ansible-collections/google.cloud
1
0
Fork 0
mirror of https://github.com/ansible-collections/google.cloud.git synced 2025-04-05 10:20:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix gcp_iam_role

Browse source 
gcp_iam_role did not handle the undelete behavior
that is specific to gcp_iam_role.
This commit is contained in:
Yusuke Tsutsumi 2022-11-20 08:07:58 +00:00 committed by Yusuke Tsutsumi
parent 6171713572
commit 117224d352
3 changed files with 106 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

162
plugins/modules/gcp_iam_role.py
View file

@ -25,9 +25,13 @@ __metaclass__ = type
# Documentation
################################################################################
ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'}
ANSIBLE_METADATA = {
"metadata_version": "1.1",
"status": ["preview"],
"supported_by": "community",
}
DOCUMENTATION = '''
DOCUMENTATION = """
---
module: gcp_iam_role
description:
@ -114,9 +118,9 @@ options:
- This should not be set unless you know what you're doing.
- This only alters the User Agent string for any API requests.
type: str
'''
"""
EXAMPLES = '''
EXAMPLES = """
- name: create a role
google.cloud.gcp_iam_role:
name: myCustomRole2
@ -130,9 +134,9 @@ EXAMPLES = '''
auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem"
state: present
'''
"""
RETURN = '''
RETURN = """
name:
description:
- The name of the role.
@ -163,13 +167,19 @@ deleted:
- The current deleted state of the role.
returned: success
type: bool
'''
"""
################################################################################
# Imports
################################################################################
from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, replace_resource_dict
from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import (
navigate_hash,
GcpSession,
GcpModule,
GcpRequest,
replace_resource_dict,
)
import json
################################################################################
@ -182,85 +192,99 @@ def main():
module = GcpModule(
argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'),
name=dict(required=True, type='str'),
title=dict(type='str'),
description=dict(type='str'),
included_permissions=dict(type='list', elements='str'),
stage=dict(type='str'),
state=dict(default="present", choices=["present", "absent"], type="str"),
name=dict(required=True, type="str"),
title=dict(type="str"),
description=dict(type="str"),
included_permissions=dict(type="list", elements="str"),
stage=dict(type="str"),
)
)
if not module.params['scopes']:
module.params['scopes'] = ['https://www.googleapis.com/auth/iam']
if not module.params["scopes"]:
module.params["scopes"] = ["https://www.googleapis.com/auth/iam"]
state = module.params['state']
state = module.params["state"]
fetch = fetch_resource(module, self_link(module))
changed = False
if fetch:
if state == 'present':
if is_different(module, fetch):
if state == "present":
if fetch.get("deleted"):
undelete(module, self_link(module), fetch["etag"])
changed = True
elif is_different(module, fetch):
update(module, self_link(module), fetch)
fetch = fetch_resource(module, self_link(module))
changed = True
else:
delete(module, self_link(module))
fetch = {}
changed = True
elif not fetch.get("deleted"):
delete(module, self_link(module))
fetch = {}
changed = True
else:
if state == 'present':
if state == "present":
fetch = create(module, collection(module))
changed = True
else:
fetch = {}
fetch.update({'changed': changed})
fetch.update({"changed": changed})
module.exit_json(**fetch)
def create(module, link):
auth = GcpSession(module, 'iam')
auth = GcpSession(module, "iam")
return return_if_object(module, auth.post(link, resource_to_create(module)))
def undelete(module, link, etag):
auth = GcpSession(module, "iam")
return return_if_object(module, auth.post(link + ":undelete", {
"etag": etag
}))
def update(module, link, fetch):
auth = GcpSession(module, 'iam')
params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))}
auth = GcpSession(module, "iam")
params = {
"updateMask": updateMask(
resource_to_request(module), response_to_hash(module, fetch)
)
}
request = resource_to_request(module)
del request['name']
del request["name"]
return return_if_object(module, auth.put(link, request, params=params))
def updateMask(request, response):
update_mask = []
if request.get('name') != response.get('name'):
update_mask.append('name')
if request.get('title') != response.get('title'):
update_mask.append('title')
if request.get('description') != response.get('description'):
update_mask.append('description')
if request.get('includedPermissions') != response.get('includedPermissions'):
update_mask.append('includedPermissions')
if request.get('stage') != response.get('stage'):
update_mask.append('stage')
return ','.join(update_mask)
if request.get("name") != response.get("name"):
update_mask.append("name")
if request.get("title") != response.get("title"):
update_mask.append("title")
if request.get("description") != response.get("description"):
update_mask.append("description")
if request.get("includedPermissions") != response.get("includedPermissions"):
update_mask.append("includedPermissions")
if request.get("stage") != response.get("stage"):
update_mask.append("stage")
return ",".join(update_mask)
def delete(module, link):
auth = GcpSession(module, 'iam')
return return_if_object(module, auth.delete(link))
auth = GcpSession(module, "iam")
return return_if_object(module, auth.delete(link), allow_not_found=True)
def resource_to_request(module):
request = {
u'name': module.params.get('name'),
u'title': module.params.get('title'),
u'description': module.params.get('description'),
u'includedPermissions': module.params.get('included_permissions'),
u'stage': module.params.get('stage'),
"name": module.params.get("name"),
"title": module.params.get("title"),
"description": module.params.get("description"),
"includedPermissions": module.params.get("included_permissions"),
"stage": module.params.get("stage"),
}
return_vals = {}
for k, v in request.items():
@ -271,16 +295,20 @@ def resource_to_request(module):
def fetch_resource(module, link, allow_not_found=True):
auth = GcpSession(module, 'iam')
auth = GcpSession(module, "iam")
return return_if_object(module, auth.get(link), allow_not_found)
def self_link(module):
return "https://iam.googleapis.com/v1/projects/{project}/roles/{name}".format(**module.params)
return "https://iam.googleapis.com/v1/projects/{project}/roles/{name}".format(
**module.params
)
def collection(module):
return "https://iam.googleapis.com/v1/projects/{project}/roles".format(**module.params)
return "https://iam.googleapis.com/v1/projects/{project}/roles".format(
**module.params
)
def return_if_object(module, response, allow_not_found=False):
@ -292,16 +320,22 @@ def return_if_object(module, response, allow_not_found=False):
if response.status_code == 204:
return None
# catches and edge case specific to IAM roles where the role not
# existing returns 400.
if (allow_not_found and response.status_code == 400
and "You can't delete role_id" in response.text):
return None
try:
module.raise_for_status(response)
result = response.json()
except getattr(json.decoder, 'JSONDecodeError', ValueError):
except getattr(json.decoder, "JSONDecodeError", ValueError):
module.fail_json(msg="Invalid JSON response with error: %s" % response.text)
result = decode_response(result, module)
if navigate_hash(result, ['error', 'errors']):
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
if navigate_hash(result, ["error", "errors"]):
module.fail_json(msg=navigate_hash(result, ["error", "errors"]))
return result
@ -329,26 +363,26 @@ def is_different(module, response):
# This is for doing comparisons with Ansible's current parameters.
def response_to_hash(module, response):
return {
u'name': response.get(u'name'),
u'title': response.get(u'title'),
u'description': response.get(u'description'),
u'includedPermissions': response.get(u'includedPermissions'),
u'stage': response.get(u'stage'),
u'deleted': response.get(u'deleted'),
"name": response.get("name"),
"title": response.get("title"),
"description": response.get("description"),
"includedPermissions": response.get("includedPermissions"),
"stage": response.get("stage"),
"deleted": response.get("deleted"),
}
def resource_to_create(module):
role = resource_to_request(module)
del role['name']
return {'roleId': module.params['name'], 'role': role}
del role["name"]
return {"roleId": module.params["name"], "role": role}
def decode_response(response, module):
if 'name' in response:
response['name'] = response['name'].split('/')[-1]
if "name" in response:
response["name"] = response["name"].split("/")[-1]
return response
if __name__ == '__main__':
if __name__ == "__main__":
main()

3
tests/integration/targets/gcp_iam_role/aliases
View file

@ -1,2 +1 @@
cloud/gcp
unsupported
cloud/gcp

14
tests/integration/targets/gcp_iam_role/tasks/autogen.yml
View file

@ -15,7 +15,7 @@
# Pre-test setup
- name: delete a role
google.cloud.gcp_iam_role:
name: myCustomRole2
name: role_{{ resource_name.split("-")[-1] }}
title: My Custom Role
description: My custom role description
included_permissions:
@ -29,7 +29,7 @@
#----------------------------------------------------------
- name: create a role
google.cloud.gcp_iam_role:
name: myCustomRole2
name: role_{{ resource_name.split("-")[-1] }}
title: My Custom Role
description: My custom role description
included_permissions:
@ -56,11 +56,11 @@
- name: verify that command succeeded
assert:
that:
- results['resources'] | map(attribute='name') | select("match", ".*myCustomRole2.*") | list | length == 1
- results['resources'] | map(attribute='name') | select("match", ".*role_{{ resource_name.split("-")[-1] }}.*") | list | length == 1
# ----------------------------------------------------------------------------
- name: create a role that already exists
google.cloud.gcp_iam_role:
name: myCustomRole2
name: role_{{ resource_name.split("-")[-1] }}
title: My Custom Role
description: My custom role description
included_permissions:
@ -79,7 +79,7 @@
#----------------------------------------------------------
- name: delete a role
google.cloud.gcp_iam_role:
name: myCustomRole2
name: role_{{ resource_name.split("-")[-1] }}
title: My Custom Role
description: My custom role description
included_permissions:
@ -106,11 +106,11 @@
- name: verify that command succeeded
assert:
that:
- results['resources'] | map(attribute='name') | select("match", ".*myCustomRole2.*") | list | length == 0
- results['resources'] | map(attribute='name') | select("match", ".*role_{{ resource_name.split("-")[-1] }}.*") | list | length == 0
# ----------------------------------------------------------------------------
- name: delete a role that does not exist
google.cloud.gcp_iam_role:
name: myCustomRole2
name: role_{{ resource_name.split("-")[-1] }}
title: My Custom Role
description: My custom role description
included_permissions: