Remove incidental_cs_role_permission (#72380)

* Add explicit argspec tests for choices

* ci_complete ci_coverage

* Remove incidental_cs_role_permission

* ci_complete ci_coverage

* ci_complete ci_coverage

(cherry picked from commit 6543c7bc5d)
This commit is contained in:
Matt Martz 2020-11-02 10:35:13 -06:00 committed by Rick Elrod
parent 73991233fb
commit 5b5870886b
9 changed files with 22 additions and 1536 deletions

View file

@ -137,7 +137,6 @@ matrix:
- env: T=i/azure/2.7/1
- env: T=i/azure/3.6/1
- env: T=i/vcenter//1
- env: T=i/cs//1
- env: T=i/tower//1
- env: T=i/cloud//1

View file

@ -91,6 +91,13 @@ def main():
'off',
],
},
'choices': {
'type': 'str',
'choices': [
'foo',
'bar',
],
}
},
required_if=(
('state', 'present', ('path', 'content'), True),

View file

@ -259,6 +259,18 @@
required_one_of_one: value
register: argspec_choices_with_strings_like_bools_false
- argspec:
required: value
required_one_of_one: value
choices: foo
- argspec:
required: value
required_one_of_one: value
choices: baz
register: argspec_choices_bad_choice
ignore_errors: true
- assert:
that:
- argspec_required_fail is failed
@ -310,3 +322,5 @@
- argspec_choices_with_strings_like_bools_true.choices_with_strings_like_bools == 'on'
- argspec_choices_with_strings_like_bools_true_bool.choices_with_strings_like_bools == 'on'
- argspec_choices_with_strings_like_bools_false.choices_with_strings_like_bools == 'off'
- argspec_choices_bad_choice is failed

View file

@ -1,2 +0,0 @@
cloud/cs
shippable/cs/incidental

View file

@ -1,3 +0,0 @@
---
dependencies:
- incidental_cs_common

View file

@ -1,303 +0,0 @@
- name: pre-setup
cs_role:
name: "testRole"
register: testRole
- name: verify pre-setup
assert:
that:
- testRole is successful
- name: setup
cs_role_permission:
name: "fakeRolePerm"
role: "{{ testRole.id }}"
state: absent
register: roleperm
- name: verify setup
assert:
that:
- roleperm is successful
- name: setup2
cs_role_permission:
name: "fakeRolePerm2"
role: "{{ testRole.id }}"
state: absent
register: roleperm2
- name: verify setup2
assert:
that:
- roleperm2 is successful
- name: test fail if missing name
cs_role_permission:
role: "{{ testRole.id }}"
register: roleperm
ignore_errors: true
- name: verify results of fail if missing name
assert:
that:
- roleperm is failed
- 'roleperm.msg == "missing required arguments: name"'
- name: test fail if missing role
cs_role_permission:
name: "fakeRolePerm"
register: roleperm
ignore_errors: true
- name: verify results of fail if missing role
assert:
that:
- roleperm is failed
- 'roleperm.msg == "missing required arguments: role"'
- name: test fail if role does not exist
cs_role_permission:
name: "fakeRolePerm"
role: "testtest"
register: roleperm
ignore_errors: true
- name: verify results of fail if role does not exist
assert:
that:
- roleperm is failed
- roleperm.msg == "Role 'testtest' not found"
- name: test fail if state is incorrcect
cs_role_permission:
state: badstate
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: allow
register: roleperm
ignore_errors: true
- name: verify results of fail if state is incorrcect
assert:
that:
- roleperm is failed
- 'roleperm.msg == "value of state must be one of: present, absent, got: badstate"'
- name: test create role permission in check mode
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: allow
description: "fakeRolePerm description"
register: roleperm
check_mode: yes
- name: verify results of role permission in check mode
assert:
that:
- roleperm is successful
- roleperm is changed
- name: test create role permission
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: allow
description: "fakeRolePerm description"
register: roleperm
- name: verify results of role permission
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- roleperm.permission == "allow"
- roleperm.description == "fakeRolePerm description"
- name: test create role permission idempotency
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: allow
description: "fakeRolePerm description"
register: roleperm
- name: verify results of role permission idempotency
assert:
that:
- roleperm is successful
- roleperm is not changed
- roleperm.name == "fakeRolePerm"
- roleperm.permission == "allow"
- roleperm.description == "fakeRolePerm description"
- name: test update role permission in check_mode
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: deny
description: "fakeRolePerm description"
register: roleperm
check_mode: yes
- name: verify results of update role permission in check mode
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- roleperm.permission == "allow"
- roleperm.description == "fakeRolePerm description"
- name: test update role permission
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: deny
description: "fakeRolePerm description"
register: roleperm
- name: verify results of update role permission
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- roleperm.permission == "deny"
- roleperm.description == "fakeRolePerm description"
- name: test update role permission idempotency
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: deny
description: "fakeRolePerm description"
register: roleperm
- name: verify results of update role permission idempotency
assert:
that:
- roleperm is successful
- roleperm is not changed
- roleperm.name == "fakeRolePerm"
- roleperm.permission == "deny"
- roleperm.description == "fakeRolePerm description"
- name: test create a second role permission
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm2"
permission: allow
register: roleperm2
- name: verify results of create a second role permission
assert:
that:
- roleperm2 is successful
- roleperm2 is changed
- roleperm2.name == "fakeRolePerm2"
- name: test update rules order in check_mode
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
parent: "{{ roleperm2.id }}"
register: roleperm
check_mode: yes
- name: verify results of update rule order check mode
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- name: test update rules order
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
parent: "{{ roleperm2.id }}"
register: roleperm
- name: verify results of update rule order
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- name: test update rules order to the top of the list
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
parent: 0
register: roleperm
- name: verify results of update rule order to the top of the list
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- name: test update rules order with parent NAME
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
parent: "{{ roleperm2.name }}"
register: roleperm
- name: verify results of update rule order with parent NAME
assert:
that:
- roleperm is successful
- roleperm is changed
- roleperm.name == "fakeRolePerm"
- name: test fail if permission AND parent args are present
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
permission: allow
parent: 0
register: roleperm
ignore_errors: true
- name: verify results of fail if permission AND parent args are present
assert:
that:
- roleperm is failed
- 'roleperm.msg == "parameters are mutually exclusive: permission|parent"'
- name: test fail if parent does not exist
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
parent: "badParent"
register: roleperm
ignore_errors: true
- name: verify results of fail if parent does not exist
assert:
that:
- roleperm is failed
- roleperm.msg == "Parent rule 'badParent' not found"
- name: test remove role permission in check_mode
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
state: absent
register: roleperm
check_mode: yes
- name: verify results of rename role permission in check_mode
assert:
that:
- roleperm is successful
- roleperm is changed
- name: test remove role permission
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm"
state: absent
register: roleperm
- name: verify results of remove role permission
assert:
that:
- roleperm is successful
- roleperm is changed
- name: remove second role permission
cs_role_permission:
role: "{{ testRole.id }}"
name: "fakeRolePerm2"
state: absent
register: roleperm
- name: verify results of remove second role permission
assert:
that:
- roleperm is successful
- roleperm is changed

View file

@ -1,664 +0,0 @@
# -*- coding: utf-8 -*-
# Copyright (c) 2015, René Moser <mail@renemoser.net>
# Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
import os
import sys
import time
import traceback
from ansible.module_utils._text import to_text, to_native
from ansible.module_utils.basic import missing_required_lib
CS_IMP_ERR = None
try:
from cs import CloudStack, CloudStackException, read_config
HAS_LIB_CS = True
except ImportError:
CS_IMP_ERR = traceback.format_exc()
HAS_LIB_CS = False
if sys.version_info > (3,):
long = int
def cs_argument_spec():
return dict(
api_key=dict(default=os.environ.get('CLOUDSTACK_KEY')),
api_secret=dict(default=os.environ.get('CLOUDSTACK_SECRET'), no_log=True),
api_url=dict(default=os.environ.get('CLOUDSTACK_ENDPOINT')),
api_http_method=dict(choices=['get', 'post'], default=os.environ.get('CLOUDSTACK_METHOD')),
api_timeout=dict(type='int', default=os.environ.get('CLOUDSTACK_TIMEOUT')),
api_region=dict(default=os.environ.get('CLOUDSTACK_REGION') or 'cloudstack'),
)
def cs_required_together():
return [['api_key', 'api_secret']]
class AnsibleCloudStack:
def __init__(self, module):
if not HAS_LIB_CS:
module.fail_json(msg=missing_required_lib('cs'), exception=CS_IMP_ERR)
self.result = {
'changed': False,
'diff': {
'before': dict(),
'after': dict()
}
}
# Common returns, will be merged with self.returns
# search_for_key: replace_with_key
self.common_returns = {
'id': 'id',
'name': 'name',
'created': 'created',
'zonename': 'zone',
'state': 'state',
'project': 'project',
'account': 'account',
'domain': 'domain',
'displaytext': 'display_text',
'displayname': 'display_name',
'description': 'description',
}
# Init returns dict for use in subclasses
self.returns = {}
# these values will be casted to int
self.returns_to_int = {}
# these keys will be compared case sensitive in self.has_changed()
self.case_sensitive_keys = [
'id',
'displaytext',
'displayname',
'description',
]
self.module = module
self._cs = None
# Helper for VPCs
self._vpc_networks_ids = None
self.domain = None
self.account = None
self.project = None
self.ip_address = None
self.network = None
self.physical_network = None
self.vpc = None
self.zone = None
self.vm = None
self.vm_default_nic = None
self.os_type = None
self.hypervisor = None
self.capabilities = None
self.network_acl = None
@property
def cs(self):
if self._cs is None:
api_config = self.get_api_config()
self._cs = CloudStack(**api_config)
return self._cs
def get_api_config(self):
api_region = self.module.params.get('api_region') or os.environ.get('CLOUDSTACK_REGION')
try:
config = read_config(api_region)
except KeyError:
config = {}
api_config = {
'endpoint': self.module.params.get('api_url') or config.get('endpoint'),
'key': self.module.params.get('api_key') or config.get('key'),
'secret': self.module.params.get('api_secret') or config.get('secret'),
'timeout': self.module.params.get('api_timeout') or config.get('timeout') or 10,
'method': self.module.params.get('api_http_method') or config.get('method') or 'get',
}
self.result.update({
'api_region': api_region,
'api_url': api_config['endpoint'],
'api_key': api_config['key'],
'api_timeout': int(api_config['timeout']),
'api_http_method': api_config['method'],
})
if not all([api_config['endpoint'], api_config['key'], api_config['secret']]):
self.fail_json(msg="Missing api credentials: can not authenticate")
return api_config
def fail_json(self, **kwargs):
self.result.update(kwargs)
self.module.fail_json(**self.result)
def get_or_fallback(self, key=None, fallback_key=None):
value = self.module.params.get(key)
if not value:
value = self.module.params.get(fallback_key)
return value
def has_changed(self, want_dict, current_dict, only_keys=None, skip_diff_for_keys=None):
result = False
for key, value in want_dict.items():
# Optionally limit by a list of keys
if only_keys and key not in only_keys:
continue
# Skip None values
if value is None:
continue
if key in current_dict:
if isinstance(value, (int, float, long, complex)):
# ensure we compare the same type
if isinstance(value, int):
current_dict[key] = int(current_dict[key])
elif isinstance(value, float):
current_dict[key] = float(current_dict[key])
elif isinstance(value, long):
current_dict[key] = long(current_dict[key])
elif isinstance(value, complex):
current_dict[key] = complex(current_dict[key])
if value != current_dict[key]:
if skip_diff_for_keys and key not in skip_diff_for_keys:
self.result['diff']['before'][key] = current_dict[key]
self.result['diff']['after'][key] = value
result = True
else:
before_value = to_text(current_dict[key])
after_value = to_text(value)
