From d883d186154d055c7e4f5533edb88c413e96deb8 Mon Sep 17 00:00:00 2001
From: betanummeric <40263343+betanummeric@users.noreply.github.com>
Date: Wed, 25 May 2022 11:47:39 +0200
Subject: [PATCH] mysql_role - don't add members to a role when creating the role and detach_members true is set
---
 .../367-mysql_role-fix-deatch-members.yml | 2 ++
 plugins/modules/mysql_role.py | 3 +++
 .../targets/test_mysql_role/defaults/main.yml | 1 +
 .../tasks/mysql_role_initial.yml | 27 +++++++++++++++++++
 4 files changed, 33 insertions(+)
 create mode 100644 changelogs/fragments/367-mysql_role-fix-deatch-members.yml
diff --git a/changelogs/fragments/367-mysql_role-fix-deatch-members.yml b/changelogs/fragments/367-mysql_role-fix-deatch-members.yml
new file mode 100644
index 00000000..5a4d4148
--- /dev/null
+++ b/changelogs/fragments/367-mysql_role-fix-deatch-members.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - "mysql_role - don't add members to a role when creating the role and ``detach_members: true`` is set (https://github.com/ansible-collections/community.mysql/pull/367)."
diff --git a/plugins/modules/mysql_role.py b/plugins/modules/mysql_role.py
index f3a0165d..76e70af9 100644
--- a/plugins/modules/mysql_role.py
+++ b/plugins/modules/mysql_role.py
@@ -119,6 +119,7 @@ author:
 - Andrew Klychkov (@Andersson007)
+ - Felix Hamme (@betanummeric)
 extends_documentation_fragment:
 - community.mysql.mysql
@@ -1006,6 +1007,8 @@ def main():
 try:
 if state == 'present':
 if not role.exists:
+ if detach_members:
+ members = None # avoid adding unwanted members
 changed = role.add(members, priv, module.check_mode, admin, set_default_role_all)
diff --git a/tests/integration/targets/test_mysql_role/defaults/main.yml b/tests/integration/targets/test_mysql_role/defaults/main.yml
index 744ba345..0da95761 100644
--- a/tests/integration/targets/test_mysql_role/defaults/main.yml
+++ b/tests/integration/targets/test_mysql_role/defaults/main.yml
@@ -14,3 +14,4 @@ nonexistent: user3
 role0: role0
 role1: role1
+role3: role3
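Review bot: In `main()`, the new `members = None` branch discards a caller-supplied `members` list without any signal, so a playbook that passes both `members` and `detach_members: true` for a role that does not exist yet gets an empty role and only a `changed` result. Role membership is a privilege grant, so the drop should show up in the run output, e.g. `module.warn('members is ignored when creating a role with detach_members set')` next to the assignment. The inline comment could also state the reason, such as `# detach_members means "remove these users", so a new role must start without them`. `role.add()` is defined outside the hunk; it presumably accepts `None` for members, which is worth confirming, and the `else` branch for an existing role is not visible here.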
diff --git a/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml b/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml
index a2167c67..95616df8 100644
--- a/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml
+++ b/tests/integration/targets/test_mysql_role/tasks/mysql_role_initial.yml
@@ -1248,6 +1248,32 @@ that:
 - result is not changed
+ - name: '"detach" users when creating a new role'
+ <<: *task_params
+ mysql_role:
+ <<: *mysql_params
+ name: '{{ role3 }}'
+ state: present
+ detach_members: yes
+ members:
+ - '{{ user1 }}@localhost'
+
+ - name: Check the role was created
+ assert:
+ that:
+ - result is changed
+
+ - name: Check grants
+ <<: *task_params
+ mysql_query:
+ <<: *mysql_params
+ query: "SHOW GRANTS FOR {{ user1 }}@localhost"
+
+ - name: asssert detach_members did not add a user to the role
+ assert:
+ that:
+ - "'{{ role3 }}' not in result.query_result.0.0['Grants for {{ user1 }}@localhost']"
+
 # ##########
 # Test privs
 # ##########
@@ -1561,3 +1587,4 @@ loop:
 - '{{ role0 }}'
 - test
+ - '{{ role3 }}'
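Review bot: The final assertion in the `-1248` hunk reads only `result.query_result.0.0`, which looks like the first row of the `SHOW GRANTS` output, while a role grant is normally listed as its own row after the `GRANT USAGE` line. If that holds, the check passes even when user1 was added to role3, so it would not catch the regression this commit fixes. Checking every returned row closes the gap, for example `- role3 not in (result.query_result.0 | string)`, which also avoids nesting `{{ }}` inside an `assert` condition.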