- name: Fix resource prefix
  set_fact:
    role_name: "{{ (resource_group | replace('-','x'))[-8:] }}{{ 1000 | random }}testrole"
    subscription_id: "{{ lookup('env','AZURE_SUBSCRIPTION_ID') }}"
    principal_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
  run_once: yes

- name: Create a role definition (Check Mode)
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
        - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  check_mode: yes
  register: output

- name: Assert creating role definition check mode
  assert:
    that:
      - output.changed

- name: Create a role definition
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
        - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- name: Assert creating role definition
  assert:
    that:
      - output.changed

- name: Get facts by name
  azure_rm_roledefinition_info:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    type: custom
  register: facts

- name: Assert facts
  assert:
    - facts['roledefinitions'] | length > 1

- name: Get facts
  azure_rm_roledefinition_info:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    role_name: "{{ role_name }}"
  register: facts

- name: Assert facts
  assert:
    - facts['roledefinitions'] | length == 1
    - facts['roledefinitions']['permissions'] | length == 1
    - facts['roledefinitions']['permissions'][0]['not_data_actions'] | length == 1
    - facts['roledefinitions']['permissions'][0]['data_actions'] | length == 1

- name: Update the role definition (idempotent)
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
          - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- name: assert output not changed
  assert:
    that:
      - not output.changed

- name: Update the role definition
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
          - "Microsoft.Compute/virtualMachines/start/action"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
        - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- name: assert output changed
  assert:
    that:
      - output.changed

- name: Get role definition facts
  azure_rm_roledefinition_info:
    role_name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    type: custom
  register: roledef

- name: Assert role definition facts
  assert:
    that:
      - roledef['roledefinitions'] | length > 1
      - roledef['roledefinitions'][0]['id']

- name: Create a role assignment (Check Mode)
  azure_rm_roleassignment:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    assignee_object_id: "{{ principal_id }}"
    role_definition_id: "{{ roledef['roledefinitions'][0]['id'] }}"
    check_mode: yes
  register: output

- name: Assert creating role definition check mode
  assert:
    that:
      - output.changed

- name: Create a role assignment
  azure_rm_roleassignment:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    assignee_object_id: "{{ principal_id }}"
    role_definition_id: "{{ roledef['roledefinitions'][0]['id'] }}"
  register: output

- name: Assert creating role definition
  assert:
    that:
      - output.changed

- name: Get facts
  azure_rm_roleassignment_info:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    assignee: "{{ principal_id }}"
  register: facts

- name: assert role assignment facts
  assert:
    that:
      - facts['roleassignments'] | length > 1
      - facts['roleassignments'][0]['id']

- name: delete role assignment
  azure_rm_roleassignment:
    name: facts['roleassignments'][0]['id']
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    state: absent

- name: Delete the role definition (Check Mode)
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  check_mode: yes
  register: output

- name: assert deleting role definition check mode
  assert:
    that: output.changed

- name: Delete the redis cache
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- assert:
    that:
      - output.changed