
Extra vars poc #203

Merged
merged 18 commits into from
May 23, 2024

Conversation

ramavenkata-loya (Contributor):

Desired Outcome

Please describe the desired outcome for this PR. Said another way, what was
the original request that resulted in these code changes? Feel free to copy
this information from the connected issue.

Implemented Changes

Describe how the desired outcome above has been achieved with this PR. In
particular, consider:

  • What's changed? Why were these changes made?
  • How should the reviewer approach this PR, especially if manual tests are required?
  • Are there relevant screenshots you can add to the PR description?

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue ID: [insert issue ID]

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a
    CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code
    changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR
  • A follow-up issue to update official docs has been filed here: [insert issue ID]
  • This PR does not require updating any documentation

Behavior

  • This PR changes product behavior and has been reviewed by a PO, or
  • These changes are part of a larger initiative that will be reviewed later, or
  • No behavior was changed with this PR

Security

  • Security architect has reviewed the changes in this PR,
  • These changes are part of a larger initiative with a separate security review, or
  • There are no security aspects to these changes

@ramavenkata-loya ramavenkata-loya requested a review from a team as a code owner April 30, 2024 14:21
andytinkham (Contributor) previously approved these changes May 7, 2024

@andytinkham left a comment:

LGTM from a security view

@john-odonnell (Contributor) left a comment:

Looks good so far - left one important comment about how we handle the authn_token_file var. I think it would be a good idea to add an integration test case where we use extra vars to configure the lookup plugin.

CHANGELOG.md (outdated), comment on lines 9 to 12:
## [1.2.3] - 2024-04-30

### Changed
- Enhancement for the lookup plugin to support the extra-vars
Contributor:

This should count as a backwards-compatible addition

Suggested change:

- ## [1.2.3] - 2024-04-30
- ### Changed
- - Enhancement for the lookup plugin to support the extra-vars
+ ## [1.3.0] - 2024-04-30
+ ### Added
+ - Enhancement for the lookup plugin to support the extra-vars

Contributor:

Can you elaborate more on that, John? Should this be a minor change, or must the description be updated?

Contributor:

Bumping the version from 1.2.2 to 1.2.3 would imply that the only released additions were bug fixes, but this goes a bit beyond that. We're adding a new method of configuring the plugin, so as long as we maintain backwards compatibility, we should bump the version to 1.3.0 instead.

authn_login = self.get_var_value("conjur_authn_login")
authn_api_key = self.get_var_value("conjur_authn_api_key")
cert_file = self.get_var_value("conjur_cert_file")
authn_token_file = self.get_var_value("conjur_authn_token_file")
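Review bot: the last line reads conjur_authn_token_file through the same get_var_value path as the required credentials on the three lines above it, so the documented default for that key is now applied and an unset CONJUR_AUTHN_TOKEN_FILE resolves to a path that may not exist on the host, making the lookup fail instead of falling through to fetching a fresh authn token; either exempt this key from the required-value check so an absent value stays None, or remove the default from its DOCUMENTATION entry, and add an integration test that configures the plugin purely through extra vars so this precedence is exercised.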
Contributor:

I think we have some unexpected behavior here that breaks backwards compatibility.

Previously, we had a section in the DOCUMENTATION variable that described the conjur_authn_token_file variable, but it was being accessed exclusively as an environment variable, so the specified default value was not being applied. Now that we're accessing the value this way, the default value is being applied when we would expect it not to.

We either need to add some special handling for this variable to maintain backwards compatibility, or release this as part of a major version bump.

Contributor Author:

In the past, the authn_token_file value was generated by either an environmental variable or the default path (/var/run/conjur/access-token).

The newest modifications allow for the authn_token_file value to be pulled from either the environmental variable, extra variables, or the default path (/var/run/conjur/access-token).

The behavior was the same as earlier, but we have updated only the ini name of authn_token_file.

Contributor:

> In the past, the authn_token_file value was generated by either an environmental variable or the default path (/var/run/conjur/access-token)

The last part of this isn't true - previously, the lookup plugin checked the CONJUR_AUTHN_TOKEN_FILE environment variable, and if it didn't exist, no default value was applied, and instead the plugin retrieved a new authn token.

Check out this PR's Jenkins build, which is failing on the lookup plugin's end-to-end tests.

TASK [Retrieve Conjur variable] ************************************************
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while templating
  '{{lookup('conjur_variable', 'ansible/test-secret')}}'. Error was a
  <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception
  occurred while running the lookup plugin 'conjur_variable'. Error was a
  <class 'ansible.errors.AnsibleError'>, original message: Conjur authn token
  file `/var/run/conjur/access-token` was not found on the host. Conjur authn token
  file `/var/run/conjur/access-token` was not found on the host"}

The existing DOCUMENTATION variable section describing the authn_token_file parameter is inaccurate, but we aren't using self.get_option, so it isn't being enforced. Backwards compatibility should be maintained if we update the new authn_token_file section to specify that it doesn't have a default value and isn't required.

Contributor Author:

To ensure backward compatibility for conjur_authn_token_file, we have removed the default key parameter in the conjur_authn_token_file documentation section and also added an extra check for conjur_authn_token_file.

if not variable_value and key != "conjur_authn_token_file":
    raise AnsibleError("The value of the {0} variable is not set".format(key))

The token can either be selected from environmental/extra-vars variables or generated within the code.
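The resolution order and the token-file special case discussed in this thread, as an added stand-alone example (not the collection's own plugin code): `get_var_value`, `token_source`, the `DEFAULTS_*` tables and the extra-vars-before-environment precedence are all assumptions made here for illustration, and the "before" table reproduces the end-to-end failure quoted above.

```python
import os

# Constructed stand-ins for the plugin's DOCUMENTATION defaults (hypothetical values,
# not the collection's real option table).
# Before the fix: a documented default that the old code never enforced, because the
# token file was read only from the CONJUR_AUTHN_TOKEN_FILE environment variable.
DEFAULTS_BEFORE_FIX = {"conjur_authn_token_file": "/var/run/conjur/access-token"}
# After the fix: no default entry, so an unset token file falls through to fetching
# a fresh authn token, which is the pre-existing behaviour the thread wants to keep.
DEFAULTS_AFTER_FIX = {}

# Keys allowed to resolve to nothing; every other key is required.
OPTIONAL_KEYS = {"conjur_authn_token_file"}


def get_var_value(key, extra_vars, environ, defaults):
    """Resolve one plugin setting.

    Precedence (assumed here, not stated in the thread): Ansible extra vars, then the
    upper-cased environment variable, then the documented default. Required keys
    raise when nothing is set, which is the check quoted in the thread; optional
    keys return None so the caller can choose another path.
    """
    value = extra_vars.get(key) or environ.get(key.upper()) or defaults.get(key)
    if not value and key not in OPTIONAL_KEYS:
        raise ValueError("The value of the {0} variable is not set".format(key))
    return value or None


def token_source(extra_vars, environ, defaults, isfile=os.path.isfile):
    """Decide where the authn token comes from: an existing file or a fresh login.

    Returns ("file", path) when a token file is configured and present on the host,
    ("authenticate", None) when none is configured, and raises when a configured or
    defaulted path is missing, which reproduces the end-to-end failure in the thread.
    """
    path = get_var_value("conjur_authn_token_file", extra_vars, environ, defaults)
    if path is None:
        return ("authenticate", None)
    if not isfile(path):
        raise FileNotFoundError(
            "Conjur authn token file `{0}` was not found on the host".format(path))
    return ("file", path)
```

Running `token_source({}, {}, DEFAULTS_BEFORE_FIX)` on a host without the default file raises the same "was not found on the host" error as the failing Jenkins build, while `DEFAULTS_AFTER_FIX` yields `("authenticate", None)`.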

@itsbrugu itsbrugu merged commit c47ecaa into main May 23, 2024
38 of 41 checks passed
@john-odonnell john-odonnell deleted the extra-vars-poc branch May 23, 2024 19:21