Support cloudflare API Tokens. (#62043)

API Tokens provide a new way to authenticate with the Cloudflare API. They allow for scoped and permissioned access to resources.
2019-09-21 17:55:53 +03:00 · 2019-09-21 17:55:53 +03:00 · 8cabf1c1d8
commit 8cabf1c1d8
parent c6dcf78f53
2 changed files with 67 additions and 9 deletions
--- a/lib/ansible/modules/net_tools/cloudflare_dns.py
+++ b/lib/ansible/modules/net_tools/cloudflare_dns.py
@ -23,17 +23,26 @@ short_description: Manage Cloudflare DNS records
 description:
   - "Manages dns records via the Cloudflare API, see the docs: U(https://api.cloudflare.com/)"
 options:
+  api_token:
+    description:
+    - API token.
+    - Required for api token authentication.
+    - "You can obtain your API token from the bottom of the Cloudflare 'My Account' page, found here: U(https://dash.cloudflare.com/)"
+    type: str
+    required: false
+    version_added: '2.10'
  account_api_token:
    description:
-    - Account API token.
+    - Account API key.
+    - Required for api keys authentication.
    - "You can obtain your API key from the bottom of the Cloudflare 'My Account' page, found here: U(https://dash.cloudflare.com/)"
    type: str
-    required: true
+    required: false
  account_email:
    description:
-    - Account email.
+    - Account email. Required for api keys authentication.
    type: str
-    required: true
+    required: false
  algorithm:
    description:
    - Algorithm number.
@ -162,6 +171,14 @@ EXAMPLES = r'''
    account_api_token: dummyapitoken
  register: record

+- name: Create a record using api token
+  cloudflare_dns:
+    zone: my.com
+    record: test
+    type: A
+    value: 127.0.0.1
+    api_token: dummyapitoken
+
 - name: Create a my.com CNAME record to example.com
  cloudflare_dns:
    zone: my.com
@ -367,6 +384,7 @@ class CloudflareAPI(object):

    def __init__(self, module):
        self.module = module
+        self.api_token = module.params['api_token']
        self.account_api_token = module.params['account_api_token']
        self.account_email = module.params['account_email']
        self.algorithm = module.params['algorithm']
@ -418,9 +436,17 @@ class CloudflareAPI(object):
                self.module.fail_json(msg="DS records only apply to subdomains.")

    def _cf_simple_api_call(self, api_call, method='GET', payload=None):
-        headers = {'X-Auth-Email': self.account_email,
+        if self.api_token:
+            headers = {
+                'Authorization': 'Bearer ' + self.api_token,
+                'Content-Type': 'application/json',
+            }
+        else:
+            headers = {
+                'X-Auth-Email': self.account_email,
                'X-Auth-Key': self.account_api_token,
-                   'Content-Type': 'application/json'}
+                'Content-Type': 'application/json',
+            }
        data = None
        if payload:
            try:
@ -766,8 +792,9 @@ class CloudflareAPI(object):
 def main():
    module = AnsibleModule(
        argument_spec=dict(
-            account_api_token=dict(type='str', required=True, no_log=True),
-            account_email=dict(type='str', required=True),
+            api_token=dict(type='str', required=False, no_log=True),
+            account_api_token=dict(type='str', required=False, no_log=True),
+            account_email=dict(type='str', required=False),
            algorithm=dict(type='int'),
            cert_usage=dict(type='int', choices=[0, 1, 2, 3]),
            hash_type=dict(type='int', choices=[1, 2]),
@ -797,6 +824,8 @@ def main():
        ],
    )

+    if not module.params['api_token'] and not (module.params['account_api_token'] and module.params['account_email']):
+        module.fail_json(msg="Either api_token or account_api_token and account_email params are required.")
    if module.params['type'] == 'SRV':
        if not ((module.params['weight'] is not None and module.params['port'] is not None
                 and not (module.params['value'] is None or module.params['value'] == ''))
--- a/test/legacy/roles/test_cloudflare_dns/tasks/main.yml
+++ b/test/legacy/roles/test_cloudflare_dns/tasks/main.yml
@ -52,6 +52,35 @@
      - cloudflare_dns is failed
      - "cloudflare_dns.msg.find('but all of the following are missing: ') != -1"

+- name: "Test: partial credentials"
+  cloudflare_dns:
+    account_email: "{{ cloudflare_email }}"
+    zone: "{{ cloudflare_zone }}"
+    type: A
+    value: 127.0.0.1
+  ignore_errors: true
+  register: cloudflare_dns
+
+- name: "Validate: partial credentials"
+  assert:
+    that:
+      - cloudflare_dns is failed
+      - "cloudflare_dns.msg.find('Either api_token or account_api_token and account_email params are required.') != -1"
+
+- name: "Test: api token, zone and type"
+  cloudflare_dns:
+    api_token: dummyapitoken
+    zone: "{{ cloudflare_zone }}"
+    type: TXT
+  ignore_errors: true
+  register: cloudflare_dns
+
+- name: "Validate: api token, zone and type"
+  assert:
+    that:
+      - cloudflare_dns is failed
+      - "cloudflare_dns.msg.find('but all of the following are missing: ') != -1"
+
 ######## record tests #################

 - include: a_record.yml