bitwarden · tangowithfoxtrot · Jan 8, 2024 · Dec 12, 2023 · Dec 12, 2023 · Dec 12, 2023
@@ -0,0 +1,32 @@
+name: Publish to Ansible Galaxy
+
+on:
+  #   push:
+  #     branches:
+  #       - main
+  #     tags:
+  #       - '*'
+  #   pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Retrieve secrets from Secrets Manager
+        uses: bitwarden/sm-action@92d1d6a4f26a89a8191c83ab531a53544578f182 # v2.0.0
+        with:
+          access_token: ${{ secrets.BWS_ACCESS_TOKEN }}
+          secrets: |
+            dc3dc07b-1bbe-4ca6-bb16-b0d500fd1b71 > GALAXY_API_KEY
+
+      - name: Publish to Ansible Galaxy
+        uses: ansible/ansible-publish-action@a56a0328c92c1d4feedf5bd7f7cf7ec7a4ae3f09 # v1.0.0
+        with:
+          api_key: ${{ env.GALAXY_API_KEY }}
+          src_path: .
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 # General
 .DS_Store
+.env
 Thumbs.db
 
 # IDEs and editors
@@ -12,7 +13,7 @@ Thumbs.db
 *.sublime-workspace
 
 # Visual Studio Code
-.vscode/*
+.vscode/
 !.vscode/settings.json
 !.vscode/tasks.json
 !.vscode/launch.json
@@ -22,3 +23,10 @@ Thumbs.db
 # Node
 node_modules
 npm-debug.log
+
+# Python
+.venv*
+__pycache__
+
+# Vagrant
+.vagrant/
diff --git a/README.md b/README.md
@@ -1,3 +1,30 @@
-# Template Repository
+# Bitwarden Secrets Manager Lookup Plugin
 
-This repository serves as a template for others and establishes very basic structure and tooling setup for later customization.
+## Install dependencies
+
+```bash
+pip install bitwarden_sdk
+```
+
+## Run
+
+```bash
+export HISTCONTROL=ignorespace # to avoid storing access token in bash history
+ export BWS_ACCESS_TOKEN=<your_access_token> # the space keeps this out of bash history
+ansible-playbook examples/test.yml
+```
+
+### macOS
+
+On macOS, you may need to set the following environment variable to avoid an error related to fork safety:
+```bash
+export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
+```
+
+See [running on macos as a control node](https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-control-node) and [this GitHub issue](https://github.com/ansible/ansible/issues/49207) for more details.
+
+## Execute as a standalone script
+
+```bash
+python ./plugins/lookup/bitwarden_sm.py <secret_id> base_url=<vault_url>
+```
diff --git a/ansible.cfg b/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+callback_whitelist = profile_roles, profile_tasks, timer
+lookup_plugins = ./plugins
+nocows = True
+stdout_callback = yaml
+bin_ansible_callbacks = True
+no_log = False
+deprecation_warnings = False
diff --git a/examples/test.yml b/examples/test.yml
@@ -0,0 +1,18 @@
+---
+- name: Test Bitwarden lookup plugin
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  vars:
+    secret: "{{ lookup('bitwarden_sm', '9165d7a8-2c22-476e-8add-b0d50162c5cc' ) }}"
+    secret_with_field: "{{ lookup('bitwarden_sm', '9165d7a8-2c22-476e-8add-b0d50162c5cc', field='note' ) }}"
+
+  tasks:
+    - name: Echo secret
+      ansible.builtin.debug:
+        msg: "Secret value is: {{ secret }}"
+
+    - name: Echo secret with field
+      ansible.builtin.debug:
+        msg: "Secret with field is: {{ secret_with_field }}"
diff --git a/examples/test_self_hosted.yml b/examples/test_self_hosted.yml
@@ -0,0 +1,17 @@
+---
+- name: Test Self-hosted Bitwarden lookup plugin
+  hosts: localhost
+  connection: local
+  gather_facts: false
+
+  vars:
+    secret_from_other_server: "{{ lookup('bitwarden_sm', 'cdc0a886-6ad6-4136-bfd4-b04f01149173', base_url='https://bitwarden.example.com' ) }}"
+    secret_advanced: >-
+      {{ lookup('bitwarden_sm', 'cdc0a886-6ad6-4136-bfd4-b04f01149173',
+        api_url='https://bitwarden.example.com/api',
+        identity_url='https://bitwarden.example.com/identity' ) }}
+
+  tasks:
+    - name: Echo secret from other server
+      ansible.builtin.debug:
+        msg: "Secret value from other server is: {{ secret_from_other_server }}"
diff --git a/galaxy.yml b/galaxy.yml
@@ -0,0 +1,40 @@
+namespace: bitwarden
+name: bitwarden_sm
+version: 0.0.1
+readme: README.md
+authors:
+  - Bitwarden <[email protected]>
+description: This is a Collection of the Bitwarden Secrets Manager lookup plugin.
+license: GPL-3.0-or-later
+tags:
+  - access
+  - account
+  - bitwarden
+  - credential
+  - identity
+  - secret
+  - security
+  - privileged
+  - vault
+  - devops
+repository: https://github.com/bitwarden/sm-ansible
+documentation: https://bitwarden.com/help
+homepage: https://bitwarden.com/products/secrets-manager
+issues: https://github.com/bitwarden/sm-ansible/issues
+build_ignore:
+  - .editorconfig
+  - .env
+  - .git
+  - .gitignore
+  - .gitattributes
+  - .github
+  - .husky
+  - .idea
+  - .vagrant
+  - .venv
+  - .vscode
+  - __pycache__
+  - ansible.cfg
+  - package.json
+  - package-lock.json
+  - tests