AWX Collections for DAB RBAC

Adds new modules for CRUD operations on the
following endpoints:

- api/v2/role_definitions
- api/v2/role_user_assignments
- api/v2/role_team_assignments

Note: assignment is Create or Delete only

Additional changes:
- Currently DAB endpoints do not have "type"
field on the resource list items. So this modifies
the create_or_update_if_needed to allow manually
specifying item type.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>

awx_collection/plugins/modules/role_definition.py

@@ -0,0 +1,114 @@
+#!/usr/bin/python
+# coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: role_definition
+author: "Seth Foster (@fosterseth)"
+short_description: Add role definition to Automation Platform Controller
+description:
+    - Contains a list of permissions and a resource type that can then be assigned to users or teams.
+options:
+    name:
+        description:
+            - Name of this role definition.
+        required: True
+        type: str
+    permissions:
+        description:
+            - List of permissions to include in the role definition.
+        required: True
+        type: list
+        elements: str
+    content_type:
+        description:
+            - The type of resource this applies to.
+        required: True
+        type: str
+    description:
+        description:
+            - Optional description of this role definition.
+        type: str
+    state:
+        description:
+            - The desired state of the role definition.
+        default: present
+        choices:
+            - present
+            - absent
+        type: str
+extends_documentation_fragment: awx.awx.auth
+'''
+
+
+EXAMPLES = '''
+- name: Create Role Definition
+  role_definition:
+    name: test_view_jt
+    permissions:
+      - awx.view_jobtemplate
+      - awx.execute_jobtemplate
+    content_type: awx.jobtemplate
+    description: role definition to view and execute jt
+    state: present
+'''
+
+from ..module_utils.controller_api import ControllerAPIModule
+
+
+def main():
+    # Any additional arguments that are not fields of the item can be added here
+    argument_spec = dict(
+        name=dict(required=True, type='str'),
+        permissions=dict(required=True, type='list', elements='str'),
+        content_type=dict(required=True, type='str'),
+        description=dict(required=False, type='str'),
+        state=dict(default='present', choices=['present', 'absent']),
+    )
+
+    module = ControllerAPIModule(argument_spec=argument_spec)
+
+    name = module.params.get('name')
+    permissions = module.params.get('permissions')
+    content_type = module.params.get('content_type')
+    description = module.params.get('description')
+    state = module.params.get('state')
+    if description is None:
+        description = ''
+
+    role_definition = module.get_one('role_definitions', name_or_id=name)
+
+    if state == 'absent':
+        module.delete_if_needed(
+            role_definition,
+            item_type='role_definition',
+        )
+
+    post_kwargs = {
+        'name': name,
+        'permissions': permissions,
+        'content_type': content_type,
+        'description': description
+    }
+
+    if state == 'present':
+        module.create_or_update_if_needed(
+            role_definition,
+            post_kwargs,
+            endpoint='role_definitions',
+            item_type='role_definition',
+        )
+
+
+if __name__ == '__main__':
+    main()

awx_collection/plugins/modules/role_team_assignment.py

@@ -0,0 +1,123 @@
+#!/usr/bin/python
+# coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: role_team_assignment
+author: "Seth Foster (@fosterseth)"
+short_description: Gives a team permission to a resource or an organization.
+description:
+    - Use this endpoint to give a team permission to a resource or an organization.
+    - After creation, the assignment cannot be edited, but can be deleted to remove those permissions.
+options:
+    role_definition:
+        description:
+            - The name or id of the role definition to assign to the team.
+        required: True
+        type: str
+    object_id:
+        description:
+            - Primary key of the object this assignment applies to.
+        required: True
+        type: int
+    team:
+        description:
+            - The name or id of the team to assign to the object.
+        required: False
+        type: str
+    object_ansible_id:
+        description:
+            - Resource id of the object this role applies to. Alternative to the object_id field.
+        required: False
+        type: int
+    team_ansible_id:
+        description:
+            - Resource id of the team who will receive permissions from this assignment. Alternative to team field.
+        required: False
+        type: int
+    state:
+        description:
+            - The desired state of the role definition.
+        default: present
+        choices:
+            - present
+            - absent
+        type: str
+extends_documentation_fragment: awx.awx.auth
+'''
+
+
+EXAMPLES = '''
+- name: Give Team A JT permissions
+  role_team_assignment:
+    role_definition: launch JT
+    object_id: 1
+    team: Team A
+    state: present
+'''
+
+from ..module_utils.controller_api import ControllerAPIModule
+
+
+def main():
+    # Any additional arguments that are not fields of the item can be added here
+    argument_spec = dict(
+        team=dict(required=False, type='str'),
+        object_id=dict(required=True, type='int'),
+        role_definition=dict(required=True, type='str'),
+        object_ansible_id=dict(required=False, type='int'),
+        team_ansible_id=dict(required=False, type='int'),
+        state=dict(default='present', choices=['present', 'absent']),
+    )
+
+    module = ControllerAPIModule(argument_spec=argument_spec)
+
+    team = module.params.get('team')
+    object_id = module.params.get('object_id')
+    role_definition_str = module.params.get('role_definition')
+    object_ansible_id = module.params.get('object_ansible_id')
+    team_ansible_id = module.params.get('team_ansible_id')
+    state = module.params.get('state')
+
+    role_definition = module.get_one('role_definitions', allow_none=False, name_or_id=role_definition_str)
+    team = module.get_one('teams', allow_none=False, name_or_id=team)
+
+    kwargs = {
+        'role_definition': role_definition['id'],
+        'object_id': object_id,
+        'team': team['id'],
+        'object_ansible_id': object_ansible_id,
+        'team_ansible_id': team_ansible_id,
+    }
+
+    # get rid of None type values
+    kwargs = {k: v for k, v in kwargs.items() if v is not None}
+    role_team_assignment = module.get_one('role_team_assignments', **{'data': kwargs})
+
+    if state == 'absent':
+        module.delete_if_needed(
+            role_team_assignment,
+            item_type='role_team_assignment',
+        )
+
+    if state == 'present':
+        module.create_if_needed(
+            role_team_assignment,
+            kwargs,
+            endpoint='role_team_assignments',
+            item_type='role_team_assignment',
+        )
+
+
+if __name__ == '__main__':
+    main()

awx_collection/plugins/modules/role_user_assignment.py

@@ -0,0 +1,124 @@
+#!/usr/bin/python
+# coding: utf-8 -*-
+
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'community'}
+
+
+DOCUMENTATION = '''
+---
+module: role_user_assignment
+author: "Seth Foster (@fosterseth)"
+short_description: Gives a user permission to a resource or an organization.
+description:
+    - Use this endpoint to give a user permission to a resource or an organization.
+    - After creation, the assignment cannot be edited, but can be deleted to remove those permissions.
+options:
+    role_definition:
+        description:
+            - The name or id of the role definition to assign to the user.
+        required: True
+        type: str
+    object_id:
+        description:
+            - Primary key of the object this assignment applies to.
+        required: True
+        type: int
+    user:
+        description:
+            - The name or id of the user to assign to the object.
+        required: False
+        type: str
+    object_ansible_id:
+        description:
+            - Resource id of the object this role applies to. Alternative to the object_id field.
+        required: False
+        type: int
+    user_ansible_id:
+        description:
+            - Resource id of the user who will receive permissions from this assignment. Alternative to user field.
+        required: False
+        type: int
+    state:
+        description:
+            - The desired state of the role definition.
+        default: present
+        choices:
+            - present
+            - absent
+        type: str
+extends_documentation_fragment: awx.awx.auth
+'''
+
+
+EXAMPLES = '''
+- name: Give Bob JT permissions
+  role_user_assignment:
+    role_definition: launch JT
+    object_id: 1
+    user: bob
+    state: present
+'''
+
+from ..module_utils.controller_api import ControllerAPIModule
+
+
+def main():
+    # Any additional arguments that are not fields of the item can be added here
+    argument_spec = dict(
+        user=dict(required=False, type='str'),
+        object_id=dict(required=True, type='int'),
+        role_definition=dict(required=True, type='str'),
+        object_ansible_id=dict(required=False, type='int'),
+        user_ansible_id=dict(required=False, type='int'),
+        state=dict(default='present', choices=['present', 'absent']),
+    )
+
+    module = ControllerAPIModule(argument_spec=argument_spec)
+
+    user = module.params.get('user')
+    object_id = module.params.get('object_id')
+    role_definition_str = module.params.get('role_definition')
+    object_ansible_id = module.params.get('object_ansible_id')
+    user_ansible_id = module.params.get('user_ansible_id')
+    state = module.params.get('state')
+
+    role_definition = module.get_one('role_definitions', allow_none=False, name_or_id=role_definition_str)
+    user = module.get_one('users', allow_none=False, name_or_id=user)
+
+    kwargs = {
+        'role_definition': role_definition['id'],
+        'object_id': object_id,
+        'user': user['id'],
+        'object_ansible_id': object_ansible_id,
+        'user_ansible_id': user_ansible_id,
+    }
+
+    # get rid of None type values
+    kwargs = {k: v for k, v in kwargs.items() if v is not None}
+
+    role_user_assignment = module.get_one('role_user_assignments', **{'data': kwargs})
+
+    if state == 'absent':
+        module.delete_if_needed(
+            role_user_assignment,
+            item_type='role_user_assignment',
+        )
+
+    if state == 'present':
+        module.create_if_needed(
+            role_user_assignment,
+            kwargs,
+            endpoint='role_user_assignments',
+            item_type='role_user_assignment',
+        )
+
+
+if __name__ == '__main__':
+    main()