feat: add hashivault_unseal module (#5)

Reviewed-on: #5
Co-authored-by: Robert Kaussow <mail@thegeeklab.de>
Co-committed-by: Robert Kaussow <mail@thegeeklab.de>

.drone.jsonnet

@@ -6,7 +6,6 @@ local PythonVersion(pyversion='3.8') = {
   },
   commands: [
     'pip install poetry -qq',
-    'poetry config experimental.new-installer false',
     'poetry install --all-extras',
     'poetry run pytest',
   ],
@@ -18,17 +17,16 @@ local PythonVersion(pyversion='3.8') = {
 local AnsibleVersion(version='devel') = {
   local gitversion = if version == 'devel' then 'devel' else 'stable-' + version,
   name: 'ansible-' + std.strReplace(version, '.', ''),
-  image: 'python:3.9',
+  image: 'python:3.10',
   environment: {
     PY_COLORS: 1,
   },
   commands: [
     'pip install poetry -qq',
-    'poetry config experimental.new-installer false',
     'poetry install',
     'poetry run pip install https://github.com/ansible/ansible/archive/' + gitversion + '.tar.gz --disable-pip-version-check',
     'poetry run ansible --version',
-    'poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.9',
+    'poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.10',
   ],
   depends_on: [
     'clone',
@@ -52,7 +50,6 @@ local PipelineLint = {
       commands: [
         'git fetch -tq',
         'pip install poetry -qq',
-        'poetry config experimental.new-installer false',
         'poetry install --all-extras',
         'poetry run yapf -dr ./plugins',
       ],
@@ -66,7 +63,6 @@ local PipelineLint = {
       commands: [
         'git fetch -tq',
         'pip install poetry -qq',
-        'poetry config experimental.new-installer false',
         'poetry install --all-extras',
         'poetry run ruff ./plugins',
       ],
@@ -110,8 +106,8 @@ local PipelineSanityTest = {
   },
   steps: [
     AnsibleVersion(version='devel'),
+    AnsibleVersion(version='2.15'),
     AnsibleVersion(version='2.14'),
-    AnsibleVersion(version='2.13'),
   ],
   depends_on: [
     'unit-test',
@@ -136,7 +132,6 @@ local PipelineBuild = {
         'GALAXY_VERSION=${DRONE_TAG##v}',
         "sed -i 's/version: 0.0.0/version: '\"$${GALAXY_VERSION:-0.0.0}\"'/g' galaxy.yml",
         'pip install poetry -qq',
-        'poetry config experimental.new-installer false',
         'poetry install --all-extras',
         'poetry run ansible-galaxy collection build --output-path dist/',
       ],

.drone.yml

@@ -12,7 +12,6 @@ steps:
     commands:
       - git fetch -tq
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run yapf -dr ./plugins
     environment:
@@ -23,7 +22,6 @@ steps:
     commands:
       - git fetch -tq
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run ruff ./plugins
     environment:
@@ -48,7 +46,6 @@ steps:
     image: python:3.8
     commands:
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run pytest
     environment:
@@ -60,7 +57,6 @@ steps:
     image: python:3.9
     commands:
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run pytest
     environment:
@@ -72,7 +68,6 @@ steps:
     image: python:3.10
     commands:
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run pytest
     environment:
@@ -84,7 +79,6 @@ steps:
     image: python:3.11
     commands:
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run pytest
     environment:
@@ -114,42 +108,39 @@ workspace:
 
 steps:
   - name: ansible-devel
-    image: python:3.9
+    image: python:3.10
     commands:
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install
       - poetry run pip install https://github.com/ansible/ansible/archive/devel.tar.gz --disable-pip-version-check
       - poetry run ansible --version
-      - poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.9
+      - poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.10
+    environment:
+      PY_COLORS: 1
+    depends_on:
+      - clone
+
+  - name: ansible-215
+    image: python:3.10
+    commands:
+      - pip install poetry -qq
+      - poetry install
+      - poetry run pip install https://github.com/ansible/ansible/archive/stable-2.15.tar.gz --disable-pip-version-check
+      - poetry run ansible --version
+      - poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.10
     environment:
       PY_COLORS: 1
     depends_on:
       - clone
 
   - name: ansible-214
-    image: python:3.9
+    image: python:3.10
     commands:
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install
       - poetry run pip install https://github.com/ansible/ansible/archive/stable-2.14.tar.gz --disable-pip-version-check
       - poetry run ansible --version
-      - poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.9
-    environment:
-      PY_COLORS: 1
-    depends_on:
-      - clone
-
-  - name: ansible-213
-    image: python:3.9
-    commands:
-      - pip install poetry -qq
-      - poetry config experimental.new-installer false
-      - poetry install
-      - poetry run pip install https://github.com/ansible/ansible/archive/stable-2.13.tar.gz --disable-pip-version-check
-      - poetry run ansible --version
-      - poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.9
+      - poetry run ansible-test sanity --exclude .chglog/ --exclude .drone.yml --python 3.10
     environment:
       PY_COLORS: 1
     depends_on:
@@ -179,7 +170,6 @@ steps:
       - GALAXY_VERSION=${DRONE_TAG##v}
       - "sed -i 's/version: 0.0.0/version: '\"$${GALAXY_VERSION:-0.0.0}\"'/g' galaxy.yml"
       - pip install poetry -qq
-      - poetry config experimental.new-installer false
       - poetry install --all-extras
       - poetry run ansible-galaxy collection build --output-path dist/
 
@@ -289,6 +279,6 @@ depends_on:
 
 ---
 kind: signature
-hmac: 984617116d21136e915bc5f1af838be713fe0f3442645a45ec7637e13ab890d1
+hmac: f458850edd26300dda4a118e6c8cadffb9575528439efc6efff9f11cadb2a492
 
 ...

plugins/doc_fragments/hashivault.py

@@ -0,0 +1,107 @@
+# -*- coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+"""Implement documentation fragment for Hashivault module."""
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+
+class ModuleDocFragment:  # noqa
+    # Standard documentation
+    DOCUMENTATION = r"""
+    requirements:
+        - hvac>=0.10.1
+        - ansible>=2.0.0
+        - requests
+    options:
+        url:
+            description:
+                - URL of the Vault server.
+                - You can use C(VAULT_ADDR) environment variable.
+            default: ""
+            type: str
+        ca_cert:
+            description:
+                - Path to a PEM-encoded CA cert file to use to verify the Vault server
+                  TLS certificate.
+                - You can use C(VAULT_CACERT) environment variable.
+            default: ""
+            type: str
+        ca_path:
+            description:
+                - Path to a directory of PEM-encoded CA cert files to verify the Vault server
+                  TLS certificate. If ca_cert is specified, its value will take precedence.
+                - You can use C(VAULT_CAPATH) environment variable.
+            default: ""
+            type: str
+        client_cert:
+            description:
+                - Path to a PEM-encoded client certificate for TLS authentication to the Vault
+                  server.
+                - You can use C(VAULT_CLIENT_CERT) environment variable.
+            default: ""
+            type: str
+        client_key:
+            description:
+                - Path to an unencrypted PEM-encoded private key matching the client certificate.
+                - You can use C(VAULT_CLIENT_KEY) environment variable.
+            default: ""
+            type: str
+        verify:
+            description:
+                - If set, do not verify presented TLS certificate before communicating with Vault
+                  server. Setting this variable is not recommended except during testing.
+                - You can use C(VAULT_SKIP_VERIFY) environment variable.
+            default: false
+            type: bool
+        authtype:
+            description:
+                - Authentication type.
+                - You can use C(VAULT_AUTHTYPE) environment variable.
+            default: "token"
+            type: str
+            choices: ["token", "userpass", "github", "ldap", "approle"]
+        login_mount_point:
+            description:
+                - Authentication mount point.
+                - You can use C(VAULT_LOGIN_MOUNT_POINT) environment variable.
+            type: str
+        token:
+            description:
+                - Token for vault.
+                - You can use C(VAULT_TOKEN) environment variable.
+            type: str
+        username:
+            description:
+                - Username to login to vault.
+                - You can use C(VAULT_USER) environment variable.
+            default: ""
+            type: str
+        password:
+            description:
+                - Password to login to vault.
+                - You can use C(VAULT_PASSWORD) environment variable.
+            type: str
+        role_id:
+            description:
+                - Role id for vault.
+                - You can use C(VAULT_ROLE_ID) environment variable.
+            type: str
+        secret_id:
+            description:
+                - Secret id for vault.
+                - You can use C(VAULT_SECRET_ID) environment variable.
+            type: str
+        aws_header:
+            description:
+                - X-Vault-AWS-IAM-Server-ID Header value to prevent replay attacks.
+                - You can use C(VAULT_AWS_HEADER) environment variable.
+            type: str
+        namespace:
+            description:
+                - Namespace for vault.
+                - You can use C(VAULT_NAMESPACE) environment variable.
+            type: str
+"""

plugins/inventory/proxmox.py

@@ -99,13 +99,13 @@ import json
 import re
 import socket
 from collections import defaultdict
-from distutils.version import LooseVersion
 
 from ansible.errors import AnsibleError
 from ansible.module_utils._text import to_native
 from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.module_utils.six import iteritems
 from ansible.plugins.inventory import BaseInventoryPlugin
+from ansible_collections.xoxys.general.plugins.module_utils.version import LooseVersion
 
 try:
     from proxmoxer import ProxmoxAPI

plugins/module_utils/hashivault.py

@@ -0,0 +1,407 @@
+"""Provide helper functions for Hashivault module."""
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+import os
+import traceback
+
+from ansible.module_utils.basic import missing_required_lib
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.basic import env_fallback
+
+HVAC_IMP_ERR = None
+try:
+    import hvac
+    from hvac.exceptions import InvalidPath
+    HAS_HVAC = True
+except ImportError:
+    HAS_HVAC = False
+    HVAC_IMP_ERR = traceback.format_exc()
+
+
+def hashivault_argspec():
+    return dict(
+        url=dict(required=False, default=os.environ.get("VAULT_ADDR", ""), type="str"),
+        ca_cert=dict(required=False, default=os.environ.get("VAULT_CACERT", ""), type="str"),
+        ca_path=dict(required=False, default=os.environ.get("VAULT_CAPATH", ""), type="str"),
+        client_cert=dict(
+            required=False, default=os.environ.get("VAULT_CLIENT_CERT", ""), type="str"
+        ),
+        client_key=dict(
+            required=False,
+            default=os.environ.get("VAULT_CLIENT_KEY", ""),
+            type="str",
+            no_log=True
+        ),
+        verify=dict(
+            required=False,
+            default=(not os.environ.get("VAULT_SKIP_VERIFY", "False")),
+            type="bool"
+        ),
+        authtype=dict(
+            required=False,
+            default=os.environ.get("VAULT_AUTHTYPE", "token"),
+            type="str",
+            choices=["token", "userpass", "github", "ldap", "approle"]
+        ),
+        login_mount_point=dict(
+            required=False, default=os.environ.get("VAULT_LOGIN_MOUNT_POINT", None), type="str"
+        ),
+        token=dict(
+            required=False,
+            fallback=(hashivault_default_token, ["VAULT_TOKEN"]),
+            type="str",
+            no_log=True
+        ),
+        username=dict(required=False, default=os.environ.get("VAULT_USER", ""), type="str"),
+        password=dict(
+            required=False, fallback=(env_fallback, ["VAULT_PASSWORD"]), type="str", no_log=True
+        ),
+        role_id=dict(
+            required=False, fallback=(env_fallback, ["VAULT_ROLE_ID"]), type="str", no_log=True
+        ),
+        secret_id=dict(
+            required=False, fallback=(env_fallback, ["VAULT_SECRET_ID"]), type="str", no_log=True
+        ),
+        aws_header=dict(
+            required=False, fallback=(env_fallback, ["VAULT_AWS_HEADER"]), type="str", no_log=True
+        ),
+        namespace=dict(
+            required=False, default=os.environ.get("VAULT_NAMESPACE", None), type="str"
+        )
+    )
+
+
+def hashivault_init(
+    argument_spec,
+    supports_check_mode=False,
+    required_if=None,
+    required_together=None,
+    required_one_of=None,
+    mutually_exclusive=None
+):
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=supports_check_mode,
+        required_if=required_if,
+        required_together=required_together,
+        required_one_of=required_one_of,
+        mutually_exclusive=mutually_exclusive
+    )
+
+    if not HAS_HVAC:
+        module.fail_json(msg=missing_required_lib("hvac"), exception=HVAC_IMP_ERR)
+
+    module.no_log_values.discard("0")
+    module.no_log_values.discard(0)
+    module.no_log_values.discard("1")
+    module.no_log_values.discard(1)
+    module.no_log_values.discard(True)
+    module.no_log_values.discard(False)
+    module.no_log_values.discard("ttl")
+
+    return module
+
+
+def hashivault_client(params):
+    url = params.get("url")
+    ca_cert = params.get("ca_cert")
+    ca_path = params.get("ca_path")
+    client_cert = params.get("client_cert")
+    client_key = params.get("client_key")
+    cert = (client_cert, client_key)
+    check_verify = params.get("verify")
+    namespace = params.get("namespace", None)
+
+    if check_verify == "" or check_verify:
+        if ca_cert:
+            verify = ca_cert
+        elif ca_path:
+            verify = ca_path
+        else:
+            verify = check_verify
+    else:
