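#!/usr/bin/python
# Copyright (c) 2024, Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

from __future__ import absolute_import, division, print_function

__metaclass__ = type

DOCUMENTATION = r"""
module: systemd_creds_encrypt
short_description: C(systemd)'s C(systemd-creds encrypt) plugin
description:
  - This module encrypts input using C(systemd)'s C(systemd-creds encrypt).
author:
  - Thomas Sjögren (@konstruktoid)
version_added: '10.2.0'
extends_documentation_fragment:
  - community.general.attributes
attributes:
  check_mode:
    support: full
    details:
      - This action does not modify state.
  diff_mode:
    support: N/A
    details:
      - This action does not modify state.
options:
  name:
    description:
      - The credential name to embed in the encrypted credential data.
    type: str
    required: false
  not_after:
    description:
      - The time when the credential shall not be used anymore.
      - Takes a timestamp specification in the format described in V(systemd.time(7\)).
    type: str
    required: false
  pretty:
    description:
      - Pretty print the output so that it may be pasted directly into a unit file.
    type: bool
    required: false
    default: false
  secret:
    description:
      - The secret to encrypt.
    type: str
    required: true
  timestamp:
    description:
      - The timestamp to embed into the encrypted credential.
      - Takes a timestamp specification in the format described in V(systemd.time(7\)).
    type: str
    required: false
  user:
    description:
      - A user name or numeric UID to encrypt the credential for.
      - If set to the special string V(self) it sets the user to the user of the calling process.
      - Requires C(systemd) 256 or later.
    type: str
    required: false
notes:
  - C(systemd-creds) requires C(systemd) 250 or later.
  - The module fails if C(systemd-creds encrypt) exits with a non-zero status.
"""

EXAMPLES = r"""
- name: Encrypt secret
  become: true
  community.general.systemd_creds_encrypt:
    name: db
    not_after: +48hr
    secret: access_token
  register: encrypted_secret

- name: Print the encrypted secret
  ansible.builtin.debug:
    msg: "{{ encrypted_secret }}"
"""

RETURN = r"""
value:
  description: The Base64 encoded encrypted secret.
  type: str
  returned: success
  sample: "WhQZht+JQJax1aZemmGLxmAAAA..."
"""

from ansible.module_utils.basic import AnsibleModule


def main():
    """Encrypt a secret with ``systemd-creds encrypt`` and return the ciphertext.

    The plaintext is handed to ``systemd-creds`` on stdin -- never as a
    command-line argument, so it does not appear in process listings -- and
    the encrypted, Base64 encoded credential is read back from stdout.  The
    command is built as an argument list and run without a shell, so option
    values cannot smuggle in extra options or commands.  Nothing on the host
    is modified, which is why check mode simply runs the command too.

    Exits via ``module.fail_json`` when ``systemd-creds`` is missing or
    returns a non-zero status, and via ``module.exit_json`` (``changed`` is
    always false) with the ciphertext in ``value`` otherwise.
    """
    module = AnsibleModule(
        argument_spec=dict(
            name=dict(type="str", required=False),
            not_after=dict(type="str", required=False),
            pretty=dict(type="bool", default=False),
            # no_log keeps the plaintext out of logs, callbacks and task output.
            secret=dict(type="str", required=True, no_log=True),
            timestamp=dict(type="str", required=False),
            user=dict(type="str", required=False),
        ),
        supports_check_mode=True,
    )

    # required=True makes the module fail cleanly when the binary is absent.
    cmd = module.get_bin_path("systemd-creds", required=True)

    name = module.params["name"]
    not_after = module.params["not_after"]
    pretty = module.params["pretty"]
    secret = module.params["secret"]
    timestamp = module.params["timestamp"]
    user = module.params["user"]

    encrypt_cmd = [cmd, "encrypt"]

    # Output goes to stdout, so there is no output filename for systemd-creds to
    # derive a credential name from; --name= is therefore always passed, and an
    # empty value embeds no name at all.  NOTE(review): per systemd-creds(1) an
    # unnamed credential is also not name-checked at decrypt time -- confirm
    # before relying on unnamed credentials.
    encrypt_cmd.append("--name=" + (name or ""))
    if not_after:
        encrypt_cmd.append("--not-after=" + not_after)
    if pretty:
        encrypt_cmd.append("--pretty")
    if timestamp:
        encrypt_cmd.append("--timestamp=" + timestamp)
    if user:
        # The module option is called "user"; the systemd-creds flag is --uid=.
        encrypt_cmd.append("--uid=" + user)

    # "-" "-": read the plaintext from stdin, write the ciphertext to stdout.
    encrypt_cmd.extend(["-", "-"])

    # binary_data=True so run_command does not append a trailing newline to the
    # secret; exactly the bytes the caller supplied are encrypted.
    rc, stdout, stderr = module.run_command(encrypt_cmd, data=secret, binary_data=True)

    # A non-zero exit means there is no usable ciphertext.  Fail instead of
    # handing an empty or partial "value" to the caller, who would otherwise
    # deploy it as if it were a valid credential.  stdout is deliberately left
    # out of the failure result.
    if rc != 0:
        module.fail_json(
            msg="systemd-creds encrypt failed with return code %d" % rc,
            rc=rc,
            stderr=stderr,
        )

    module.exit_json(
        changed=False,
        value=stdout,
        rc=rc,
        stderr=stderr,
    )


if __name__ == "__main__":
    main()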