azure_rm: Dynamic Inventory allow for template expressions in some parameters #1438

Closed
franciscogarcia-payroc opened this issue Feb 8, 2024 · 0 comments
Labels
has_pr PR fixes have been made medium_priority Medium priority

Contributor

franciscogarcia-payroc commented Feb 8, 2024

SUMMARY

We would love to be able to use templates to evaluate the values of client_id, secret, tenant and subscription_id when configuring authentication for the azure_rm inventory plugin.

ISSUE TYPE

  • Feature Idea

COMPONENT NAME

azure_rm inventory plugin

ADDITIONAL INFORMATION

Our use case is somewhat particular: we can't leverage the CLI or environment variables for various reasons, and we want to avoid having our secrets hard-coded in a file. The ideal way for us to get those values in without having them in a file on disk is to execute a lookup in a template. This behavior works as described in a few other inventory plugins we're using for enumerating VMs on other providers, but in this case the plugin only seems to accept static values in the following fields:

client_id
secret
tenant
subscription_id

To prove the case and get us past this issue in our current proof of concept we added the following snippet to azure_rm.py in the _credential_setup method.

This seemed to work as intended to allow for the lookup inside the inventory plugin to be executed dynamically.

  def _credential_setup(self):
      auth_options = dict(
          auth_source=self.get_option('auth_source'),
          profile=self.get_option('profile'),
          subscription_id=self.get_option('subscription_id'),
          client_id=self.get_option('client_id'),
          secret=self.get_option('secret'),
          tenant=self.get_option('tenant'),
          ad_user=self.get_option('ad_user'),
          password=self.get_option('password'),
          cloud_environment=self.get_option('cloud_environment'),
          cert_validation_mode=self.get_option('cert_validation_mode'),
          api_profile=self.get_option('api_profile'),
          track1_cred=True,
          adfs_authority_url=self.get_option('adfs_authority_url')
      )

      # this part here was added:
      # template each credential field (with lookups enabled) if it holds an expression
      if self.templar.is_template(auth_options["tenant"]):
          auth_options["tenant"] = self.templar.template(variable=auth_options["tenant"], disable_lookups=False)

      if self.templar.is_template(auth_options["client_id"]):
          auth_options["client_id"] = self.templar.template(variable=auth_options["client_id"], disable_lookups=False)

      if self.templar.is_template(auth_options["secret"]):
          auth_options["secret"] = self.templar.template(variable=auth_options["secret"], disable_lookups=False)

      if self.templar.is_template(auth_options["subscription_id"]):
          auth_options["subscription_id"] = self.templar.template(variable=auth_options["subscription_id"], disable_lookups=False)
      # end of addition

      self.azure_auth = AzureRMAuth(**auth_options)

Not sure if this is the best approach but figured I'd start the discussion, thanks!
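
The following is an added example, not part of the original issue and not the collection's code. It generalizes the snippet above into one helper that templates only the four listed fields, passes unset or static values through, fails closed on an empty result, and keeps the expression and the resolved value out of error messages. `resolve_auth_options`, `TemplateResolutionError`, `StubTemplar` and the `stub` lookup name are hypothetical; the stub stands in for Ansible's templar and implements only the two calls the snippet uses.

```python
import re

# Only the fields named in the issue are templated; all others stay static.
TEMPLATABLE_AUTH_OPTIONS = ("tenant", "client_id", "secret", "subscription_id")


class TemplateResolutionError(Exception):
    """Raised with the option name only, never the expression or its value."""


def resolve_auth_options(auth_options, templar, names=TEMPLATABLE_AUTH_OPTIONS):
    """Return a copy of auth_options with templated credential fields resolved."""
    resolved = dict(auth_options)  # never mutate the caller's options
    for name in names:
        value = resolved.get(name)
        if value is None or not templar.is_template(value):
            continue  # unset or static value: pass through untouched
        try:
            result = templar.template(variable=value, disable_lookups=False)
        except Exception as exc:
            # "from None" drops the chained error, which may echo the expression.
            raise TemplateResolutionError(
                f"could not template '{name}' ({type(exc).__name__})") from None
        if result is None or not str(result).strip():
            # Fail closed: an empty credential must not reach the auth layer.
            raise TemplateResolutionError(f"'{name}' templated to an empty value")
        resolved[name] = result
    return resolved


class StubTemplar:
    """Constructed stand-in for Ansible's templar so the example runs offline."""
    _LOOKUP = re.compile(r"^\{\{\s*lookup\('stub',\s*'([^']+)'\)\s*\}\}$")

    def __init__(self, store):
        self._store = store  # constructed secret store: key -> value

    def is_template(self, value):
        return isinstance(value, str) and "{{" in value

    def template(self, variable, disable_lookups=False):
        match = self._LOOKUP.match(variable)
        if disable_lookups or not match:
            raise ValueError("unsupported expression: " + variable)
        return self._store.get(match.group(1), "")
```

In the plugin, the same helper would be called with `self.templar` between building `auth_options` and constructing `AzureRMAuth`.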
