mirror of
				https://github.com/ansible-collections/community.general.git
				synced 2024-09-14 20:13:21 +02:00 
			
		
		
		
	
		
			
				
	
	
		
			183 lines
		
	
	
	
		
			5.4 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
			
		
		
	
	
			183 lines
		
	
	
	
		
			5.4 KiB
		
	
	
	
		
			Python
		
	
	
	
	
	
| #!/usr/bin/python
 | |
| # -*- coding: utf-8 -*-
 | |
| #
 | |
| # Copyright (c) 2024, Florian Apolloner (@apollo13)
 | |
| # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 | |
| # SPDX-License-Identifier: GPL-3.0-or-later
 | |
| 
 | |
| from __future__ import absolute_import, division, print_function
 | |
| 
 | |
| __metaclass__ = type
 | |
| 
 | |
| DOCUMENTATION = """
 | |
| module: consul_binding_rule
 | |
| short_description: Manipulate Consul binding rules
 | |
| version_added: 8.3.0
 | |
| description:
 | |
|  - Allows the addition, modification and deletion of binding rules in a consul
 | |
|    cluster via the agent. For more details on using and configuring binding rules,
 | |
|    see U(https://developer.hashicorp.com/consul/api-docs/acl/binding-rules).
 | |
| author:
 | |
|   - Florian Apolloner (@apollo13)
 | |
| extends_documentation_fragment:
 | |
|   - community.general.consul
 | |
|   - community.general.consul.actiongroup_consul
 | |
|   - community.general.consul.token
 | |
|   - community.general.attributes
 | |
| attributes:
 | |
|   check_mode:
 | |
|     support: full
 | |
|   diff_mode:
 | |
|     support: partial
 | |
|     details:
 | |
|       - In check mode the diff will miss operational attributes.
 | |
| options:
 | |
|   state:
 | |
|     description:
 | |
|       - Whether the binding rule should be present or absent.
 | |
|     choices: ['present', 'absent']
 | |
|     default: present
 | |
|     type: str
 | |
|   name:
 | |
|     description:
 | |
|       - Specifies a name for the binding rule.
 | |
|       - 'Note: This is used to identify the binding rule. But since the API does not support a name, it is prefixed to the description.'
 | |
|     type: str
 | |
|     required: true
 | |
|   description:
 | |
|     description:
 | |
|       - Free form human readable description of the binding rule.
 | |
|     type: str
 | |
|   auth_method:
 | |
|     description:
 | |
|       - The name of the auth method that this rule applies to.
 | |
|     type: str
 | |
|     required: true
 | |
|   selector:
 | |
|     description:
 | |
|       - Specifies the expression used to match this rule against valid identities returned from an auth method validation.
 | |
|       - If empty this binding rule matches all valid identities returned from the auth method.
 | |
|     type: str
 | |
|   bind_type:
 | |
|     description:
 | |
|       - Specifies the way the binding rule affects a token created at login.
 | |
|     type: str
 | |
|     choices: [service, node, role, templated-policy]
 | |
|   bind_name:
 | |
|     description:
 | |
|       - The name to bind to a token at login-time.
 | |
|       - What it binds to can be adjusted with different values of the O(bind_type) parameter.
 | |
|     type: str
 | |
|   bind_vars:
 | |
|     description:
 | |
|       - Specifies the templated policy variables when O(bind_type) is set to V(templated-policy).
 | |
|     type: dict
 | |
| """
 | |
| 
 | |
| EXAMPLES = """
 | |
| - name: Create a binding rule
 | |
|   community.general.consul_binding_rule:
 | |
|     name: my_name
 | |
|     description: example rule
 | |
|     auth_method: minikube
 | |
|     bind_type: service
 | |
|     bind_name: "{{ serviceaccount.name }}"
 | |
|     token: "{{ consul_management_token }}"
 | |
| 
 | |
| - name: Remove a binding rule
 | |
|   community.general.consul_binding_rule:
 | |
|     name: my_name
 | |
|     auth_method: minikube
 | |
|     state: absent
 | |
| """
 | |
| 
 | |
| RETURN = """
 | |
| binding_rule:
 | |
|   description: The binding rule as returned by the consul HTTP API.
 | |
|   returned: always
 | |
|   type: dict
 | |
|   sample:
 | |
|     Description: "my_name: example rule"
 | |
|     AuthMethod: minikube
 | |
|     Selector: serviceaccount.namespace==default
 | |
|     BindType: service
 | |
|     BindName: "{{ serviceaccount.name }}"
 | |
|     CreateIndex: 30
 | |
|     ID: 59c8a237-e481-4239-9202-45f117950c5f
 | |
|     ModifyIndex: 33
 | |
| operation:
 | |
|   description: The operation performed.
 | |
|   returned: changed
 | |
|   type: str
 | |
|   sample: update
 | |
| """
 | |
| 
 | |
| 
 | |
| from ansible.module_utils.basic import AnsibleModule
 | |
| from ansible_collections.community.general.plugins.module_utils.consul import (
 | |
|     AUTH_ARGUMENTS_SPEC,
 | |
|     RequestError,
 | |
|     _ConsulModule,
 | |
| )
 | |
| 
 | |
| 
 | |
| class ConsulBindingRuleModule(_ConsulModule):
 | |
|     api_endpoint = "acl/binding-rule"
 | |
|     result_key = "binding_rule"
 | |
|     unique_identifier = "id"
 | |
| 
 | |
|     def read_object(self):
 | |
|         url = "acl/binding-rules?authmethod={0}".format(self.params["auth_method"])
 | |
|         try:
 | |
|             results = self.get(url)
 | |
|             for result in results:
 | |
|                 if result.get("Description").startswith(
 | |
|                     "{0}: ".format(self.params["name"])
 | |
|                 ):
 | |
|                     return result
 | |
|         except RequestError as e:
 | |
|             if e.status == 404:
 | |
|                 return
 | |
|             elif e.status == 403 and b"ACL not found" in e.response_data:
 | |
|                 return
 | |
|             raise
 | |
| 
 | |
|     def module_to_obj(self, is_update):
 | |
|         obj = super(ConsulBindingRuleModule, self).module_to_obj(is_update)
 | |
|         del obj["Name"]
 | |
|         return obj
 | |
| 
 | |
|     def prepare_object(self, existing, obj):
 | |
|         final = super(ConsulBindingRuleModule, self).prepare_object(existing, obj)
 | |
|         name = self.params["name"]
 | |
|         description = final.pop("Description", "").split(": ", 1)[-1]
 | |
|         final["Description"] = "{0}: {1}".format(name, description)
 | |
|         return final
 | |
| 
 | |
| 
 | |
| _ARGUMENT_SPEC = {
 | |
|     "name": dict(type="str", required=True),
 | |
|     "description": dict(type="str"),
 | |
|     "auth_method": dict(type="str", required=True),
 | |
|     "selector": dict(type="str"),
 | |
|     "bind_type": dict(
 | |
|         type="str", choices=["service", "node", "role", "templated-policy"]
 | |
|     ),
 | |
|     "bind_name": dict(type="str"),
 | |
|     "bind_vars": dict(type="dict"),
 | |
|     "state": dict(default="present", choices=["present", "absent"]),
 | |
| }
 | |
| _ARGUMENT_SPEC.update(AUTH_ARGUMENTS_SPEC)
 | |
| 
 | |
| 
 | |
| def main():
 | |
|     module = AnsibleModule(
 | |
|         _ARGUMENT_SPEC,
 | |
|         supports_check_mode=True,
 | |
|     )
 | |
|     consul_module = ConsulBindingRuleModule(module)
 | |
|     consul_module.execute()
 | |
| 
 | |
| 
 | |
| if __name__ == "__main__":
 | |
|     main()
 |