From 52b5ba1f36a6e747e2d59ab583e76d09c19d4764 Mon Sep 17 00:00:00 2001
From: Alex Stephen
Date: Wed, 6 Mar 2019 14:02:48 -0800
Subject: [PATCH] Ansible - allowing for creds to be passed in as string/env var (#1458)
Merged PR #1458.
---
build/ansible | 2 +-
build/inspec | 2 +-
build/terraform | 2 +-
build/terraform-beta | 2 +-
build/terraform-mapper | 2 +-
provider/ansible/gcp_doc_frag.py | 11 +++++++++--
provider/ansible/gcp_utils.py | 15 ++++++++++++---
7 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/build/ansible b/build/ansible
index 8e959e032599..117c0a6e0204 160000
--- a/build/ansible
+++ b/build/ansible
@@ -1 +1 @@
-Subproject commit 8e959e032599ceade785032a52f7d019db1db885
+Subproject commit 117c0a6e020412ac0d687d63ce73d95648bad6d3
diff --git a/build/inspec b/build/inspec
index bee2f0afeb20..21720daee96c 160000
--- a/build/inspec
+++ b/build/inspec
@@ -1 +1 @@
-Subproject commit bee2f0afeb2054f844627ddc3951ea196234481f
+Subproject commit 21720daee96c04acfc4275879a69e9819abf3b36
diff --git a/build/terraform b/build/terraform
index 92dff97bbc2a..03f8e667be1b 160000
--- a/build/terraform
+++ b/build/terraform
@@ -1 +1 @@
-Subproject commit 92dff97bbc2a661b8903379db7b397cbac07f1e1
+Subproject commit 03f8e667be1b91915d680ed7c585c80e4e851ec0
diff --git a/build/terraform-beta b/build/terraform-beta
index 333524cf0e51..66f6b0a1d324 160000
--- a/build/terraform-beta
+++ b/build/terraform-beta
@@ -1 +1 @@
-Subproject commit 333524cf0e5115507e62e15cea322b5a851230fb
+Subproject commit 66f6b0a1d324de69fdcb6d8541ff9abdd471ce84
diff --git a/build/terraform-mapper b/build/terraform-mapper
index de4d85cebf21..deab6bbedd9d 160000
--- a/build/terraform-mapper
+++ b/build/terraform-mapper
@@ -1 +1 @@
-Subproject commit de4d85cebf2144793a88b3edfb867bfa82d17008
+Subproject commit deab6bbedd9df3ac06bd8344d6fc4afc530a39fe
diff --git a/provider/ansible/gcp_doc_frag.py b/provider/ansible/gcp_doc_frag.py
index e736e5d4de78..c096a5fc7e25 100644
--- a/provider/ansible/gcp_doc_frag.py
+++ b/provider/ansible/gcp_doc_frag.py
@@ -18,6 +18,11 @@ class ModuleDocFragment(object):
service_account_file:
description:
- The path of a Service Account JSON file if serviceaccount is selected as type.
+ service_account_contents:
+ description:
+ - A string representing the contents of a Service Account JSON file.
+ - This should not be passed in as a dictionary, but a string has the exact contents of a service account json file (valid JSON).
service_account_email:
description:
- An optional service account email address if machineaccount is selected
@@ -26,8 +31,10 @@ class ModuleDocFragment(object):
description:
- Array of scopes to be used.
notes:
- - For authentication, you can set service_account_file using the
- C(GCP_SERVICE_ACCOUNT_FILE) env variable.
+ - for authentication, you can set service_account_file using the
+ c(gcp_service_account_file) env variable.
+ - for authentication, you can set service_account_contents using the
+ c(GCP_SERVICE_ACCOUNT_CONTENTS) env variable.
- For authentication, you can set service_account_email using the
C(GCP_SERVICE_ACCOUNT_EMAIL) env variable.
- For authentication, you can set auth_kind using the C(GCP_AUTH_KIND) env
diff --git a/provider/ansible/gcp_utils.py b/provider/ansible/gcp_utils.py
index 15c27e388197..0a89db410087 100644
--- a/provider/ansible/gcp_utils.py
+++ b/provider/ansible/gcp_utils.py
@@ -21,6 +21,7 @@ from ansible.module_utils._text import to_text
import ast
import os
+import json
def navigate_hash(source, path, default=None):
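Review bot: The second bullet of the new `service_account_contents` description reads `but a string has the exact contents`, which is missing a word; `- This should not be passed in as a dictionary, but a string that has` reads correctly. Since the value is the whole service account JSON, which carries the account's private key, the description would also help users by saying that it should be supplied from a vault or the `GCP_SERVICE_ACCOUNT_CONTENTS` environment variable rather than written into a plain-text playbook.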
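Review bot: The rewritten `service_account_file` note downcases both the markup macro and the variable name to `c(gcp_service_account_file)`; Ansible's formatting macro is `C(...)` and the variable read by the `env_fallback` in gcp_utils.py is `GCP_SERVICE_ACCOUNT_FILE`, so the rendered docs will show an unrendered macro and a name that does not work. The new `service_account_contents` bullet also starts with lower-case `for`, unlike the surrounding bullets. Restoring `- For authentication, you can set service_account_file using the` / `C(GCP_SERVICE_ACCOUNT_FILE) env variable.` and capitalising the new bullet's `For` keeps the list consistent.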
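Review bot: `import json` is appended after `import os`, which breaks the alphabetical order of the small stdlib group that `import ast` and `import os` currently follow. Placing it between them, `import ast` / `import json` / `import os`, keeps the group sorted.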
@@ -143,7 +144,8 @@ def _validate(self):
msg="Service Account Email only works with Machine Account-based authentication"
)
- if self.module.params.get('service_account_file') is not None and self.module.params['auth_kind'] != 'serviceaccount':
+ if (self.module.params.get('service_account_file') is not None or
+ self.module.params.get('service_account_contents') is not None) and self.module.params['auth_kind'] != 'serviceaccount':
self.module.fail_json(
msg="Service Account File only works with Service Account-based authentication"
)
@@ -153,9 +155,12 @@ def _credentials(self):
if cred_type == 'application':
credentials, project_id = google.auth.default(scopes=self.module.params['scopes'])
return credentials
- elif cred_type == 'serviceaccount':
+ elif cred_type == 'serviceaccount' and self.module.params.get('service_account_file'):
path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file']))
return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes'])
+ elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'):
+ cred = json.loads(self.module.params.get('service_account_contents'))
+ return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes'])
elif cred_type == 'machineaccount':
return google.auth.compute_engine.Credentials(
self.module.params['service_account_email'])
@@ -199,6 +204,10 @@ def __init__(self, *args, **kwargs):
required=False,
fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_FILE']),
type='path'),
+ service_account_contents=dict(
+ required=False,
+ fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_CONTENTS']),
+ type='str'),
scopes=dict(
required=False,
fallback=(env_fallback, ['GCP_SCOPES']),
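Review bot: The `fail_json` message under the widened condition still says `Service Account File only works with Service Account-based authentication`, so a user who set only `service_account_contents` (or only `GCP_SERVICE_ACCOUNT_CONTENTS`) is told about a parameter they never used; `msg="Service Account File / Contents only works with Service Account-based authentication"` names both inputs. The validation also still accepts `auth_kind: serviceaccount` with neither parameter set, a case that now falls through the `elif` chain in `_credentials` instead of failing loudly; a check such as `if self.module.params['auth_kind'] == 'serviceaccount' and not (self.module.params.get('service_account_file') or self.module.params.get('service_account_contents')):` followed by `self.module.fail_json(msg="Service Account-based authentication requires service_account_file or service_account_contents")` would reject it here with a clear message. `_validate` starts outside the hunk.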
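Review bot: `json.loads(...)` in the new `service_account_contents` branch has no error handling, so a malformed value (easy to produce when the JSON travels through an environment variable and loses quoting or newlines) surfaces as an uncaught `ValueError` traceback rather than a module failure. Wrapping it as `try: cred = json.loads(self.module.params['service_account_contents'])` / `except ValueError as e: self.module.fail_json(msg="service_account_contents is not valid JSON: %s" % to_text(e))` keeps the failure path consistent with the rest of the module; `from_service_account_info` also raises `ValueError` when required keys are missing and deserves the same treatment. The branch ordering means `service_account_file` is silently preferred when both parameters are present, which is only acceptable as long as the mutual-exclusion declared in `__init__` is actually enforced. `_credentials` starts and ends outside the hunk.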
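Review bot: The new `service_account_contents` argument is declared without `no_log=True`, yet its value is the full service account JSON including the private key; Ansible echoes module arguments in `-vvv` output and in the `invocation` section of the result unless they are marked `no_log`, so the key would be written to logs and console in clear. Declaring it as `service_account_contents=dict(required=False, fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_CONTENTS']), type='str', no_log=True),` makes Ansible redact it. `service_account_file` holds only a path and does not need the same treatment. `__init__` starts and ends outside the hunk.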
@@ -211,7 +220,7 @@ def __init__(self, *args, **kwargs):
mutual = kwargs['mutually_exclusive']
kwargs['mutually_exclusive'] = mutual.append(
- ['service_account_email', 'service_account_file']
+ ['service_account_email', 'service_account_file', 'service_account_contents']
)
AnsibleModule.__init__(self, *args, **kwargs)
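Review bot: `kwargs['mutually_exclusive'] = mutual.append(...)` stores the return value of `list.append`, which is always `None`, so the exclusion group this hunk extends with `service_account_contents` is appended to `mutual` and then dropped from `kwargs`; `AnsibleModule.__init__` receives `mutually_exclusive=None` and enforces nothing, which means a play that sets both `service_account_file` and `service_account_contents` is accepted and `_credentials` silently prefers the file. The bug predates this commit but it defeats the exact constraint the commit relies on. Replacing the two lines with `mutual.append(['service_account_email', 'service_account_file', 'service_account_contents'])` and `kwargs['mutually_exclusive'] = mutual` fixes it. `__init__` starts outside the hunk.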