Lookup plugin #61

Open
mnaser opened this issue Jul 25, 2022 · 8 comments

@mnaser

mnaser commented Jul 25, 2022

Summary

Collection does not have a lookup module, making it very hard to use it inside things like group_vars.

Use cases

It's much more useful to be able to put things inside group vars using a lookup module than having a whole module call to make these. Also, it allows you to retrieve the secret from the running host.

Proposed solution

An Ansible lookup module :)

Is there a workaround to accomplish this today?

Not really, working with a large number of secrets makes this very hard.

References & Prior Work

@azrdev

azrdev commented Nov 3, 2022

There's community.general.onepassword_lookup

@mnaser
Author

mnaser commented Nov 3, 2022

This doesn't work with the 1Password Connect, I believe.

@azrdev

azrdev commented Nov 17, 2022

According to https://developer.1password.com/docs/connect/connect-cli the oc CLI can also talk to 1pw connect, and since the onepassword_lookup plugin is only a wrapper around oc it should work then too.
Or am I mistaken?

@thewilli

> According to https://developer.1password.com/docs/connect/connect-cli the oc CLI can also talk to 1pw connect, and since the onepassword_lookup plugin is only a wrapper around oc it should work then too. Or am I mistaken?

Nevertheless, a native way without the need for any external dependency is very handy, especially when it comes to AWX or CI/CD-driven playbook execution.

@sscheib

sscheib commented Jun 8, 2024

While community.general.onepassword works fine with the op binary, I think an official solution that would not require the op binary but simply work by using the REST API of the connect server is more desirable. Especially since the collection is also published as a certified collection at Red Hat; I am sure customers will appreciate it 🙂.

I gave it a try to implement a lookup plugin for this collection today, but unfortunately, the code is very tailored around module usage. I think the majority of the current API class implementation would need to be refactored with lookup plugin usage in mind as lookup plugins work differently.

To the maintainers: Is this something you'd like to entertain? I am talking about a refactoring that adds the possibility to also work for a lookup plugin. If so, I might give it a shot. I am asking just because I don't want to make the effort and then ultimately the PR never gets touched or gets declined.

@mvgijssel

Bonus points if this can use 1Password secret references!

@mvgijssel

Very simple implementation vgijssel/setup@279608f

@mvgijssel

I’ve developed an Ansible vars plugin in this commit that integrates seamlessly with 1Password. This plugin allows the use of 1Password secret references directly within a dedicated Ansible variables file for a specific host or group. For instance:

my_secret_variable: op://my-vault/some-secret/password

The variables file, such as ansible/group_vars/web.op.yaml, is loaded during the inventory build phase and remains cached for the entire playbook execution. This approach significantly enhances performance compared to using lookups.

If the 1Password team is interested, I’d be happy to submit a pull request to share this functionality!
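
The approach described in the last comment, as an added example that is not part of the thread and is not the code from the linked commit: a validate-then-resolve pass over a dedicated variables file, in which every value must be a secret reference and each distinct reference is resolved once and cached. It assumes the reference form `op://vault/item/[section/]field`; the function names, the sample variables and the `resolver` callable (a stand-in for whatever backend actually fetches the secret) are hypothetical.

```python
class SecretRefError(ValueError):
    """Raised when a value is not a well-formed op:// reference."""


def parse_secret_ref(value):
    """Split op://vault/item/[section/]field into its named parts.

    Error messages never echo the value: a plaintext secret pasted into
    the file by mistake must not end up in playbook output or CI logs.
    """
    if not isinstance(value, str) or not value.startswith("op://"):
        raise SecretRefError("not a secret reference")
    parts = value[len("op://"):].split("/")
    if len(parts) not in (3, 4) or any(p == "" for p in parts):
        raise SecretRefError("expected op://vault/item/[section/]field")
    vault, item, *section, field = parts
    return {"vault": vault, "item": item,
            "section": section[0] if section else None, "field": field}


def resolve_vars(raw_vars, resolver):
    """Validate every variable, then resolve each distinct reference once."""
    for name, value in raw_vars.items():
        try:
            parse_secret_ref(value)
        except SecretRefError as exc:
            # Name the variable, not its value.
            raise SecretRefError(f"variable {name!r}: {exc}") from None
    cache = {}
    for ref in raw_vars.values():
        if ref not in cache:
            cache[ref] = resolver(ref)
    return {name: cache[ref] for name, ref in raw_vars.items()}


# Constructed sample: what a parsed group_vars/web.op.yaml might contain.
SAMPLE_VARS = {
    "my_secret_variable": "op://my-vault/some-secret/password",
    "db_password": "op://my-vault/some-secret/password",
    "api_token": "op://my-vault/api/credentials/token",
}


def make_fake_resolver():
    """Hypothetical resolver that records calls instead of contacting 1Password."""
    calls = []
    def resolver(ref):
        calls.append(ref)
        return f"<resolved:{parse_secret_ref(ref)['field']}>"
    return resolver, calls
```

Validation runs over the whole file before any reference is resolved, so a malformed entry fails the load without a single backend call.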
