Bug fixes for GCP modules (#58850)

2019-07-09 11:35:15 -07:00 · 2019-07-09 11:35:15 -07:00 · eb839c94ea
commit eb839c94ea
parent d88f686976
9 changed files with 146 additions and 14 deletions
--- a/lib/ansible/modules/cloud/google/gcp_container_cluster.py
+++ b/lib/ansible/modules/cloud/google/gcp_container_cluster.py
@ -409,6 +409,20 @@ options:
    aliases:
    - zone
    version_added: 2.8
+  kubectl_path:
+    description:
+    - The path that the kubectl config file will be written to.
+    - The file will not be created if this path is unset.
+    - Any existing file at this path will be completely overwritten.
+    - This requires the PyYaml library.
+    required: false
+    version_added: 2.9
+  kubectl_context:
+    description:
+    - The name of the context for the kubectl config file. Will default to the cluster
+      name.
+    required: false
+    version_added: 2.9
 extends_documentation_fragment: gcp
 '''

@ -619,7 +633,7 @@ masterAuth:
      description:
      - The password to use for HTTP basic authentication to the master endpoint.
        Because the master endpoint is open to the Internet, you should create a strong
-        password.
+        password with a minimum of 16 characters.
      returned: success
      type: str
    clientCertificateConfig:
@ -924,6 +938,20 @@ location:
  - The location where the cluster is deployed.
  returned: success
  type: str
+kubectlPath:
+  description:
+  - The path that the kubectl config file will be written to.
+  - The file will not be created if this path is unset.
+  - Any existing file at this path will be completely overwritten.
+  - This requires the PyYaml library.
+  returned: success
+  type: str
+kubectlContext:
+  description:
+  - The name of the context for the kubectl config file. Will default to the cluster
+    name.
+  returned: success
+  type: str
 '''

 ################################################################################
@ -1000,6 +1028,8 @@ def main():
            enable_tpu=dict(type='bool'),
            tpu_ipv4_cidr_block=dict(type='str'),
            location=dict(required=True, type='str', aliases=['zone']),
+            kubectl_path=dict(type='str'),
+            kubectl_context=dict(type='str'),
        )
    )

@ -1029,6 +1059,8 @@ def main():
        else:
            fetch = {}

+    if module.params.get('kubectl_path'):
+        Kubectl(module).write_file()
    fetch.update({'changed': changed})

    module.exit_json(**fetch)
@ -1231,6 +1263,77 @@ def delete_default_node_pool(module):
    return wait_for_operation(module, auth.delete(link))