+        verify = check_verify
+
+    return hvac.Client(url=url, cert=cert, verify=verify, namespace=namespace)
+
+
+def hashivault_auth(client, params):
+    token = params.get("token")
+    authtype = params.get("authtype")
+    login_mount_point = params.get("login_mount_point", authtype)
+    if not login_mount_point:
+        login_mount_point = authtype
+    username = params.get("username")
+    password = params.get("password")
+    secret_id = params.get("secret_id")
+    role_id = params.get("role_id")
+
+    if authtype == "github":
+        client.auth.github.login(token, mount_point=login_mount_point)
+    elif authtype == "userpass":
+        client.auth_userpass(username, password, mount_point=login_mount_point)
+    elif authtype == "ldap":
+        client.auth.ldap.login(username, password, mount_point=login_mount_point)
+    elif authtype == "approle":
+        client = AppRoleClient(client, role_id, secret_id, mount_point=login_mount_point)
+    elif authtype == "tls":
+        client.auth_tls()
+    else:
+        client.token = token
+    return client
+
+
+def hashivault_auth_client(params):
+    client = hashivault_client(params)
+    return hashivault_auth(client, params)
+
+
+def hashiwrapper(function):
+
+    def wrapper(*args, **kwargs):
+        result = {"changed": False, "rc": 0}
+        result.update(function(*args, **kwargs))
+        return result
+
+    return wrapper
+
+
+def hashivault_default_token(env):
+    """Get a default Vault token from an environment variable or a file."""
+    envvar = env[0]
+    if envvar in os.environ:
+        return os.environ[envvar]
+    token_file = os.path.expanduser("~/.vault-token")
+    if os.path.exists(token_file):
+        with open(token_file) as f:
+            return f.read().strip()
+    return ""
+
+
+@hashiwrapper
+def hashivault_read(params):
+    result = {"changed": False, "rc": 0}
+    client = hashivault_auth_client(params)
+    version = params.get("version")
+    mount_point = params.get("mount_point")
+    secret = params.get("secret")
+    secret_version = params.get("secret_version")
+
+    key = params.get("key")
+    default = params.get("default")
+
+    if secret.startswith("/"):
+        secret = secret.lstrip("/")
+        mount_point = ""
+
+    secret_path = f"{mount_point}/{secret}" if mount_point else secret
+
+    try:
+        if version == 2:
+            response = client.secrets.kv.v2.read_secret_version(
+                secret, mount_point=mount_point, version=secret_version
+            )
+        else:
+            response = client.secrets.kv.v1.read_secret(secret, mount_point=mount_point)
+    except InvalidPath:
+        response = None
+    except Exception as e:  # noqa: BLE001
+        result["rc"] = 1
+        result["failed"] = True
+        error_string = f"{e.__class__.__name__}({e})"
+        result["msg"] = f"Error {error_string} reading {secret_path}"
+        return result
+    if not response:
+        if default is not None:
+            result["value"] = default
+            return result
+        result["rc"] = 1
+        result["failed"] = True
+        result["msg"] = f"Secret {secret_path} is not in vault"
+        return result
+    if version == 2:
+        try:
+            data = response.get("data", {})
+            data = data.get("data", {})
+        except Exception:  # noqa: BLE001
+            data = str(response)
+    else:
+        data = response["data"]
+    lease_duration = response.get("lease_duration", None)
+    if lease_duration is not None:
+        result["lease_duration"] = lease_duration
+    lease_id = response.get("lease_id", None)
+    if lease_id is not None:
+        result["lease_id"] = lease_id
+    renewable = response.get("renewable", None)
+    if renewable is not None:
+        result["renewable"] = renewable
+    wrap_info = response.get("wrap_info", None)
+    if wrap_info is not None:
+        result["wrap_info"] = wrap_info
+    if key and key not in data:
+        if default is not None:
+            result["value"] = default
+            return result
+        result["rc"] = 1
+        result["failed"] = True
+        result["msg"] = f"Key {key} is not in secret {secret_path}"
+        return result
+    value = data[key] if key else data
+    result["value"] = value
+    return result
+
+
+class AppRoleClient:
+    """
+    hvac.Client decorator generate and set a new approle token.
+
+    This allows multiple calls to Vault without having to manually
+    generate and set a token on every Vault call.
+    """
+
+    def __init__(self, client, role_id, secret_id, mount_point):
