[collection] Add "exists" state for credential module

[l3acon]

SUMMARY

Add the enumeration exists to state for the credential module. This is a relatively simple change that allows the module to be used in the following situation:

1. we want to ensure a credential resource of a particular name is available, but
2. if the resource is already configured we do not want to modify any inputs (including secrets)

Since credentials have protections in place to safeguard their privacy, overwriting them can be (at best) annoying or (at worst) dangerous. This is an attempt to address #13169.

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• Collection

[john-westcott-iv]

In the collection there is an controller_api lookup that you could leverage to see if a credential exists. So this could be implemented like so:

    - name: Create credential if needed
      awx.awx.credential:
        credential_type: Machine
        inputs:
          username: John
          password: 'test'
        name: Test Machine Credential
        organization: Default
      when: "lookup('awx.awx.controller_api', 'credentials', query_params={ 'name': 'Test Machine Credential' }) | length == 0"

That being said, I'm not opposed to an exists option in the state but we would probably want to look at the other modules to see if we should add exists in other areas as well for consistency.

[john-westcott-iv]

Perhaps we could discuss this at the next community meeting? If that would be something you are interested in could you leave a comment on #13687?

[willtome]

@john-westcott-iv I was unaware of the api lookup. That's pretty cool. I'm not sure how that would integrate to work with the controller_collection though.

@sean-m-sullivan do you think a lookup could work with the way the roles are today or would an additional parameter be better?

[sean-m-sullivan]

@willtome like this?
https://github.com/redhat-cop/controller_configuration/blob/devel/roles/object_diff/tasks/credentials.yml
However this will not remove the item from being updated if it already exists, its more for cleaning up controllers.

[sean-m-sullivan]

I think this state for credentials is worth it, as you would stop changing credentials in a simple way, most of the other modules its just putting in settings, this prevents a password change unless it specifically is needed, but John is right like with all things ansible, there are 20 ways of doing it.

[john-westcott-iv]

@l3acon Can you add some testing around this PR. Specifically in https://github.com/ansible/awx/blob/devel/awx_collection/tests/integration/targets/credential/tasks/main.yml and in https://github.com/ansible/awx/blob/devel/awx_collection/test/awx/test_credential.py.

[l3acon]

@john-westcott-iv thanks for pointing those out. I wasn't sure what the unit test should look like since the integration tests seem to cover the use-cases I have. Totally open to suggestions or ideas.

[thedoubl3j]

kicking CI

[john-westcott-iv]

I was thinking about this PR this morning and I am wondering if you were hitting the issue in #13704. tldr; the password was always being changed even when it should have been skipped because the user api page did not contain "password": "$encrypted$" which threw off the module_util logic.