remove deprecated environment variables for 2.0.0

[briantist]

SUMMARY

Removes deprecated env vars for the 2.0.0 release:

• Resolves: hashi_vault - [env] Fix token_file and token_path env vars #15
• Resolves: hashi_vault - [env] update VAULT_AUTH_METHOD to match guidelines #17
• Resolves: hashi_vault - [env] update role_id and secret_id env vars to match guidelines #20

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

auth.py

ADDITIONAL INFORMATION

This completes the breaking changes that came from #10

[codecov]

Codecov Report

Merging #173 (41a1798) into main (af71153) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #173   +/-   ##
=======================================
  Coverage   91.68%   91.68%           
=======================================
  Files          40       40           
  Lines        1587     1587           
  Branches      123      123           
=======================================
  Hits         1455     1455           
  Misses        119      119           
  Partials       13       13           

Flag	Coverage Δ
env_docker-default	91.68% <ø> (ø)
integration	75.80% <ø> (ø)
py2.6	36.18% <ø> (ø)
py2.7	83.49% <ø> (ø)
py3.10	90.80% <ø> (ø)
py3.5	83.74% <ø> (ø)
py3.6	83.74% <ø> (ø)
py3.7	83.74% <ø> (ø)
py3.8	90.86% <ø> (ø)
py3.9	90.86% <ø> (ø)
sanity	37.76% <ø> (ø)
target_ansible-doc	100.00% <ø> (ø)
target_auth_approle	89.47% <ø> (ø)
target_auth_cert	56.40% <ø> (ø)
target_auth_jwt	91.30% <ø> (ø)
target_auth_none	100.00% <ø> (ø)
target_auth_token	71.42% <ø> (ø)
target_connection_options	74.76% <ø> (ø)
target_controller	67.00% <ø> (ø)
target_import	37.76% <ø> (ø)
target_lookup_hashi_vault	81.33% <ø> (ø)
target_lookup_vault_read	90.00% <ø> (ø)
target_module_utils	90.40% <ø> (ø)
target_module_vault_read	92.10% <ø> (ø)
units	88.78% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
plugins/doc_fragments/auth.py	100.00% <ø> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update af71153...41a1798. Read the comment docs.

[github-actions]

##Docs Build 📝

Thank you for contribution!✨

This PR has been merged and the docs are now incorporated into main:
https://community-hashi-vault-main.surge.sh

[felixfontein]

recheck

[gdykeman]

@briantist @felixfontein
Prepending the variable names with ansible_* | ANSIBLE_* breaks use of custom credentials in AWX / Ansible Automation Platform. Not sure of best way to resolve but wanted to bring to your attention.

[briantist]

@gdykeman this has been discussed in #49

The alternative is to use Ansible vars instead which do not have the same restriction in AWX.

[gdykeman]

@briantist Correct, the concern is that sensitive variables are exposed. Thus we were hoping to utilize custom credentials which do now allow for ansible to be prepended. We can stick with modifying the docfragments if it creates too much of a problem.

[felixfontein]

I'm not sure why AWX/Tower doesn't like these, but prefixing with ANSIBLE_ for env vars is what modules and plugins should do. See ansible/ansible#52967 and the Ansible project meeting where this was discussed and decided.

[briantist]

@briantist Correct, the concern is that sensitive variables are exposed. Thus we were hoping to utilize custom credentials which do now allow for ansible to be prepended. We can stick with modifying the docfragments if it creates too much of a problem.

AWX credentials can inject its values as either environment variables or as Ansible vars. By injecting as Ansible vars, you will avoid this issue, because the ansible_ prefix restriction only applies to environment variables, not to Ansible vars.

The issue I linked is where others brought up the concerns, and using Ansible vars completely solves the issue, there should be no reason to modify any docs fragments.

[briantist]

I'm not sure why AWX/Tower doesn't like these, but prefixing with ANSIBLE_ for env vars is what modules and plugins should do. See ansible/ansible#52967 and the Ansible project meeting where this was discussed and decided.

I agree with you and have tried to argue the same. Here's a partial answer: ansible/awx#10275 (comment)

I guess the issue is that you could use those creds to widely control Ansible behavior in ways beyond plugin configuration? But yeah, it does mean that you cannot use env vars in that way to assign options, so plugins should need to be specific about accepting vars: in addition (which I think is good practice anyway).

[gdykeman]

This is the check:
https://github.com/ansible/awx/blob/devel/awx/main/fields.py#L816

Appreciate the quick responses!

[briantist]

This is the check: https://github.com/ansible/awx/blob/devel/awx/main/fields.py#L816

Appreciate the quick responses!

Yes, again that is the check for environment variables, if you choose to inject as Ansible vars instead, there is so such check. Please read the linked thread.

[briantist]

@gdykeman see:

• AWX and ANSIBLE_ prefixed environment variables - support a 2nd set of env vars? ansible vars? #49 (comment)

[gdykeman]

@briantist @felixfontein
This clears it up. Thank you for looking into this. Will stick to Ansible vars!