secretsmanager_secret module should not overwrite an existing Secret #1626

brsolomon-deloitte · 2022-12-21T18:38:39Z

Summary

The community.aws.secretsmanager_secret module currently offers no option to not overwrite a Secret if it exists with the same name but a different value. This forces the user to first try to check if the Secret exists and then skip the task if it does. It will simply call secrets_mgr.update_secret(secret) and overwrite the existing one. If the intended Secret value itself is, for example, a random password, the option to only lookup that the Secret exists (but not that its values match) would be a nice feature.

Relevant code:

community.aws/plugins/modules/secretsmanager_secret.py

Line 479 in 99978ef

if state == 'present':

Issue Type

Feature Idea

Component Name

secretsmanager_secret

Additional Information

- name: Try to retrive existing elastic secrets from AWS Secrets Manager
  ansible.builtin.set_fact:
    elastic_user_password: "{{ lookup('amazon.aws.aws_secret', clustername + '/' + elastic_namespace + '.elastic-user-password', nested=true, region=region, on_missing='error') }}"
    kibana_client_secret: "{{ lookup('amazon.aws.aws_secret', clustername + '/' + elastic_namespace + '.keycloak-secret', nested=true, region=region, on_missing='error') }}"
  register: secrets_found
  ignore_errors: true

- name: Create elastic user password and Keycloak AWS secrets if necessary
  community.aws.secretsmanager_secret:
    name: "{{ clustername }}/{{ elastic_namespace }}"
    description: Elastic secrets for {{ elastic_namespace }}
    state: present
    secret_type: "string"
    json_secret: {
      "elastic-user-password": "{{ lookup('community.general.random_string', length=16, special=false) }}",
      "keycloak-secret": "{{ lookup('community.general.random_string', length=16, special=false) }}"
    }
    region: "{{ region }}"
  when: secrets_found is failed

Code of Conduct

I agree to follow the Ansible Code of Conduct

The text was updated successfully, but these errors were encountered:

ansibullbot · 2022-12-21T18:49:27Z

Files identified in the description:

[lib/ansible/plugins/lookup](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/lib/ansible/plugins/lookup)
[plugins/modules/secretsmanager_secret.py](https://github.com/['ansible-collections/amazon.aws', 'ansible-collections/community.aws', 'ansible-collections/community.vmware']/blob/main/plugins/modules/secretsmanager_secret.py)

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot · 2022-12-21T18:49:30Z

cc @jillr @markuman @rrey @s-hertel @tremble
click here for bot help

Adds an 'overwrite' parameter - If set to True, an existing secret with the same name will be overwritten. - If set to False, a secret with the given name will only be created if none exists. Closes ansible-collections#1626 Signed-off-by: Brad Solomon <[email protected]>

secretsmanager_secret: add 'overwrite' parameter SUMMARY Adds an 'overwrite' parameter to secretsmanager_secret - If set to True, an existing secret with the same name will be overwritten. - If set to False, a secret with the given name will only be created if none exists. Fixes #1626 ISSUE TYPE Feature Pull Request COMPONENT NAME secretsmanager_secret ADDITIONAL INFORMATION Reviewed-by: Mark Chappell <None> Reviewed-by: Markus Bergholz <[email protected]>

secretsmanager_secret: add 'overwrite' parameter SUMMARY Adds an 'overwrite' parameter to secretsmanager_secret - If set to True, an existing secret with the same name will be overwritten. - If set to False, a secret with the given name will only be created if none exists. Fixes #1626 ISSUE TYPE Feature Pull Request COMPONENT NAME secretsmanager_secret ADDITIONAL INFORMATION Reviewed-by: Mark Chappell <None> Reviewed-by: Markus Bergholz <[email protected]> (cherry picked from commit 4bfcb0c)

[PR #1628/4bfcb0c8 backport][stable-5] secretsmanager_secret: add 'overwrite' parameter This is a backport of PR #1628 as merged into main (4bfcb0c). SUMMARY Adds an 'overwrite' parameter to secretsmanager_secret - If set to True, an existing secret with the same name will be overwritten. - If set to False, a secret with the given name will only be created if none exists. Fixes #1626 ISSUE TYPE Feature Pull Request COMPONENT NAME secretsmanager_secret ADDITIONAL INFORMATION Reviewed-by: Mark Chappell <None>

ansibullbot added feature This issue/PR relates to a feature request module module needs_triage plugins plugin (any type) labels Dec 21, 2022

brsolomon-deloitte mentioned this issue Dec 21, 2022

secretsmanager_secret: add 'overwrite' parameter #1628

Merged

alinabuzachis added has_pr and removed needs_triage labels Feb 2, 2023

softwarefactory-project-zuul bot closed this as completed in #1628 Feb 8, 2023

patchback bot mentioned this issue Feb 8, 2023

[PR #1628/4bfcb0c8 backport][stable-5] secretsmanager_secret: add 'overwrite' parameter #1715

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

secretsmanager_secret module should not overwrite an existing Secret #1626

secretsmanager_secret module should not overwrite an existing Secret #1626

brsolomon-deloitte commented Dec 21, 2022

ansibullbot commented Dec 21, 2022

ansibullbot commented Dec 21, 2022

secretsmanager_secret module should not overwrite an existing Secret #1626

secretsmanager_secret module should not overwrite an existing Secret #1626

Comments

brsolomon-deloitte commented Dec 21, 2022

Summary

Issue Type

Component Name

Additional Information

Code of Conduct

ansibullbot commented Dec 21, 2022

ansibullbot commented Dec 21, 2022