#!/usr/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2017 Google # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) # ---------------------------------------------------------------------------- # # *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** # # ---------------------------------------------------------------------------- # # This file is automatically generated by Magic Modules and manual # changes will be clobbered when the file is regenerated. # # Please read more about how to change this file at # https://www.github.com/GoogleCloudPlatform/magic-modules # # ---------------------------------------------------------------------------- from __future__ import absolute_import, division, print_function __metaclass__ = type ################################################################################ # Documentation ################################################################################ ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'} DOCUMENTATION = ''' --- module: gcp_iam_role description: - A role in the Identity and Access Management API . short_description: Creates a GCP Role version_added: 2.8 author: Google Inc. (@googlecloudplatform) requirements: - python >= 2.6 - requests >= 2.18.4 - google-auth >= 1.3.0 options: state: description: - Whether the given object should exist in GCP choices: - present - absent default: present name: description: - The name of the role. required: true title: description: - A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. required: false description: description: - Human-readable description for the role. required: false included_permissions: description: - Names of permissions this role grants when bound in an IAM policy. required: false stage: description: - The current launch stage of the role. required: false choices: - ALPHA - BETA - GA - DEPRECATED - DISABLED - EAP extends_documentation_fragment: gcp ''' EXAMPLES = ''' - name: create a role gcp_iam_role: name: myCustomRole2 title: My Custom Role description: My custom role description included_permissions: - iam.roles.list - iam.roles.create - iam.roles.delete project: test_project auth_kind: serviceaccount service_account_file: "/tmp/auth.pem" state: present ''' RETURN = ''' name: description: - The name of the role. returned: success type: str title: description: - A human-readable title for the role. Typically this is limited to 100 UTF-8 bytes. returned: success type: str description: description: - Human-readable description for the role. returned: success type: str includedPermissions: description: - Names of permissions this role grants when bound in an IAM policy. returned: success type: list stage: description: - The current launch stage of the role. returned: success type: str deleted: description: - The current deleted state of the role. returned: success type: bool ''' ################################################################################ # Imports ################################################################################ from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, replace_resource_dict import json ################################################################################ # Main ################################################################################ def main(): """Main function""" module = GcpModule( argument_spec=dict( state=dict(default='present', choices=['present', 'absent'], type='str'), name=dict(required=True, type='str'), title=dict(type='str'), description=dict(type='str'), included_permissions=dict(type='list', elements='str'), stage=dict(type='str', choices=['ALPHA', 'BETA', 'GA', 'DEPRECATED', 'DISABLED', 'EAP']), ) ) if not module.params['scopes']: module.params['scopes'] = ['https://www.googleapis.com/auth/iam'] state = module.params['state'] fetch = fetch_resource(module, self_link(module)) changed = False if fetch: if state == 'present': if is_different(module, fetch): update(module, self_link(module), fetch) fetch = fetch_resource(module, self_link(module)) changed = True else: delete(module, self_link(module)) fetch = {} changed = True else: if state == 'present': fetch = create(module, collection(module)) changed = True else: fetch = {} fetch.update({'changed': changed}) module.exit_json(**fetch) def create(module, link): auth = GcpSession(module, 'iam') return return_if_object(module, auth.post(link, resource_to_create(module))) def update(module, link, fetch): auth = GcpSession(module, 'iam') params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))} request = resource_to_request(module) del request['name'] return return_if_object(module, auth.put(link, request, params=params)) def updateMask(request, response): update_mask = [] if request.get('name') != response.get('name'): update_mask.append('name') if request.get('title') != response.get('title'): update_mask.append('title') if request.get('description') != response.get('description'): update_mask.append('description') if request.get('includedPermissions') != response.get('includedPermissions'): update_mask.append('includedPermissions') if request.get('stage') != response.get('stage'): update_mask.append('stage') return ','.join(update_mask) def delete(module, link): auth = GcpSession(module, 'iam') return return_if_object(module, auth.delete(link)) def resource_to_request(module): request = { u'name': module.params.get('name'), u'title': module.params.get('title'), u'description': module.params.get('description'), u'includedPermissions': module.params.get('included_permissions'), u'stage': module.params.get('stage'), } return_vals = {} for k, v in request.items(): if v or v is False: return_vals[k] = v return return_vals def fetch_resource(module, link, allow_not_found=True): auth = GcpSession(module, 'iam') return return_if_object(module, auth.get(link), allow_not_found) def self_link(module): return "https://iam.googleapis.com/v1/projects/{project}/roles/{name}".format(**module.params) def collection(module): return "https://iam.googleapis.com/v1/projects/{project}/roles".format(**module.params) def return_if_object(module, response, allow_not_found=False): # If not found, return nothing. if allow_not_found and response.status_code == 404: return None # If no content, return nothing. if response.status_code == 204: return None try: module.raise_for_status(response) result = response.json() except getattr(json.decoder, 'JSONDecodeError', ValueError): module.fail_json(msg="Invalid JSON response with error: %s" % response.text) result = decode_response(result, module) if navigate_hash(result, ['error', 'errors']): module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) return result def is_different(module, response): request = resource_to_request(module) response = response_to_hash(module, response) request = decode_response(request, module) # Remove all output-only from response. response_vals = {} for k, v in response.items(): if k in request: response_vals[k] = v request_vals = {} for k, v in request.items(): if k in response: request_vals[k] = v return GcpRequest(request_vals) != GcpRequest(response_vals) # Remove unnecessary properties from the response. # This is for doing comparisons with Ansible's current parameters. def response_to_hash(module, response): return { u'name': response.get(u'name'), u'title': response.get(u'title'), u'description': response.get(u'description'), u'includedPermissions': response.get(u'includedPermissions'), u'stage': response.get(u'stage'), u'deleted': response.get(u'deleted'), } def resource_to_create(module): role = resource_to_request(module) del role['name'] return {'roleId': module.params['name'], 'role': role} def decode_response(response, module): if 'name' in response: response['name'] = response['name'].split('/')[-1] return response if __name__ == '__main__': main()