@asakura
Last active August 29, 2015 14:07
# Ensure that the variable is available
$ conjur env run --yaml '{CONJUR_GROUP: !var variable/name}' -- 'echo "$CONJUR_GROUP"'

# Install Conjur's Python API module first
$ sudo pip install conjur

# Okay, run Ansible against localhost
# -K means ask for the sudo password
# (so you can happily run this command by cron on a remote host, but it is better to fill in your own inventory file and run the play across multiple remote hosts at once)
$ ansible-playbook -i hosts -K update_etc_group.yml
sudo password: 

PLAY [A play that writes CONJUR_GROUP variable into /etc/group file] ********** 

GATHERING FACTS *************************************************************** 
ok: [localhost]

TASK: [Write into /etc/group file and make backup] **************************** 
changed: [localhost]

PLAY RECAP ******************************************************************** 
localhost                  : ok=2    changed=1    unreachable=0    failed=0   
#
# PUT THIS FILE INTO SUBDIRECTORY lookup_plugins !
#
import os
from ansible import utils, errors

try:
    import conjur
    import conjur.config
except ImportError:
    raise errors.AnsibleError(
        'Can\'t LOOKUP(conjur_variable): module `conjur` is not installed'
    )


class LookupModule(object):
    def __init__(self, basedir=None, **kwargs):
        self.basedir = basedir

    def run(self, terms, inject=None, **kwargs):
        # Lookup plugins run on the control machine, so the Conjur settings
        # come from the invoking user's ~/.conjurrc and the credentials from
        # netrc (new_from_netrc), not from the managed host.
        config = conjur.config.config
        config.load(os.path.expanduser('~/.conjurrc'))
        api = conjur.new_from_netrc(config=config)
        # Return the variable's current value as a one-element list
        return [api.variable(terms).value()]
{{ conjur_group }}
localhost ansible_connection=local
---
- name: A play that writes CONJUR_GROUP variable into /etc/group file
  hosts: all
  vars:
    conjur_group: "{{ lookup('conjur_variable', 'conjur/variable/with/group/content') }}"
  tasks:
    - name: Write into /etc/group file and make backup
      sudo: yes
      template: src=./group.j2 dest=/etc/group owner=root group=root backup=yes
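
An added example, not part of the original gist: the play above replaces the whole of /etc/group with whatever the Conjur variable returns, so checking the fetched text before it is written catches an empty or malformed value. The function name, the naming regex and the rule that a root group with GID 0 must be present are assumptions made for this sketch.

```python
import re
import sys

# Assumed naming policy (a common groupadd default); adjust to your own.
NAME = re.compile(r'[a-z_][a-z0-9_-]*\$?')
GID = re.compile(r'[0-9]+')


def validate_group_content(text):
    """Return a list of problems in text meant to replace /etc/group."""
    lines = text.splitlines()
    if not any(line.strip() for line in lines):
        return ['content is empty']
    problems, seen, has_root = [], set(), False
    for n, line in enumerate(lines, 1):
        fields = line.split(':')
        if len(fields) != 4:  # group(5): name:password:GID:user_list
            problems.append('line %d: expected 4 fields, got %d' % (n, len(fields)))
            continue
        name, _password, gid, members = fields
        if not NAME.fullmatch(name):
            problems.append('line %d: invalid group name %r' % (n, name))
        if name in seen:
            problems.append('line %d: duplicate group %r' % (n, name))
        seen.add(name)
        if not GID.fullmatch(gid):
            problems.append('line %d: non-numeric GID %r' % (n, gid))
        if members and not all(NAME.fullmatch(m) for m in members.split(',')):
            problems.append('line %d: invalid member list %r' % (n, members))
        has_root = has_root or (name == 'root' and gid == '0')
    if not has_root:
        # The template replaces the whole file, so root must be present.
        problems.append('no root group with GID 0')
    return problems


if __name__ == '__main__':
    # Usage: check_group.py FILE  (exit status 1 if the file is rejected)
    with open(sys.argv[1]) as handle:
        found = validate_group_content(handle.read())
    for problem in found:
        sys.stderr.write(problem + '\n')
    sys.exit(1 if found else 0)
```

Saved as a script on the managed host (the file name check_group.py is hypothetical), it can be attached to the task through the template module's validate option, for example validate='python3 /path/to/check_group.py %s', so that a rejected rendering never replaces /etc/group.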
@kgilpin

kgilpin commented Oct 9, 2014

Is it possible to have Ansible use the identity of each host to fetch the variable? I think in this case it doesn't matter but I am curious.

@asakura

asakura commented Oct 10, 2014

I think yes via modules.
