From 82bb8033ec6ed89e20d7e542657e014459140dde Mon Sep 17 00:00:00 2001
From: sean-m-sullivan <ssulliva@redhat.com>
Date: Fri, 16 Oct 2020 13:27:28 -0500
Subject: [PATCH] update to approval role

---
 awx_collection/plugins/modules/tower_role.py  |  4 ++--
 awx_collection/test/awx/test_role.py          | 20 +++++++++++++++++++
 .../targets/tower_role/tasks/main.yml         | 12 +++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/awx_collection/plugins/modules/tower_role.py b/awx_collection/plugins/modules/tower_role.py
index eab7c3d250..10c143864a 100644
--- a/awx_collection/plugins/modules/tower_role.py
+++ b/awx_collection/plugins/modules/tower_role.py
@@ -34,7 +34,7 @@ options:
       description:
         - The role type to grant/revoke.
       required: True
-      choices: ["admin", "read", "member", "execute", "adhoc", "update", "use", "auditor", "project_admin", "inventory_admin", "credential_admin",
+      choices: ["admin", "read", "member", "execute", "adhoc", "update", "use", "approval", "auditor", "project_admin", "inventory_admin", "credential_admin",
                 "workflow_admin", "notification_admin", "job_template_admin"]
       type: str
     target_team:
@@ -97,7 +97,7 @@ def main():
     argument_spec = dict(
         user=dict(),
         team=dict(),
-        role=dict(choices=["admin", "read", "member", "execute", "adhoc", "update", "use", "auditor", "project_admin", "inventory_admin", "credential_admin",
+        role=dict(choices=["admin", "read", "member", "execute", "adhoc", "update", "use", "approval", "auditor", "project_admin", "inventory_admin", "credential_admin",
                            "workflow_admin", "notification_admin", "job_template_admin"], required=True),
         target_team=dict(),
         inventory=dict(),
diff --git a/awx_collection/test/awx/test_role.py b/awx_collection/test/awx/test_role.py
index a97bdb76a8..436d189a1d 100644
--- a/awx_collection/test/awx/test_role.py
+++ b/awx_collection/test/awx/test_role.py
@@ -48,6 +48,26 @@ def test_grant_workflow_permission(run_module, admin_user, organization, state):
     else:
         assert rando not in wfjt.execute_role
 
+@pytest.mark.django_db
+@pytest.mark.parametrize('state', ('present', 'absent'))
+def test_grant_workflow_approval_permission(run_module, admin_user, organization, state):
+    wfjt = WorkflowJobTemplate.objects.create(organization=organization, name='foo-workflow')
+    rando = User.objects.create(username='rando')
+    if state == 'absent':
+        wfjt.execute_role.members.add(rando)
+
+    result = run_module('tower_role', {
+        'user': rando.username,
+        'workflow': wfjt.name,
+        'role': 'approval',
+        'state': state
+    }, admin_user)
+    assert not result.get('failed', False), result.get('msg', result)
+
+    if state == 'present':
+        assert rando in wfjt.approval_role
+    else:
+        assert rando not in wfjt.approval_role
 
 @pytest.mark.django_db
 def test_invalid_role(run_module, admin_user, project):
diff --git a/awx_collection/tests/integration/targets/tower_role/tasks/main.yml b/awx_collection/tests/integration/targets/tower_role/tasks/main.yml
index 4102a11402..b1d2a98881 100644
--- a/awx_collection/tests/integration/targets/tower_role/tasks/main.yml
+++ b/awx_collection/tests/integration/targets/tower_role/tasks/main.yml
@@ -96,6 +96,18 @@
         that:
           - "result is not changed"
 
+    - name: Add Joe to workflow approve role
+      tower_role:
+        user: "{{ username }}"
+        role: approval
+        workflow: test-role-workflow
+        state: present
+      register: result
+
+    - assert:
+        that:
+          - "result is changed"
+
   always:
     - name: Delete a User
       tower_user: