Add consul_role module from domant PR (#6972)

* Update as per PR comments * Move common code to module_utils * Break up long import line * Fix pipeline errors * Inital version of check_mode support * Fix updating a role, add tests * Fix line spacing * Fix line indentation * Add consul-role tests * Fixes for role update * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Update as per MR comments * Update as per MR comments * Fix documentation issues * Add types for sub-options * Allow setting of policy, service and node id fields by specifying a value, or leaving them unchanged by omitting them * Fix typo in test * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Reset and force push to get rid of merge * Corrected unit tests * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Add suboptions documentation for node and service identities * Fix PEP errors from pipeline * Fix pipeline errors. * Fix more pipeline errors * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Fix line that is too long * Not specifying a value for description during update now leaves existing value unchanged * Fixes for pipeline errors * Add test cases to verify handling description works --------- Co-authored-by: Felix Fontein <felix@fontein.de>
2025-06-27 18:50:21 -07:00 · 2023-09-17 14:35:00 +02:00 · 2023-09-17 14:35:00 +02:00 · d0f229f5d8
commit d0f229f5d8
parent 4030481b36
4 changed files with 875 additions and 0 deletions
--- a/tests/integration/targets/consul/tasks/consul_role.yml
+++ b/tests/integration/targets/consul/tasks/consul_role.yml
@ -0,0 +1,201 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Create a policy with rules
+  consul_policy:
+    name: foo-access-for-role
+    rules: |
+        key "foo" {
+            policy = "read"
+        }
+        key "private/foo" {
+            policy = "deny"
+        }
+    token: "{{ consul_management_token }}"
+  register: policy_result
+
+- name: Create another policy with rules
+  consul_policy:
+    name: bar-access-for-role
+    rules: |
+        key "bar" {
+            policy = "read"
+        }
+        key "private/bar" {
+            policy = "deny"
+        }
+    token: "{{ consul_management_token }}"
+  register: policy_result
+
+- name: Create a role with policy
+  consul_role:
+    name: foo-role-with-policy
+    policies:
+      - name: "foo-access-for-role"
+    token: "{{ consul_management_token }}"
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['Name'] == 'foo-role-with-policy'
+
+- name: Update policy description, in check mode
+  consul_role:
+    name: foo-role-with-policy
+    description: "Testing updating description"
+    token: "{{ consul_management_token }}"
+  check_mode: yes
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['Description'] == "Testing updating description"
+      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'
+
+- name: Update policy to add the description
+  consul_role:
+    name: foo-role-with-policy
+    description: "Role for testing policies"
+    token: "{{ consul_management_token }}"
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['Description'] == "Role for testing policies"
+      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'
+
+- name: Update the role with another policy, also testing leaving description blank
+  consul_role:
+    name: foo-role-with-policy
+    policies:
+      - name: "foo-access-for-role"
+      - name: "bar-access-for-role"
+    token: "{{ consul_management_token }}"
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'
+      - result['role']['Policies'][1]['Name'] == 'bar-access-for-role'
+      - result['role']['Description'] == "Role for testing policies"
+
+- name: Create a role with service identity
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-service-identity
+    service_identities:
+      - name: web
+        datacenters:
+          - dc1
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
+      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
+
+- name: Update the role with service identity in check mode
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-service-identity
+    service_identities:
+      - name: web
+        datacenters:
+          - dc2
+  register: result
+  check_mode: yes
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
+      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc2"
+
+- name: Update the role with service identity to add a policy, leaving the service id unchanged
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-service-identity
+    policies:
+      - name: "foo-access-for-role"
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
+      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
+      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'
+
+- name: Update the role with service identity to remove the policies
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-service-identity
+    policies: []
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
+      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
+      - result['role']['Policies'] is not defined
+
+- name: Update the role with service identity to remove the node identities, in check mode
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-service-identity
+    node_identities: []
+  register: result
+  check_mode: yes
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
+      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
+      - result['role']['Policies'] is not defined
+      - result['role']['NodeIdentities'] == [] # in check mode the cleared field is returned as an emtpy array
+
+- name: Update the role with service identity to remove the service identities
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-service-identity
+    service_identities: []
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['ServiceIdentities'] is not defined # in normal mode the dictionary is removed from the result
+      - result['role']['Policies'] is not defined
+
+- name: Create a role with node identity
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-node-identity
+    node_identities:
+      - name: node-1
+        datacenter: dc2
+  register: result
+
+- assert:
+    that:
+      - result is changed
+      - result['role']['NodeIdentities'][0]['NodeName'] == "node-1"
+      - result['role']['NodeIdentities'][0]['Datacenter'] == "dc2"
+
+- name: Remove the last role
+  consul_role:
+    token: "{{ consul_management_token }}"
+    name: role-with-node-identity
+    state: absent
+- assert:
+    that:
+      - result is changed
--- a/tests/integration/targets/consul/tasks/main.yml
+++ b/tests/integration/targets/consul/tasks/main.yml
@ -91,6 +91,7 @@
      - 3
    - import_tasks: consul_session.yml
    - import_tasks: consul_policy.yml
+    - import_tasks: consul_role.yml
    always:
    - name: Kill consul process
      shell: kill $(cat {{ remote_tmp_dir }}/consul.pid)