@ -3,18 +3,31 @@
block:
block:
- name : 'Fetch secrets using "hashi_vault" lookup'
- name : 'Fetch secrets using "hashi_vault" lookup'
set_fact:
set_fact:
secret1 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
gen_secret1 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
secret2 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret2 token=' ~ user_token) }}"
gen_secret2 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret2 token=' ~ user_token) }}"
secret3 : "{{ lookup('hashi_vault', conn_params ~ ' secret=' ~ vault_base_path ~ '/secret2 token=' ~ user_token) }}"
kv1_secret1 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
kv1_secret2 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret2 token=' ~ user_token) }}"
kv2_secret1 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
kv2_secret2 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 token=' ~ user_token) }}"
- name : 'Check secret values'
- name : 'Check secret generic values'
fail:
fail:
msg : 'unexpected secret values'
msg : 'unexpected secret values'
when : secret1['data']['value'] != 'foo1' or secret2['data']['value'] != 'foo2' or secret3['data']['value'] != 'foo2'
when : gen_secret1['value'] != 'foo1' or gen_secret2['value'] != 'foo2'
- name : 'Check secret kv1 values'
fail:
msg : 'unexpected secret values'
when : kv1_secret1['value'] != 'foo1' or kv1_secret2['value'] != 'foo2'
- name : 'Check secret kv2 values'
fail:
msg : 'unexpected secret values'
when : kv2_secret1['value'] != 'foo1' or kv2_secret2['value'] != 'foo2'
- name : 'Failure expected when erroneous credentials are used'
- name : 'Failure expected when erroneous credentials are used'
vars:
vars:
secret_wrong_cred : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_base_path ~ '/secret2 auth_method=token token=wrong_token') }}"
secret_wrong_cred : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_ kv2 _path ~ '/secret2 auth_method=token token=wrong_token') }}"
debug:
debug:
msg : 'Failure is expected ({{ secret_wrong_cred }})'
msg : 'Failure is expected ({{ secret_wrong_cred }})'
register : test_wrong_cred
register : test_wrong_cred
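Review bot: The new `set_fact` lookups are inconsistent about `auth_method=token`: `gen_secret1`, `kv1_secret1` and `kv2_secret1` pass it explicitly while the three `*_secret2` lookups omit it, so those second lookups only succeed if the plugin's default auth method happens to be token; either pass it on all six or drop it from all, e.g. `gen_secret2 : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret2 auth_method=token token=' ~ user_token) }}"`. The removed `secret3` case exercised a parameter string with a leading space (`conn_params ~ ' secret='`), and none of the new lookups carries that variant, so that parsing path is no longer covered — presumably intentional, but worth stating in the commit message. The three `fail` checks share the message `'unexpected secret values'`; naming the path family in each (e.g. `msg : 'unexpected kv2 secret values'`) would make a failing run easier to attribute. The enclosing `block:` starts before the hunk and the task list continues after `register : test_wrong_cred`.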
@ -22,7 +35,7 @@
- name : 'Failure expected when unauthorized secret is read'
- name : 'Failure expected when unauthorized secret is read'
vars:
vars:
secret_unauthorized : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_ base _path ~ '/secret3 token=' ~ user_token) }}"
secret_unauthorized : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_ kv2 _path ~ '/secret3 token=' ~ user_token) }}"
debug:
debug:
msg : 'Failure is expected ({{ secret_unauthorized }})'
msg : 'Failure is expected ({{ secret_unauthorized }})'
register : test_unauthorized
register : test_unauthorized
@ -30,7 +43,7 @@
- name : 'Failure expected when inexistent secret is read'
- name : 'Failure expected when inexistent secret is read'
vars:
vars:
secret_inexistent : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_ base _path ~ '/secret4 token=' ~ user_token) }}"
secret_inexistent : "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_ kv2 _path ~ '/secret4 token=' ~ user_token) }}"
debug:
debug:
msg : 'Failure is expected ({{ secret_inexistent }})'
msg : 'Failure is expected ({{ secret_inexistent }})'
register : test_inexistent
register : test_inexistent