redhat-cop
diff --git a/‎changelogs/fragments/aap_26_additions.yml‎
Lines changed: 6 additions & 0 deletions b/‎changelogs/fragments/aap_26_additions.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎roles/gateway_role_definitions/README.md‎
Lines changed: 124 additions & 0 deletions b/‎roles/gateway_role_definitions/README.md‎
Lines changed: 124 additions & 0 deletions
diff --git a/‎roles/gateway_role_definitions/defaults/main.yml‎
Lines changed: 18 additions & 0 deletions b/‎roles/gateway_role_definitions/defaults/main.yml‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎roles/gateway_role_definitions/meta/argument_specs.yml‎
Lines changed: 100 additions & 0 deletions b/‎roles/gateway_role_definitions/meta/argument_specs.yml‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎roles/gateway_role_definitions/meta/main.yml‎
Lines changed: 29 additions & 0 deletions b/‎roles/gateway_role_definitions/meta/main.yml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎roles/gateway_role_definitions/tasks/main.yml‎
Lines changed: 63 additions & 0 deletions b/‎roles/gateway_role_definitions/tasks/main.yml‎
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,6 @@
+---
+minor_changes:
+  - Updated `gateway_role_user_assignments` role these changes will only work in AAP 2.6+
+  - Added `gateway_role_team_assignments` role for AAP 2.6+
+  - Added `gateway_role_definitions` role for AAP 2.6+
+...
@@ -0,0 +1,124 @@
+# Ansible Role infra.aap_configuration.gateway_role_definitions
+
+## Description
+
+An Ansible Role to create/update/remove Role Definitions on Ansible gateway.
+
+## Variables
+
+|Variable Name|Default Value|Required|Description|Example|
+|:---|:---:|:---:|:---|:---|
+|`platform_state`|"present"|no|The state all objects will take unless overridden by object default|'absent'|
+|`aap_hostname`|""|yes|URL to the Ansible Automation Platform Server.|127.0.0.1|
+|`aap_validate_certs`|`true`|no|Whether or not to validate the Ansible Automation Platform Server's SSL certificate.||
+|`aap_username`|""|no|Admin User on the Ansible Automation Platform Server. Either username / password or oauthtoken need to be specified.||
+|`aap_password`|""|no|Platform Admin User's password on the Server.  This should be stored in an Ansible Vault at vars/platform-secrets.yml or elsewhere and called from a parent playbook.||
+|`aap_token`|""|no|Controller Admin User's token on the Ansible Automation Platform Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.||
+|`aap_request_timeout`|""|no|Specify the timeout in seconds Ansible should use in requests to the Ansible Automation Platform host.||
+|`gateway_role_definitions`|`see below`|yes|Data structure describing your role definitions Described below.||
+
+### Enforcing defaults
+
+The following Variables complement each other.
+If Both variables are not set, enforcing default values is not done.
+Enabling these variables enforce default values on options that are optional in the controller API.
+This should be enabled to enforce configuration and prevent configuration drift. It is recommended to be enabled, however it is not enforced by default.
+
+Enabling this will enforce configuration without specifying every option in the configuration files.
+
+'gateway_role_definitions_enforce_defaults' defaults to the value of 'aap_configuration_enforce_defaults' if it is not explicitly called. This allows for enforced defaults to be toggled for the entire suite of controller configuration roles with a single variable, or for the user to selectively use it.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`gateway_role_definitions_enforce_defaults`|`false`|no|Whether or not to enforce default option values on only the role definitions role|
+|`aap_configuration_enforce_defaults`|`false`|no|This variable enables enforced default values as well, but is shared globally.|
+
+### Secure Logging Variables
+
+The following Variables complement each other.
+If Both variables are not set, secure logging defaults to false.
+The role defaults to false as normally the add role definitions task does not include sensitive information.