+        object.__setattr__(self, "client", client)
+        object.__setattr__(self, "role_id", role_id)
+        object.__setattr__(self, "secret_id", secret_id)
+        object.__setattr__(self, "login_mount_point", mount_point)
+
+    def __setattr__(self, name, val):
+        client = object.__getattribute__(self, "client")
+        client.__setattr__(name, val)
+
+    def __getattribute__(self, name):
+        client = object.__getattribute__(self, "client")
+        attr = client.__getattribute__(name)
+
+        role_id = object.__getattribute__(self, "role_id")
+        secret_id = object.__getattribute__(self, "secret_id")
+        login_mount_point = object.__getattribute__(self, "login_mount_point")
+        resp = client.auth_approle(role_id, secret_id=secret_id, mount_point=login_mount_point)
+        client.token = str(resp["auth"]["client_token"])
+        return attr
+
+
+def _compare_state(desired_state, current_state, ignore=None):
+    """
+    Compare desired state to current state.
+
+    Returns true if objects are equal.
+
+    Recursively walks dict object to compare all keys.
+
+    :param desired_state: The state user desires.
+    :param current_state: The state that currently exists.
+    :param ignore: Ignore these keys.
+    :type ignore: list
+
+    :return: True if the states are the same.
+    :rtype: bool
+    """
+
+    if ignore is None:
+        ignore = []
+    if (type(desired_state) is list):
+        if ((type(current_state) != list) or (len(desired_state) != len(current_state))):
+            return False
+        return set(desired_state) == set(current_state)
+
+    if (type(desired_state) is dict):
+        if (type(current_state) != dict):
+            return False
+
+        # iterate over dictionary keys
+        for key in desired_state:
+            if key in ignore:
+                continue
+            v = desired_state[key]
+            if ((key not in current_state) or (not _compare_state(v, current_state.get(key)))):
+                return False
+        return True
+
+    # Lots of things get handled as strings in ansible that aren"t necessarily strings,
+    # can extend this list later.
+    if isinstance(desired_state, str) and isinstance(current_state, int):
+        current_state = str(current_state)
+
+    return (desired_state == current_state)
+
+
+def _convert_to_seconds(original_value):
+    try:
+        value = str(original_value)
+        seconds = 0
+        if "h" in value:
+            ray = value.split("h")
+            seconds = int(ray.pop(0)) * 3600
+            value = "".join(ray)
+        if "m" in value:
+            ray = value.split("m")
+            seconds += int(ray.pop(0)) * 60
+            value = "".join(ray)
+        if value:
+            ray = value.split("s")
+            seconds += int(ray.pop(0))
+        return seconds
+    except Exception:  # noqa: BLE001
+        pass
+    return original_value
+
+
+def get_keys_updated(desired_state, current_state, ignore=None):
+    """
+
+    Return list of keys that have different values.
+
+    Recursively walks dict object to compare all keys.
+
+    :param desired_state: The state user desires.
+    :type desired_state: dict
+    :param current_state: The state that currently exists.
+    :type current_state: dict
+    :param ignore: Ignore these keys.
+    :type ignore: list
+
+    :return: Different items
+    :rtype: list
+    """
+
+    if ignore is None:
+        ignore = []
+
+    differences = []
+    for key in desired_state:
+        if key in ignore:
+            continue
+        if (key not in current_state):
+            differences.append(key)
+            continue
+        new_value = desired_state[key]
+        old_value = current_state[key]
+        if "ttl" in key and (_convert_to_seconds(old_value) != _convert_to_seconds(new_value)):
+            differences.append(key)
+        elif not _compare_state(new_value, old_value):
+            differences.append(key)
+    return differences
+
+
+def is_state_changed(desired_state, current_state, ignore=None):  # noqa: ARG001
+    """
+    Return list of keys that have different values.
+
+    Recursively walks dict object to compare all keys.
+
+    :param desired_state: The state user desires.
+    :type desired_state: dict
+    :param current_state: The state that currently exists.
+    :type current_state: dict
+    :param ignore: Ignore these keys.
+    :type ignore: list
+
+    :return: Different
+    :rtype: bool
+    """
+    return (len(get_keys_updated(desired_state, current_state)) > 0)

