From 033d3d637136d3dc03804c6578308c8fb5546616 Mon Sep 17 00:00:00 2001
From: aleidk
Date: Wed, 28 May 2025 16:21:12 -0400
Subject: [PATCH] feat: add rbw plugin for secret management

---
 .justfile | 4 ---
 ansible.cfg | 4 +--
 lookup_plugins/rbw.py | 50 ++++++++++++++++++++++++++++++++++++
 playbooks/initial-setup.yaml | 8 ++++++
 4 files changed, 60 insertions(+), 6 deletions(-)
 create mode 100644 lookup_plugins/rbw.py
 create mode 100644 playbooks/initial-setup.yaml

diff --git a/.justfile b/.justfile
index 62409ff..9a9a9d2 100644
--- a/.justfile
+++ b/.justfile
@@ -1,10 +1,6 @@
 # Repo management tasks
-mod repo '.devfiles/justfile'
 set dotenv-load := true
-export ANSIBLE_VAULT_PASSWORD_FILE := justfile_directory() + "/.decrypt-pass.txt"
-export ANSIBLE_BECOME_PASSWORD_FILE := justfile_directory() + "/.become-pass.txt"
-
 # Debug output, disabled in CI
 export ANSIBLE_DISPLAY_ARGS_TO_STDOUT := if env('CI', '') == 'true' { 'false' } else { 'true' }
diff --git a/ansible.cfg b/ansible.cfg
index c45dec5..6f1c6a8 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -170,7 +170,7 @@ inventory=/etc/ansible/hosts,./hosts/inventory.yaml
 ;log_path=
 # (pathspec) Colon separated paths in which Ansible will search for Lookup Plugins.
-;lookup_plugins=/home/aleidk/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup
+lookup_plugins=/home/aleidk/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup:./lookup_plugins/
 # (string) Sets the macro for the 'ansible_managed' variable available for :ref:`ansible_collections.ansible.builtin.template_module` and :ref:`ansible_collections.ansible.windows.win_template_module`. This is only relevant for those two modules.
 ;ansible_managed=Ansible managed
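Review bot: The new `lookup_plugins` line keeps the absolute `/home/aleidk/.ansible/plugins/lookup` entry, so the committed ansible.cfg only works for that one account; on CI (which the justfile in this patch clearly targets) or for any other user the first search path silently does not exist. Ansible expands `~` in pathspec settings, so `lookup_plugins=~/.ansible/plugins/lookup:/usr/share/ansible/plugins/lookup:./lookup_plugins/` keeps the same search order for the author and stays portable. The appended `./lookup_plugins/` is what actually makes the new plugin load, because the default per-playbook `lookup_plugins` directory would be resolved next to `playbooks/`, not at the repo root; a one-line comment above the setting saying so would save the next reader a trip through the plugin-loader docs.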
@@ -185,7 +185,7 @@ inventory=/etc/ansible/hosts,./hosts/inventory.yaml
 ;module_name=command
 # (pathspec) Colon separated paths in which Ansible will search for Modules.
-;library=/home/aleidk/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
+# library=/home/aleidk/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./modules
 # (pathspec) Colon separated paths in which Ansible will search for Module utils files, which are shared by modules.
 ;module_utils=/home/aleidk/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
diff --git a/lookup_plugins/rbw.py b/lookup_plugins/rbw.py
new file mode 100644
index 0000000..55c59d4
--- /dev/null
+++ b/lookup_plugins/rbw.py
@@ -0,0 +1,50 @@
+# python 3 headers, required if submitting to Ansible +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +import json +import subprocess + +from ansible.errors import AnsibleError, AnsibleParserError +from ansible.plugins.lookup import LookupBase +from ansible.utils.display import Display +from jinja2 import Environment + +DOCUMENTATION = r""" + name: rbw + short_description: get secrets using rbw + options: + _terms: + description: Name of the secret to get + required: True +""" + +display = Display() + + +def rbw(name: str): + sub = subprocess.run(["rbw", "get", name, "--raw"], capture_output=True) + + secret = json.loads(sub.stdout) + + display.debug(f'Obtaining data for "{secret["name"]}"') + + return secret + + +class LookupModule(LookupBase): + def run(self, terms, variables=None, **kwargs): + # First of all populate options, + # this will already take into account env vars and ini config + self.set_options(var_options=variables, direct=kwargs) + + # lookups in general are expected to both take a list as input and output a list + # this is done so they work with the looping construct 'with_'. + ret = [] + for term in terms: + secret = rbw(term) + + ret.append(secret) + + return ret 
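Review bot: The `subprocess.run` result in `rbw()` is used without checking its exit status, so a failed `rbw get` (locked vault, unknown entry name, or a missing binary, which raises `FileNotFoundError` directly from `subprocess.run`) reaches `json.loads(sub.stdout)` with empty output and surfaces as a `JSONDecodeError`, while the stderr that explains the failure has been captured and thrown away. Passing `check=True` and translating `CalledProcessError`, `FileNotFoundError` and `JSONDecodeError` into `AnsibleError` carrying the stderr text gives the playbook author an actionable message; `AnsibleError` is already imported, whereas `AnsibleParserError` and `jinja2.Environment` are imported and never used. Separately, `--raw` returns the whole vault entry and `run()` hands it back unfiltered — the only visible caller reads `data.public_key`, but every other field of the entry (presumably including the password) travels with it into play variables and verbose output, so the docstring should say the result must be treated as sensitive, or the plugin should accept an optional field to return. The `display.debug` call also assumes the parsed JSON is an object with a `name` key; that is true of the one entry the playbook uses, but the guard below makes the assumption fail loudly rather than with a `KeyError`.

```python
def rbw(name: str):
    """Return the rbw vault entry *name* as parsed from `rbw get --raw`.

    Raises AnsibleError when the rbw binary is missing, rbw exits non-zero,
    or its output is not a JSON object. The full entry is returned, so the
    caller must treat the result as sensitive.
    """
    try:
        sub = subprocess.run(
            ["rbw", "get", name, "--raw"], capture_output=True, check=True
        )
    except FileNotFoundError as exc:
        raise AnsibleError("rbw binary not found on the controller") from exc
    except subprocess.CalledProcessError as exc:
        stderr = exc.stderr.decode(errors="replace").strip()
        raise AnsibleError(f"rbw get {name!r} failed: {stderr}") from exc

    try:
        secret = json.loads(sub.stdout)
    except json.JSONDecodeError as exc:
        raise AnsibleError(f"rbw get {name!r} returned non-JSON output") from exc
    if not isinstance(secret, dict):
        raise AnsibleError(f"rbw get {name!r} did not return a JSON object")

    display.debug(f'Obtaining data for "{secret.get("name", name)}"')
    return secret

# … unchanged: LookupModule …
```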
diff --git a/playbooks/initial-setup.yaml b/playbooks/initial-setup.yaml
new file mode 100644
index 0000000..a5d9bb6
--- /dev/null
+++ b/playbooks/initial-setup.yaml
@@ -0,0 +1,8 @@
+--- +- hosts: localhost + vars: + secret: "{{ lookup('rbw', 'Work Laptop') }}" + tasks: + + - debug: + msg: the value of the secret is {{ secret.data.public_key }}
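Review bot: The `secret` play var is bound to the entire rbw entry returned by the lookup although the only task reads `secret.data.public_key`; any later task that takes `secret` as an argument will carry the remaining fields of the entry (presumably including the password) into its arguments, and the `.justfile` in this same patch enables `ANSIBLE_DISPLAY_ARGS_TO_STDOUT` outside CI, which echoes task arguments to the terminal. Narrowing the var to what the play needs, `public_key: "{{ lookup('rbw', 'Work Laptop').data.public_key }}"`, keeps the sensitive fields out of the play's variable space; a task that genuinely needs the whole entry should carry `no_log: true`. Play vars are templated lazily, so the `rbw get` subprocess is likely re-run on every reference to the var — harmless for one debug task, but worth a comment before the var is used in a loop.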