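---
# Integration tasks for azure_rm_roledefinition / azure_rm_roleassignment.
#
# Flow: build a unique custom role name, create a custom role scoped to the
# test resource group (check mode first, then for real), verify it via the
# facts module, update it, assign it to the principal running the tests,
# then remove the assignment and the role again.
#
# Inputs: `resource_group` must be defined by the caller; AZURE_SUBSCRIPTION_ID
# and AZURE_CLIENT_ID are read from the environment.
#
# NOTE(review): there is no block/always cleanup, so a failure part-way
# through leaves the custom role and/or its assignment behind — consider
# wrapping the create/assign tasks in a block with an `always` teardown.

- name: Fix resource prefix
  set_fact:
    # Last 8 chars of the resource group (dashes replaced) plus a random
    # suffix, so repeated runs do not collide on the role name.
    role_name: "{{ (resource_group | replace('-','x'))[-8:] }}{{ 1000 | random }}testrole"
    subscription_id: "{{ lookup('env','AZURE_SUBSCRIPTION_ID') }}"
    principal_id: "{{ lookup('env','AZURE_CLIENT_ID') }}"
  # run_once so every host in the play shares the same random role_name.
  run_once: true

- name: Create a role definition (Check Mode)
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    # Restrict where the role may be assigned to the test resource group only.
    assignable_scopes:
      - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  check_mode: true
  register: output

- name: Assert creating role definition check mode
  assert:
    that:
      - output.changed

- name: Create a role definition
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
      - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- name: Assert creating role definition
  assert:
    that:
      - output.changed

- name: Get facts by type
  azure_rm_roledefinition_facts:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    type: custom
  register: facts

- name: Assert facts
  assert:
    that:
      # NOTE(review): `> 1` presumes at least one other custom role is already
      # visible at this scope — confirm this holds in the test subscription.
      - facts['roledefinitions'] | length > 1

- name: Get facts by name
  azure_rm_roledefinition_facts:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    role_name: "{{ role_name }}"
  register: facts
  # Role definition reads lag behind writes; poll until the new role shows up
  # (up to 50 x 60 s).
  until: facts.roledefinitions | length > 0
  retries: 50
  delay: 60

- name: Assert facts
  assert:
    that:
      - facts['roledefinitions'] | length == 1
      - facts['roledefinitions'][0]['permissions'] | length == 1
      - facts['roledefinitions'][0]['permissions'][0]['not_data_actions'] | length == 1
      - facts['roledefinitions'][0]['permissions'][0]['data_actions'] | length == 1

# Same parameters as the create task: must report no change.
- name: Update the role definition (idempotent)
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
      - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- name: assert output not changed
  assert:
    that:
      - not output.changed

# Adds one extra action to the permissions: must report a change.
- name: Update the role definition
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    permissions:
      - actions:
          - "Microsoft.Compute/virtualMachines/read"
          - "Microsoft.Compute/virtualMachines/start/action"
        not_actions:
          - "Microsoft.Compute/virtualMachines/write"
        data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        not_data_actions:
          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    assignable_scopes:
      - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
  register: output

- name: assert output changed
  assert:
    that:
      - output.changed

- name: Get role definition facts
  azure_rm_roledefinition_facts:
    role_name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    type: custom
  register: roledef
  # `until` is already a conditional; no `{{ }}` wrapping (matches the earlier
  # poll above).
  until: roledef.roledefinitions | length > 0
  retries: 50
  delay: 60

- name: Assert role definition facts
  assert:
    that:
      - roledef['roledefinitions'] | length == 1
      - roledef['roledefinitions'][0]['id']

- name: Create a role assignment (Check Mode)
  azure_rm_roleassignment:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    # NOTE(review): AZURE_CLIENT_ID is an application (client) ID, while this
    # parameter is named as a principal object ID — confirm the test
    # environment supplies a value the module accepts here.
    assignee_object_id: "{{ principal_id }}"
    role_definition_id: "{{ roledef['roledefinitions'][0]['id'] }}"
  check_mode: true
  register: output

- name: Assert creating role assignment check mode
  assert:
    that:
      - output.changed

- name: Create a role assignment
  azure_rm_roleassignment:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    assignee_object_id: "{{ principal_id }}"
    role_definition_id: "{{ roledef['roledefinitions'][0]['id'] }}"
  register: output

- name: Assert creating role assignment
  assert:
    that:
      - output.changed

- name: Get facts
  azure_rm_roleassignment_facts:
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    assignee: "{{ principal_id }}"
    role_definition_id: "{{ roledef['roledefinitions'][0]['id'] }}"
  register: facts

- name: assert role assignment facts
  assert:
    that:
      - facts['roleassignments'] | length > 0
      - facts['roleassignments'][0]['id']

# The assignment is removed before the role so the role delete cannot fail on
# (or leave behind) a dangling grant of the custom permissions.
- name: delete role assignment
  azure_rm_roleassignment:
    # Assignment name is the last path segment of the id returned by facts.
    name: "{{ facts['roleassignments'][0]['id'].split('/')[-1] }}"
    # NOTE(review): deletion uses subscription scope while the assignment was
    # created at resource-group scope — confirm the module resolves the
    # assignment by name at this broader scope.
    scope: "/subscriptions/{{ subscription_id }}"
    state: absent

- name: Delete the role definition (Check Mode)
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    state: absent
  check_mode: true
  register: output

- name: assert deleting role definition check mode
  assert:
    that:
      - output.changed

- name: Delete the role definition
  azure_rm_roledefinition:
    name: "{{ role_name }}"
    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
    state: absent
  register: output

- name: Assert deleting role definition
  assert:
    that:
      - output.changed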