+class Kubectl(object):
+    def __init__(self, module):
+        self.module = module
+
+    """
+    Writes a kubectl config file
+    kubectl_path must be set or this will fail.
+    """
+
+    def write_file(self):
+        try:
+            import yaml
+        except ImportError:
+            self.module.fail_json(msg="Please install the pyyaml module")
+
+        with open(self.module.params['kubectl_path'], 'w') as f:
+            f.write(yaml.dump(self._contents()))
+
+    """
+    Returns the contents of a kubectl file
+    """
+
+    def _contents(self):
+        token = self._auth_token()
+        endpoint = "https://%s" % self.fetch["endpoint"]
+        context = self.module.params.get('kubectl_context')
+        if not context:
+            context = self.module.params['name']
+
+        return {
+            'apiVersion': 'v1',
+            'clusters': [
+                {'name': context, 'cluster': {'certificate-authority-data': str(self.fetch['masterAuth']['clusterCaCertificate']), 'server': endpoint}}
+            ],
+            'contexts': [{'name': context, 'context': {'cluster': context, 'user': context}}],
+            'current-context': context,
+            'kind': 'Config',
+            'preferences': {},
+            'users': [
+                {
+                    'name': context,
+                    'user': {
+                        'auth-provider': {
+                            'config': {
+                                'access-token': token,
+                                'cmd-args': 'config config-helper --format=json',
+                                'cmd-path': '/usr/lib64/google-cloud-sdk/bin/gcloud',
+                                'expiry-key': '{.credential.token_expiry}',
+                                'token-key': '{.credential.access_token}',
+                            },
+                            'name': 'gcp',
+                        },
+                        'username': str(self.fetch['masterAuth']['username']),
+                        'password': str(self.fetch['masterAuth']['password']),
+                    },
+                }
+            ],
+        }
+
+    """
+    Returns the auth token used in kubectl
+    This also sets the 'fetch' variable used in creating the kubectl
+    """
+
+    def _auth_token(self):
+        auth = GcpSession(self.module, 'auth')
+        response = auth.get(self_link(self.module))
+        self.fetch = response.json()
+        return response.request.headers['authorization'].split(' ')[1]
+
+
 class ClusterNodeconfig(object):
    def __init__(self, request, module):
        self.module = module
--- a/lib/ansible/modules/cloud/google/gcp_container_cluster_facts.py
+++ b/lib/ansible/modules/cloud/google/gcp_container_cluster_facts.py
@ -256,7 +256,7 @@ resources:
          description:
          - The password to use for HTTP basic authentication to the master endpoint.
            Because the master endpoint is open to the Internet, you should create
-            a strong password.
+            a strong password with a minimum of 16 characters.
          returned: success
          type: str
        clientCertificateConfig:
--- a/lib/ansible/modules/cloud/google/gcp_iam_service_account_key.py
+++ b/lib/ansible/modules/cloud/google/gcp_iam_service_account_key.py
@ -152,6 +152,7 @@ path:
 ################################################################################

 from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, replace_resource_dict
+from ansible.module_utils._text import to_native
 import json
 import os
 import mimetypes
@ -204,7 +205,7 @@ def create(module):
    auth = GcpSession(module, 'iam')
    json_content = return_if_object(module, auth.post(self_link(module), resource_to_request(module)))
    with open(module.params['path'], 'w') as f:
-        private_key_contents = base64.b64decode(json_content['privateKeyData'])
+        private_key_contents = to_native(base64.b64decode(json_content['privateKeyData']))
        f.write(private_key_contents)


--- a/lib/ansible/modules/cloud/google/gcp_pubsub_topic.py
+++ b/lib/ansible/modules/cloud/google/gcp_pubsub_topic.py
@ -51,6 +51,14 @@ options:
    description:
    - Name of the topic.
    required: true
+  kms_key_name:
+    description:
+    - The resource name of the Cloud KMS CryptoKey to be used to protect access to
+      messsages published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`)
+      must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+    - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+    required: false
+    version_added: 2.9
  labels:
    description:
    - A set of key/value label pairs to assign to this Topic.
@ -78,6 +86,14 @@ name:
  - Name of the topic.
  returned: success
  type: str
+kmsKeyName:
+  description:
+  - The resource name of the Cloud KMS CryptoKey to be used to protect access to messsages
+    published on this topic. Your project's PubSub service account (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`)
+    must have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+  - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+  returned: success
+  type: str
 labels:
  description:
  - A set of key/value label pairs to assign to this Topic.
@ -102,7 +118,10 @@ def main():

    module = GcpModule(
        argument_spec=dict(
-            state=dict(default='present', choices=['present', 'absent'], type='str'), name=dict(required=True, type='str'), labels=dict(type='dict')
+            state=dict(default='present', choices=['present', 'absent'], type='str'),
+            name=dict(required=True, type='str'),
+            kms_key_name=dict(type='str'),
+            labels=dict(type='dict'),
        )
    )

