Ansible update (#216)

Ansible Galaxy

The main goal of the changes were to be able to publish to Ansible Galaxy. Most of the magic happens inside of a GitHub action script that moves files into the proper directories and changes some of the module names spaces.

The keeper_init action plugin was added to allow the one-time access token to be initialized via a task, since you will not have a the `keeper_ansible` script to init the token if installing from Ansible Galaxy. Included in the collection is an actual role called `keeper_init_token` to initialize a token.

This branch also included the ability to turn on caching using the `keeper_use_cache` option. SDK changes were made to allow the cache directory to be changed inside of writing to working directory. Inside of Ansible the option `keeper_cache_dir` will set it.

A stdout callback plugin called `keeper_redact` was created in an attempt to hide secrets and keeper config variables from being displayed in the log. It best to just use `no_log: True` which if 100%. This plugin doesn't work for lookup. :(

integration/keeper_secrets_manager_ansible/README.md

@@ -5,6 +5,9 @@ This module contains plugins that allow your Ansible automations to use Keeper S
 * `keeper_copy` - Similar to `ansible.builtin.copy`. Uses the KSM vault for the source/content.
 * `keeper_get` - Retrieve secrets from a record.
 * `keeper_set` - Update an existing record from Ansible information.
+* `keeper_init` - Initialize a KSM configuration from a one-time access token.
+* `keeper_cleanup` - Remove the cache file, if being used.
 * `keeper_lookup` - Retrieve secrets from a record using Ansible's lookup.
+* `keeper_redact` - Stdout Callback plugin to redact secrets from logs.
 
 For more information see our official documentation page https://docs.keeper.io/secrets-manager/secrets-manager/integrations/ansible-plugin

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/README.md

@@ -0,0 +1,112 @@
+![Ansible](https://github.com/Keeper-Security/secrets-manager/actions/workflows/test.ansible.yml/badge.svg) 
+
+# Keeper Secrets Manager Collection
+
+This collection allows you retrieve and update records in your Keeper Vault.
+
+Additional documentation can be found on the [Keeper Secrets Manager Ansible](https://docs.keeper.io/secrets-manager/secrets-manager/integrations/ansible-plugin) 
+document portal.
+
+# Installation
+
+## Ansible Tower
+
+In your playbook's source repository, add `keepersecrity.keeper_secrets_manager` to the
+`requirement.yml` collections list.
+
+There is an **Execution Environment** docker image location at
+[https://hub.docker.com/repository/docker/keeper/keeper-secrets-manager-tower-ee](https://hub.docker.com/repository/docker/keeper/keeper-secrets-manager-tower-ee). 
+This **Execution Environment** contains the Python SDK.
+
+## Command Line
+
+This collection requires the [keeper-secrets-manager-core](https://pypi.org/project/keeper-secrets-manager-core/) 
+Python SDK. Use `pip` to install this module into the modules used by your installation of Ansible.
+
+```shell
+$ pip3 install -U keeper-secrets-manager-core
+```
+Then install the collection.
+
+```shell
+$ ansible-galaxy collection install keepersecrity.keeper_secrets_manager
+```
+
+# Plugins
+
+If you wish, you can set the collections in your task and
+just used the short name (ie keeper_copy)
+
+```yaml
+- name: Keeper Task
+  collections: 
+    - keepersecurity.keeper_secrets_manager
+
+  tasks:
+    - name: "Copy My SSH Keys"
+      keeper_copy:
+        notation: "OlLZ6JLjnyMOS3CiIPHBjw/field/keyPair[{{ item.notation_key }}]"
+        dest: "/home/user/.ssh/{{ item.filename }}"
+        mode: "0600"
+      loop:
+        - { notation_key: "privateKey", filename: "id_rsa" }
+        - { notation_key: "publicKey",  filename: "id_rsa.pub" }
+```
+If you omit the `collections` , you will need to use the full plugin name.
+```yaml
+  tasks:
+    - name: "Copy My SSH Keys"
+      keepersecurity.keeper_secrets_manager.keeper_copy:
+        notation: "OlLZ6JLjnyMOS3CiIPHBjw/field/keyPair[{{ item.notation_key }}]"
+```
+
+## Action
+
+* `keepersecurity.keeper_secrets_manager.keeper_copy` - Copy file, or value, from your vault to a remote server.
+* `keepersecurity.keeper_secrets_manager.keeper_get` - Get a value from your vault.
+* `keepersecurity.keeper_secrets_manager.keeper_set` - Set a value of an existing record in your vault.
+* `keepersecurity.keeper_secrets_manager.keeper_cleanup` - Clean up Keeper related files.
+* `keepersecurity.keeper_secrets_manager.keeper_init` - Init a one-time access token. Returns a configuration.
+
+## Lookup
+
+* `keepersecurity.keeper_secrets_manager.keeper` - Get a value from your vault via a lookup.
+
+## Callback
+
+* `keepersecurity.keeper_secrets_manager.keeper_redact` - Stdout callback plugin to redact secret values.
+
+## keeper_init_token Role
+
+Initializing a configuration from a one-time access token. Getting the 
+token is explained in the
+[One Time Access Token](https://docs.keeper.io/secrets-manager/secrets-manager/about/one-time-token) document.
+
+Then create a simple playbook to initialize the token.
+
+```yaml
+- name: Initialize the Keeper one time access token.
+  hosts: localhost
+  connection: local
+  collections: keepersecurity.keeper_secrets_manager
+
+  roles:
+    - keeper_init_token
+```
+Then run the playbook. Pass the token in using the extra var param (-e).
+```shell
+$ ansible-playbook keeper_init.yml -e keeper_token=US:XXX -e keeper_config_file=keeper-config.yml
+```
+When done there will be a file called `keeper-config.yml` which will contain the configuration
+for your device.
+
+```yaml
+keeper_app_key: +U5Jao ... l5FmXymVI=
+keeper_client_id: Fokc6j ... PlBwzAKlMUgFZHqLg==
+keeper_hostname: US
+keeper_private_key: MIGHf ... IcvCihUHyA7Oy
+keeper_server_public_key_id: '10'
+```
+The content of this YAML file can then be cut-n-pasted into a **group_vars**, **host_vars**, **all**
+configuration file or even a playbook.
+