plugins/module_utils/version.py

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2021, Felix Fontein <felix@fontein.de>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Provide version object to compare version numbers."""
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+from ansible.module_utils.six import raise_from
+
+try:
+    from ansible.module_utils.compat.version import LooseVersion  # noqa: F401,E501 pylint: disable=unused-import
+except ImportError:
+    try:
+        from distutils.version import LooseVersion  # noqa: F401, pylint: disable=unused-import
+    except ImportError as exc:
+        msg = (
+            "To use this plugin or module with ansible-core 2.11, you need to use Python < 3.12 "
+            "with distutils.version present"
+        )
+        raise_from(ImportError(msg), exc)

plugins/modules/hashivault_unseal.py

@@ -0,0 +1,72 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+"""Unseal Hashicorp Vault servers."""
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {"status": ["stableinterface"], "supported_by": "community", "version": "1.1"}
+
+DOCUMENTATION = """
+---
+module: hashivault_unseal
+short_description: Hashicorp Vault unseal module.
+version_added: 1.2.0
+description:
+  - "Module to unseal Hashicorp Vault."
+options:
+  keys:
+    description:
+      - Vault key shard(s).
+    type: list
+    elements: str
+    required: true
+author:
+  - Robert Kaussow (@xoxys)
+extends_documentation_fragment:
+  - xoxys.general.hashivault
+"""
+
+EXAMPLES = """
+---
+- name: Unseal vault
+  hashivault_unseal:
+    keys:
+      - 26479cc0-54bc-4252-9c34-baca54aa5de7
+      - 47f942e3-8525-4b44-ba2f-84a4ae81db7d
+      - 2ee9c868-4275-4836-8747-4f8fb7611aa0
+    url: https://vault.example.com
+"""
+
+from ansible_collections.xoxys.general.plugins.module_utils.hashivault import hashivault_argspec
+from ansible_collections.xoxys.general.plugins.module_utils.hashivault import hashivault_client
+from ansible_collections.xoxys.general.plugins.module_utils.hashivault import hashivault_init
+from ansible_collections.xoxys.general.plugins.module_utils.hashivault import hashiwrapper
+
+
+def main():
+    argspec = hashivault_argspec()
+    argspec["keys"] = dict(required=True, type="list", elements="str", no_log=True)
+    module = hashivault_init(argspec)
+    result = hashivault_unseal(module.params)
+    if result.get("failed"):
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+
+
+@hashiwrapper
+def hashivault_unseal(params):
+    keys = params.get("keys")
+    client = hashivault_client(params)
+    if client.sys.is_sealed():
+        return {"status": client.sys.submit_unseal_keys(keys), "changed": True}
+
+    return {"changed": False}
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/iptables_raw.py

@@ -216,6 +216,7 @@ from collections import defaultdict
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.basic import json
+from ansible_collections.xoxys.general.plugins.module_utils.version import LooseVersion
 
 
 # Genereates a diff dictionary from an old and new table dump.
@@ -357,7 +358,6 @@ class Iptables:
 
     # Checks if iptables is installed and if we have a correct version.
     def _check_compatibility(self):
-        from distutils.version import StrictVersion
         cmd = [self.bins['iptables'], '--version']
         rc, stdout, stderr = Iptables.module.run_command(cmd, check_rc=False)
         if rc == 0:
@@ -366,7 +366,7 @@ class Iptables:
                 version = result.group(1)
                 # CentOS 5 ip6tables (v1.3.x) doesn't support comments,
                 # which means it cannot be used with this module.
-                if StrictVersion(version) < StrictVersion('1.4'):
+                if LooseVersion(version) < LooseVersion('1.4'):
                     Iptables.module.fail_json(
                         msg="This module isn't compatible with ip6tables versions older than 1.4.x"
                     )

plugins/modules/proxmox_kvm.py

@@ -813,9 +813,9 @@ import string
 import time
 import traceback
 from collections import defaultdict
-from distutils.version import LooseVersion
 
 from ansible.module_utils.six.moves.urllib.parse import quote
+from ansible_collections.xoxys.general.plugins.module_utils.version import LooseVersion
 
 try:
     from proxmoxer import ProxmoxAPI

pyproject.toml

@@ -46,6 +46,9 @@ pycodestyle = "2.10.0"
 yamllint = "1.29.0"
 pylint = "2.15.0"
 voluptuous = "0.13.1"
+pytest-ansible = "3.1.5"
+pytest-forked = "1.6.0"
+pytest-xdist = "3.3.1"
 
 [tool.pytest.ini_options]
 addopts = "--cov --cov-report=xml:coverage.xml --cov-report=term --cov-append --no-cov-on-fail"
@@ -59,6 +62,7 @@ filterwarnings = [
   "ignore::FutureWarning",
   "ignore::DeprecationWarning",
   "ignore:.*pep8.*:FutureWarning",
+  "ignore:AnsibleCollectionFinder.*:UserWarning"
 ]
 
 [tool.coverage.run]
@@ -80,6 +84,7 @@ exclude = [
     ".cache",
     ".eggs",
     "env*",
+    ".venv",
     "iptables_raw.py",
 ]
 # Explanation of errors
@@ -114,6 +119,7 @@ ignore = [
     "UP001",
     "UP009",
     "UP010",
+    "RUF100",
 ]
 line-length = 99
 select = [

tests/unit/plugins/inventory/test_proxmox.py

@@ -10,8 +10,7 @@ import pytest
 
 proxmox = pytest.importorskip("proxmoxer")
 
-from ansible.errors import AnsibleError, AnsibleParserError  # noqa
-from plugins.inventory.proxmox import InventoryModule
+from ansible_collections.xoxys.general.plugins.inventory.proxmox import InventoryModule
 
 
 @pytest.fixture