+gateway_role_definitions_secure_logging defaults to the value of aap_configuration_secure_logging if it is not explicitly called. This allows for secure logging to be toggled for the entire suite of gateway configuration roles with a single variable, or for the user to selectively use it.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`gateway_role_definitions_secure_logging`|`false`|no|Whether or not to include the sensitive role definitions role tasks in the log.  Set this value to `true` if you will be providing your sensitive values from elsewhere.|
+|`aap_configuration_secure_logging`|`false`|no|This variable enables secure logging as well, but is shared across multiple roles, see above.|
+
+### Asynchronous Retry Variables
+
+The following Variables set asynchronous retries for the role.
+If neither of the retries or delay or retries are set, they will default to their respective defaults.
+This allows for all items to be created, then checked that the task finishes successfully.
+This also speeds up the overall role.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`aap_configuration_async_retries`|30|no|This variable sets the number of retries to attempt for the role globally.|
+|`gateway_role_definitions_async_retries`|`aap_configuration_async_retries`|no|This variable sets the number of retries to attempt for the role.|
+|`aap_configuration_async_delay`|1|no|This sets the delay between retries for the role globally.|
+|`gateway_role_definitions_async_delay`|`aap_configuration_async_delay`|no|This sets the delay between retries for the role.|
+|`aap_configuration_loop_delay`|0|no|This variable sets the loop_delay for the role globally.|
+|`gateway_role_definitions_loop_delay`|`aap_configuration_loop_delay`|no|This variable sets the loop_delay for the role.|
+|`aap_configuration_async_dir`|`null`|no|Sets the directory to write the results file for async tasks. The default value is set to `null` which uses the Ansible Default of `/root/.ansible_async/`.|
+
+## Data Structure
+
+### Role Definition Variables
+
+**WARNING: This role will only work in AAP 2.6+** Options for the `gateway_role_definitions` variable:
+
+| Variable Name       | Default Value | Required | Type | Description                                                                                           |
+|:--------------------|:-------------:|:--------:|:----:|:------------------------------------------------------------------------------------------------------|
+| `content_type`      |      N/A      |   yes    | str  | The content type for which the role applies (e.g., awx.inventory)                                     |
+| `description`       |      N/A      |    no    | str  | Description of the role definition                                                                    |
+| `name`              |      N/A      |   yes    | str  | The name of the role definition (must be unique)                                                      |
+| `new_name`          |      N/A      |    no    | str  | Setting this option will change the existing name (looked up via the name field)                      |
+| `permissions`       |      N/A      |   yes    | list | List of permission strings to associate with the role (e.g., awx.view_inventory)                      |
+| `state`             |   `present`   |    no    | str  | Desired state of the resource.                                                                        |
+
+### Standard Role Definition Data Structure
+
+#### Json Example
+
+```json
+{
+  "gateway_role_definitions": [
+    {
+      "name": "Create a role definition",
+      "ansible.platform.role_definition": {
+        "name": "Organization Inventory Admin",
+        "description": "Grants full inventory access",
+        "content_type": "awx.inventory",
+        "permissions": [
+          "awx.view_inventory",
+          "awx.change_inventory"
+        ],
+        "state": "present"
+      }
+    }
+  ]
+}
+```
+
+#### Yaml Example
+
+File name: `data/gateway_role_definitions.yml`
+
+```yaml
+---
+gateway_role_definitions:
+- name: Create a role definition
+  ansible.platform.role_definition:
+    name: Organization Inventory Admin
+    description: Grants full inventory access
+    content_type: awx.inventory
+    permissions:
+      - awx.view_inventory
+      - awx.change_inventory
+    state: present
+```
+
+## License
+
+[GPL-3.0](https://github.com/redhat-cop/aap_configuration#licensing)
@@ -0,0 +1,18 @@
+---
+# These are the default variables common to most gateway_configuration roles
+# You shouldn't need to define them again and again but they should be defined
+# aap_hostname: "{{ inventory_hostname }}"
+# gateway_token: ""
+# aap_validate_certs: false
+
+# These are the default variables specific to the license role
+
+# a list of dictionaries describing the gateway role_definitions
+gateway_role_definitions: []
+gateway_role_definitions_secure_logging: "{{ aap_configuration_secure_logging | default('false') }}"
+gateway_role_definitions_async_retries: "{{ aap_configuration_async_retries | default(30) }}"
+gateway_role_definitions_async_delay: "{{ aap_configuration_async_delay | default(1) }}"
+gateway_role_definitions_enforce_defaults: "{{ aap_configuration_enforce_defaults | default(false) }}"
+gateway_role_definitions_loop_delay: "{{ aap_configuration_loop_delay | default(0) }}"
+aap_configuration_async_dir:
+...
@@ -0,0 +1,100 @@
+---
+argument_specs:
+  main:
+    short_description: An Ansible Role to create role_definitions on Ansible gateway for AAP 2.6+.
+    options:
+      gateway_role_definitions:
+        description: Data structure describing your role_definitions
+        type: list
+        required: true
+        elements: dict
+        options:
+          content_type:
+            required: true
+            type: str
+            description: The content type for which the role applies (e.g., awx.inventory)
+          description:
+            type: str
+            description: Description of the role definition
+          name:
+            required: true
+            type: str
+            description: The name of the role definition (must be unique)
+          new_name:
+            type: str
+            description: Setting this option will change the existing name (looked up via the name field)
+          permissions:
+            required: true
+            type: list
+            description: List of permission strings to associate with the role (e.g., awx.view_inventory)
+          state:
+            default: present
+            type: str
+            description: Desired state of the role definition
+
+      # Async variables
+      role_definitions_async_retries:
+        default: "{{ aap_configuration_async_retries | default(30) }}"
+        required: false
+        description: This variable sets the number of retries to attempt for the role.
+      aap_configuration_async_retries:
+        default: 30
+        required: false
+        description: This variable sets number of retries across all roles as a default.
+      role_definitions_async_delay:
+        default: "{{ aap_configuration_async_delay | default(1) }}"
+        required: false
+        description: This variable sets delay between retries for the role.
+      aap_configuration_async_delay:
+        default: 1
+        required: false
+        description: This variable sets delay between retries across all roles as a default.
+      aap_configuration_async_dir:
+        default:
+        required: false
+        description: Sets the directory to write the results file for async tasks. The default value is set to `null` which uses the Ansible Default of `/root/.ansible_async/`.
+
+      # No_log variables
+      gateway_role_definitions_secure_logging:
+        default: "{{ aap_configuration_secure_logging | default(false) }}"
+        required: false
+        type: bool
+        description: Whether or not to include the sensitive tasks from this role in the log. Set this value to `true` if you will be providing your sensitive values from elsewhere.
+      aap_configuration_secure_logging:
+        default: false
+        required: false
+        type: bool
+        description: This variable enables secure logging across all roles as a default.
+
+      # Generic across all roles
+      platform_state:
+        default: present
+        required: false
+        description: The state all objects will take unless overridden by object default
+        type: str
+      aap_hostname:
+        default: None
+        required: false
+        description: URL to the Ansible gateway Server.
+        type: str
+      aap_validate_certs:
+        default: true
+        required: false
+        description: Whether or not to validate the Ansible gateway Server's SSL certificate.
+        type: str
+      aap_username:
+        default: None
+        required: false
+        description: Admin User on the Ansible gateway Server. Either username / password or oauthtoken need to be specified.
+        type: str
+      aap_password:
+        default: None
+        required: false
+        description: Gateway Admin User's password on the Ansible gateway Server. This should be stored in an Ansible Vault at vars/gateway-secrets.yml or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.
+        type: str
+      aap_token:
+        default: None
+        required: false
+        description: Gateway Admin User's token on the Ansible gateway Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.
+        type: str
+...
@@ -0,0 +1,29 @@
+---
+galaxy_info:
+  role_name: gateway_role_definitions
+  author: Auto Generated
+  description: An Ansible Role to create role_definitions in Ansible gateway.
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+  license: GPLv3
+
+  min_ansible_version: 2.16.0
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+
+  galaxy_tags:
+    - gateway
+    - aap
+    - configuration
+    - roledefinition
+    - roledefinitions
+
+dependencies:
+  - role: global_vars
+...