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/galaxy.yml

@@ -0,0 +1,62 @@
+### REQUIRED
+# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
+# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
+# underscores or numbers and cannot contain consecutive underscores
+namespace: keepersecurity
+
+# The name of the collection. Has the same character restrictions as 'namespace'
+name: keeper_secrets_manager
+
+# The version of the collection. Must be compatible with semantic versioning
+version: VERSION_PLACEHOLDER
+
+# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
+readme: README.md
+
+# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
+# @nicks:irc/im.site#channel'
+authors:
+- John Walstra <[email protected]>
+
+
+### OPTIONAL but strongly recommended
+# A short summary description of the collection
+description: Retrieve secrets from your Keeper Vault.
+
+# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
+# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
+license:
+- MIT
+
+# The path to the license file for the collection. This path is relative to the root of the collection. This key is
+# mutually exclusive with 'license'
+license_file: ''
+
+# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
+# requirements as 'namespace' and 'name'
+tags: ["secret", "password", "vault"]
+
+# Collections that this collection requires to be installed for it to be usable. The key of the dict is the
+# collection label 'namespace.name'. The value is a version range
+# L(specifiers,https://python-semanticversion.readthedocs.io/en/latest/#requirement-specification). Multiple version
+# range specifiers can be set and are separated by ','
+dependencies: {}
+
+# The URL of the originating SCM repository
+repository: https://github.com/Keeper-Security/secrets-manager
+
+# The URL to any online docs
+documentation: https://docs.keeper.io/secrets-manager/secrets-manager/integrations/ansible-plugin
+
+# The URL to the homepage of the collection/project
+homepage: https://www.keepersecurity.com
+
+# The URL to the collection issue tracker
+issues: https://github.com/Keeper-Security/secrets-manager/issues
+
+# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
+# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
+# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
+# and '.git' are always filtered
+build_ignore: []
+

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/meta/runtime.yml

@@ -0,0 +1,8 @@
+---
+requires_ansible: '>=2.10'
+action_groups:
+  keeper_secrets_manager:
+    - keeper_copy
+    - keeper_get
+    - keeper_set
+    - keeper_cleanup

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/.travis.yml

@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+  apt:
+    packages:
+    - python-pip
+
+install:
+  # Install ansible
+  - pip install ansible
+
+  # Check ansible version
+  - ansible --version
+
+  # Create ansible.cfg with correct roles_path
+  - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+  # Basic role syntax check
+  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/README.md

@@ -0,0 +1,41 @@
+Role Name
+=========
+
+Initialize a one-time access token into a configuration.
+
+Requirements
+------------
+
+You will need a Keeper Vault account with Secrets Manager enabled. Follow the
+[Quick Start Guide](https://docs.keeper.io/secrets-manager/secrets-manager/quick-start-guide) 
+to get a One-time Access Token.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+```yaml
+- hosts: servers
+  roles:
+    - name: Init Token
+```
+
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+John Walstra 

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for keeper_init_token

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for keeper_init_token

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: John Walstra
+  description: Initialize a configuration from a one-time access token.
+  company: Keeper Security
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: MIT
+
+  min_ansible_version: 2.10
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: ['secret', 'password', 'vault']
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+# tasks file for keeper_init_token
+
+- name: Check if keeper_token has been set.
+  fail:
+    msg: "The keeper_token has not been set. Use '-e keeper_token=XX:XXXX' to pass in the one time access token."
+  when: keeper_token is undefined
+
+- name: Init the one-time access token.
+  keepersecurity.keeper_secrets_manager.keeper_init:
+    token: "{{ keeper_token }}"
+    filename: "{{ keeper_config_file | default('') }}"
+    show_config: "{{ keeper_show_config | default(False) }}"

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - keeper_init_token

integration/keeper_secrets_manager_ansible/ansible_galaxy/keepersecurity/keeper_secrets_manager/roles/keeper_init_token/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for keeper_init_token

integration/keeper_secrets_manager_ansible/ansible_galaxy/tower_execution_environment/README.md

@@ -0,0 +1,23 @@
+# What is this?
+
+Tower/AWX uses an Execution Environment. This is a Docker container used to run
+the playbooks. This is where a playbook gets its Python interpreter and modules.
+This is where the KSM Python SDK is installed.
+
+First install the Ansible EE builder.
+```shell
+pip install ansible-builder
+```
+Build the Docker image
+```shell
+$ ansible-builder build \
+  --tag docker.io/keeper/keeper-secrets-manager-tower-ee:latest \
+  --context ./context \
+  --container-runtime docker
+```
+Then push to Docker Hub
+
+```shell
+$ docker push docker.io/keeper/keeper-secrets-manager-tower-ee:latest
+```
+

integration/keeper_secrets_manager_ansible/ansible_galaxy/tower_execution_environment/execution-environment.yml

@@ -0,0 +1,5 @@
+---
+version: 1
+dependencies:
+  galaxy: requirements.yml
+  python: requirements.txt

integration/keeper_secrets_manager_ansible/ansible_galaxy/tower_execution_environment/requirements.txt

@@ -0,0 +1 @@
+keeper-secrets-manager-core

integration/keeper_secrets_manager_ansible/ansible_galaxy/tower_execution_environment/requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - name: keepersecurity.keeper_secrets_manager