diff --git a/lib/ansible/modules/cloud/google/gcp_storage_bucket_access_control.py b/lib/ansible/modules/cloud/google/gcp_storage_bucket_access_control.py new file mode 100644 index 00000000000..b8c8cbca54f --- /dev/null +++ b/lib/ansible/modules/cloud/google/gcp_storage_bucket_access_control.py @@ -0,0 +1,363 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Copyright (C) 2017 Google +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file at +# https://www.github.com/GoogleCloudPlatform/magic-modules +# +# ---------------------------------------------------------------------------- + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +################################################################################ +# Documentation +################################################################################ + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ["preview"], + 'supported_by': 'community'} + +DOCUMENTATION = ''' +--- +module: gcp_storage_bucket_access_control +description: + - The BucketAccessControls resource represents the Access Control Lists (ACLs) for + buckets within Google Cloud Storage. ACLs let you specify who has access to your + data and to what extent. + - 'There are three roles that can be assigned to an entity: READERs can get the bucket, + though no acl property will be returned, and list the bucket''s objects. WRITERs + are READERs, and they can insert objects into the bucket and delete the bucket''s + objects. OWNERs are WRITERs, and they can get the acl property of a bucket, update + a bucket, and call all BucketAccessControls methods on the bucket. For more information, + see Access Control, with the caveat that this API uses READER, WRITER, and OWNER + instead of READ, WRITE, and FULL_CONTROL.' +short_description: Creates a GCP BucketAccessControl +version_added: 2.6 +author: Google Inc. (@googlecloudplatform) +requirements: + - python >= 2.6 + - requests >= 2.18.4 + - google-auth >= 1.3.0 +options: + state: + description: + - Whether the given object should exist in GCP + required: true + choices: ['present', 'absent'] + default: 'present' + bucket: + description: + - A reference to Bucket resource. + required: true + entity: + description: + - 'The entity holding the permission, in one of the following + forms: user-userId user-email group-groupId group-email + domain-domain project-team-projectId allUsers + allAuthenticatedUsers Examples: The user liz@example.com would be + user-liz@example.com.' + - The group example@googlegroups.com would be group-example@googlegroups.com. + - To refer to all members of the Google Apps for Business domain example.com, the + entity would be domain-example.com. + required: true + entity_id: + description: + - The ID for the entity. + required: false + project_team: + description: + - The project team associated with the entity. + required: false + suboptions: + project_number: + description: + - The project team associated with the entity. + required: false + team: + description: + - The team. + required: false + choices: ['editors', 'owners', 'viewers'] + role: + description: + - The access permission for the entity. + required: false + choices: ['OWNER', 'READER', 'WRITER'] +extends_documentation_fragment: gcp +''' + +EXAMPLES = ''' +- name: create a bucket + gcp_storage_bucket: + name: 'bucket-bac' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: present + register: bucket +- name: create a bucket access control + gcp_storage_bucket_access_control: + bucket: "{{ bucket }}" + entity: 'user-alexstephen@google.com' + role: 'WRITER' + project: testProject + auth_kind: service_account + service_account_file: /tmp/auth.pem + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: present +''' + +RETURN = ''' + bucket: + description: + - A reference to Bucket resource. + returned: success + type: dict + domain: + description: + - The domain associated with the entity. + returned: success + type: str + email: + description: + - The email address associated with the entity. + returned: success + type: str + entity: + description: + - 'The entity holding the permission, in one of the following + forms: user-userId user-email group-groupId group-email + domain-domain project-team-projectId allUsers + allAuthenticatedUsers Examples: The user liz@example.com would be + user-liz@example.com.' + - The group example@googlegroups.com would be group-example@googlegroups.com. + - To refer to all members of the Google Apps for Business domain example.com, the + entity would be domain-example.com. + returned: success + type: str + entity_id: + description: + - The ID for the entity. + returned: success + type: str + id: + description: + - The ID of the access-control entry. + returned: success + type: str + project_team: + description: + - The project team associated with the entity. + returned: success + type: complex + contains: + project_number: + description: + - The project team associated with the entity. + returned: success + type: str + team: + description: + - The team. + returned: success + type: str + role: + description: + - The access permission for the entity. + returned: success + type: str +''' + +################################################################################ +# Imports +################################################################################ + +from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, remove_nones_from_dict, replace_resource_dict +import json + +################################################################################ +# Main +################################################################################ + + +def main(): + """Main function""" + + module = GcpModule( + argument_spec=dict( + state=dict(default='present', choices=['present', 'absent'], type='str'), + bucket=dict(required=True, type='dict'), + entity=dict(required=True, type='str'), + entity_id=dict(type='str'), + project_team=dict(type='dict', options=dict( + project_number=dict(type='str'), + team=dict(type='str', choices=['editors', 'owners', 'viewers']) + )), + role=dict(type='str', choices=['OWNER', 'READER', 'WRITER']) + ) + ) + + state = module.params['state'] + kind = 'storage#bucketAccessControl' + + fetch = fetch_resource(module, self_link(module), kind) + changed = False + + if fetch: + if state == 'present': + if is_different(module, fetch): + fetch = update(module, self_link(module), kind) + changed = True + else: + delete(module, self_link(module), kind) + fetch = {} + changed = True + else: + if state == 'present': + fetch = create(module, collection(module), kind) + changed = True + else: + fetch = {} + + fetch.update({'changed': changed}) + + module.exit_json(**fetch) + + +def create(module, link, kind): + auth = GcpSession(module, 'storage') + return return_if_object(module, auth.post(link, resource_to_request(module)), kind) + + +def update(module, link, kind): + auth = GcpSession(module, 'storage') + return return_if_object(module, auth.put(link, resource_to_request(module)), kind) + + +def delete(module, link, kind): + auth = GcpSession(module, 'storage') + return return_if_object(module, auth.delete(link), kind) + + +def resource_to_request(module): + request = { + u'kind': 'storage#bucketAccessControl', + u'bucket': replace_resource_dict(module.params.get(u'bucket', {}), 'name'), + u'entity': module.params.get('entity'), + u'entityId': module.params.get('entity_id'), + u'projectTeam': BuckAcceContProjTeam(module.params.get('project_team', {}), module).to_request(), + u'role': module.params.get('role') + } + return_vals = {} + for k, v in request.items(): + if v: + return_vals[k] = v + + return return_vals + + +def fetch_resource(module, link, kind): + auth = GcpSession(module, 'storage') + return return_if_object(module, auth.get(link), kind) + + +def self_link(module): + return "https://www.googleapis.com/storage/v1/b/{bucket}/acl/{entity}".format(**module.params) + + +def collection(module): + return "https://www.googleapis.com/storage/v1/b/{bucket}/acl".format(**module.params) + + +def return_if_object(module, response, kind): + # If not found, return nothing. + if response.status_code == 404: + return None + + # If no content, return nothing. + if response.status_code == 204: + return None + + try: + module.raise_for_status(response) + result = response.json() + except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst: + module.fail_json(msg="Invalid JSON response with error: %s" % inst) + + if navigate_hash(result, ['error', 'errors']): + module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) + if result['kind'] != kind: + module.fail_json(msg="Incorrect result: {kind}".format(**result)) + + return result + + +def is_different(module, response): + request = resource_to_request(module) + response = response_to_hash(module, response) + + # Remove all output-only from response. + response_vals = {} + for k, v in response.items(): + if k in request: + response_vals[k] = v + + request_vals = {} + for k, v in request.items(): + if k in response: + request_vals[k] = v + + return GcpRequest(request_vals) != GcpRequest(response_vals) + + +# Remove unnecessary properties from the response. +# This is for doing comparisons with Ansible's current parameters. +def response_to_hash(module, response): + return { + u'bucket': response.get(u'bucket'), + u'domain': response.get(u'domain'), + u'email': response.get(u'email'), + u'entity': response.get(u'entity'), + u'entityId': response.get(u'entityId'), + u'id': response.get(u'id'), + u'projectTeam': BuckAcceContProjTeam(response.get(u'projectTeam', {}), module).from_response(), + u'role': response.get(u'role') + } + + +class BuckAcceContProjTeam(object): + def __init__(self, request, module): + self.module = module + if request: + self.request = request + else: + self.request = {} + + def to_request(self): + return remove_nones_from_dict({ + u'projectNumber': self.request.get('project_number'), + u'team': self.request.get('team') + }) + + def from_response(self): + return remove_nones_from_dict({ + u'projectNumber': self.request.get(u'projectNumber'), + u'team': self.request.get(u'team') + }) + +if __name__ == '__main__': + main() diff --git a/test/integration/targets/gcp_storage_bucket_access_control/aliases b/test/integration/targets/gcp_storage_bucket_access_control/aliases new file mode 100644 index 00000000000..9812f019ca4 --- /dev/null +++ b/test/integration/targets/gcp_storage_bucket_access_control/aliases @@ -0,0 +1,2 @@ +cloud/gcp +unsupported diff --git a/test/integration/targets/gcp_storage_bucket_access_control/defaults/main.yml b/test/integration/targets/gcp_storage_bucket_access_control/defaults/main.yml new file mode 100644 index 00000000000..aa87a2a8e0e --- /dev/null +++ b/test/integration/targets/gcp_storage_bucket_access_control/defaults/main.yml @@ -0,0 +1,3 @@ +--- +# defaults file +resource_name: '{{resource_prefix}}' diff --git a/test/integration/targets/gcp_storage_bucket_access_control/meta/main.yml b/test/integration/targets/gcp_storage_bucket_access_control/meta/main.yml new file mode 100644 index 00000000000..e69de29bb2d diff --git a/test/integration/targets/gcp_storage_bucket_access_control/tasks/main.yml b/test/integration/targets/gcp_storage_bucket_access_control/tasks/main.yml new file mode 100644 index 00000000000..cc2e8b3ea04 --- /dev/null +++ b/test/integration/targets/gcp_storage_bucket_access_control/tasks/main.yml @@ -0,0 +1,120 @@ +--- +# ---------------------------------------------------------------------------- +# +# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** +# +# ---------------------------------------------------------------------------- +# +# This file is automatically generated by Magic Modules and manual +# changes will be clobbered when the file is regenerated. +# +# Please read more about how to change this file at +# https://www.github.com/GoogleCloudPlatform/magic-modules +# +# ---------------------------------------------------------------------------- +# Pre-test setup +- name: create a bucket + gcp_storage_bucket: + name: 'bucket-bac' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: present + register: bucket +- name: delete a bucket access control + gcp_storage_bucket_access_control: + bucket: "{{ bucket }}" + entity: 'user-alexstephen@google.com' + role: 'WRITER' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: absent +#---------------------------------------------------------- +- name: create a bucket access control + gcp_storage_bucket_access_control: + bucket: "{{ bucket }}" + entity: 'user-alexstephen@google.com' + role: 'WRITER' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: present + register: result +- name: assert changed is true + assert: + that: + - result.changed == true + - "result.kind == 'storage#bucketAccessControl'" +# ---------------------------------------------------------------------------- +- name: create a bucket access control that already exists + gcp_storage_bucket_access_control: + bucket: "{{ bucket }}" + entity: 'user-alexstephen@google.com' + role: 'WRITER' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: present + register: result +- name: assert changed is false + assert: + that: + - result.changed == false + - "result.kind == 'storage#bucketAccessControl'" +#---------------------------------------------------------- +- name: delete a bucket access control + gcp_storage_bucket_access_control: + bucket: "{{ bucket }}" + entity: 'user-alexstephen@google.com' + role: 'WRITER' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: absent + register: result +- name: assert changed is true + assert: + that: + - result.changed == true + - result.has_key('kind') == False +# ---------------------------------------------------------------------------- +- name: delete a bucket access control that does not exist + gcp_storage_bucket_access_control: + bucket: "{{ bucket }}" + entity: 'user-alexstephen@google.com' + role: 'WRITER' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: absent + register: result +- name: assert changed is false + assert: + that: + - result.changed == false + - result.has_key('kind') == False +#--------------------------------------------------------- +# Post-test teardown +- name: delete a bucket + gcp_storage_bucket: + name: 'bucket-bac' + project: "{{ gcp_project }}" + auth_kind: "{{ gcp_cred_kind }}" + service_account_file: "{{ gcp_cred_file }}" + scopes: + - https://www.googleapis.com/auth/devstorage.full_control + state: absent + register: bucket