add azure role definition module #52468

Merged: 11 commits, Mar 6, 2019

@yungezz
Contributor

yungezz commented Feb 18, 2019

SUMMARY

New module for Azure role definition. The test requires that the test service principal has the owner role in the test subscription.

ISSUE TYPE
  • New Module Pull Request
COMPONENT NAME
ADDITIONAL INFORMATION

@ansibot
Contributor

ansibot commented Feb 18, 2019

@yungezz, just so you are aware we have a dedicated Working Group for azure.
You can find other people interested in this in #ansible-azure on Freenode IRC
For more information about communities, meetings and agendas see https://github.com/ansible/community

click here for bot help

@ansibot added the affects_2.8, azure, cloud, core_review, module, needs_triage, new_module, new_plugin, support:community, support:core and test labels Feb 18, 2019
@yungezz
Contributor Author

yungezz commented Feb 19, 2019

Role definition creation failed because the test service principal doesn't have permission.

https://app.shippable.com/github/ansible/ansible/runs/108108/82/console

"msg": "Error creating role definition: Azure Error: AuthorizationFailed\nMessage: The client '45641ef5-4510-4c63-897e-5a9ddba13dab' with object id '45641ef5-4510-4c63-897e-5a9ddba13dab' does not have authorization to perform action 'Microsoft.Authorization/roleDefinitions/write' over scope '/subscriptions/6d22db98-3e5f-4ab9-bdf9-2f911a2775f7/resourceGroups/ansible-core-ci-prod-7b90d1d7-ea55-4ef4-9769-c5fe3e25c112-1/providers/Microsoft.Authorization/roleDefinitions/14532484-50c6-40fe-949e-96db2cd028da'."

Hi @mattclay, could you please grant owner permissions? Any concerns?

@ansibot
Contributor

ansibot commented Feb 19, 2019

The test ansible-test sanity --test pep8 [explain] failed with 1 error:

lib/ansible/modules/cloud/azure/azure_rm_roledefinition.py:332:17: E265 block comment should start with '# '

click here for bot help

@ansibot added the needs_revision label and removed the core_review label Feb 19, 2019
@samdoran removed the needs_triage label Feb 19, 2019
@ansibot
Contributor

ansibot commented Feb 20, 2019

@yungezz this PR contains more than one new module.

Please submit only one new module per pull request. For a detailed explanation, please read the grouped modules documentation

click here for bot help

@ansibot
Contributor

ansibot commented Feb 20, 2019

The test ansible-test sanity --test pylint [explain] failed with 3 errors:

lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:226:36: trailing-whitespace Trailing whitespace
lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:235:0: trailing-whitespace Trailing whitespace
lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:298:0: trailing-newlines Trailing newlines

The test ansible-test sanity --test pep8 [explain] failed with 3 errors:

lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:226:37: W291 trailing whitespace
lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:235:1: W293 blank line contains whitespace
lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:298:1: W391 blank line at end of file

The test ansible-test sanity --test validate-modules [explain] failed with 2 errors:

lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:0:0: E319 RETURN.roledefinitions.type: not a valid value for dictionary value @ data['roledefinitions']['type']. Got 'complext'
lib/ansible/modules/cloud/azure/azure_rm_roledefinition_facts.py:297:0: E109 Next to last line should be: if __name__ == "__main__":

click here for bot help

@mattclay
Member

@yungezz I'm not seeing that authorization issue on the latest test runs. Is it still a problem?

@yungezz
Contributor Author

yungezz commented Feb 26, 2019

add manual test output here for reference:

playbook code snippet:

    # Check mode: the module should report a change without creating the role.
    - name: Create a role definition (Check Mode)
      azure_rm_roledefinition:
        name: "{{ role_name }}"
        scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
        permissions:
          - actions:
              - "Microsoft.Compute/virtualMachines/read"
            data_actions:
              - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
        assignable_scopes:
          - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
      check_mode: yes
      register: output

    - name: Assert creating role definition check mode
      assert:
        that:
          - output.changed

    # Real run: creates the custom role at resource-group scope.
    - name: Create a role definition
      azure_rm_roledefinition:
        name: "{{ role_name }}"
        scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
        permissions:
          - actions:
              - "Microsoft.Compute/virtualMachines/read"
            data_actions:
              - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
        assignable_scopes:
          - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
      register: output

    - name: Assert creating role definition
      assert:
        that:
          - output.changed

    # Read the role back by name, restricted to custom roles.
    - name: Get facts
      azure_rm_roledefinition_facts:
        role_name: "{{ role_name }}"
        scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
        type: "custom"
      register: facts

    - name: dump output
      debug:
        var: facts

    # List every custom role definition at the scope.
    - name: lsit
      azure_rm_roledefinition_facts:
        scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
        type: custom
      register: output

    - name: dump output
      debug:
        var: output

    # Look up a single role definition by its role name.
    - name: get by name
      azure_rm_roledefinition_facts:
        scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
        role_name: "{{ role_name }}"
      register: output

    - name: dump output
      debug:
        var: output

facts output snippet

TASK [Create a role definition (Check Mode)] **************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:19
Tuesday 26 February 2019  13:35:11 +0800 (0:00:02.344)       0:00:04.821 ******
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308 `" && echo ansible-tmp-1551159311.9925406-89353712743308="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-1017475mac0wz/tmpwcnl7k91 TO /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308/AnsiballZ_azure_rm_roledefinition.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308/ /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551159311.9925406-89353712743308/ > /dev/null 2>&1 && sleep 0'
 [WARNING]: Azure API profile latest does not define an entry for AuthorizationManagementClient

changed: [localhost] => changed=true
  id: null
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      description: null
      name: xxxxxxxx-007d-457d-abb4-c31803a8857e
      password: null
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
        not_actions: null
        not_data_actions: null
      profile: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      state: present
      subscription_id: null
      tenant: null

TASK [Assert creating role definition check mode] *********************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:33
Tuesday 26 February 2019  13:35:14 +0800 (0:00:02.954)       0:00:07.775 ******
ok: [localhost] => changed=false
  msg: All assertions passed

TASK [Create a role definition] ***************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:38
Tuesday 26 February 2019  13:35:14 +0800 (0:00:00.055)       0:00:07.831 ******
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418 `" && echo ansible-tmp-1551159315.003723-17541038200418="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-1017475mac0wz/tmpfdlljsez TO /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418/AnsiballZ_azure_rm_roledefinition.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418/ /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551159315.003723-17541038200418/ > /dev/null 2>&1 && sleep 0'
changed: [localhost] => changed=true
  id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      description: null
      name: xxxxxxxx-007d-457d-abb4-c31803a8857e
      password: null
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
        not_actions: null
        not_data_actions: null
      profile: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      state: present
      subscription_id: null
      tenant: null

TASK [Assert creating role definition] ********************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:51
Tuesday 26 February 2019  13:35:25 +0800 (0:00:10.638)       0:00:18.470 ******
ok: [localhost] => changed=false
  msg: All assertions passed


TASK [lsit] ***********************************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:19
Tuesday 26 February 2019  13:29:42 +0800 (0:00:03.178)       0:00:04.986 ******
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161 `" && echo ansible-tmp-1551158982.6961415-99415513096161="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition_facts.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-9958zt5ltdlz/tmpxf795vpq TO /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161/AnsiballZ_azure_rm_roledefinition_facts.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161/ /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161/AnsiballZ_azure_rm_roledefinition_facts.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161/AnsiballZ_azure_rm_roledefinition_facts.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551158982.6961415-99415513096161/ > /dev/null 2>&1 && sleep 0'
 [WARNING]: Azure API profile latest does not define an entry for AuthorizationManagementClient

ok: [localhost] => changed=false
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      id: null
      password: null
      profile: null
      role_name: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      subscription_id: null
      tenant: null
      type: custom
  roledefinitions:
  - assignable_scopes:
    - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
    description: null
    id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-007d-457d-abb4-c31803a8857e
    name: xxxxxxxx-007d-457d-abb4-c31803a8857e
    permissions:
    - actions:
      - Microsoft.Compute/virtualMachines/read
      data_actions:
      - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      not_actions: []
      not_data_actions: []
    role_name: xxxxxxxx-ec64-4c98-8fb0-54dd09ab2a99
    type: CustomRole

TASK [dump output] ****************************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:25
Tuesday 26 February 2019  13:29:45 +0800 (0:00:02.421)       0:00:07.408 ******
ok: [localhost] =>
  output:
    changed: false
    failed: false
    roledefinitions:
    - assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      description: null
      id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-007d-457d-abb4-c31803a8857e
      name: xxxxxxx-007d-457d-abb4-c31803a8857e
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
        not_actions: []
        not_data_actions: []
      role_name: xxxxxxx-ec64-4c98-8fb0-54dd09ab2a99
      type: CustomRole
    warnings:
    - Azure API profile latest does not define an entry for AuthorizationManagementClient

TASK [get by name] ****************************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:29
Tuesday 26 February 2019  13:29:45 +0800 (0:00:00.057)       0:00:07.465 ******
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079 `" && echo ansible-tmp-1551158985.1766756-93796864095079="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition_facts.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-9958zt5ltdlz/tmp1j3ld3wr TO /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079/AnsiballZ_azure_rm_roledefinition_facts.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079/ /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079/AnsiballZ_azure_rm_roledefinition_facts.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079/AnsiballZ_azure_rm_roledefinition_facts.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551158985.1766756-93796864095079/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => changed=false
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      id: null
      password: null
      profile: null
      role_name: xxxxxxxxx-ec64-4c98-8fb0-54dd09ab2a99
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      subscription_id: null
      tenant: null
      type: null
  roledefinitions:
    assignable_scopes:
    - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
    description: null
    id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxx-007d-457d-abb4-c31803a8857e
    name: xxxxxxx-007d-457d-abb4-c31803a8857e
    permissions:
    - actions:
      - Microsoft.Compute/virtualMachines/read
      data_actions:
      - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      not_actions: []
      not_data_actions: []
    role_name: xxxxxxx-ec64-4c98-8fb0-54dd09ab2a99
    type: CustomRole

TASK [dump output] ****************************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:35
Tuesday 26 February 2019  13:29:47 +0800 (0:00:02.780)       0:00:10.246 ******
ok: [localhost] =>
  output:
    changed: false
    failed: false
    roledefinitions:
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      description: null
      id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxx-007d-457d-abb4-c31803a8857e
      name: xxxxxxx-007d-457d-abb4-c31803a8857e
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
        not_actions: []
        not_data_actions: []
      role_name: xxxxxxxx-ec64-4c98-8fb0-54dd09ab2a99
      type: CustomRole
    warnings:
    - Azure API profile latest does not define an entry for AuthorizationManagementClient

@yungezz
Contributor Author

yungezz commented Feb 26, 2019

ready_for_review

@ansibot
Contributor

ansibot commented Feb 26, 2019

The test ansible-test sanity --test integration-aliases [explain] failed with 1 error:

test/integration/targets/azure_rm_roledefinition/aliases:0:0: conflicting alias `shippable/azure/group[1-8]` and `unsupported`

click here for bot help

@ansibot added the ci_verified label Feb 26, 2019
@ansibot removed the ci_verified label Feb 26, 2019
@yungezz closed this Feb 26, 2019
@yungezz reopened this Feb 26, 2019
@zikalino
Contributor

zikalino left a comment

Nothing major, just that the fail when deleting should be fixed, I think.

@nitzmahone
Member

nitzmahone left a comment

looks like not_*actions are broken and not tested; once that's fixed, LGTM
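
What the not_actions and not_data_actions fields raised in the review above do, and a check that a role read back from the facts module carries the same permissions that were requested, as an added Python example (not part of this PR or of the module's code). It models the Azure rule that a role's effective permissions are actions minus not_actions, evaluated per permissions block; `is_allowed`, `permission_drift` and `WILDCARD_ROLE` are names and data constructed for the example, and `PAGE_ROLE` is the permissions block from the 28 February test run on this page.

```python
import re
from itertools import zip_longest

FIELDS = ("actions", "not_actions", "data_actions", "not_data_actions")

# Permissions block used in the 28 February test run on this page.
PAGE_ROLE = [{
    "actions": ["Microsoft.Compute/virtualMachines/read"],
    "not_actions": ["Microsoft.Compute/virtualMachines/write"],
    "data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "not_data_actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"],
}]

# Constructed role (not from the page): a wildcard grant narrowed by not_actions.
WILDCARD_ROLE = [{
    "actions": ["Microsoft.Compute/virtualMachines/*"],
    "not_actions": ["Microsoft.Compute/virtualMachines/write"],
}]


def _matches(pattern, operation):
    """Case-insensitive match of an operation name; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(permissions, operation, data_plane=False):
    """True if any permissions block grants `operation` after its exclusions.

    not_actions is a subtraction from actions inside the same role,
    not a deny rule that overrides other role assignments.
    """
    allow_key, exclude_key = (
        ("data_actions", "not_data_actions") if data_plane
        else ("actions", "not_actions")
    )
    for block in permissions:
        granted = any(_matches(p, operation) for p in block.get(allow_key) or [])
        excluded = any(_matches(p, operation) for p in block.get(exclude_key) or [])
        if granted and not excluded:
            return True
    return False


def permission_drift(requested, returned):
    """Map (block index, field) -> (requested, returned) for fields that differ.

    null and [] are treated as the same empty list, and names are compared
    case-insensitively, so only real differences are reported.
    """
    drift = {}
    for index, (want, got) in enumerate(zip_longest(requested, returned, fillvalue={})):
        for field in FIELDS:
            want_set = {name.lower() for name in want.get(field) or []}
            got_set = {name.lower() for name in got.get(field) or []}
            if want_set != got_set:
                drift[(index, field)] = (sorted(want_set), sorted(got_set))
    return drift


if __name__ == "__main__":
    vm_write = "Microsoft.Compute/virtualMachines/write"
    # Constructed failure case: the exclusion list is lost on the way to Azure.
    dropped = [dict(WILDCARD_ROLE[0], not_actions=[])]
    print("write allowed as requested:", is_allowed(WILDCARD_ROLE, vm_write))
    print("write allowed if not_actions is dropped:", is_allowed(dropped, vm_write))
    print("drift:", permission_drift(WILDCARD_ROLE, dropped))
```

A role whose exclusion lists are silently dropped is broader than the one requested, so asserting only on `output.changed` does not catch it; comparing the facts output against the requested permissions does.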

@yungezz
Contributor Author

yungezz commented Feb 28, 2019

test result after resolving comments:

TASK [Create a role definition (Check Mode)] *************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:19
Thursday 28 February 2019  11:26:17 +0800 (0:00:02.285)       0:00:03.780 *****
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670 `" && echo ansible-tmp-1551324377.7568047-75761710646670="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-54514icrrtn_/tmp1urfiy0f TO /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670/AnsiballZ_azure_rm_roledefinition.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670/ /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551324377.7568047-75761710646670/ > /dev/null 2>&1 && sleep 0'
 [WARNING]: Azure API profile latest does not define an entry for AuthorizationManagementClient

changed: [localhost] => changed=true
  id: null
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      description: null
      name: yungez0228role
      password: null
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
        not_actions:
        - Microsoft.Compute/virtualMachines/write
        not_data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      profile: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      state: present
      subscription_id: null
      tenant: null

TASK [Assert creating role definition check mode] ********************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:37
Thursday 28 February 2019  11:26:20 +0800 (0:00:02.979)       0:00:06.760 *****
ok: [localhost] => changed=false
  msg: All assertions passed

TASK [Create a role definition] **************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:42
Thursday 28 February 2019  11:26:20 +0800 (0:00:00.055)       0:00:06.816 *****
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687 `" && echo ansible-tmp-1551324380.7901793-185390353818687="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-54514icrrtn_/tmpfjnzb2qd TO /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687/AnsiballZ_azure_rm_roledefinition.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687/ /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551324380.7901793-185390353818687/ > /dev/null 2>&1 && sleep 0'
changed: [localhost] => changed=true
  id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/2e6f64dc-xxxx-xxxx-xxxx-d68365d38a40
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      description: null
      name: yungez0228role
      password: null
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
        not_actions:
        - Microsoft.Compute/virtualMachines/write
        not_data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      profile: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      state: present
      subscription_id: null
      tenant: null

TASK [Assert creating role definition] *******************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:60
Thursday 28 February 2019  11:26:27 +0800 (0:00:07.174)       0:00:13.991 *****
ok: [localhost] => changed=false
  msg: All assertions passed

  TASK [Get facts] *****************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:64
Thursday 28 February 2019  11:30:16 +0800 (0:00:03.004)       0:00:04.516 *****
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659 `" && echo ansible-tmp-1551324616.7636352-27074515237659="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition_facts.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-6070d65d5ft5/tmpba1k0lqa TO /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659/AnsiballZ_azure_rm_roledefinition_facts.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659/ /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659/AnsiballZ_azure_rm_roledefinition_facts.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659/AnsiballZ_azure_rm_roledefinition_facts.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551324616.7636352-27074515237659/ > /dev/null 2>&1 && sleep 0'
 [WARNING]: Azure API profile latest does not define an entry for AuthorizationManagementClient

ok: [localhost] => changed=false
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      id: null
      password: null
      profile: null
      role_name: yungez0228role
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      subscription_id: null
      tenant: null
      type: custom
  roledefinitions:
    assignable_scopes:
    - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
    description: null
    id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-d68365d38a40
    name: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    permissions:
    - actions:
      - Microsoft.Compute/virtualMachines/read
      data_actions:
      - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
      not_actions:
      - Microsoft.Compute/virtualMachines/write
      not_data_actions:
      - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
    role_name: yungez0228role
    type: CustomRole

TASK [dump output] ***************************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:71
Thursday 28 February 2019  11:30:19 +0800 (0:00:03.179)       0:00:07.696 *****
ok: [localhost] =>
  facts:
    changed: false
    failed: false
    roledefinitions:
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      description: null
      id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/xxxxxxxx-xxxx-xxxx-xxxx-d68365d38a40
      name: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
        not_actions:
        - Microsoft.Compute/virtualMachines/write
        not_data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      role_name: yungez0228role
      type: CustomRole
    warnings:
    - Azure API profile latest does not define an entry for AuthorizationManagementClient

TASK [Update the role definition (idempotent)] ***********************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:75
Thursday 28 February 2019  11:30:19 +0800 (0:00:00.065)       0:00:07.762 *****
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190 `" && echo ansible-tmp-1551324620.009144-14330818308190="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-6070d65d5ft5/tmpirs8mmw0 TO /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190/AnsiballZ_azure_rm_roledefinition.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190/ /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551324620.009144-14330818308190/ > /dev/null 2>&1 && sleep 0'
ok: [localhost] => changed=false
  id: /subscriptions/4933a9cb-6207-4501-96e3-23a04a383ad0/providers/Microsoft.Authorization/roleDefinitions/2e6f64dc-461d-45d4-9027-d68365d38a40
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      description: null
      name: yungez0228role
      password: null
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
        not_actions:
        - Microsoft.Compute/virtualMachines/write
        not_data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      profile: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      state: present
      subscription_id: null
      tenant: null

TASK [assert output not changed] *************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:93
Thursday 28 February 2019  11:30:22 +0800 (0:00:02.891)       0:00:10.654 *****
ok: [localhost] => changed=false
  msg: All assertions passed

TASK [Update the role definition] ************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:98
Thursday 28 February 2019  11:30:22 +0800 (0:00:00.058)       0:00:10.713 *****
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: yungez
<127.0.0.1> EXEC /bin/sh -c 'echo ~yungez && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015 `" && echo ansible-tmp-1551324622.9607058-158560230777015="` echo /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015 `" ) && sleep 0'
Using module file /home/yungez/.ansible/roles/azure_preview_modules/library/azure_rm_roledefinition.py
<127.0.0.1> PUT /home/yungez/.ansible/tmp/ansible-local-6070d65d5ft5/tmp64_aj6pi TO /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015/AnsiballZ_azure_rm_roledefinition.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015/ /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/home/yungez/src/ansible/venv/bin/python /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015/AnsiballZ_azure_rm_roledefinition.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/yungez/.ansible/tmp/ansible-tmp-1551324622.9607058-158560230777015/ > /dev/null 2>&1 && sleep 0'
changed: [localhost] => changed=true
  id: /subscriptions/4933a9cb-6207-4501-96e3-23a04a383ad0/providers/Microsoft.Authorization/roleDefinitions/e6abde0a-6126-44f6-8bbe-d769847cf8c1
  invocation:
    module_args:
      ad_user: null
      adfs_authority_url: null
      api_profile: latest
      assignable_scopes:
      - /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      auth_source: null
      cert_validation_mode: null
      client_id: null
      cloud_environment: AzureCloud
      description: null
      name: yungez0228role1
      password: null
      permissions:
      - actions:
        - Microsoft.Compute/virtualMachines/read
        - Microsoft.Compute/virtualMachines/start/action
        data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
        not_actions:
        - Microsoft.Compute/virtualMachines/write
        not_data_actions:
        - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
      profile: null
      scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ansible-roledefinition1
      secret: null
      state: present
      subscription_id: null
      tenant: null

TASK [assert output changed] *****************************************************************************************************************************************************************
task path: /home/yungez/src/ansible-testapp/roledefinition.yml:117
Thursday 28 February 2019  11:30:34 +0800 (0:00:11.249)       0:00:21.962 *****
ok: [localhost] => changed=false
  msg: All assertions passed


@yungezz yungezz closed this Feb 28, 2019
@yungezz yungezz reopened this Feb 28, 2019

yungezz commented Feb 28, 2019

ready_for_review


Fred-sun commented Mar 4, 2019

@nitzmahone Please help review this PR when you're available! Thanks!

@nitzmahone nitzmahone merged commit 5ef7b7d into ansible:devel Mar 6, 2019
@yungezz yungezz deleted the yungez-roledefinition branch March 7, 2019 01:33
@ansible ansible locked and limited conversation to collaborators Jul 25, 2019