Add jinja2 template option to inventory plugin for auth_token

[erichoog]

SUMMARY

This allows for jinja2 templating to be used in the zabbix_inventory plugin so that the auth_token value can be protected with an environment variable or ansible-vault file. Without this you are forced to add your API token in clear text in the configuration file which is not ideal for security.

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

community.zabbix.zabbix_inventory

ADDITIONAL INFORMATION

Credit for the code goes to contributers to the digitalocean inventory plugin where they have this feature implemented.

I have not been successful in getting my development environment / integration tests working at the moment but this has been manually tested and it works as intended.

[BGmot]

Can you elaborate please why now you can't put password or token encrypted by ansible-vault?

[pyrodie18]

Can you elaborate please why now you can't put password or token encrypted by ansible-vault?

Agreed

[erichoog]

Unless I was doing something completely wrong, any sort of jinja2 templating did not work for the inventory plugin.

It works fine for other modules in the collection but didn't seem to work for me with the inventory plugin.

I confirmed by doing the connection from ansible to zabbix API over http and sniffing the packets. I could see the jinja2 string for the auth_token was passed unchanged to the API. So it seemed as if to me that the jinja2 template portion for the plugin did not work.

Once I made the changes in this pull request it worked as expected for the auth_token.

[BGmot]

Please share how exactly you are using this inventory plugin.

PS: it would be nice if you created an Issue for this before submitting this PR, in my opinion Issues is much better place to discuss "issues" -)

[BGmot]

Freshly deployed Zabbix, has only one host.

$ ansible-vault encrypt_string zabbix
New Vault password: 
Confirm New Vault password: 
Encryption successful
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31336139333939653866313236623834316463393931646366343462373264663737356162333233
          6336366332623463626430353562396537313437616338620a626661656530663035623634343861
          36656132383061653236363338393861333839343438666364353434643865363637613735396364
          3733373136626266640a346130306633353661363166336535613866363930393561353332303135
          3166

$ cat test.zabbix_inventory.yml 
plugin: community.zabbix.zabbix_inventory
server_url: http://localhost:8080
login_user: Admin
login_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31336139333939653866313236623834316463393931646366343462373264663737356162333233
          6336366332623463626430353562396537313437616338620a626661656530663035623634343861
          36656132383061653236363338393861333839343438666364353434643865363637613735396364
          3733373136626266640a346130306633353661363166336535613866363930393561353332303135
          3166
validate_certs: false

$ ansible-inventory -i test.zabbix_inventory.yml --list --ask-vault-password
Vault password: 
{
    "_meta": {
        "hostvars": {
            "Zabbix server": {
                "zbx_active_available": "0",
                "zbx_auto_compress": "1",
                "zbx_custom_interfaces": "0",
                "zbx_description": "",
                "zbx_flags": "0",
                "zbx_host": "Zabbix server",
                "zbx_hostid": "10084",
                "zbx_inventory_mode": "1",
                "zbx_ipmi_authtype": "-1",
                "zbx_ipmi_password": "",
                "zbx_ipmi_privilege": "2",
                "zbx_ipmi_username": "",
                "zbx_maintenance_from": "0",
                "zbx_maintenance_status": "0",
                "zbx_maintenance_type": "0",
                "zbx_maintenanceid": "0",
                "zbx_name": "Zabbix server",
                "zbx_proxy_address": "",
                "zbx_proxy_hostid": "0",
                "zbx_status": "0",
                "zbx_templateid": "0",
                "zbx_tls_accept": "1",
                "zbx_tls_connect": "1",
                "zbx_tls_issuer": "",
                "zbx_tls_subject": "",
                "zbx_uuid": "",
                "zbx_vendor_name": "",
                "zbx_vendor_version": ""
            }
        }
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    },
    "ungrouped": {
        "hosts": [
            "Zabbix server"
        ]
    }
}

[erichoog]

Please share how exactly you are using this inventory plugin.

