrrjittered_backoffrupdateget_secret_valuebotocore exceptions ClientError BotoCoreErrorrappendr))selfterms variableskwargsrrrrsecretsrsecret_wrapper secret_objevalue joined_secret __class__s rr,zLookupModule.runs  E9//__\2 OOK0 __\2   !:|4 8H8H8JRk8k$Z[eZfg   9l3y7HPi7i$YZcYde   !:|4 8H8H8JRk8k$Z[eZfg -x/H/H/JK ??8 $G [[*7*E "'>9.<\.J" '(26(:DS]ir=R=*%&!"" " 'iG [H'G *--"&///"B#|<)')??84. NN5) *v& " $$RWWW%56$$-!++779L9L9Z9Z[[,/J9UV<.-YZZ[sH-;H7I=IIc i} || d<|r|| d<|r|| d<|rAt|jddkr td|jdd} | | d< |jddd i| } d | vr| d Sd | vr|r|jdd d} d} t j | d }|}| rc| j d}| s|n| dz|z} ||vr||}n9|d k(r |jjd| dy|dk(rtd| d| rct|S| d S y#td$r:|dk(rtd|d|d k(r|jjd|Yytd$r:|dk(rtd|d|d k(r|jjd|Yytd$r:|dk(rtd|d|d k(r|jjd|Yytjjtjjf$r}tdt!|d}~wwxYw)NSecretId VersionId VersionStage.zRNested query must use the following syntax: `aws_secret_name..r aws_retryT SecretBinary SecretStringrz@Skipping, Successfully retrieved secret but there exists no key z in the secretrz6Successfully retrieved secret but there exists no key zmarked for deletionzFailed to find secret z (marked for deletion)z4Skipping, did not find secret (marked for deletion) ResourceNotFoundExceptionz (ResourceNotFound)zSkipping, did not find secret AccessDeniedExceptionzFailed to access secret z (AccessDenied)z#Skipping, access denied for secret r%)lensplitrr2jsonloadspop_displaywarningstrrrr3r4r5r6r)r8rrr&r'rrrr(params secret_nameresponsequerypath secret_stringret_valkeyr?s rr2zLookupModule.get_secret_values!z ",F;  %2F> " 4::c?#a'(h**S/!,K!,F: . S.v..HHHH)//) JJsOAB/ED$(JJx/G$HM+G#iil*.sD3J4D'>&-clG'61 MM11"bcgbhhv w$('72"4"XY]X^^l m# w<'#N33-*X+&&;< eW$(+A$G])^__v% %%(\]a\b&cd"!##>? OW$(+A$GZ)[\\v% %%(Ftf&MN##:; TG#(+CD6)YZZf$ %%(KD6&RS    + +    - -  S%'B9Q<.%QR R  SsFD$7BD$;D$ D$D$$AI +AI 1AI 76I -II )NNNNNF)__name__ __module__ __qualname__r,r2 __classcell__)rBs@rrrs$J`Irr) DOCUMENTATIONEXAMPLESRETURNrRr3 ImportErroransible.errorsransible.module_utils._textransible.module_utils.sixrrnsi H T! F    .01\_PTK V=V%  sA AA