Merge pull request #41 from MeilleursAgents/feat_ansiblevault_string

Feat ansiblevault string
MeilleursAgents · Nov 5, 2019 · 549956b · 549956b
2 parents 56ed54e + 179d92b
commit 549956b
Show file tree

Hide file tree

Showing 9 changed files with 268 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -56,6 +56,31 @@ data "ansiblevault_path" "api_key" {
 ${data.ansiblevault_path.api_key.value} will contain value of `USER_PASSWORD` stored in "/home/username/infra/ansible/passwords.yml"
 ```
 
+ansiblevault_string example:
+
+---
+
+```tf
+provider "ansiblevault" {
+  vault_pass  = "/home/username/.vault_pass.txt"
+  root_folder = "/home/username/infra/ansible/"
+}
+
+data "ansiblevault_string" "api_key" {
+  encrypted = <<EOF
+$ANSIBLE_VAULT;1.1;AES256
+65346463633165666232636636346631626565616132653339343961656336643930323937313231
+3436383237633937636435636366386563313233366630380a316535376661653933373836633130
+30336130396635363830373135643261346437366235303463643538336561356534666161353233
+6133626433333965320a323966396162656332386265306539666436643033653466636335363363
+35656432663266353133623834653735656534346639623233623531363332373461
+EOF
+  key = "API_KEY"
+}
+
+${data.ansiblevault_string.api_key.value} will contain value of `API_KEY` pass in argument vault string.
+```
+
 ## Documentation
 
 ### Provider

diff --git a/examples/terraform/data.tf b/examples/terraform/data.tf
@@ -7,3 +7,15 @@ data "ansiblevault_env" "env" {
   env = "prod"
   key = "API_KEY"
 }
+
+data "ansiblevault_string" "string" {
+  encrypted = <<EOF
+$ANSIBLE_VAULT;1.1;AES256
+65346463633165666232636636346631626565616132653339343961656336643930323937313231
+3436383237633937636435636366386563313233366630380a316535376661653933373836633130
+30336130396635363830373135643261346437366235303463643538336561356534666161353233
+6133626433333965320a323966396162656332386265306539666436643033653466636335363363
+35656432663266353133623834653735656534346639623233623531363332373461
+EOF
+  key = "API_KEY"
+}
diff --git a/examples/terraform/outputs.tf b/examples/terraform/outputs.tf
@@ -5,3 +5,7 @@ output "path" {
 output "env" {
   value = data.ansiblevault_env.env
 }
+
+output "string" {
+  value = data.ansiblevault_string.string
+}
diff --git a/pkg/provider/inv_env_test.go → pkg/provider/in_env_test.go b/pkg/provider/inv_env_test.go → pkg/provider/in_env_test.go
diff --git a/pkg/provider/in_string.go b/pkg/provider/in_string.go
@@ -0,0 +1,52 @@
+package provider
+
+import (
+	"time"
+
+	"github.com/MeilleursAgents/terraform-provider-ansiblevault/pkg/vault"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func inStringResource() *schema.Resource {
+	return &schema.Resource{
+		Read: inStringRead,
+		Schema: map[string]*schema.Schema{
+			"encrypted": {
+				Type:        schema.TypeString,
+				Description: "Ansible-vault string representation",
+				Required:    true,
+			},
+			"key": {
+				Type:        schema.TypeString,
+				Description: "Vault key searched",
+				Required:    true,
+			},
+			"value": {
+				Computed:    true,
+				Description: "Vault value found",
+				Type:        schema.TypeString,
+			},
+		},
+	}
+}
+
+func inStringRead(data *schema.ResourceData, m interface{}) error {
+	raw := data.Get("encrypted").(string)
+	key := data.Get("key").(string)
+
+	data.SetId(time.Now().UTC().String())
+
+	value, err := m.(*vault.App).InString(raw, key)
+
+	if err != nil {
+		data.SetId("")
+		return err
+	}
+
+	if err := data.Set("value", value); err != nil {
+		data.SetId("")
+		return err
+	}
+
+	return nil
+}
diff --git a/pkg/provider/in_string_test.go b/pkg/provider/in_string_test.go
@@ -0,0 +1,82 @@
+package provider
+
+import (
+	"path"
+	"testing"
+
+	"github.com/MeilleursAgents/terraform-provider-ansiblevault/pkg/vault"
+)
+
+func TestInStringRead(t *testing.T) {
+	vaultRaw := `$ANSIBLE_VAULT;1.1;AES256
