diff --git a/lib/ansible/module_utils/gcp_utils.py b/lib/ansible/module_utils/gcp_utils.py index 65cd877781..d5a5b184a3 100644 --- a/lib/ansible/module_utils/gcp_utils.py +++ b/lib/ansible/module_utils/gcp_utils.py @@ -21,6 +21,7 @@ from ansible.module_utils.six import string_types from ansible.module_utils._text import to_text import ast import os +import json def navigate_hash(source, path, default=None): @@ -143,7 +144,8 @@ class GcpSession(object): msg="Service Account Email only works with Machine Account-based authentication" ) - if self.module.params.get('service_account_file') is not None and self.module.params['auth_kind'] != 'serviceaccount': + if (self.module.params.get('service_account_file') is not None or + self.module.params.get('service_account_contents') is not None) and self.module.params['auth_kind'] != 'serviceaccount': self.module.fail_json( msg="Service Account File only works with Service Account-based authentication" ) @@ -153,9 +155,12 @@ class GcpSession(object): if cred_type == 'application': credentials, project_id = google.auth.default(scopes=self.module.params['scopes']) return credentials - elif cred_type == 'serviceaccount': + elif cred_type == 'serviceaccount' and self.module.params.get('service_account_file'): path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file'])) return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes']) + elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'): + cred = json.loads(self.module.params.get('service_account_contents')) + return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes']) elif cred_type == 'machineaccount': return google.auth.compute_engine.Credentials( self.module.params['service_account_email']) @@ -199,6 +204,10 @@ class GcpModule(AnsibleModule): required=False, fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_FILE']), type='path'), + service_account_contents=dict( + required=False, + fallback=(env_fallback, ['GCP_SERVICE_ACCOUNT_CONTENTS']), + type='str'), scopes=dict( required=False, fallback=(env_fallback, ['GCP_SCOPES']), @@ -211,7 +220,7 @@ class GcpModule(AnsibleModule): mutual = kwargs['mutually_exclusive'] kwargs['mutually_exclusive'] = mutual.append( - ['service_account_email', 'service_account_file'] + ['service_account_email', 'service_account_file', 'service_account_contents'] ) AnsibleModule.__init__(self, *args, **kwargs) diff --git a/lib/ansible/modules/cloud/google/gcp_iam_role.py b/lib/ansible/modules/cloud/google/gcp_iam_role.py new file mode 100644 index 0000000000..a9e8a859ea --- /dev/null +++ b/lib/ansible/modules/cloud/google/gcp_iam_role.py @@ -0,0 +1,316 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright (C) 2017 Google +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file at +# https://www.github.com/GoogleCloudPlatform/magic-modules +# +# ---------------------------------------------------------------------------- + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +################################################################################ +# Documentation +################################################################################ + +ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'} + +DOCUMENTATION = ''' +--- +module: gcp_iam_role +description: +- A role in the Identity and Access Management API . +short_description: Creates a GCP Role +version_added: 2.8 +author: Google Inc. (@googlecloudplatform) +requirements: +- python >= 2.6 +- requests >= 2.18.4 +- google-auth >= 1.3.0 +options: + state: + description: + - Whether the given object should exist in GCP + choices: + - present + - absent + default: present + name: + description: + - The name of the role. + required: true + title: + description: + - A human-readable title for the role. Typically this is limited to 100 UTF-8 + bytes. + required: false + description: + description: + - Human-readable description for the role. + required: false + included_permissions: + description: + - Names of permissions this role grants when bound in an IAM policy. + required: false + stage: + description: + - The current launch stage of the role. + required: false + choices: + - ALPHA + - BETA + - GA + - DEPRECATED + - DISABLED + - EAP +extends_documentation_fragment: gcp +''' + +EXAMPLES = ''' +- name: create a role + gcp_iam_role: + name: myCustomRole2 + title: My Custom Role + description: My custom role description + included_permissions: + - iam.roles.list + - iam.roles.create + - iam.roles.delete + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present +''' + +RETURN = ''' +name: + description: + - The name of the role. + returned: success + type: str +title: + description: + - A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. + returned: success + type: str +description: + description: + - Human-readable description for the role. + returned: success + type: str +includedPermissions: + description: + - Names of permissions this role grants when bound in an IAM policy. + returned: success + type: list +stage: + description: + - The current launch stage of the role. + returned: success + type: str +deleted: + description: + - The current deleted