if self.case_sensitive_keys and key in self.case_sensitive_keys:
if before_value != after_value:
if skip_diff_for_keys and key not in skip_diff_for_keys:
self.result['diff']['before'][key] = before_value
self.result['diff']['after'][key] = after_value
result = True
# Test for diff in case insensitive way
elif before_value.lower() != after_value.lower():
if skip_diff_for_keys and key not in skip_diff_for_keys:
self.result['diff']['before'][key] = before_value
self.result['diff']['after'][key] = after_value
result = True
else:
if skip_diff_for_keys and key not in skip_diff_for_keys:
self.result['diff']['before'][key] = None
self.result['diff']['after'][key] = to_text(value)
result = True
return result
def _get_by_key(self, key=None, my_dict=None):
if my_dict is None:
my_dict = {}
if key:
if key in my_dict:
return my_dict[key]
self.fail_json(msg="Something went wrong: %s not found" % key)
return my_dict
def query_api(self, command, **args):
try:
res = getattr(self.cs, command)(**args)
if 'errortext' in res:
self.fail_json(msg="Failed: '%s'" % res['errortext'])
except CloudStackException as e:
self.fail_json(msg='CloudStackException: %s' % to_native(e))
except Exception as e:
self.fail_json(msg=to_native(e))
return res
def get_network_acl(self, key=None):
if self.network_acl is None:
args = {
'name': self.module.params.get('network_acl'),
'vpcid': self.get_vpc(key='id'),
}
network_acls = self.query_api('listNetworkACLLists', **args)
if network_acls:
self.network_acl = network_acls['networkacllist'][0]
self.result['network_acl'] = self.network_acl['name']
if self.network_acl:
return self._get_by_key(key, self.network_acl)
else:
self.fail_json(msg="Network ACL %s not found" % self.module.params.get('network_acl'))
def get_vpc(self, key=None):
"""Return a VPC dictionary or the value of given key of."""
if self.vpc:
return self._get_by_key(key, self.vpc)
vpc = self.module.params.get('vpc')
if not vpc:
vpc = os.environ.get('CLOUDSTACK_VPC')
if not vpc:
return None
args = {
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id'),
'projectid': self.get_project(key='id'),
'zoneid': self.get_zone(key='id'),
}
vpcs = self.query_api('listVPCs', **args)
if not vpcs:
self.fail_json(msg="No VPCs available.")
for v in vpcs['vpc']:
if vpc in [v['name'], v['displaytext'], v['id']]:
# Fail if the identifyer matches more than one VPC
if self.vpc:
self.fail_json(msg="More than one VPC found with the provided identifyer '%s'" % vpc)
else:
self.vpc = v
self.result['vpc'] = v['name']
if self.vpc:
return self._get_by_key(key, self.vpc)
self.fail_json(msg="VPC '%s' not found" % vpc)
def is_vpc_network(self, network_id):
"""Returns True if network is in VPC."""
# This is an efficient way to query a lot of networks at a time
if self._vpc_networks_ids is None:
args = {
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id'),
'projectid': self.get_project(key='id'),
'zoneid': self.get_zone(key='id'),
}
vpcs = self.query_api('listVPCs', **args)
self._vpc_networks_ids = []
if vpcs:
for vpc in vpcs['vpc']:
for n in vpc.get('network', []):
self._vpc_networks_ids.append(n['id'])
return network_id in self._vpc_networks_ids
def get_physical_network(self, key=None):
if self.physical_network:
return self._get_by_key(key, self.physical_network)
physical_network = self.module.params.get('physical_network')
args = {
'zoneid': self.get_zone(key='id')
}
physical_networks = self.query_api('listPhysicalNetworks', **args)
if not physical_networks:
self.fail_json(msg="No physical networks available.")
for net in physical_networks['physicalnetwork']:
if physical_network in [net['name'], net['id']]:
self.physical_network = net
self.result['physical_network'] = net['name']
return self._get_by_key(key, self.physical_network)
self.fail_json(msg="Physical Network '%s' not found" % physical_network)
def get_network(self, key=None):
"""Return a network dictionary or the value of given key of."""
if self.network:
return self._get_by_key(key, self.network)
network = self.module.params.get('network')
if not network:
vpc_name = self.get_vpc(key='name')
if vpc_name:
self.fail_json(msg="Could not find network for VPC '%s' due missing argument: network" % vpc_name)
return None
args = {
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id'),
'projectid': self.get_project(key='id'),
'zoneid': self.get_zone(key='id'),
'vpcid': self.get_vpc(key='id')
}
networks = self.query_api('listNetworks', **args)
if not networks:
self.fail_json(msg="No networks available.")
for n in networks['network']:
# ignore any VPC network if vpc param is not given
if 'vpcid' in n and not self.get_vpc(key='id'):
continue
if network in [n['displaytext'], n['name'], n['id']]:
self.result['network'] = n['name']
self.network = n
return self._get_by_key(key, self.network)
self.fail_json(msg="Network '%s' not found" % network)
def get_project(self, key=None):
if self.project:
return self._get_by_key(key, self.project)
project = self.module.params.get('project')
if not project:
project = os.environ.get('CLOUDSTACK_PROJECT')
if not project:
return None
args = {
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id')
}
projects = self.query_api('listProjects', **args)
if projects:
for p in projects['project']:
if project.lower() in [p['name'].lower(), p['id']]:
self.result['project'] = p['name']
self.project = p
return self._get_by_key(key, self.project)
self.fail_json(msg="project '%s' not found" % project)
def get_ip_address(self, key=None):
if self.ip_address:
return self._get_by_key(key, self.ip_address)
ip_address = self.module.params.get('ip_address')
if not ip_address:
self.fail_json(msg="IP address param 'ip_address' is required")
args = {
'ipaddress': ip_address,
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id'),
'projectid': self.get_project(key='id'),
'vpcid': self.get_vpc(key='id'),
}
ip_addresses = self.query_api('listPublicIpAddresses', **args)
if not ip_addresses:
self.fail_json(msg="IP address '%s' not found" % args['ipaddress'])
self.ip_address = ip_addresses['publicipaddress'][0]
return self._get_by_key(key, self.ip_address)
def get_vm_guest_ip(self):
vm_guest_ip = self.module.params.get('vm_guest_ip')
default_nic = self.get_vm_default_nic()
if not vm_guest_ip:
return default_nic['ipaddress']
for secondary_ip in default_nic['secondaryip']:
if vm_guest_ip == secondary_ip['ipaddress']:
return vm_guest_ip
self.fail_json(msg="Secondary IP '%s' not assigned to VM" % vm_guest_ip)
def get_vm_default_nic(self):
if self.vm_default_nic:
return self.vm_default_nic
nics = self.query_api('listNics', virtualmachineid=self.get_vm(key='id'))
if nics:
for n in nics['nic']:
if n['isdefault']:
self.vm_default_nic = n
return self.vm_default_nic
self.fail_json(msg="No default IP address of VM '%s' found" % self.module.params.get('vm'))
def get_vm(self, key=None, filter_zone=True):
if self.vm:
return self._get_by_key(key, self.vm)
vm = self.module.params.get('vm')
if not vm:
self.fail_json(msg="Virtual machine param 'vm' is required")
args = {
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id'),
'projectid': self.get_project(key='id'),
'zoneid': self.get_zone(key='id') if filter_zone else None,
'fetch_list': True,
}
vms = self.query_api('listVirtualMachines', **args)
if vms:
for v in vms:
if vm.lower() in [v['name'].lower(), v['displayname'].lower(), v['id']]:
self.vm = v
return self._get_by_key(key, self.vm)
self.fail_json(msg="Virtual machine '%s' not found" % vm)
def get_disk_offering(self, key=None):
disk_offering = self.module.params.get('disk_offering')
if not disk_offering:
return None
# Do not add domain filter for disk offering listing.
disk_offerings = self.query_api('listDiskOfferings')
if disk_offerings:
for d in disk_offerings['diskoffering']:
if disk_offering in [d['displaytext'], d['name'], d['id']]:
return self._get_by_key(key, d)
self.fail_json(msg="Disk offering '%s' not found" % disk_offering)
def get_zone(self, key=None):
if self.zone:
return self._get_by_key(key, self.zone)
zone = self.module.params.get('zone')
if not zone:
zone = os.environ.get('CLOUDSTACK_ZONE')
zones = self.query_api('listZones')
if not zones:
self.fail_json(msg="No zones available. Please create a zone first")
# use the first zone if no zone param given
if not zone:
self.zone = zones['zone'][0]
self.result['zone'] = self.zone['name']
return self._get_by_key(key, self.zone)
if zones:
for z in zones['zone']:
if zone.lower() in [z['name'].lower(), z['id']]:
self.result['zone'] = z['name']
self.zone = z
return self._get_by_key(key, self.zone)
self.fail_json(msg="zone '%s' not found" % zone)
def get_os_type(self, key=None):
if self.os_type:
return self._get_by_key(key, self.zone)
os_type = self.module.params.get('os_type')
if not os_type:
return None
os_types = self.query_api('listOsTypes')
if os_types:
for o in os_types['ostype']:
if os_type in [o['description'], o['id']]:
self.os_type = o
return self._get_by_key(key, self.os_type)
self.fail_json(msg="OS type '%s' not found" % os_type)
def get_hypervisor(self):
if self.hypervisor:
return self.hypervisor
hypervisor = self.module.params.get('hypervisor')
hypervisors = self.query_api('listHypervisors')
# use the first hypervisor if no hypervisor param given
if not hypervisor:
self.hypervisor = hypervisors['hypervisor'][0]['name']
return self.hypervisor