+61336365316161396566653134393964613564646439313333666233356463336131336537303633
+6239626439383636346130653132326138313437306365310a663961653131373535633431393836
+34353035376531643266383736306338333764373837656131323663396435666332343039666465
+3635613231313833650a346365623861663638313830616564623663386137303735356639313163
+34343639636161656230363030353763623830653838333166623234326334663338`
+
+	var cases = []struct {
+		intention string
+		input     string
+		key       string
+		want      string
+		wantErr   error
+	}{
+		{
+			"simple",
+			vaultRaw,
+			"API_KEY",
+			"NOT_IN_CLEAR_TEXT",
+			nil,
+		},
+		{
+			"not found key",
+			vaultRaw,
+			"SECRET_KEY",
+			"",
+			vault.ErrKeyNotFound,
+		},
+	}
+
+	for _, testCase := range cases {
+		t.Run(testCase.intention, func(t *testing.T) {
+			data := inStringResource().Data(nil)
+
+			if err := data.Set("encrypted", testCase.input); err != nil {
+				t.Errorf("unable to set encrypted: %s", err)
+				return
+			}
+
+			data.Set("key", testCase.key)
+			if err := data.Set("key", testCase.key); err != nil {
+				t.Errorf("unable to set key: %s", err)
+				return
+			}
+
+			vaultApp, err := vault.New(path.Join(ansibleFolder, "vault_pass_test.txt"), ansibleFolder, "")
+			if err != nil {
+				t.Errorf("unable to create vault app: %#v", err)
+				return
+			}
+
+			err = inStringRead(data, vaultApp)
+			result := data.Get("value").(string)
+
+			failed := false
+
+			if err == nil && testCase.wantErr != nil {
+				failed = true
+			} else if err != nil && testCase.wantErr == nil {
+				failed = true
+			} else if err != nil && err.Error() != testCase.wantErr.Error() {
+				failed = true
+			} else if result != testCase.want {
+				failed = true
+			}
+
+			if failed {
+				t.Errorf("inStringRead() = (`%s`, %#v), want (`%s`, %#v)", result, err, testCase.want, testCase.wantErr)
+			}
+		})
+	}
+}
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
@@ -39,8 +39,9 @@ func Provider() *schema.Provider {
 			},
 		},
 		DataSourcesMap: map[string]*schema.Resource{
-			"ansiblevault_env":  inEnvResource(),
-			"ansiblevault_path": inPathResource(),
+			"ansiblevault_env":    inEnvResource(),
+			"ansiblevault_path":   inPathResource(),
+			"ansiblevault_string": inStringResource(),
 		},
 		ConfigureFunc: func(r *schema.ResourceData) (interface{}, error) {
 			vaultPass := r.Get("vault_pass").(string)

diff --git a/pkg/vault/vault.go b/pkg/vault/vault.go
@@ -64,13 +64,13 @@ func (a App) getVaultPass() (string, error) {
 	return strings.TrimRight(string(data), "\n"), nil
 }
 
-func (a App) getVaultKey(filename string, key string) (string, error) {
+func (a App) getVaultKey(filename string, key string, getVaultContent func(string, string) (string, error)) (string, error) {
 	pass, err := a.getVaultPass()
 	if err != nil {
 		return "", err
 	}
 
-	rawVault, err := ansible_vault.DecryptFile(filename, pass)
+	rawVault, err := getVaultContent(filename, pass)
 	if err != nil {
 		return "", err
 	}
@@ -90,12 +90,17 @@ func (a App) getVaultKey(filename string, key string) (string, error) {
 
 // InEnv retrieves given key in environment vault
 func (a App) InEnv(env string, key string) (string, error) {
-	return a.getVaultKey(path.Join(a.rootFolder, fmt.Sprintf("group_vars/tag_%s/vault.yml", env)), key)
+	return a.getVaultKey(path.Join(a.rootFolder, fmt.Sprintf("group_vars/tag_%s/vault.yml", env)), key, ansible_vault.DecryptFile)
 }
 
 // InPath retrieves given key in vault file
 func (a App) InPath(vaultPath string, key string) (string, error) {
-	return a.getVaultKey(path.Join(a.rootFolder, vaultPath), key)
+	return a.getVaultKey(path.Join(a.rootFolder, vaultPath), key, ansible_vault.DecryptFile)
+}
+
+// InString retrieves given key in vault file
+func (a App) InString(rawVault string, key string) (string, error) {
+	return a.getVaultKey(rawVault, key, ansible_vault.Decrypt)
 }
 
 func sanitize(word string) string {