ansible-collections/google.cloud
1
0
Fork 0
mirror of https://github.com/ansible-collections/google.cloud.git synced 2025-04-05 18:30:27 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Generates DefaultObjectACL and ObjectAccessControl resources. Also adds support for default object ACLs to storage buckets..

Browse source
This commit is contained in:
Nathan McKinley 2018-06-01 19:59:47 +00:00 committed by Alex Stephen
parent dbdb1ba127
commit 6667a7820b
8 changed files with 724 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

357
plugins/modules/gcp_storage_default_object_acl.py Normal file
View file

@ -0,0 +1,357 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2017 Google
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file at
# https://www.github.com/GoogleCloudPlatform/magic-modules
#
# ----------------------------------------------------------------------------
from __future__ import absolute_import, division, print_function
__metaclass__ = type
################################################################################
# Documentation
################################################################################
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ["preview"],
'supported_by': 'community'}
DOCUMENTATION = '''
---
module: gcp_storage_default_object_acl
description:
- The ObjectAccessControls resources represent the Access Control Lists (ACLs) for
objects within Google Cloud Storage. ACLs let you specify who has access to your
data and to what extent.
- 'There are two roles that can be assigned to an entity: READERs can get an object,
though the acl property will not be revealed.'
- OWNERs are READERs, and they can get the acl property, update an object, and call
all objectAccessControls methods on the object. The owner of an object is always
an OWNER.
- For more information, see Access Control, with the caveat that this API uses READER
and OWNER instead of READ and FULL_CONTROL.
short_description: Creates a GCP DefaultObjectACL
version_added: 2.6
author: Google Inc. (@googlecloudplatform)
requirements:
- python >= 2.6
- requests >= 2.18.4
- google-auth >= 1.3.0
options:
state:
description:
- Whether the given object should exist in GCP
choices: ['present', 'absent']
default: 'present'
bucket:
description:
- The name of the bucket.
required: true
entity:
description:
- 'The entity holding the permission, in one of the following
forms: user-userId user-email group-groupId group-email
domain-domain project-team-projectId allUsers
allAuthenticatedUsers Examples: The user liz@example.com would be
user-liz@example.com.'
- The group example@googlegroups.com would be group-example@googlegroups.com.
- To refer to all members of the Google Apps for Business domain example.com, the
entity would be domain-example.com.
required: true
entity_id:
description:
- The ID for the entity.
required: false
object:
description:
- The name of the object, if applied to an object.
required: false
project_team:
description:
- The project team associated with the entity.
required: false
suboptions:
project_number:
description:
- The project team associated with the entity.
required: false
team:
description:
- The team.
required: false
choices: ['editors', 'owners', 'viewers']
role:
description:
- The access permission for the entity.
required: false
choices: ['OWNER', 'READER']
extends_documentation_fragment: gcp
'''
RETURN = '''
bucket:
description:
- The name of the bucket.
returned: success
type: dict
domain:
description:
- The domain associated with the entity.
returned: success
type: str
email:
description:
- The email address associated with the entity.
returned: success
type: str
entity:
description:
- 'The entity holding the permission, in one of the following
forms: user-userId user-email group-groupId group-email
domain-domain project-team-projectId allUsers
allAuthenticatedUsers Examples: The user liz@example.com would be
user-liz@example.com.'
- The group example@googlegroups.com would be group-example@googlegroups.com.
- To refer to all members of the Google Apps for Business domain example.com, the
entity would be domain-example.com.
returned: success
type: str
entity_id:
description:
- The ID for the entity.
returned: success
type: str
generation:
description:
- The content generation of the object, if applied to an object.
returned: success
type: int
id:
description:
- The ID of the access-control entry.
returned: success
type: str
object:
description:
- The name of the object, if applied to an object.
returned: success
type: str
project_team:
description:
- The project team associated with the entity.
returned: success
type: complex
contains:
project_number:
description:
- The project team associated with the entity.
returned: success
type: str
team:
description:
- The team.
returned: success
type: str
role:
description:
- The access permission for the entity.
returned: success
type: str
'''
################################################################################
# Imports
################################################################################
from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, remove_nones_from_dict, replace_resource_dict
import json
################################################################################
# Main
################################################################################
def main():
"""Main function"""
module = GcpModule(
argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'),
bucket=dict(required=True, type='dict'),
entity=dict(required=True, type='str'),
entity_id=dict(type='str'),
object=dict(type='str'),
project_team=dict(type='dict', options=dict(
project_number=dict(type='str'),
team=dict(type='str', choices=['editors', 'owners', 'viewers'])
)),
role=dict(type='str', choices=['OWNER', 'READER'])
)
)
state = module.params['state']
kind = 'storage#objectAccessControl'
fetch = fetch_resource(module, self_link(module), kind)
changed = False
if fetch:
if state == 'present':
if is_different(module, fetch):
fetch = update(module, self_link(module), kind)
changed = True
else:
delete(module, self_link(module), kind)
fetch = {}
changed = True
else:
if state == 'present':
fetch = create(module, collection(module), kind)
changed = True
else:
fetch = {}
fetch.update({'changed': changed})
module.exit_json(**fetch)
def create(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.post(link, resource_to_request(module)), kind)
def update(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.put(link, resource_to_request(module)), kind)
def delete(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.delete(link), kind)
def resource_to_request(module):
request = {
u'kind': 'storage#objectAccessControl',
u'bucket': replace_resource_dict(module.params.get(u'bucket', {}), 'name'),
u'entity': module.params.get('entity'),
u'entityId': module.params.get('entity_id'),
u'object': module.params.get('object'),
u'projectTeam': DefaObjeAclProjTeam(module.params.get('project_team', {}), module).to_request(),
u'role': module.params.get('role')
}
return_vals = {}
for k, v in request.items():
if v:
return_vals[k] = v
return return_vals
def fetch_resource(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.get(link), kind)
def self_link(module):
return "https://www.googleapis.com/storage/v1/b/{bucket}/defaultObjectAcl/{entity}".format(**module.params)
def collection(module):
return "https://www.googleapis.com/storage/v1/b/{bucket}/defaultObjectAcl".format(**module.params)
def return_if_object(module, response, kind):
# If not found, return nothing.
if response.status_code == 404:
return None
# If no content, return nothing.
if response.status_code == 204:
return None
try:
module.raise_for_status(response)
result = response.json()
except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst:
module.fail_json(msg="Invalid JSON response with error: %s" % inst)
if navigate_hash(result, ['error', 'errors']):
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
if result['kind'] != kind:
module.fail_json(msg="Incorrect result: {kind}".format(**result))
return result
def is_different(module, response):
request = resource_to_request(module)
response = response_to_hash(module, response)
# Remove all output-only from response.
response_vals = {}
for k, v in response.items():
if k in request:
response_vals[k] = v
request_vals = {}
for k, v in request.items():
if k in response:
request_vals[k] = v
return GcpRequest(request_vals) != GcpRequest(response_vals)
# Remove unnecessary properties from the response.
# This is for doing comparisons with Ansible's current parameters.
def response_to_hash(module, response):
return {
u'bucket': response.get(u'bucket'),
u'domain': response.get(u'domain'),
u'email': response.get(u'email'),
u'entity': response.get(u'entity'),
u'entityId': response.get(u'entityId'),
u'generation': response.get(u'generation'),
u'id': response.get(u'id'),
u'object': response.get(u'object'),
u'projectTeam': DefaObjeAclProjTeam(response.get(u'projectTeam', {}), module).from_response(),
u'role': response.get(u'role')
}
class DefaObjeAclProjTeam(object):
def __init__(self, request, module):
self.module = module
if request:
self.request = request
else:
self.request = {}
def to_request(self):
return remove_nones_from_dict({
u'projectNumber': self.request.get('project_number'),
u'team': self.request.get('team')
})
def from_response(self):
return remove_nones_from_dict({
u'projectNumber': self.request.get(u'projectNumber'),
u'team': self.request.get(u'team')
})
if __name__ == '__main__':
main()

357
plugins/modules/gcp_storage_object_access_control.py Normal file
View file

@ -0,0 +1,357 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2017 Google
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file at
# https://www.github.com/GoogleCloudPlatform/magic-modules
#
# ----------------------------------------------------------------------------
from __future__ import absolute_import, division, print_function
__metaclass__ = type
################################################################################
# Documentation
################################################################################
ANSIBLE_METADATA = {'metadata_version': '1.1',
'status': ["preview"],
'supported_by': 'community'}
DOCUMENTATION = '''
---
module: gcp_storage_object_access_control
description:
- The ObjectAccessControls resources represent the Access Control Lists (ACLs) for
objects within Google Cloud Storage. ACLs let you specify who has access to your
data and to what extent.
- 'There are two roles that can be assigned to an entity: READERs can get an object,
though the acl property will not be revealed.'
- OWNERs are READERs, and they can get the acl property, update an object, and call
all objectAccessControls methods on the object. The owner of an object is always
an OWNER.
- For more information, see Access Control, with the caveat that this API uses READER
and OWNER instead of READ and FULL_CONTROL.
short_description: Creates a GCP ObjectAccessControl
version_added: 2.6
author: Google Inc. (@googlecloudplatform)
requirements:
- python >= 2.6
- requests >= 2.18.4
- google-auth >= 1.3.0
options:
state:
description:
- Whether the given object should exist in GCP
choices: ['present', 'absent']
default: 'present'
bucket:
description:
- The name of the bucket.
required: true
entity:
description:
- 'The entity holding the permission, in one of the following
forms: user-userId user-email group-groupId group-email
domain-domain project-team-projectId allUsers
allAuthenticatedUsers Examples: The user liz@example.com would be
user-liz@example.com.'
- The group example@googlegroups.com would be group-example@googlegroups.com.
- To refer to all members of the Google Apps for Business domain example.com, the
entity would be domain-example.com.
required: true
entity_id:
description:
- The ID for the entity.
required: false
object:
description:
- The name of the object, if applied to an object.
required: true
project_team:
description:
- The project team associated with the entity.
required: false
suboptions:
project_number:
description:
- The project team associated with the entity.
required: false
team:
description:
- The team.
required: false
choices: ['editors', 'owners', 'viewers']
role:
description:
- The access permission for the entity.
required: false
choices: ['OWNER', 'READER']
extends_documentation_fragment: gcp
'''
RETURN = '''
bucket:
description:
- The name of the bucket.
returned: success
type: dict
domain:
description:
- The domain associated with the entity.
returned: success
type: str
email:
description:
- The email address associated with the entity.
returned: success
type: str
entity:
description:
- 'The entity holding the permission, in one of the following
forms: user-userId user-email group-groupId group-email
domain-domain project-team-projectId allUsers
allAuthenticatedUsers Examples: The user liz@example.com would be
user-liz@example.com.'
- The group example@googlegroups.com would be group-example@googlegroups.com.
- To refer to all members of the Google Apps for Business domain example.com, the
entity would be domain-example.com.
returned: success
type: str
entity_id:
description:
- The ID for the entity.
returned: success
type: str
generation:
description:
- The content generation of the object, if applied to an object.
returned: success
type: int
id:
description:
- The ID of the access-control entry.
returned: success
type: str
object:
description:
- The name of the object, if applied to an object.
returned: success
type: str
project_team:
description:
- The project team associated with the entity.
returned: success
type: complex
contains:
project_number:
description:
- The project team associated with the entity.
returned: success
type: str
team:
description:
- The team.
returned: success
type: str
role:
description:
- The access permission for the entity.
returned: success
type: str
'''
################################################################################
# Imports
################################################################################
from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, remove_nones_from_dict, replace_resource_dict
import json
################################################################################
# Main
################################################################################
def main():
"""Main function"""
module = GcpModule(
argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'),
bucket=dict(required=True, type='dict'),
entity=dict(required=True, type='str'),
entity_id=dict(type='str'),
object=dict(required=True, type='str'),
project_team=dict(type='dict', options=dict(
project_number=dict(type='str'),
team=dict(type='str', choices=['editors', 'owners', 'viewers'])
)),
role=dict(type='str', choices=['OWNER', 'READER'])
)
)
state = module.params['state']
kind = 'storage#objectAccessControl'
fetch = fetch_resource(module, self_link(module), kind)
changed = False
if fetch:
if state == 'present':
if is_different(module, fetch):
fetch = update(module, self_link(module), kind)
changed = True
else:
delete(module, self_link(module), kind)
fetch = {}
changed = True
else:
if state == 'present':
fetch = create(module, collection(module), kind)
changed = True
else:
fetch = {}
fetch.update({'changed': changed})
module.exit_json(**fetch)
def create(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.post(link, resource_to_request(module)), kind)
def update(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.put(link, resource_to_request(module)), kind)
def delete(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.delete(link), kind)
def resource_to_request(module):
request = {
u'kind': 'storage#objectAccessControl',
u'bucket': replace_resource_dict(module.params.get(u'bucket', {}), 'name'),
u'entity': module.params.get('entity'),
u'entityId': module.params.get('entity_id'),
u'object': module.params.get('object'),
u'projectTeam': ObjeAcceContProjTeam(module.params.get('project_team', {}), module).to_request(),
u'role': module.params.get('role')
}
return_vals = {}
for k, v in request.items():
if v:
return_vals[k] = v
return return_vals
def fetch_resource(module, link, kind):
auth = GcpSession(module, 'storage')
return return_if_object(module, auth.get(link), kind)
def self_link(module):
return "https://www.googleapis.com/storage/v1/b/{bucket}/o/{object}/acl/{entity}".format(**module.params)
def collection(module):
return "https://www.googleapis.com/storage/v1/b/{bucket}/o/{object}/acl".format(**module.params)
def return_if_object(module, response, kind):
# If not found, return nothing.
if response.status_code == 404:
return None
# If no content, return nothing.
if response.status_code == 204:
return None
try:
module.raise_for_status(response)
result = response.json()
except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst:
module.fail_json(msg="Invalid JSON response with error: %s" % inst)
if navigate_hash(result, ['error', 'errors']):
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
if result['kind'] != kind:
module.fail_json(msg="Incorrect result: {kind}".format(**result))
return result
def is_different(module, response):
request = resource_to_request(module)
response = response_to_hash(module, response)
# Remove all output-only from response.
response_vals = {}
for k, v in response.items():
if k in request:
response_vals[k] = v
request_vals = {}
for k, v in request.items():
if k in response:
request_vals[k] = v
return GcpRequest(request_vals) != GcpRequest(response_vals)
# Remove unnecessary properties from the response.
# This is for doing comparisons with Ansible's current parameters.
def response_to_hash(module, response):
return {
u'bucket': response.get(u'bucket'),
u'domain': response.get(u'domain'),
u'email': response.get(u'email'),
u'entity': response.get(u'entity'),
u'entityId': response.get(u'entityId'),
u'generation': response.get(u'generation'),
u'id': response.get(u'id'),
u'object': response.get(u'object'),
u'projectTeam': ObjeAcceContProjTeam(response.get(u'projectTeam', {}), module).from_response(),
u'role': response.get(u'role')
}
class ObjeAcceContProjTeam(object):
def __init__(self, request, module):
self.module = module
if request:
self.request = request
else:
self.request = {}
def to_request(self):
return remove_nones_from_dict({
u'projectNumber': self.request.get('project_number'),
u'team': self.request.get('team')
})
def from_response(self):
return remove_nones_from_dict({
u'projectNumber': self.request.get(u'projectNumber'),
u'team': self.request.get(u'team')
})
if __name__ == '__main__':
main()

2
tests/integration/gcp_storage_default_object_acl/aliases Normal file
View file

@ -0,0 +1,2 @@
cloud/gcp
unsupported

3
tests/integration/gcp_storage_default_object_acl/defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
# defaults file
resource_name: '{{resource_prefix}}'

0
tests/integration/gcp_storage_default_object_acl/meta/main.yml Normal file
View file

2
tests/integration/gcp_storage_object_access_control/aliases Normal file
View file

@ -0,0 +1,2 @@
cloud/gcp
unsupported

3
tests/integration/gcp_storage_object_access_control/defaults/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
# defaults file
resource_name: '{{resource_prefix}}'

0
tests/integration/gcp_storage_object_access_control/meta/main.yml Normal file
View file