for h in hypervisors['hypervisor']:
if hypervisor.lower() == h['name'].lower():
self.hypervisor = h['name']
return self.hypervisor
self.fail_json(msg="Hypervisor '%s' not found" % hypervisor)
def get_account(self, key=None):
if self.account:
return self._get_by_key(key, self.account)
account = self.module.params.get('account')
if not account:
account = os.environ.get('CLOUDSTACK_ACCOUNT')
if not account:
return None
domain = self.module.params.get('domain')
if not domain:
self.fail_json(msg="Account must be specified with Domain")
args = {
'name': account,
'domainid': self.get_domain(key='id'),
'listall': True
}
accounts = self.query_api('listAccounts', **args)
if accounts:
self.account = accounts['account'][0]
self.result['account'] = self.account['name']
return self._get_by_key(key, self.account)
self.fail_json(msg="Account '%s' not found" % account)
def get_domain(self, key=None):
if self.domain:
return self._get_by_key(key, self.domain)
domain = self.module.params.get('domain')
if not domain:
domain = os.environ.get('CLOUDSTACK_DOMAIN')
if not domain:
return None
args = {
'listall': True,
}
domains = self.query_api('listDomains', **args)
if domains:
for d in domains['domain']:
if d['path'].lower() in [domain.lower(), "root/" + domain.lower(), "root" + domain.lower()]:
self.domain = d
self.result['domain'] = d['path']
return self._get_by_key(key, self.domain)
self.fail_json(msg="Domain '%s' not found" % domain)
def query_tags(self, resource, resource_type):
args = {
'resourceid': resource['id'],
'resourcetype': resource_type,
}
tags = self.query_api('listTags', **args)
return self.get_tags(resource=tags, key='tag')
def get_tags(self, resource=None, key='tags'):
existing_tags = []
for tag in resource.get(key) or []:
existing_tags.append({'key': tag['key'], 'value': tag['value']})
return existing_tags
def _process_tags(self, resource, resource_type, tags, operation="create"):
if tags:
self.result['changed'] = True
if not self.module.check_mode:
args = {
'resourceids': resource['id'],
'resourcetype': resource_type,
'tags': tags,
}
if operation == "create":
response = self.query_api('createTags', **args)
else:
response = self.query_api('deleteTags', **args)
self.poll_job(response)
def _tags_that_should_exist_or_be_updated(self, resource, tags):
existing_tags = self.get_tags(resource)
return [tag for tag in tags if tag not in existing_tags]
def _tags_that_should_not_exist(self, resource, tags):
existing_tags = self.get_tags(resource)
return [tag for tag in existing_tags if tag not in tags]
def ensure_tags(self, resource, resource_type=None):
if not resource_type or not resource:
self.fail_json(msg="Error: Missing resource or resource_type for tags.")
if 'tags' in resource:
tags = self.module.params.get('tags')
if tags is not None:
self._process_tags(resource, resource_type, self._tags_that_should_not_exist(resource, tags), operation="delete")
self._process_tags(resource, resource_type, self._tags_that_should_exist_or_be_updated(resource, tags))
resource['tags'] = self.query_tags(resource=resource, resource_type=resource_type)
return resource
def get_capabilities(self, key=None):
if self.capabilities:
return self._get_by_key(key, self.capabilities)
capabilities = self.query_api('listCapabilities')
self.capabilities = capabilities['capability']
return self._get_by_key(key, self.capabilities)
def poll_job(self, job=None, key=None):
if 'jobid' in job:
while True:
res = self.query_api('queryAsyncJobResult', jobid=job['jobid'])
if res['jobstatus'] != 0 and 'jobresult' in res:
if 'errortext' in res['jobresult']:
self.fail_json(msg="Failed: '%s'" % res['jobresult']['errortext'])
if key and key in res['jobresult']:
job = res['jobresult'][key]
break
time.sleep(2)
return job
def update_result(self, resource, result=None):
if result is None:
result = dict()
if resource:
returns = self.common_returns.copy()
returns.update(self.returns)
for search_key, return_key in returns.items():
if search_key in resource:
result[return_key] = resource[search_key]
# Bad bad API does not always return int when it should.
for search_key, return_key in self.returns_to_int.items():
if search_key in resource:
result[return_key] = int(resource[search_key])
if 'tags' in resource:
result['tags'] = resource['tags']
return result
def get_result(self, resource):
return self.update_result(resource, self.result)
def get_result_and_facts(self, facts_name, resource):
result = self.get_result(resource)
ansible_facts = {
facts_name: result.copy()
}
for k in ['diff', 'changed']:
if k in ansible_facts[facts_name]:
del ansible_facts[facts_name][k]
result.update(ansible_facts=ansible_facts)
return result

View file

@ -1,211 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# (c) 2016, René Moser <mail@renemoser.net>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = '''
---
module: cs_role
short_description: Manages user roles on Apache CloudStack based clouds.
description:
- Create, update, delete user roles.
version_added: '2.3'
author: René Moser (@resmo)
options:
name:
description:
- Name of the role.
type: str
required: true
uuid:
description:
- ID of the role.
- If provided, I(uuid) is used as key.
type: str
aliases: [ id ]
role_type:
description:
- Type of the role.
- Only considered for creation.
type: str
default: User
choices: [ User, DomainAdmin, ResourceAdmin, Admin ]
description:
description:
- Description of the role.
type: str
state:
description:
- State of the role.
type: str
default: present
choices: [ present, absent ]
extends_documentation_fragment: cloudstack
'''
EXAMPLES = '''
- name: Ensure an user role is present
cs_role:
name: myrole_user
delegate_to: localhost
- name: Ensure a role having particular ID is named as myrole_user
cs_role:
name: myrole_user
id: 04589590-ac63-4ffc-93f5-b698b8ac38b6
delegate_to: localhost
- name: Ensure a role is absent
cs_role:
name: myrole_user
state: absent
delegate_to: localhost
'''
RETURN = '''
---
id:
description: UUID of the role.
returned: success
type: str
sample: 04589590-ac63-4ffc-93f5-b698b8ac38b6
name:
description: Name of the role.
returned: success
type: str
sample: myrole
description:
description: Description of the role.
returned: success
type: str
sample: "This is my role description"
role_type:
description: Type of the role.
returned: success
type: str
sample: User
'''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.cloudstack import (
AnsibleCloudStack,
cs_argument_spec,
cs_required_together,
)
class AnsibleCloudStackRole(AnsibleCloudStack):
def __init__(self, module):
super(AnsibleCloudStackRole, self).__init__(module)
self.returns = {
'type': 'role_type',
}
def get_role(self):
uuid = self.module.params.get('uuid')
if uuid:
args = {
'id': uuid,
}
roles = self.query_api('listRoles', **args)
if roles:
return roles['role'][0]
else:
args = {
'name': self.module.params.get('name'),
}
roles = self.query_api('listRoles', **args)
if roles:
return roles['role'][0]
return None
def present_role(self):
role = self.get_role()
if role:
role = self._update_role(role)
else:
role = self._create_role(role)
return role
def _create_role(self, role):
self.result['changed'] = True
args = {
'name': self.module.params.get('name'),
'type': self.module.params.get('role_type'),
'description': self.module.params.get('description'),
}
if not self.module.check_mode:
res = self.query_api('createRole', **args)
role = res['role']
return role
def _update_role(self, role):
args = {
'id': role['id'],
'name': self.module.params.get('name'),
'description': self.module.params.get('description'),
}
if self.has_changed(args, role):
self.result['changed'] = True
if not self.module.check_mode:
res = self.query_api('updateRole', **args)
# The API as in 4.9 does not return an updated role yet
if 'role' not in res:
role = self.get_role()
else:
role = res['role']
return role
def absent_role(self):
role = self.get_role()
if role:
self.result['changed'] = True
args = {
'id': role['id'],
}
if not self.module.check_mode:
self.query_api('deleteRole', **args)
return role
def main():
argument_spec = cs_argument_spec()
argument_spec.update(dict(
uuid=dict(aliases=['id']),
name=dict(required=True),
description=dict(),
role_type=dict(choices=['User', 'DomainAdmin', 'ResourceAdmin', 'Admin'], default='User'),
state=dict(choices=['present', 'absent'], default='present'),
))
module = AnsibleModule(
argument_spec=argument_spec,
required_together=cs_required_together(),
supports_check_mode=True
)
acs_role = AnsibleCloudStackRole(module)
state = module.params.get('state')
if state == 'absent':
role = acs_role.absent_role()
else:
role = acs_role.present_role()
result = acs_role.get_result(role)
module.exit_json(**result)
if __name__ == '__main__':
main()