PS: it would be nice if you created an Issue for this before submitting this PR, in my opinion Issues is much better place to discuss "issues" -)

Sure I can do that apologies as first time trying to contribute here. I will try and raise the issue late today.

[erichoog]

Freshly deployed Zabbix, has only one host.

$ ansible-vault encrypt_string zabbix
New Vault password: 
Confirm New Vault password: 
Encryption successful
!vault |
          $ANSIBLE_VAULT;1.1;AES256
          31336139333939653866313236623834316463393931646366343462373264663737356162333233
          6336366332623463626430353562396537313437616338620a626661656530663035623634343861
          36656132383061653236363338393861333839343438666364353434643865363637613735396364
          3733373136626266640a346130306633353661363166336535613866363930393561353332303135
          3166

$ cat test.zabbix_inventory.yml 
plugin: community.zabbix.zabbix_inventory
server_url: http://localhost:8080
login_user: Admin
login_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31336139333939653866313236623834316463393931646366343462373264663737356162333233
          6336366332623463626430353562396537313437616338620a626661656530663035623634343861
          36656132383061653236363338393861333839343438666364353434643865363637613735396364
          3733373136626266640a346130306633353661363166336535613866363930393561353332303135
          3166
validate_certs: false

$ ansible-inventory -i test.zabbix_inventory.yml --list --ask-vault-password
Vault password: 
{
    "_meta": {
        "hostvars": {
            "Zabbix server": {
                "zbx_active_available": "0",
                "zbx_auto_compress": "1",
                "zbx_custom_interfaces": "0",
                "zbx_description": "",
                "zbx_flags": "0",
                "zbx_host": "Zabbix server",
                "zbx_hostid": "10084",
                "zbx_inventory_mode": "1",
                "zbx_ipmi_authtype": "-1",
                "zbx_ipmi_password": "",
                "zbx_ipmi_privilege": "2",
                "zbx_ipmi_username": "",
                "zbx_maintenance_from": "0",
                "zbx_maintenance_status": "0",
                "zbx_maintenance_type": "0",
                "zbx_maintenanceid": "0",
                "zbx_name": "Zabbix server",
                "zbx_proxy_address": "",
                "zbx_proxy_hostid": "0",
                "zbx_status": "0",
                "zbx_templateid": "0",
                "zbx_tls_accept": "1",
                "zbx_tls_connect": "1",
                "zbx_tls_issuer": "",
                "zbx_tls_subject": "",
                "zbx_uuid": "",
                "zbx_vendor_name": "",
                "zbx_vendor_version": ""
            }
        }
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    },
    "ungrouped": {
        "hosts": [
            "Zabbix server"
        ]
    }
}

Yes that option will work, but using jinja2 in the inventory file would be a nice option in my opinion.

Such as:
auth_token: "{{ lookup('ansible.builtin.env', 'ZABBIX_API_KEY') }}"

[BGmot]

Ok, I have tested and your PR does not break anything but brings new functionality. I am ok with that. Please provide changelog fragment and we'll merge this PR. Thanks!

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 76.45%. Comparing base (88513a7) to head (ee27b60).
Report is 7 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1342      +/-   ##
==========================================
+ Coverage   75.28%   76.45%   +1.17%     
==========================================
  Files          44       43       -1     
  Lines        5523     5445      -78     
  Branches     1410     1396      -14     
==========================================
+ Hits         4158     4163       +5     
+ Misses        859      814      -45     
+ Partials      506      468      -38     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[erichoog]

Ok, I have tested and your PR does not break anything but brings new functionality. I am ok with that. Please provide changelog fragment and we'll merge this PR. Thanks!

Thanks, I believe I have added the changelog fragment correctly. Is there still a need to open an issue for this PR or should I just remember for next time?

[BGmot]

Ok, I have tested and your PR does not break anything but brings new functionality. I am ok with that. Please provide changelog fragment and we'll merge this PR. Thanks!

Thanks, I believe I have added the changelog fragment correctly. Is there still a need to open an issue for this PR or should I just remember for next time?

Just remember for the next time.
Thanks for your contribution!