Add parameter to support X-Vault-AWS-IAM-Server-ID

[jonnyt]

SUMMARY

Add support for the optional parameter iam_server_id. The value is used for the X-Vault-AWS-IAM-Server-ID header as part of GetCallerIdentity request.

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

hashi_vault

ADDITIONAL INFORMATION

Without this feature the following would fail when the Hashi Vault policy requires the X-Vault-AWS-IAM-Server-ID header.

- name: Authenticate with a Vault app role
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/test:hello auth_method=aws_iam_login role_id=ec2-instance url=https://vault-fqdn region=us-west-2') }}"

Including the parameter header_value will pass the value along to the HVAC library, which then sends it along as the header. This would return the secret.

- name: Authenticate with a Vault app role
  ansible.builtin.debug:
    msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/test:hello auth_method=aws_iam_login role_id=ec2-instance url=https://vault-fqdn region=us-west-2 iam_server_id=vault-fqdn') }}"

[codecov]

Codecov Report

Merging #27 (33d5f7e) into main (da1904f) will decrease coverage by 0.57%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main      #27      +/-   ##
==========================================
- Coverage   64.86%   64.28%   -0.58%     
==========================================
  Files           1        1              
  Lines         222      224       +2     
  Branches       43       44       +1     
==========================================
  Hits          144      144              
- Misses         62       64       +2     
  Partials       16       16              

Impacted Files	Coverage Δ
...ommunity/hashi_vault/plugins/lookup/hashi_vault.py	64.28% <0.00%> (-0.58%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update da1904f...33d5f7e. Read the comment docs.

[briantist]

Suggesting a slightly even more specific parameter name, other than that just small nits.

Otherwise looks great, looking forward to the change.

Since we aren't currently testing the AWS components in CI, can you tell me a little about local testing you've done with the change?

Thanks and welcome!

[jonnyt]

Hi @briantist ,

Thanks for the welcome and making my first PR to any project a nice experience!

I did notice that it would be hard to add a test case for this. What I did locally was:

1. Made the code changes, built the collection, and installed the collection from the resulting tar.gz.
2. Using a Hashi Vault instance with the iam_server_id_header_value configured on the AWS client, I ran the following tests:
   2.1. Read a secret with the aws_iam_server_id value embedded in the Ansible lookup command
   2.2. Read a secret with aws_iam_server_id in ansible.cfg
   2.3. Read a secret after exporting ANSIBLE_HASHI_VAULT_AWS_IAM_SERVER_ID
3. Repeated the same steps as 2 but with an invalid value and received the expected error from Hashi Vault
4. Removed the iam_server_id_header_value setting from my Hashi Vault instance.
   4.1. Tested that the supplied aws_iam_server_id value is ignored when sent to Hashi Vault

[briantist]

Hi @briantist ,

Thanks for the welcome and making my first PR to any project a nice experience!

Very happy to hear that, thank you!
Also surprised that this is your first PR to something in Ansible, let alone anywhere; everything was in order, even the changelog fragment. Certainly better than my first submissions 😅

In any case welcome again and thanks for the contribution.

I did notice that it would be hard to add a test case for this.

I would like us to get there. The tests shouldn't be that hard to write, it's more an issue of having an AWS account we can use and coordinating that, especially since we need more than just an instance to run tests on (the easy part), we need a login we use to set up Vault as well. It might be something we can coordinate with RedHat on (and the AWS collections), but I haven't pursued it yet.

What I did locally was:

1. Made the code changes, built the collection, and installed the collection from the resulting tar.gz.
2. Using a Hashi Vault instance with the iam_server_id_header_value configured on the AWS client, I ran the following tests:
   2.1. Read a secret with the aws_iam_server_id value embedded in the Ansible lookup command
   2.2. Read a secret with aws_iam_server_id in ansible.cfg
   2.3. Read a secret after exporting ANSIBLE_HASHI_VAULT_AWS_IAM_SERVER_ID
3. Repeated the same steps as 2 but with an invalid value and received the expected error from Hashi Vault
4. Removed the iam_server_id_header_value setting from my Hashi Vault instance.
   4.1. Tested that the supplied aws_iam_server_id value is ignored when sent to Hashi Vault

👌 perfect, that's great