diff --git a/plugins/modules/gcp_iam_role.py b/plugins/modules/gcp_iam_role.py index 6911a8b..3600ab6 100644 --- a/plugins/modules/gcp_iam_role.py +++ b/plugins/modules/gcp_iam_role.py @@ -25,9 +25,13 @@ __metaclass__ = type # Documentation ################################################################################ -ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'} +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} -DOCUMENTATION = ''' +DOCUMENTATION = """ --- module: gcp_iam_role description: @@ -114,9 +118,9 @@ options: - This should not be set unless you know what you're doing. - This only alters the User Agent string for any API requests. type: str -''' +""" -EXAMPLES = ''' +EXAMPLES = """ - name: create a role google.cloud.gcp_iam_role: name: myCustomRole2 @@ -130,9 +134,9 @@ EXAMPLES = ''' auth_kind: serviceaccount service_account_file: "/tmp/auth.pem" state: present -''' +""" -RETURN = ''' +RETURN = """ name: description: - The name of the role. @@ -163,13 +167,19 @@ deleted: - The current deleted state of the role. returned: success type: bool -''' +""" ################################################################################ # Imports ################################################################################ -from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, replace_resource_dict +from ansible_collections.google.cloud.plugins.module_utils.gcp_utils import ( + navigate_hash, + GcpSession, + GcpModule, + GcpRequest, + replace_resource_dict, +) import json ################################################################################ @@ -182,85 +192,99 @@ def main(): module = GcpModule( argument_spec=dict( - state=dict(default='present', choices=['present', 'absent'], type='str'), - name=dict(required=True, type='str'), - title=dict(type='str'), - description=dict(type='str'), - included_permissions=dict(type='list', elements='str'), - stage=dict(type='str'), + state=dict(default="present", choices=["present", "absent"], type="str"), + name=dict(required=True, type="str"), + title=dict(type="str"), + description=dict(type="str"), + included_permissions=dict(type="list", elements="str"), + stage=dict(type="str"), ) ) - if not module.params['scopes']: - module.params['scopes'] = ['https://www.googleapis.com/auth/iam'] + if not module.params["scopes"]: + module.params["scopes"] = ["https://www.googleapis.com/auth/iam"] - state = module.params['state'] + state = module.params["state"] fetch = fetch_resource(module, self_link(module)) changed = False if fetch: - if state == 'present': - if is_different(module, fetch): + if state == "present": + if fetch.get("deleted"): + undelete(module, self_link(module), fetch["etag"]) + changed = True + elif is_different(module, fetch): update(module, self_link(module), fetch) fetch = fetch_resource(module, self_link(module)) changed = True - else: - delete(module, self_link(module)) - fetch = {} - changed = True + elif not fetch.get("deleted"): + delete(module, self_link(module)) + fetch = {} + changed = True else: - if state == 'present': + if state == "present": fetch = create(module, collection(module)) changed = True else: fetch = {} - fetch.update({'changed': changed}) + fetch.update({"changed": changed}) module.exit_json(**fetch) def create(module, link): - auth = GcpSession(module, 'iam') + auth = GcpSession(module, "iam") return return_if_object(module, auth.post(link, resource_to_create(module))) +def undelete(module, link, etag): + auth = GcpSession(module, "iam") + return return_if_object(module, auth.post(link + ":undelete", { + "etag": etag + })) + + def update(module, link, fetch): - auth = GcpSession(module, 'iam') - params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))} + auth = GcpSession(module, "iam") + params = { + "updateMask": updateMask( + resource_to_request(module), response_to_hash(module, fetch) + ) + } request = resource_to_request(module) - del request['name'] + del request["name"] return return_if_object(module, auth.put(link, request, params=params)) def updateMask(request, response): update_mask = [] - if request.get('name') != response.get('name'): - update_mask.append('name') - if request.get('title') != response.get('title'): - update_mask.append('title') - if request.get('description') != response.get('description'): - update_mask.append('description') - if request.get('includedPermissions') != response.get('includedPermissions'): - update_mask.append('includedPermissions') - if request.get('stage') != response.get('stage'): - update_mask.append('stage') - return ','.join(update_mask) + if request.get("name") != response.get("name"): + update_mask.append("name") + if request.get("title") != response.get("title"): + update_mask.append("title") + if request.get("description") != response.get("description"): + update_mask.append("description") + if request.get("includedPermissions") != response.get("includedPermissions"): + update_mask.append("includedPermissions") + if request.get("stage") != response.get("stage"): + update_mask.append("stage") + return ",".join(update_mask) def delete(module, link): - auth = GcpSession(module, 'iam') - return return_if_object(module, auth.delete(link)) + auth = GcpSession(module, "iam") + return return_if_object(module, auth.delete(link), allow_not_found=True) def resource_to_request(module): request = { - u'name': module.params.get('name'), - u'title': module.params.get('title'), - u'description': module.params.get('description'), - u'includedPermissions': module.params.get('included_permissions'), - u'stage': module.params.get('stage'), + "name": module.params.get("name"), + "title": module.params.get("title"), + "description": module.params.get("description"), + "includedPermissions": module.params.get("included_permissions"), + "stage": module.params.get("stage"), } return_vals = {} for k, v in request.items(): @@ -271,16 +295,20 @@ def resource_to_request(module): def fetch_resource(module, link, allow_not_found=True): - auth = GcpSession(module, 'iam') + auth = GcpSession(module, "iam") return return_if_object(module, auth.get(link), allow_not_found) def self_link(module): - return "https://iam.googleapis.com/v1/projects/{project}/roles/{name}".format(**module.params) + return "https://iam.googleapis.com/v1/projects/{project}/roles/{name}".format( + **module.params + ) def collection(module): - return "https://iam.googleapis.com/v1/projects/{project}/roles".format(**module.params) + return "https://iam.googleapis.com/v1/projects/{project}/roles".format( + **module.params + ) def return_if_object(module, response, allow_not_found=False): @@ -292,16 +320,22 @@ def return_if_object(module, response, allow_not_found=False): if response.status_code == 204: return None + # catches and edge case specific to IAM roles where the role not + # existing returns 400. + if (allow_not_found and response.status_code == 400 + and "You can't delete role_id" in response.text): + return None + try: module.raise_for_status(response) result = response.json() - except getattr(json.decoder, 'JSONDecodeError', ValueError): + except getattr(json.decoder, "JSONDecodeError", ValueError): module.fail_json(msg="Invalid JSON response with error: %s" % response.text) result = decode_response(result, module) - if navigate_hash(result, ['error', 'errors']): - module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) + if navigate_hash(result, ["error", "errors"]): + module.fail_json(msg=navigate_hash(result, ["error", "errors"])) return result @@ -329,26 +363,26 @@ def is_different(module, response): # This is for doing comparisons with Ansible's current parameters. def response_to_hash(module, response): return { - u'name': response.get(u'name'), - u'title': response.get(u'title'), - u'description': response.get(u'description'), - u'includedPermissions': response.get(u'includedPermissions'), - u'stage': response.get(u'stage'), - u'deleted': response.get(u'deleted'), + "name": response.get("name"), + "title": response.get("title"), + "description": response.get("description"), + "includedPermissions": response.get("includedPermissions"), + "stage": response.get("stage"), + "deleted": response.get("deleted"), } def resource_to_create(module): role = resource_to_request(module) - del role['name'] - return {'roleId': module.params['name'], 'role': role} + del role["name"] + return {"roleId": module.params["name"], "role": role} def decode_response(response, module): - if 'name' in response: - response['name'] = response['name'].split('/')[-1] + if "name" in response: + response["name"] = response["name"].split("/")[-1] return response -if __name__ == '__main__': +if __name__ == "__main__": main() diff --git a/tests/integration/targets/gcp_iam_role/aliases b/tests/integration/targets/gcp_iam_role/aliases index 9812f01..0e4419e 100644 --- a/tests/integration/targets/gcp_iam_role/aliases +++ b/tests/integration/targets/gcp_iam_role/aliases @@ -1,2 +1 @@ -cloud/gcp -unsupported +cloud/gcp \ No newline at end of file diff --git a/tests/integration/targets/gcp_iam_role/tasks/autogen.yml b/tests/integration/targets/gcp_iam_role/tasks/autogen.yml index 9e55c27..c565d47 100644 --- a/tests/integration/targets/gcp_iam_role/tasks/autogen.yml +++ b/tests/integration/targets/gcp_iam_role/tasks/autogen.yml @@ -15,7 +15,7 @@ # Pre-test setup - name: delete a role google.cloud.gcp_iam_role: - name: myCustomRole2 + name: role_{{ resource_name.split("-")[-1] }} title: My Custom Role description: My custom role description included_permissions: @@ -29,7 +29,7 @@ #---------------------------------------------------------- - name: create a role google.cloud.gcp_iam_role: - name: myCustomRole2 + name: role_{{ resource_name.split("-")[-1] }} title: My Custom Role description: My custom role description included_permissions: @@ -56,11 +56,11 @@ - name: verify that command succeeded assert: that: - - results['resources'] | map(attribute='name') | select("match", ".*myCustomRole2.*") | list | length == 1 + - results['resources'] | map(attribute='name') | select("match", ".*role_{{ resource_name.split("-")[-1] }}.*") | list | length == 1 # ---------------------------------------------------------------------------- - name: create a role that already exists google.cloud.gcp_iam_role: - name: myCustomRole2 + name: role_{{ resource_name.split("-")[-1] }} title: My Custom Role description: My custom role description included_permissions: @@ -79,7 +79,7 @@ #---------------------------------------------------------- - name: delete a role google.cloud.gcp_iam_role: - name: myCustomRole2 + name: role_{{ resource_name.split("-")[-1] }} title: My Custom Role description: My custom role description included_permissions: @@ -106,11 +106,11 @@ - name: verify that command succeeded assert: that: - - results['resources'] | map(attribute='name') | select("match", ".*myCustomRole2.*") | list | length == 0 + - results['resources'] | map(attribute='name') | select("match", ".*role_{{ resource_name.split("-")[-1] }}.*") | list | length == 0 # ---------------------------------------------------------------------------- - name: delete a role that does not exist google.cloud.gcp_iam_role: - name: myCustomRole2 + name: role_{{ resource_name.split("-")[-1] }} title: My Custom Role description: My custom role description included_permissions: