awxkit and awx.awx don't export credential input sources. about awx HOT 7 OPEN

Hello @neevnuv, after further research we have determined we don't yet have this functionality for this type of credential. I have added the feature flag to this and have added this to our backlog. PRs are welcome!

from awx.

@neevnuv Since the API endpoint is of type SubListCreateAPIView (i.e. it can take a full object instead of just an id to attach), adding it to the DEPENDENT_EXPORT list is probably what you want. You should be aware, though, that the downside of this is that on every import a new credential input source will be created, instead of an existing one reused. If that seems unacceptable, credential input sources do have a top-level API endpoint, so they could be added to EXPORTABLE_RESOURCES instead. The downside of that, though, is that you would need to make sure that the type is included in your exports (you either export everything, or include a --credential_input_sources flag in your awx export command). You will also have to add a natural key to the page type if you go this route.

Other things to care about when adding a new resource like this is whether we have a Page type for it somewhere in awxkit/awxkit/api/pages/ (and it appears that we do for these), and if we have url patterns in awxkit/awxkit/api/resources.py that match the endpoints (and it looks like we do).

I'd say go ahead and add it to DEPENDENT_EXPORT and try it out, both exporting and importing. I suspect that it will just work. To answer your question, the import machinery also makes use of that list, so there should be nothing special that you need to do there.

from awx.

Hello @neevnuv,
I am exploring this issue now. Just to confirm, in your exported file resources.json there is no actual json in the file, is that correct? Are you just seeing two empty curly brackets?

from awx.

After creating a HashiCorp Vault Secret Lookup credential, I created another credential that uses the Hashicorp secret lookup credential in order to fetch its secure data, as you'll see in the image below:

After doing so, when exporting the credentials using the cli, the output json does not contain any data about the credential input sources. Even though the input sources do not contain any important data (data that should be encrypted).

For example, when I ran the following command to get the git credential:

awx export --credentials <git-cred-id> --conf.host http://my-awx.com --conf.username <my-user> --conf.token <my-token> resources.json

I receive the following json:

{
     "credentials": [
          {
               "name": "Git Credential",
               "description": "My Cool Git Credential",
               "organization": null,
               "inputs": {},
               "credential_type": {
                    "name": "Source Control",
                    "kind": "scm",
                    "type": "credential_type"
               },
               "user": {
                    "username": "admin",
                    "type": "user"
               },
               "natural_key": {
                    "organization": null,
                    "name": "Git Credential",
                    "credential_type": {
                         "name": "Source Control",
                         "kind": "scm",
                         "type": "credential_type"
                    },
                    "type": "credential"
               }
          }
     ]
}

I am hoping the credential input sources would be also visible here, for exporting/importing awx instances. It would allow me to backup the tower credential resources without losing the data inside them (without having to reconfigure the secret lookup for vault each time I import the credentials back).

from awx.

Thank you so much for providing this additional information! I can confirm I can duplicate this on my end.

from awx.

Will it solve the export issue if we add the credential_input_source to the export command to the list of DEPENDENT_EXPORT?
Here:

And should there be any change in the import process?

from awx.

Hello, I opened a PR and tested it on a local minikube awx instance, the PR doesn't contain a lot of changes.
I ran a few tests on it, they all worked well. I would love if you take a look and gave me feedback. #14798

from awx.