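# Integration tasks for the community.hashi_vault.hashi_vault lookup with JWT auth.
# NOTE(review): conn_params, this_path, default_path, vault_kv2_path and auth_type are
# not defined in this file — they are expected from the calling play; confirm there.
- name: "Test block"
  vars:
    role_id: test-role
    # Both JWTs are read from files on the controller via the `file` lookup.
    jwt: '{{ lookup("file", "token.jwt") }}'
    jwt_invalid: '{{ lookup("file", "token_invalid.jwt") }}'
    # True when the mount under test is the default one; this decides whether
    # a mount_point is passed to the lookup at all.
    is_default_path: "{{ this_path == default_path }}"
    # Shared term prefix: conn_params, followed by 'mount_point=<this_path> '
    # only when a non-default mount is being tested.
    common: "{{ conn_params ~ ('' if is_default_path else 'mount_point=' ~ this_path ~ ' ') }}"
  block:
    # Positive path: both secrets must be readable with the valid JWT and hold
    # the fixture values checked by the next task.
    - name: 'Fetch secrets using "hashi_vault" lookup'
      set_fact:
        secret1: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
        secret2: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"

    - name: 'Check secret values'
      fail:
        msg: 'unexpected secret values'
      when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'

    # the purpose of this test is to catch when the plugin accepts mount_point but does not pass it into hvac
    # we set the policy of the default mount to deny access to this secret and so we expect failure when the mount
    # is default, and success when the mount is alternate
    - name: 'Check auth mount differing secret value'
      vars:
        # Passes the auth parameters as lookup keyword arguments rather than
        # the string-built form used by the other tasks in this file.
        secret5: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret5', auth_method='jwt', jwt=jwt, role_id=role_id) }}"
      debug:
        msg:
          - "Checking secret5 with {{ auth_type }} auth via mount path '{{ this_path }}'"
          # NOTE(review): this echoes the fetched value into the play output;
          # acceptable for fixture data, not a pattern to copy for real secrets.
          - "{{ secret5 }}"
      # A lookup error while rendering secret5 fails this task; ignore_errors
      # lets the following assert inspect the registered result instead.
      register: secret5_status
      ignore_errors: true

    - name: 'Check mount-dependent access to secret5'
      assert:
        fail_msg: "A token from mount path '{{ this_path}}' had incorrect access to secret5"
        # Default mount: the read must have been denied. Alternate mount: it must have succeeded.
        that: >-
          (is_default_path and (secret5_status is failed))
          or (not is_default_path and (secret5_status is not failed))

    # Negative paths: each lookup below is expected to error while its task vars
    # are rendered; the failures are registered and asserted together at the end.
    - name: 'Failure expected when erroneous credentials are used'
      vars:
        secret_wrong_cred: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt_invalid ~ ' role_id=' ~ role_id) }}"
      debug:
        msg: 'Failure is expected ({{ secret_wrong_cred }})'
      register: test_wrong_cred
      ignore_errors: true

    - name: 'Failure expected when unauthorized secret is read'
      vars:
        secret_unauthorized: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
      debug:
        msg: 'Failure is expected ({{ secret_unauthorized }})'
      register: test_unauthorized
      ignore_errors: true

    - name: 'Failure expected when non-existent secret is read'
      vars:
        secret_inexistent: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
      debug:
        msg: 'Failure is expected ({{ secret_inexistent }})'
      register: test_inexistent
      ignore_errors: true

    # All three negative cases must have failed; a lookup that silently returned
    # a value here would indicate a missing error from the plugin.
    - name: 'Check expected failures'
      assert:
        msg: "an expected failure didn't occur"
        that:
          - test_wrong_cred is failed
          - test_unauthorized is failed
          - test_inexistent is failed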