@ -162,7 +181,7 @@ def delete(module, link):


 def resource_to_request(module):
-    request = {u'name': module.params.get('name'), u'labels': module.params.get('labels')}
+    request = {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': module.params.get('labels')}
    request = encode_request(request, module)
    return_vals = {}
    for k, v in request.items():
@ -230,7 +249,7 @@ def is_different(module, response):
 # Remove unnecessary properties from the response.
 # This is for doing comparisons with Ansible's current parameters.
 def response_to_hash(module, response):
-    return {u'name': module.params.get('name'), u'labels': response.get(u'labels')}
+    return {u'name': module.params.get('name'), u'kmsKeyName': module.params.get('kms_key_name'), u'labels': response.get(u'labels')}


 def decode_request(response, module):
--- a/lib/ansible/modules/cloud/google/gcp_pubsub_topic_facts.py
+++ b/lib/ansible/modules/cloud/google/gcp_pubsub_topic_facts.py
@ -63,6 +63,15 @@ resources:
      - Name of the topic.
      returned: success
      type: str
+    kmsKeyName:
+      description:
+      - The resource name of the Cloud KMS CryptoKey to be used to protect access
+        to messsages published on this topic. Your project's PubSub service account
+        (`service-{{PROJECT_NUMBER}}@gcp-sa-pubsub.iam.gserviceaccount.com`) must
+        have `roles/cloudkms.cryptoKeyEncrypterDecrypter` to use this feature.
+      - The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*` .
+      returned: success
+      type: str
    labels:
      description:
      - A set of key/value label pairs to assign to this Topic.
--- a/test/integration/targets/gcp_iam_role/tasks/main.yml
+++ b/test/integration/targets/gcp_iam_role/tasks/main.yml
@ -56,7 +56,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length >= 1
+      - results['resources'] | map(attribute='name') | select("match", ".*myCustomRole2.*") | list | length == 1
 # ----------------------------------------------------------------------------
 - name: create a role that already exists
  gcp_iam_role:
@ -106,7 +106,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length == 0
+      - results['resources'] | map(attribute='name') | select("match", ".*myCustomRole2.*") | list | length == 0
 # ----------------------------------------------------------------------------
 - name: delete a role that does not exist
  gcp_iam_role:
--- a/test/integration/targets/gcp_iam_service_account/tasks/main.yml
+++ b/test/integration/targets/gcp_iam_service_account/tasks/main.yml
@ -46,7 +46,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length >= 1
+      - results['resources'] | map(attribute='name') | select("match", ".*{{ sa_name }}.*") | list | length == 1
 # ----------------------------------------------------------------------------
 - name: create a service account that already exists
  gcp_iam_service_account:
@ -86,7 +86,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length == 0
+      - results['resources'] | map(attribute='name') | select("match", ".*{{ sa_name }}.*") | list | length == 0
 # ----------------------------------------------------------------------------
 - name: delete a service account that does not exist
  gcp_iam_service_account:
--- a/test/integration/targets/gcp_redis_instance/tasks/main.yml
+++ b/test/integration/targets/gcp_redis_instance/tasks/main.yml
@ -73,7 +73,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length >= 1
+      - results['resources'] | map(attribute='name') | select("match", ".*instance37.*") | list | length == 1
 # ----------------------------------------------------------------------------
 - name: create a instance that already exists
  gcp_redis_instance:
@ -132,7 +132,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length == 0
+      - results['resources'] | map(attribute='name') | select("match", ".*instance37.*") | list | length == 0
 # ----------------------------------------------------------------------------
 - name: delete a instance that does not exist
  gcp_redis_instance:
--- a/test/integration/targets/gcp_resourcemanager_project/tasks/main.yml
+++ b/test/integration/targets/gcp_resourcemanager_project/tasks/main.yml
@ -50,7 +50,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length >= 1
+      - results['resources'] | map(attribute='name') | select("match", ".*My Sample Project.*") | list | length == 1
 # ----------------------------------------------------------------------------
 - name: create a project that already exists
  gcp_resourcemanager_project:
@ -94,7 +94,7 @@
 - name: verify that command succeeded
  assert:
    that:
-      - results['resources'] | length == 0
+      - results['resources'] | map(attribute='name') | select("match", ".*My Sample Project.*") | list | length == 0
 # ----------------------------------------------------------------------------
 - name: delete a project that does not exist
  gcp_resourcemanager_project: