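---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

# Integration tasks for consul_role: create/update/remove roles that carry
# policies, service identities and node identities, and check what the
# module returns in `result['role']` in both check mode and normal mode.
#
# Every task authenticates with `consul_management_token`, which is taken
# from a variable (inventory / vars) rather than being written into this
# file. The registered `result` of each mutating task is inspected by the
# assert that follows it.

# Two read-only policies with an explicit deny on the "private/" subtree.
# They only exist to be attached to roles below.
- name: Create a policy with rules
  consul_policy:
    name: foo-access-for-role
    rules: |
      key "foo" {
        policy = "read"
      }
      key "private/foo" {
        policy = "deny"
      }
    token: "{{ consul_management_token }}"
  register: policy_result

- name: Create another policy with rules
  consul_policy:
    name: bar-access-for-role
    rules: |
      key "bar" {
        policy = "read"
      }
      key "private/bar" {
        policy = "deny"
      }
    token: "{{ consul_management_token }}"
  register: policy_result

# --- roles built from policies ---------------------------------------------

- name: Create a role with policy
  consul_role:
    name: foo-role-with-policy
    policies:
      - name: "foo-access-for-role"
    token: "{{ consul_management_token }}"
  register: result

- assert:
    that:
      - result is changed
      - result['role']['Name'] == 'foo-role-with-policy'

# Check mode must report the would-be change without persisting it; the
# returned role is expected to already reflect the new description.
- name: Update policy description, in check mode
  consul_role:
    name: foo-role-with-policy
    description: "Testing updating description"
    token: "{{ consul_management_token }}"
  check_mode: true
  register: result

- assert:
    that:
      - result is changed
      - result['role']['Description'] == "Testing updating description"
      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'

- name: Update policy to add the description
  consul_role:
    name: foo-role-with-policy
    description: "Role for testing policies"
    token: "{{ consul_management_token }}"
  register: result

- assert:
    that:
      - result is changed
      - result['role']['Description'] == "Role for testing policies"
      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'

# Omitting `description` here must leave the previously set value intact.
- name: Update the role with another policy, also testing leaving description blank
  consul_role:
    name: foo-role-with-policy
    policies:
      - name: "foo-access-for-role"
      - name: "bar-access-for-role"
    token: "{{ consul_management_token }}"
  register: result

- assert:
    that:
      - result is changed
      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'
      - result['role']['Policies'][1]['Name'] == 'bar-access-for-role'
      - result['role']['Description'] == "Role for testing policies"

# --- roles built from service identities -----------------------------------

- name: Create a role with service identity
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-service-identity
    service_identities:
      - name: web
        datacenters:
          - dc1
  register: result

- assert:
    that:
      - result is changed
      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"

# Check mode: the returned role shows dc2, but the later assert on dc1
# confirms nothing was written to Consul.
- name: Update the role with service identity in check mode
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-service-identity
    service_identities:
      - name: web
        datacenters:
          - dc2
  register: result
  check_mode: true

- assert:
    that:
      - result is changed
      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc2"

- name: Update the role with service identity to add a policy, leaving the service id unchanged
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-service-identity
    policies:
      - name: "foo-access-for-role"
  register: result

- assert:
    that:
      - result is changed
      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
      - result['role']['Policies'][0]['Name'] == 'foo-access-for-role'

# An explicit empty list clears the field; `policies:` alone would be null
# and is not the same request.
- name: Update the role with service identity to remove the policies
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-service-identity
    policies: []
  register: result

- assert:
    that:
      - result is changed
      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
      - result['role']['Policies'] is not defined

- name: Update the role with service identity to remove the node identities, in check mode
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-service-identity
    node_identities: []
  register: result
  check_mode: true

- assert:
    that:
      - result is changed
      - result['role']['ServiceIdentities'][0]['ServiceName'] == "web"
      - result['role']['ServiceIdentities'][0]['Datacenters'][0] == "dc1"
      - result['role']['Policies'] is not defined
      - result['role']['NodeIdentities'] == []  # in check mode the cleared field is returned as an empty array

- name: Update the role with service identity to remove the service identities
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-service-identity
    service_identities: []
  register: result

- assert:
    that:
      - result is changed
      - result['role']['ServiceIdentities'] is not defined  # in normal mode the dictionary is removed from the result
      - result['role']['Policies'] is not defined

# --- roles built from node identities --------------------------------------

- name: Create a role with node identity
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-node-identity
    node_identities:
      - name: node-1
        datacenter: dc2
  register: result

- assert:
    that:
      - result is changed
      - result['role']['NodeIdentities'][0]['NodeName'] == "node-1"
      - result['role']['NodeIdentities'][0]['Datacenter'] == "dc2"

# `register: result` is required here: without it the following assert
# would evaluate the stale `result` of the previous task (already changed)
# and pass even if the removal did nothing.
- name: Remove the last role
  consul_role:
    token: "{{ consul_management_token }}"
    name: role-with-node-identity
    state: absent
  register: result

- assert:
    that:
      - result is changed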