View file

@ -1,351 +0,0 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (c) 2017, David Passante (@dpassante)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ['preview'],
'supported_by': 'community'}
DOCUMENTATION = '''
---
module: cs_role_permission
short_description: Manages role permissions on Apache CloudStack based clouds.
description:
- Create, update and remove CloudStack role permissions.
- Managing role permissions only supported in CloudStack >= 4.9.
version_added: '2.6'
author: David Passante (@dpassante)
options:
name:
description:
- The API name of the permission.
type: str
required: true
role:
description:
- Name or ID of the role.
type: str
required: true
permission:
description:
- The rule permission, allow or deny. Defaulted to deny.
type: str
choices: [ allow, deny ]
default: deny
state:
description:
- State of the role permission.
type: str
choices: [ present, absent ]
default: present
description:
description:
- The description of the role permission.
type: str
parent:
description:
- The parent role permission uuid. use 0 to move this rule at the top of the list.
type: str
extends_documentation_fragment: cloudstack
'''
EXAMPLES = '''
- name: Create a role permission
cs_role_permission:
role: My_Custom_role
name: createVPC
permission: allow
description: My comments
delegate_to: localhost
- name: Remove a role permission
cs_role_permission:
state: absent
role: My_Custom_role
name: createVPC
delegate_to: localhost
- name: Update a system role permission
cs_role_permission:
role: Domain Admin
name: createVPC
permission: deny
delegate_to: localhost
- name: Update rules order. Move the rule at the top of list
cs_role_permission:
role: Domain Admin
name: createVPC
parent: 0
delegate_to: localhost
'''
RETURN = '''
---
id:
description: The ID of the role permission.
returned: success
type: str
sample: a6f7a5fc-43f8-11e5-a151-feff819cdc9f
name:
description: The API name of the permission.
returned: success
type: str
sample: createVPC
permission:
description: The permission type of the api name.
returned: success
type: str
sample: allow
role_id:
description: The ID of the role to which the role permission belongs.
returned: success
type: str
sample: c6f7a5fc-43f8-11e5-a151-feff819cdc7f
description:
description: The description of the role permission
returned: success
type: str
sample: Deny createVPC for users
'''
from distutils.version import LooseVersion
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.cloudstack import (
AnsibleCloudStack,
cs_argument_spec,
cs_required_together,
)
class AnsibleCloudStackRolePermission(AnsibleCloudStack):
def __init__(self, module):
super(AnsibleCloudStackRolePermission, self).__init__(module)
cloudstack_min_version = LooseVersion('4.9.2')
self.returns = {
'id': 'id',
'roleid': 'role_id',
'rule': 'name',
'permission': 'permission',
'description': 'description',
}
self.role_permission = None
self.cloudstack_version = self._cloudstack_ver()
if self.cloudstack_version < cloudstack_min_version:
self.fail_json(msg="This module requires CloudStack >= %s." % cloudstack_min_version)
def _cloudstack_ver(self):
capabilities = self.get_capabilities()
return LooseVersion(capabilities['cloudstackversion'])
def _get_role_id(self):
role = self.module.params.get('role')
if not role:
return None
res = self.query_api('listRoles')
roles = res['role']
if roles:
for r in roles:
if role in [r['name'], r['id']]:
return r['id']
self.fail_json(msg="Role '%s' not found" % role)
def _get_role_perm(self):
role_permission = self.role_permission
args = {
'roleid': self._get_role_id(),
}
rp = self.query_api('listRolePermissions', **args)
if rp:
role_permission = rp['rolepermission']
return role_permission
def _get_rule(self, rule=None):
if not rule:
rule = self.module.params.get('name')
if self._get_role_perm():
for _rule in self._get_role_perm():
if rule == _rule['rule'] or rule == _rule['id']:
return _rule
return None
def _get_rule_order(self):
perms = self._get_role_perm()
rules = []
if perms:
for i, rule in enumerate(perms):
rules.append(rule['id'])
return rules
def replace_rule(self):
old_rule = self._get_rule()
if old_rule:
rules_order = self._get_rule_order()
old_pos = rules_order.index(old_rule['id'])
self.remove_role_perm()
new_rule = self.create_role_perm()
if new_rule:
perm_order = self.order_permissions(int(old_pos - 1), new_rule['id'])
return perm_order
return None
def order_permissions(self, parent, rule_id):
rules = self._get_rule_order()
if isinstance(parent, int):
parent_pos = parent
elif parent == '0':
parent_pos = -1
else:
parent_rule = self._get_rule(parent)
if not parent_rule:
self.fail_json(msg="Parent rule '%s' not found" % parent)
parent_pos = rules.index(parent_rule['id'])
r_id = rules.pop(rules.index(rule_id))
rules.insert((parent_pos + 1), r_id)
rules = ','.join(map(str, rules))
return rules
def create_or_update_role_perm(self):
role_permission = self._get_rule()
if not role_permission:
role_permission = self.create_role_perm()
else:
role_permission = self.update_role_perm(role_permission)
return role_permission
def create_role_perm(self):
role_permission = None
self.result['changed'] = True
args = {
'rule': self.module.params.get('name'),
'description': self.module.params.get('description'),
'roleid': self._get_role_id(),
'permission': self.module.params.get('permission'),
}
if not self.module.check_mode:
res = self.query_api('createRolePermission', **args)
role_permission = res['rolepermission']
return role_permission
def update_role_perm(self, role_perm):
perm_order = None
if not self.module.params.get('parent'):
args = {
'ruleid': role_perm['id'],
'roleid': role_perm['roleid'],
'permission': self.module.params.get('permission'),
}
if self.has_changed(args, role_perm, only_keys=['permission']):
self.result['changed'] = True
if not self.module.check_mode:
if self.cloudstack_version >= LooseVersion('4.11.0'):
self.query_api('updateRolePermission', **args)
role_perm = self._get_rule()
else:
perm_order = self.replace_rule()
else:
perm_order = self.order_permissions(self.module.params.get('parent'), role_perm['id'])
if perm_order:
args = {
'roleid': role_perm['roleid'],
'ruleorder': perm_order,
}
self.result['changed'] = True
if not self.module.check_mode:
self.query_api('updateRolePermission', **args)
role_perm = self._get_rule()
return role_perm
def remove_role_perm(self):
role_permission = self._get_rule()
if role_permission:
self.result['changed'] = True
args = {
'id': role_permission['id'],
}
if not self.module.check_mode:
self.query_api('deleteRolePermission', **args)
return role_permission
def main():
argument_spec = cs_argument_spec()
argument_spec.update(dict(
role=dict(required=True),
name=dict(required=True),
permission=dict(choices=['allow', 'deny'], default='deny'),
description=dict(),
state=dict(choices=['present', 'absent'], default='present'),
parent=dict(),
))
module = AnsibleModule(
argument_spec=argument_spec,
required_together=cs_required_together(),
mutually_exclusive=(
['permission', 'parent'],
),
supports_check_mode=True
)
acs_role_perm = AnsibleCloudStackRolePermission(module)
state = module.params.get('state')
if state in ['absent']:
role_permission = acs_role_perm.remove_role_perm()
else:
role_permission = acs_role_perm.create_or_update_role_perm()
result = acs_role_perm.get_result(role_permission)
module.exit_json(**result)
if __name__ == '__main__':
main()