add 'update_password' param to manageiq_user (#29093)

* add 'update_password' param to manageiq_user Currently with the manageiq_user module, if you call it repeatedly while passing the 'password' parameter, it will always run the task and mark it as 'changed'. Following the pattern of the AWS IAM module, add an 'update_password' parameter that takes 'always' (default) or 'on_create'. This will let you set an initial password when creating a user, but allow the user to modify their password and not stomp over their password changes if you re-run the playbook/task that created the user. * don't stomp password when other fields change Handle case where user fields change, but we don't want to stomp on a potentially user-changed password. Previously, if a non-password field changed, and the password param was passed in, it would ignore the 'update_password': 'on_create' setting (ie it would update/modify the password even if the user already exists). Add trailing ',' to list of params.
2017-09-19 09:10:12 -04:00 · 2017-09-19 09:10:12 -04:00 · 99f6f0ccc2
commit 99f6f0ccc2
parent dbf9634b1b
1 changed files with 17 additions and 3 deletions
--- a/lib/ansible/modules/remote_management/manageiq/manageiq_user.py
+++ b/lib/ansible/modules/remote_management/manageiq/manageiq_user.py
@ -68,6 +68,13 @@ options:
      - The users' E-mail address.
    required: false
    default: null
+  update_password:
+    required: false
+    default: always
+    choices: ['always', 'on_create']
+    description:
+      - C(always) will update passwords unconditionally.  C(on_create) will only set the password for a newly created user.
+    version_added: '2.5'
 '''

 EXAMPLES = '''
@ -219,11 +226,16 @@ class ManageIQUser(object):
            resource['group'] = dict(id=group_id)
        if name is not None:
            resource['name'] = name
-        if password is not None:
-            resource['password'] = password
        if email is not None:
            resource['email'] = email

+        # if there is a password param, but 'update_password' is 'on_create'
+        # then discard the password (since we're editing an existing user)
+        if self.module.params['update_password'] == 'on_create':
+            password = None
+        if password is not None:
+            resource['password'] = password
+
        # check if we need to update ( compare_user is true is no difference found )
        if self.compare_user(user, name, group_id, password, email):
            return dict(
@ -280,7 +292,9 @@ def main():
            password=dict(no_log=True),
            group=dict(),
            email=dict(),
-            state=dict(choices=['absent', 'present'], default='present')
+            state=dict(choices=['absent', 'present'], default='present'),
+            update_password=dict(choices=['always', 'on_create'],
+                                 default='always'),
        ),
    )