state of the role. + returned: success + type: bool +''' + +################################################################################ +# Imports +################################################################################ + +from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, replace_resource_dict +import json + +################################################################################ +# Main +################################################################################ + + +def main(): + """Main function""" + + module = GcpModule( + argument_spec=dict( + state=dict(default='present', choices=['present', 'absent'], type='str'), + name=dict(required=True, type='str'), + title=dict(type='str'), + description=dict(type='str'), + included_permissions=dict(type='list', elements='str'), + stage=dict(type='str', choices=['ALPHA', 'BETA', 'GA', 'DEPRECATED', 'DISABLED', 'EAP']), + ) + ) + + if not module.params['scopes']: + module.params['scopes'] = ['https://www.googleapis.com/auth/iam'] + + state = module.params['state'] + + fetch = fetch_resource(module, self_link(module)) + changed = False + + if fetch: + if state == 'present': + if is_different(module, fetch): + update(module, self_link(module), fetch) + fetch = fetch_resource(module, self_link(module)) + changed = True + else: + delete(module, self_link(module)) + fetch = {} + changed = True + else: + if state == 'present': + fetch = create(module, collection(module)) + changed = True + else: + fetch = {} + + fetch.update({'changed': changed}) + + module.exit_json(**fetch) + + +def create(module, link): + auth = GcpSession(module, 'iam') + return return_if_object(module, auth.post(link, resource_to_create(module))) + + +def update(module, link, fetch): + auth = GcpSession(module, 'iam') + params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))} + request = resource_to_request(module) + del request['name'] + return return_if_object(module, auth.put(link, request, params=params)) + + +def updateMask(request, response): + update_mask = [] + if request.get('name') != response.get('name'): + update_mask.append('name') + if request.get('title') != response.get('title'): + update_mask.append('title') + if request.get('description') != response.get('description'): + update_mask.append('description') + if request.get('includedPermissions') != response.get('includedPermissions'): + update_mask.append('includedPermissions') + if request.get('stage') != response.get('stage'): + update_mask.append('stage') + return ','.join(update_mask) + + +def delete(module, link): + auth = GcpSession(module, 'iam') + return return_if_object(module, auth.delete(link)) + + +def resource_to_request(module): + request = { + u'name': module.params.get('name'), + u'title': module.params.get('title'), + u'description': module.params.get('description'), + u'includedPermissions': module.params.get('included_permissions'), + u'stage': module.params.get('stage'), + } + return_vals = {} + for k, v in request.items(): + if v or v is False: + return_vals[k] = v + + return return_vals + + +def fetch_resource(module, link, allow_not_found=True): + auth = GcpSession(module, 'iam') + return return_if_object(module, auth.get(link), allow_not_found) + + +def self_link(module): + return "https://iam.googleapis.com/v1/projects/{project}/roles/{name}".format(**module.params) + + +def collection(module): + return "https://iam.googleapis.com/v1/projects/{project}/roles".format(**module.params) + + +def return_if_object(module, response, allow_not_found=False): + # If not found, return nothing. + if allow_not_found and response.status_code == 404: + return None + + # If no content, return nothing. + if response.status_code == 204: + return None + + try: + module.raise_for_status(response) + result = response.json() + except getattr(json.decoder, 'JSONDecodeError', ValueError): + module.fail_json(msg="Invalid JSON response with error: %s" % response.text) + + result = decode_response(result, module) + + if navigate_hash(result, ['error', 'errors']): + module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) + + return result + + +def is_different(module, response): + request = resource_to_request(module) + response = response_to_hash(module, response) + request = decode_response(request, module) + + # Remove all output-only from response. + response_vals = {} + for k, v in response.items(): + if k in request: + response_vals[k] = v + + request_vals = {} + for k, v in request.items(): + if k in response: + request_vals[k] = v + + return GcpRequest(request_vals) != GcpRequest(response_vals) + + +# Remove unnecessary properties from the response. +# This is for doing comparisons with Ansible's current parameters. +def response_to_hash(module, response): + return { + u'name': response.get(u'name'), + u'title': response.get(u'title'), + u'description': response.get(u'description'), + u'includedPermissions': response.get(u'includedPermissions'), + u'stage': response.get(u'stage'), + u'deleted': response.get(u'deleted'), + } + + +def resource_to_create(module): + role = resource_to_request(module) + del role['name'] + return {'roleId': module.params['name'], 'role': role} + + +def decode_response(response, module): + if 'name' in response: + response['name'] = response['name'].split('/')[-1] + return response + + +if __name__ == '__main__': + main() diff --git a/lib/ansible/plugins/doc_fragments/gcp.py b/lib/ansible/plugins/doc_fragments/gcp.py index ecbf467eb2..110d279595 100644 --- a/lib/ansible/plugins/doc_fragments/gcp.py +++ b/lib/ansible/plugins/doc_fragments/gcp.py @@ -18,6 +18,12 @@ options: type: str required: true choices: [ application, machineaccount, serviceaccount ] + service_account_contents: + description: + - A string representing the contents of a Service Account JSON file. + - This should not be passed in as a dictionary, but a string + that has the exact contents of a service account json file (valid JSON) + type: str service_account_file: description: - The path of a Service Account JSON file if serviceaccount is selected as type. @@ -36,6 +42,8 @@ notes: C(GCP_SERVICE_ACCOUNT_FILE) env variable. - For authentication, you can set service_account_email using the C(GCP_SERVICE_ACCOUNT_EMAIL) env variable. + - For authentication, you can set service_account_contents using the + C(GCP_SERVICE_ACCOUNT_CONTENTS) env variable. - For authentication, you can set auth_kind using the C(GCP_AUTH_KIND) env variable. - For authentication, you can set scopes using the C(GCP_SCOPES) env variable. diff --git a/test/integration/targets/gcp_iam_role/aliases b/test/integration/targets/gcp_iam_role/aliases new file mode 100644 index 0000000000..9812f019ca --- /dev/null +++ b/test/integration/targets/gcp_iam_role/aliases @@ -0,0 +1,2 @@ +cloud/gcp +unsupported diff --git a/test/integration/targets/gcp_iam_role/defaults/main.yml b/test/integration/targets/gcp_iam_role/defaults/main.yml new file mode 100644 index 0000000000..aa87a2a8e0 --- /dev/null +++ b/test/integration/targets/gcp_iam_role/defaults/main.yml @@ -0,0 +1,3 @@ +--- +# defaults file +resource_name: '{{resource_prefix}}' diff --git a/test/integration/targets/gcp_iam_role/meta/main.yml b/test/integration/targets/gcp_iam_role/meta/main.yml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/test/integration/targets/gcp_iam_role/tasks/main.yml b/test/integration/targets/gcp_iam_role/tasks/main.yml new file mode 100644 index 0000000000..6299f760ce --- /dev/null +++ b/test/integration/targets/gcp_iam_role/tasks/main.yml @@ -0,0 +1,128 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file at +# https://www.github.com/GoogleCloudPlatform/magic-modules +# +# ---------------------------------------------------------------------------- +# Pre-test setup +- name: delete a role + gcp_iam_role: + name: myCustomRole2 + title: My Custom Role + description: My custom role description + included_permissions: + - iam.roles.list + - iam.roles.create + - iam.roles.delete + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: absent +#---------------------------------------------------------- +- name: create a role + gcp_iam_role: + name: myCustomRole2 + title: My Custom Role + description: My custom role description + included_permissions: + - iam.roles.list + - iam.roles.create + - iam.roles.delete + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: result +- name: assert changed is true + assert: + that: + - result.changed == true +- name: verify that role was created + gcp_iam_role_facts: + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/iam + register: results +- name: verify that command succeeded + assert: + that: + - results['items'] | length >= 1 +# ---------------------------------------------------------------------------- +- name: create a role that already exists + gcp_iam_role: + name: myCustomRole2 + title: My Custom Role + description: My custom role description + included_permissions: + - iam.roles.list + - iam.roles.create + - iam.roles.delete + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: present + register: result +- name: assert changed is false + assert: + that: + - result.changed == false +#---------------------------------------------------------- +- name: delete a role + gcp_iam_role: + name: myCustomRole2 + title: My Custom Role + description: My custom role description + included_permissions: + - iam.roles.list + - iam.roles.create + - iam.roles.delete + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: absent + register: result +- name: assert changed is true + assert: + that: + - result.changed == true +- name: verify that role was deleted + gcp_iam_role_facts: + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/iam + register: results +- name: verify that command succeeded + assert: + that: + - results['items'] | length == 0 +# ---------------------------------------------------------------------------- +- name: delete a role that does not exist + gcp_iam_role: + name: myCustomRole2 + title: My Custom Role + description: My custom role description + included_permissions: + - iam.roles.list + - iam.roles.create + - iam.roles.delete + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + state: absent + register: result +- name: assert changed is false + assert: + that: + - result.changed == false