New module: GCP Storage Bucket Access Controls (#37289)
This commit is contained in:
parent
ebe7666d71
commit
d39b1ff664
5 changed files with 488 additions and 0 deletions
|
@ -0,0 +1,363 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
#
|
||||||
|
# Copyright (C) 2017 Google
|
||||||
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
|
||||||
|
#
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# This file is automatically generated by Magic Modules and manual
|
||||||
|
# changes will be clobbered when the file is regenerated.
|
||||||
|
#
|
||||||
|
# Please read more about how to change this file at
|
||||||
|
# https://www.github.com/GoogleCloudPlatform/magic-modules
|
||||||
|
#
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
|
||||||
|
from __future__ import absolute_import, division, print_function
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Documentation
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
||||||
|
'status': ["preview"],
|
||||||
|
'supported_by': 'community'}
|
||||||
|
|
||||||
|
DOCUMENTATION = '''
|
||||||
|
---
|
||||||
|
module: gcp_storage_bucket_access_control
|
||||||
|
description:
|
||||||
|
- The BucketAccessControls resource represents the Access Control Lists (ACLs) for
|
||||||
|
buckets within Google Cloud Storage. ACLs let you specify who has access to your
|
||||||
|
data and to what extent.
|
||||||
|
- 'There are three roles that can be assigned to an entity: READERs can get the bucket,
|
||||||
|
though no acl property will be returned, and list the bucket''s objects. WRITERs
|
||||||
|
are READERs, and they can insert objects into the bucket and delete the bucket''s
|
||||||
|
objects. OWNERs are WRITERs, and they can get the acl property of a bucket, update
|
||||||
|
a bucket, and call all BucketAccessControls methods on the bucket. For more information,
|
||||||
|
see Access Control, with the caveat that this API uses READER, WRITER, and OWNER
|
||||||
|
instead of READ, WRITE, and FULL_CONTROL.'
|
||||||
|
short_description: Creates a GCP BucketAccessControl
|
||||||
|
version_added: 2.6
|
||||||
|
author: Google Inc. (@googlecloudplatform)
|
||||||
|
requirements:
|
||||||
|
- python >= 2.6
|
||||||
|
- requests >= 2.18.4
|
||||||
|
- google-auth >= 1.3.0
|
||||||
|
options:
|
||||||
|
state:
|
||||||
|
description:
|
||||||
|
- Whether the given object should exist in GCP
|
||||||
|
required: true
|
||||||
|
choices: ['present', 'absent']
|
||||||
|
default: 'present'
|
||||||
|
bucket:
|
||||||
|
description:
|
||||||
|
- A reference to Bucket resource.
|
||||||
|
required: true
|
||||||
|
entity:
|
||||||
|
description:
|
||||||
|
- 'The entity holding the permission, in one of the following
|
||||||
|
forms: user-userId user-email group-groupId group-email
|
||||||
|
domain-domain project-team-projectId allUsers
|
||||||
|
allAuthenticatedUsers Examples: The user liz@example.com would be
|
||||||
|
user-liz@example.com.'
|
||||||
|
- The group example@googlegroups.com would be group-example@googlegroups.com.
|
||||||
|
- To refer to all members of the Google Apps for Business domain example.com, the
|
||||||
|
entity would be domain-example.com.
|
||||||
|
required: true
|
||||||
|
entity_id:
|
||||||
|
description:
|
||||||
|
- The ID for the entity.
|
||||||
|
required: false
|
||||||
|
project_team:
|
||||||
|
description:
|
||||||
|
- The project team associated with the entity.
|
||||||
|
required: false
|
||||||
|
suboptions:
|
||||||
|
project_number:
|
||||||
|
description:
|
||||||
|
- The project team associated with the entity.
|
||||||
|
required: false
|
||||||
|
team:
|
||||||
|
description:
|
||||||
|
- The team.
|
||||||
|
required: false
|
||||||
|
choices: ['editors', 'owners', 'viewers']
|
||||||
|
role:
|
||||||
|
description:
|
||||||
|
- The access permission for the entity.
|
||||||
|
required: false
|
||||||
|
choices: ['OWNER', 'READER', 'WRITER']
|
||||||
|
extends_documentation_fragment: gcp
|
||||||
|
'''
|
||||||
|
|
||||||
|
EXAMPLES = '''
|
||||||
|
- name: create a bucket
|
||||||
|
gcp_storage_bucket:
|
||||||
|
name: 'bucket-bac'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: present
|
||||||
|
register: bucket
|
||||||
|
- name: create a bucket access control
|
||||||
|
gcp_storage_bucket_access_control:
|
||||||
|
bucket: "{{ bucket }}"
|
||||||
|
entity: 'user-alexstephen@google.com'
|
||||||
|
role: 'WRITER'
|
||||||
|
project: testProject
|
||||||
|
auth_kind: service_account
|
||||||
|
service_account_file: /tmp/auth.pem
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: present
|
||||||
|
'''
|
||||||
|
|
||||||
|
RETURN = '''
|
||||||
|
bucket:
|
||||||
|
description:
|
||||||
|
- A reference to Bucket resource.
|
||||||
|
returned: success
|
||||||
|
type: dict
|
||||||
|
domain:
|
||||||
|
description:
|
||||||
|
- The domain associated with the entity.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
email:
|
||||||
|
description:
|
||||||
|
- The email address associated with the entity.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
entity:
|
||||||
|
description:
|
||||||
|
- 'The entity holding the permission, in one of the following
|
||||||
|
forms: user-userId user-email group-groupId group-email
|
||||||
|
domain-domain project-team-projectId allUsers
|
||||||
|
allAuthenticatedUsers Examples: The user liz@example.com would be
|
||||||
|
user-liz@example.com.'
|
||||||
|
- The group example@googlegroups.com would be group-example@googlegroups.com.
|
||||||
|
- To refer to all members of the Google Apps for Business domain example.com, the
|
||||||
|
entity would be domain-example.com.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
entity_id:
|
||||||
|
description:
|
||||||
|
- The ID for the entity.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
id:
|
||||||
|
description:
|
||||||
|
- The ID of the access-control entry.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
project_team:
|
||||||
|
description:
|
||||||
|
- The project team associated with the entity.
|
||||||
|
returned: success
|
||||||
|
type: complex
|
||||||
|
contains:
|
||||||
|
project_number:
|
||||||
|
description:
|
||||||
|
- The project team associated with the entity.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
team:
|
||||||
|
description:
|
||||||
|
- The team.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
role:
|
||||||
|
description:
|
||||||
|
- The access permission for the entity.
|
||||||
|
returned: success
|
||||||
|
type: str
|
||||||
|
'''
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Imports
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, remove_nones_from_dict, replace_resource_dict
|
||||||
|
import json
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Main
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
|
||||||
|
def main():
|
||||||
|
"""Main function"""
|
||||||
|
|
||||||
|
module = GcpModule(
|
||||||
|
argument_spec=dict(
|
||||||
|
state=dict(default='present', choices=['present', 'absent'], type='str'),
|
||||||
|
bucket=dict(required=True, type='dict'),
|
||||||
|
entity=dict(required=True, type='str'),
|
||||||
|
entity_id=dict(type='str'),
|
||||||
|
project_team=dict(type='dict', options=dict(
|
||||||
|
project_number=dict(type='str'),
|
||||||
|
team=dict(type='str', choices=['editors', 'owners', 'viewers'])
|
||||||
|
)),
|
||||||
|
role=dict(type='str', choices=['OWNER', 'READER', 'WRITER'])
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
state = module.params['state']
|
||||||
|
kind = 'storage#bucketAccessControl'
|
||||||
|
|
||||||
|
fetch = fetch_resource(module, self_link(module), kind)
|