@@ -0,0 +1,63 @@
+---
+- name: Manage Gateway Role definitions Block
+  vars:
+    ansible_async_dir: "{{ aap_configuration_async_dir }}"
+  no_log: "{{ gateway_role_definitions_secure_logging }}"
+  block:
+    - name: Role definitions | Configuration
+      ansible.platform.role_definition:
+        name: "{{ __gateway_role_definition_item.name | mandatory }}"
+        new_name: "{{ __gateway_role_definition_item.new_name | default(omit, true) }}"
+        description: "{{ __gateway_role_definition_item.description | default(('' if gateway_role_definitions_enforce_defaults else omit), true) }}"
+        content_type: "{{ __gateway_role_definition_item.content_type | mandatory }}"
+        permissions: "{{ __gateway_role_definition_item.permissions | mandatory }}"
+        state: "{{ __gateway_role_definition_item.state | default(platform_state | default(omit, true)) }}"
+
+        # Role Standard Options
+        gateway_hostname: "{{ aap_hostname | default(omit, true) }}"
+        gateway_username: "{{ aap_username | default(omit, true) }}"
+        gateway_password: "{{ aap_password | default(omit, true) }}"
+        gateway_token: "{{ aap_token | default(omit, true) }}"
+        gateway_request_timeout: "{{ aap_request_timeout | default(omit, true) }}"
+        gateway_validate_certs: "{{ aap_validate_certs | default(omit) }}"
+      loop: "{{ gateway_role_definitions }}"
+      loop_control:
+        loop_var: __gateway_role_definitions_item
+        label: "{{ __operation.verb }} Role Based Access Entry on Controller {{ __gateway_role_definitions_item.1 | default(__gateway_role_definitions_item.role_definition) }}"
+        pause: "{{ gateway_role_definitions_loop_delay }}"
+      async: 1000
+      poll: 0
+      register: __gateway_role_definitions_job_async
+      changed_when: not __gateway_role_definitions_job_async.changed
+      vars:
+        __operation: "{{ operation_translate[__gateway_role_definitions_item.state | default(platform_state) | default('present')] }}"
+
+    - name: Role definitions | Wait for finish the configuration
+      when:
+        - not ansible_check_mode
+        - __gateway_role_definitions_job_async_results_item.ansible_job_id is defined
+      ansible.builtin.include_role:
+        name: infra.aap_configuration.collect_async_status
+      loop: "{{ __gateway_role_definitions_job_async.results }}"
+      loop_control:
+        loop_var: __gateway_role_definitions_job_async_results_item
+        label: "{{ __operation.verb }} Role {{ __gateway_role_definitions_job_async_results_item.__gateway_role_definitions_item.1 | default(__gateway_role_definitions_job_async_results_item.__gateway_role_definitions_item.role_definition) }} | Wait for finish the Roles {{ __operation.action }}"
+      vars:
+        cas_secure_logging: "{{ gateway_role_definitions_secure_logging }}"
+        cas_job_async_results_item: "{{ __gateway_role_definitions_job_async_results_item }}"
+        cas_error_list_var_name: "gateway_role_definitions_errors"
+        __operation: "{{ operation_translate[__gateway_role_definitions_job_async_results_item.__controller_role_item.state | default(platform_state) | default('present')] }}"
+
+  always:
+    - name: Cleanup async results files
+      when:
+        - not ansible_check_mode
+        - __gateway_role_definitions_job_async_results_item.ansible_job_id is defined
+      ansible.builtin.async_status:
+        jid: "{{ __gateway_role_definitions_job_async_results_item.ansible_job_id }}"
+        mode: cleanup
+      loop: "{{ __gateway_role_definitions_job_async.results }}"
+      loop_control:
+        loop_var: __gateway_role_definitions_job_async_results_item
+        label: "Cleaning up job results file: {{ __gateway_role_definitions_job_async_results_item.results_file | default('Unknown') }}"
+...