implement sops decrypt --extract for lookup plugin
#200
Conversation
Docs Build 📝Thank you for contribution!✨ This PR has been merged and the docs are now incorporated into |
There was a problem hiding this comment.
Thanks for your contribution! Can you please add a changelog fragment? Thanks.
Also please remove unrelated changes (like line 153 in the lookup and line 94 in the module utils). Thanks.
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adds rough explanation of extract syntax. * Adds extract test case.
@felixfontein Thanks for your review! Not sure if I've adequately addressed the changelog fragment. Also cluess about how to address the failing CI checks, is that about pep8 and pylint linters not liking my code? |
Co-authored-by: Felix Fontein <felix@fontein.de>
plugins/lookup/sops.py
Outdated
| description: | ||
| - Tell SOPS to extract a specific key from a JSON or YAML file. | ||
| - Expects the same 'querystring' syntax as SOPS' C(--encrypt) option, | ||
| for example V('["somekey"][0]'). |
There was a problem hiding this comment.
Are you sure the single quotes are needed? I'm pretty sure they are not, and in fact will result in an error. In the integration tests you don't have single quotes there either.
There was a problem hiding this comment.
Quotes are needed, without them sops throws an error the likes of parsing --extract path: strconv.Atoi: parsing "hello": invalid syntax.
What I've learnt is that the entire querystring needs to be quoted, either with single or double quotes. Inside the querystring the other kind of quotes must be used.
What do you think about going with another syntax, I don't like the sops syntax either. A more pythonic syntax like dict.key[0] ?
There was a problem hiding this comment.
That's because if you enter a command in a shell, the shell will also handle quotation marks. But this is not for using SOPS in a shell, but for using Ansible, which calls SOPS without going through a shell.
For example this should work:
- name: Test extract
set_fact:
simple_yaml_with_extract: "{{ lookup('community.sops.sops', 'extract.yaml', extract=extract) }}"
vars:
extract: >-
['foo']What do you think about going with another syntax, I don't like the sops syntax either. A more pythonic syntax like
dict.key[0]?
If you want to implement an expression parser / converter, you could do that, but that sounds like quite a lot of work for little gain.
You can also simply extract a specific value from the lookup's return value without having to use the extract option in the first place:
- set_fact:
value: '{{ (lookup("community.sops.sops", "/path/to/file.yml") | from_yaml).somekey[0] }}'There was a problem hiding this comment.
Now I get it, I've updated the description once more to account for this.
Regarding the syntax, imho its more readable than the ansible native | from_yaml version, even if having to escape quotes.
* adds link to PR in changelog fragment * Improve readability of tests Co-authored-by: Felix Fontein <felix@fontein.de>
|
@niuleh thanks a lot for your contribution! |
Motivation
We have large encrypted yaml files and would like to lookup only specific keys.
Changes description
Modified the Sops.decrypt function to accept an "extract" option.