Diffstat (limited to 'ansible_collections/community/general/plugins/lookup/credstash.py')
-rw-r--r--ansible_collections/community/general/plugins/lookup/credstash.py144
1 files changed, 144 insertions, 0 deletions
diff --git a/ansible_collections/community/general/plugins/lookup/credstash.py b/ansible_collections/community/general/plugins/lookup/credstash.py
new file mode 100644
index 000000000..6a3f58595
--- /dev/null
+++ b/ansible_collections/community/general/plugins/lookup/credstash.py
@@ -0,0 +1,144 @@
+# -*- coding: utf-8 -*-
+# Copyright (c) 2015, Ensighten <infra@ensighten.com>
+# Copyright (c) 2017 Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ author: Unknown (!UNKNOWN)
+ name: credstash
+ short_description: retrieve secrets from Credstash on AWS
+ requirements:
+ - credstash (python library)
+ description:
+ - "Credstash is a small utility for managing secrets using AWS's KMS and DynamoDB: https://github.com/fugue/credstash"
+ options:
+ _terms:
+ description: term or list of terms to lookup in the credit store
+ type: list
+ elements: string
+ required: true
+ table:
+ description: name of the credstash table to query
+ type: str
+ default: 'credential-store'
+ version:
+ description: Credstash version
+ type: str
+ default: ''
+ region:
+ description: AWS region
+ type: str
+ profile_name:
+ description: AWS profile to use for authentication
+ type: str
+ env:
+ - name: AWS_PROFILE
+ aws_access_key_id:
+ description: AWS access key ID
+ type: str
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ aws_secret_access_key:
+ description: AWS access key
+ type: str
+ env:
+ - name: AWS_SECRET_ACCESS_KEY
+ aws_session_token:
+ description: AWS session token
+ type: str
+ env:
+ - name: AWS_SESSION_TOKEN
+'''
+
+EXAMPLES = """
+- name: first use credstash to store your secrets
+ ansible.builtin.shell: credstash put my-github-password secure123
+
+- name: "Test credstash lookup plugin -- get my github password"
+ ansible.builtin.debug:
+ msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-github-password') }}"
+
+- name: "Test credstash lookup plugin -- get my other password from us-west-1"
+ ansible.builtin.debug:
+ msg: "Credstash lookup! {{ lookup('community.general.credstash', 'my-other-password', region='us-west-1') }}"
+
+- name: "Test credstash lookup plugin -- get the company's github password"
+ ansible.builtin.debug:
+ msg: "Credstash lookup! {{ lookup('community.general.credstash', 'company-github-password', table='company-passwords') }}"
+
+- name: Example play using the 'context' feature
+ hosts: localhost
+ vars:
+ context:
+ app: my_app
+ environment: production
+ tasks:
+
+ - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
+ ansible.builtin.debug:
+ msg: "{{ lookup('community.general.credstash', 'some-password', context=context) }}"
+
+ - name: "Test credstash lookup plugin -- get the password with a context defined here"
+ ansible.builtin.debug:
+ msg: "{{ lookup('community.general.credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"
+"""
+
+RETURN = """
+ _raw:
+ description:
+ - Value(s) stored in Credstash.
+ type: str
+"""
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+
+CREDSTASH_INSTALLED = False
+
+try:
+ import credstash
+ CREDSTASH_INSTALLED = True
+except ImportError:
+ CREDSTASH_INSTALLED = False
+
+
+class LookupModule(LookupBase):
+ def run(self, terms, variables=None, **kwargs):
+ if not CREDSTASH_INSTALLED:
+ raise AnsibleError('The credstash lookup plugin requires credstash to be installed.')
+
+ self.set_options(var_options=variables, direct=kwargs)
+
+ version = self.get_option('version')
+ region = self.get_option('region')
+ table = self.get_option('table')
+ profile_name = self.get_option('profile_name')
+ aws_access_key_id = self.get_option('aws_access_key_id')
+ aws_secret_access_key = self.get_option('aws_secret_access_key')
+ aws_session_token = self.get_option('aws_session_token')
+
+ context = dict(
+ (k, v) for k, v in kwargs.items()
+ if k not in ('version', 'region', 'table', 'profile_name', 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token')
+ )
+
+ kwargs_pass = {
+ 'profile_name': profile_name,
+ 'aws_access_key_id': aws_access_key_id,
+ 'aws_secret_access_key': aws_secret_access_key,
+ 'aws_session_token': aws_session_token,
+ }
+
+ ret = []
+ for term in terms:
+ try:
+ ret.append(credstash.getSecret(term, version, region, table, context=context, **kwargs_pass))
+ except credstash.ItemNotFound:
+ raise AnsibleError('Key {0} not found'.format(term))
+ except Exception as e:
+ raise AnsibleError('Encountered exception while fetching {0}: {1}'.format(term, e))
+
+ return ret
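Review bot: The `context` filter at the `context = dict(...)` comprehension never special-cases a kwarg literally named `context`, yet the EXAMPLES in the same file pass `context=context` and `context=dict(app=..., environment=...)`; with this filter those calls hand `credstash.getSecret` an encryption context of `{'context': {...}}` rather than the flat mapping the examples intend, so the KMS encryption context presumably will not match what was used at `put` time and the lookup would fail or silently resolve a different key, depending on how credstash handles a nested value. Adding `'context'` to the excluded tuple and merging it explicitly keeps the documented call shape working while still accepting loose kwargs as context entries, e.g. `reserved = ('version', 'region', 'table', 'profile_name', 'aws_access_key_id', 'aws_secret_access_key', 'aws_session_token', 'context')`, `context = dict((k, v) for k, v in kwargs.items() if k not in reserved)`, `context.update(kwargs.get('context') or {})`. Separately, the `except Exception as e` branch interpolates the raw exception text into the AnsibleError; boto/KMS errors can echo request details, so consider logging the full exception at debug level and surfacing only the exception class name and term in the user-facing message. `run` also lacks a docstring; a short one stating that each term is fetched from the configured credstash table and returned in order, with unknown kwargs treated as KMS encryption context, would make the filter's intent clear to the next reader.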