feat(gpg_secretstore): add ability to remove secrets

2024-09-20 06:11:58 +00:00 · 2021-11-25 12:00:43 +01:00 · 2021-11-25 12:00:43 +01:00 · 871e31b1f2
commit 871e31b1f2
parent 858c8305a2
1 changed files with 70 additions and 34 deletions
--- a/plugins/modules/gpg_secretstore.py
+++ b/plugins/modules/gpg_secretstore.py
@ -63,6 +63,13 @@ options:
        required: False
        type: str
        default: .gpg-id
+    state:
+        description:
+            - Whether the password file should exist
+        required: True
+        type: str
+        choices: 'present', 'absent'
+        default: 'present'
    password_slug
        description:
            - Password slug, something like `servers/prod/some_secret`
@ -250,6 +257,12 @@ def main():
                required=False, type="str", default=".gpg-id", no_log=False
            ),
            # Password specific arguments
+            state=dict(
+                required=False,
+                type="str",
+                choices=["present", "absent"],
+                default="present",
+            ),
            password_slug=dict(required=True, type="str", no_log=False),
            data_type=dict(
                required=False,
@ -321,15 +334,20 @@ def main():
        (Path("/tmp/") / hashlib.md5(password_slug.encode()).hexdigest()).as_posix()
    )
    with lock:
+        if state == "present":
            try:
                result["diff"]["before"] = store.get_recipients_from_encrypted_file(
                    slug=password_slug
                )
                if not overwrite:
-                result["secret"] = store.get(slug=password_slug, data_type=data_type)
+                    result["secret"] = store.get(
+                        slug=password_slug, data_type=data_type
+                    )
                    result["changed"] = False
                else:
-                result["message"] = "Secret rotation requested: rotating, if possible."
+                    result[
+                        "message"
+                    ] = "Secret rotation requested: rotating, if possible."
                    result["secret"] = secretGenerator.getSecret()
                    result["action"] = "update"
                    result["changed"] = True
@ -355,13 +373,31 @@ def main():
                result["action"] = "update"
                result["changed"] = True

-        if not module.check_mode and result["changed"]:
-            store.put(slug=password_slug, data=result["secret"], data_type=data_type)
-
+            if result["changed"]:
+                store.put(
+                    slug=password_slug, data=result["secret"], data_type=data_type
+                )
                result["diff"]["after"] = store.get_recipients_from_encrypted_file(
                    slug=password_slug
                )

+        if state == "absent":
+            try:
+                store.remove(slug=password_slug)
+                result["message"] = "Secret will be deleted!"
+                result["diff"]["before"] = store.get_recipients_from_encrypted_file(
+                    slug=password_slug
+                )
+                result["diff"]["after"] = []
+                result["action"] = "remove"
+                result["changed"] = True
+
+            except FileNotFoundError:
+                result["message"] = "Secret didn't exist"
+                result["diff"]["before"] = []
+                result["diff"]["after"] = []
+                result["changed"] = False
+
    if result["message"]:
        module.log(result["message"])