||||||
|
changed = False
|
||||||
|
|
||||||
|
if fetch:
|
||||||
|
if state == 'present':
|
||||||
|
if is_different(module, fetch):
|
||||||
|
fetch = update(module, self_link(module), kind)
|
||||||
|
changed = True
|
||||||
|
else:
|
||||||
|
delete(module, self_link(module), kind)
|
||||||
|
fetch = {}
|
||||||
|
changed = True
|
||||||
|
else:
|
||||||
|
if state == 'present':
|
||||||
|
fetch = create(module, collection(module), kind)
|
||||||
|
changed = True
|
||||||
|
else:
|
||||||
|
fetch = {}
|
||||||
|
|
||||||
|
fetch.update({'changed': changed})
|
||||||
|
|
||||||
|
module.exit_json(**fetch)
|
||||||
|
|
||||||
|
|
||||||
|
def create(module, link, kind):
|
||||||
|
auth = GcpSession(module, 'storage')
|
||||||
|
return return_if_object(module, auth.post(link, resource_to_request(module)), kind)
|
||||||
|
|
||||||
|
|
||||||
|
def update(module, link, kind):
|
||||||
|
auth = GcpSession(module, 'storage')
|
||||||
|
return return_if_object(module, auth.put(link, resource_to_request(module)), kind)
|
||||||
|
|
||||||
|
|
||||||
|
def delete(module, link, kind):
|
||||||
|
auth = GcpSession(module, 'storage')
|
||||||
|
return return_if_object(module, auth.delete(link), kind)
|
||||||
|
|
||||||
|
|
||||||
|
def resource_to_request(module):
|
||||||
|
request = {
|
||||||
|
u'kind': 'storage#bucketAccessControl',
|
||||||
|
u'bucket': replace_resource_dict(module.params.get(u'bucket', {}), 'name'),
|
||||||
|
u'entity': module.params.get('entity'),
|
||||||
|
u'entityId': module.params.get('entity_id'),
|
||||||
|
u'projectTeam': BuckAcceContProjTeam(module.params.get('project_team', {}), module).to_request(),
|
||||||
|
u'role': module.params.get('role')
|
||||||
|
}
|
||||||
|
return_vals = {}
|
||||||
|
for k, v in request.items():
|
||||||
|
if v:
|
||||||
|
return_vals[k] = v
|
||||||
|
|
||||||
|
return return_vals
|
||||||
|
|
||||||
|
|
||||||
|
def fetch_resource(module, link, kind):
|
||||||
|
auth = GcpSession(module, 'storage')
|
||||||
|
return return_if_object(module, auth.get(link), kind)
|
||||||
|
|
||||||
|
|
||||||
|
def self_link(module):
|
||||||
|
return "https://www.googleapis.com/storage/v1/b/{bucket}/acl/{entity}".format(**module.params)
|
||||||
|
|
||||||
|
|
||||||
|
def collection(module):
|
||||||
|
return "https://www.googleapis.com/storage/v1/b/{bucket}/acl".format(**module.params)
|
||||||
|
|
||||||
|
|
||||||
|
def return_if_object(module, response, kind):
|
||||||
|
# If not found, return nothing.
|
||||||
|
if response.status_code == 404:
|
||||||
|
return None
|
||||||
|
|
||||||
|
# If no content, return nothing.
|
||||||
|
if response.status_code == 204:
|
||||||
|
return None
|
||||||
|
|
||||||
|
try:
|
||||||
|
module.raise_for_status(response)
|
||||||
|
result = response.json()
|
||||||
|
except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst:
|
||||||
|
module.fail_json(msg="Invalid JSON response with error: %s" % inst)
|
||||||
|
|
||||||
|
if navigate_hash(result, ['error', 'errors']):
|
||||||
|
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
|
||||||
|
if result['kind'] != kind:
|
||||||
|
module.fail_json(msg="Incorrect result: {kind}".format(**result))
|
||||||
|
|
||||||
|
return result
|
||||||
|
|
||||||
|
|
||||||
|
def is_different(module, response):
|
||||||
|
request = resource_to_request(module)
|
||||||
|
response = response_to_hash(module, response)
|
||||||
|
|
||||||
|
# Remove all output-only from response.
|
||||||
|
response_vals = {}
|
||||||
|
for k, v in response.items():
|
||||||
|
if k in request:
|
||||||
|
response_vals[k] = v
|
||||||
|
|
||||||
|
request_vals = {}
|
||||||
|
for k, v in request.items():
|
||||||
|
if k in response:
|
||||||
|
request_vals[k] = v
|
||||||
|
|
||||||
|
return GcpRequest(request_vals) != GcpRequest(response_vals)
|
||||||
|
|
||||||
|
|
||||||
|
# Remove unnecessary properties from the response.
|
||||||
|
# This is for doing comparisons with Ansible's current parameters.
|
||||||
|
def response_to_hash(module, response):
|
||||||
|
return {
|
||||||
|
u'bucket': response.get(u'bucket'),
|
||||||
|
u'domain': response.get(u'domain'),
|
||||||
|
u'email': response.get(u'email'),
|
||||||
|
u'entity': response.get(u'entity'),
|
||||||
|
u'entityId': response.get(u'entityId'),
|
||||||
|
u'id': response.get(u'id'),
|
||||||
|
u'projectTeam': BuckAcceContProjTeam(response.get(u'projectTeam', {}), module).from_response(),
|
||||||
|
u'role': response.get(u'role')
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
class BuckAcceContProjTeam(object):
|
||||||
|
def __init__(self, request, module):
|
||||||
|
self.module = module
|
||||||
|
if request:
|
||||||
|
self.request = request
|
||||||
|
else:
|
||||||
|
self.request = {}
|
||||||
|
|
||||||
|
def to_request(self):
|
||||||
|
return remove_nones_from_dict({
|
||||||
|
u'projectNumber': self.request.get('project_number'),
|
||||||
|
u'team': self.request.get('team')
|
||||||
|
})
|
||||||
|
|
||||||
|
def from_response(self):
|
||||||
|
return remove_nones_from_dict({
|
||||||
|
u'projectNumber': self.request.get(u'projectNumber'),
|
||||||
|
u'team': self.request.get(u'team')
|
||||||
|
})
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
|
@ -0,0 +1,2 @@
|
||||||
|
cloud/gcp
|
||||||
|
unsupported
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
# defaults file
|
||||||
|
resource_name: '{{resource_prefix}}'
|
|
@ -0,0 +1,120 @@
|
||||||
|
---
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
|
||||||
|
#
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
#
|
||||||
|
# This file is automatically generated by Magic Modules and manual
|
||||||
|
# changes will be clobbered when the file is regenerated.
|
||||||
|
#
|
||||||
|
# Please read more about how to change this file at
|
||||||
|
# https://www.github.com/GoogleCloudPlatform/magic-modules
|
||||||
|
#
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
# Pre-test setup
|
||||||
|
- name: create a bucket
|
||||||
|
gcp_storage_bucket:
|
||||||
|
name: 'bucket-bac'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: present
|
||||||
|
register: bucket
|
||||||
|
- name: delete a bucket access control
|
||||||
|
gcp_storage_bucket_access_control:
|
||||||
|
bucket: "{{ bucket }}"
|
||||||
|
entity: 'user-alexstephen@google.com'
|
||||||
|
role: 'WRITER'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: absent
|
||||||
|
#----------------------------------------------------------
|
||||||
|
- name: create a bucket access control
|
||||||
|
gcp_storage_bucket_access_control:
|
||||||
|
bucket: "{{ bucket }}"
|
||||||
|
entity: 'user-alexstephen@google.com'
|
||||||
|
role: 'WRITER'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: present
|
||||||
|
register: result
|
||||||
|
- name: assert changed is true
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- result.changed == true
|
||||||
|
- "result.kind == 'storage#bucketAccessControl'"
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
- name: create a bucket access control that already exists
|
||||||
|
gcp_storage_bucket_access_control:
|
||||||
|
bucket: "{{ bucket }}"
|
||||||
|
entity: 'user-alexstephen@google.com'
|
||||||
|
role: 'WRITER'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: present
|
||||||
|
register: result
|
||||||
|
- name: assert changed is false
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- result.changed == false
|
||||||
|
- "result.kind == 'storage#bucketAccessControl'"
|
||||||
|
#----------------------------------------------------------
|
||||||
|
- name: delete a bucket access control
|
||||||
|
gcp_storage_bucket_access_control:
|
||||||
|
bucket: "{{ bucket }}"
|
||||||
|
entity: 'user-alexstephen@google.com'
|
||||||
|
role: 'WRITER'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: absent
|
||||||
|
register: result
|
||||||
|
- name: assert changed is true
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- result.changed == true
|
||||||
|
- result.has_key('kind') == False
|
||||||
|
# ----------------------------------------------------------------------------
|
||||||
|
- name: delete a bucket access control that does not exist
|
||||||
|
gcp_storage_bucket_access_control:
|
||||||
|
bucket: "{{ bucket }}"
|
||||||
|
entity: 'user-alexstephen@google.com'
|
||||||
|
role: 'WRITER'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: absent
|
||||||
|
register: result
|
||||||
|
- name: assert changed is false
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- result.changed == false
|
||||||
|
- result.has_key('kind') == False
|
||||||
|
#---------------------------------------------------------
|
||||||
|
# Post-test teardown
|
||||||
|
- name: delete a bucket
|
||||||
|
gcp_storage_bucket:
|
||||||
|
name: 'bucket-bac'
|
||||||
|
project: "{{ gcp_project }}"
|
||||||
|
auth_kind: "{{ gcp_cred_kind }}"
|
||||||
|
service_account_file: "{{ gcp_cred_file }}"
|
||||||
|
scopes:
|
||||||
|
- https://www.googleapis.com/auth/devstorage.full_control
|
||||||
|
state: absent
|
||||||
|
register: bucket
|
Loading…
Reference in a new issue