Update enforced defauilts (#569)

* An inventory source is not ever assigned to an organization (#563) * an inventory source is not ever assigned to an organization * if no organization, no output for organization field * linting * update workflow * update enforced defaults --------- Co-authored-by: Ivan Aragonés Muniesa <[email protected]>
redhat-cop · Apr 12, 2023 · 9569fd8 · 9569fd8
1 parent 1904d54
commit 9569fd8
Show file tree

Hide file tree

Showing 22 changed files with 136 additions and 33 deletions.
diff --git a/changelogs/fragments/enforce_defaults.yml b/changelogs/fragments/enforce_defaults.yml
@@ -1,4 +1,5 @@
 ---
 minor_changes:
-  - added option to multiple roles to enforce defaults. This is described in each of the roles readmes and will slowly be rolled out to all applicable roles. This option enforces module/api defaults in order to prevent config drift. This makes it so if an option is NOT specified in a configuration it enforces the default value. It is not enabled by default.
+  - Added option to multiple roles to enforce defaults. This is described in each of the roles readmes and will slowly be rolled out to all applicable roles. This option enforces module/api defaults in order to prevent config drift. This makes it so if an option is NOT specified in a configuration it enforces the default value. It is not enabled by default.
+  - Credentials role credential type set to mandatory. This would fail in the past if it was not set, this just codifies it.
 ...
diff --git a/roles/credential_input_sources/README.md b/roles/credential_input_sources/README.md
@@ -26,6 +26,22 @@ Currently:
 |`controller_oauthtoken`|""|no|Controller Admin User's token on the Ansible Controller Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.||
 |`controller_credential_input_sources`|`see below`|yes|Data structure describing your credential input sources Described below.||
 
+### Enforcing defaults
+
+The following Variables compliment each other.
+If Both variables are not set, enforcing default values is not done.
+Enabling these variables enforce default values on options that are optional in the controller API.
+This should be enabled to enforce configuration and prevent configuration drift. It is recomended to be enabled, however it is not enforced by default.
+
+Enabling this will enforce configurtion without specifying every option in the configuration files.
+
+'controller_configuration_credential_input_sources_enforce_defaults' defaults to the value of 'controller_configuration_enforce_defaults' if it is not explicitly called. This allows for enforced defaults to be toggled for the entire suite of controller configuration roles with a single variable, or for the user to selectively use it.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`controller_configuration_credential_input_sources_enforce_defaults`|`False`|no|Whether or not to enforce default option values on only the applications role|
+|`controller_configuration_enforce_defaults`|`False`|no|This variable enables enforced default values as well, but is shared across multiple roles, see above.|
+
 ### Secure Logging Variables
 
 The following Variables compliment each other.

diff --git a/roles/credential_input_sources/defaults/main.yml b/roles/credential_input_sources/defaults/main.yml
@@ -4,4 +4,5 @@ controller_credential_input_sources: []
 controller_configuration_credential_input_sources_secure_logging: "{{ controller_configuration_secure_logging | default('false') }}"
 controller_configuration_credential_input_sources_async_retries: "{{ controller_configuration_async_retries | default(30) }}"
 controller_configuration_credential_input_sources_async_delay: "{{ controller_configuration_async_delay | default(1) }}"
+controller_configuration_credential_input_sources_enforce_defaults: "{{ controller_configuration_enforce_defaults | default('false') }}"
 ...
diff --git a/roles/credential_input_sources/tasks/main.yml b/roles/credential_input_sources/tasks/main.yml
@@ -4,8 +4,8 @@
     target_credential:              "{{ __cred_input_src_item.target_credential | mandatory }}"
     input_field_name:               "{{ __cred_input_src_item.input_field_name | mandatory }}"
     source_credential:              "{{ __cred_input_src_item.source_credential | default(omit, true) }}"
-    description:                    "{{ __cred_input_src_item.description | default(omit, true) }}"
-    metadata:                       "{{ __cred_input_src_item.metadata | default(omit, true) }}"
+    description:                    "{{ __cred_input_src_item.description | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credential_input_sources_enforce_defaults , default_value='', omit_value=omit), true) }}"
+    metadata:                       "{{ __cred_input_src_item.metadata | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credential_input_sources_enforce_defaults , default_value={}, omit_value=omit), true) }}"
     state:                          "{{ __cred_input_src_item.state | default(controller_state | default('present')) }}"
 
     # Role specific options

diff --git a/roles/credential_types/README.md b/roles/credential_types/README.md
@@ -26,6 +26,22 @@ Currently:
 |`controller_oauthtoken`|""|no|Controller Admin User's token on the Ansible Controller Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.||
 |`controller_credential_types`|`see below`|yes|Data structure describing your credential types Described below.||
 
+### Enforcing defaults
+
+The following Variables compliment each other.
+If Both variables are not set, enforcing default values is not done.
+Enabling these variables enforce default values on options that are optional in the controller API.
+This should be enabled to enforce configuration and prevent configuration drift. It is recomended to be enabled, however it is not enforced by default.
+
+Enabling this will enforce configurtion without specifying every option in the configuration files.
+
+'controller_configuration_credential_types_enforce_defaults' defaults to the value of 'controller_configuration_enforce_defaults' if it is not explicitly called. This allows for enforced defaults to be toggled for the entire suite of controller configuration roles with a single variable, or for the user to selectively use it.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`controller_configuration_credential_types_enforce_defaults`|`False`|no|Whether or not to enforce default option values on only the applications role|
+|`controller_configuration_enforce_defaults`|`False`|no|This variable enables enforced default values as well, but is shared across multiple roles, see above.|
+
 ### Secure Logging Variables
 
 The following Variables compliment each other.
@@ -35,8 +51,8 @@ controller_configuration_credential_types_secure_logging defaults to the value o
 
 |Variable Name|Default Value|Required|Description|
 |:---:|:---:|:---:|:---:|
-|`controller_configuration_secure_logging`|`False`|no|Whether or not to include the sensitive Credential Type role tasks in the log.  Set this value to `True` if you will be providing your sensitive values from elsewhere.|
-|`controller_configuration_credential_types_secure_logging`|`False`|no|This variable enables secure logging as well, but is shared across multiple roles, see above.|
+|`controller_configuration_credential_types_secure_logging`|`False`|no|Whether or not to include the sensitive Credential Type role tasks in the log. Set this value to `True` if you will be providing your sensitive values from elsewhere.|
+|`controller_configuration_secure_logging`|`False`|no|This variable enables secure logging as well, but is shared across multiple roles, see above.|
 
 ### Asynchronous Retry Variables
 

diff --git a/roles/credential_types/defaults/main.yml b/roles/credential_types/defaults/main.yml
@@ -4,4 +4,5 @@ controller_credential_types: []
 controller_configuration_credential_types_secure_logging: "{{ controller_configuration_secure_logging | default('false') }}"
 controller_configuration_credential_types_async_retries: "{{ controller_configuration_async_retries | default(30) }}"
 controller_configuration_credential_types_async_delay: "{{ controller_configuration_async_delay | default(1) }}"
+controller_configuration_credential_types_enforce_defaults: "{{ controller_configuration_enforce_defaults | default('false') }}"
 ...
diff --git a/roles/credential_types/tasks/main.yml b/roles/credential_types/tasks/main.yml
@@ -3,9 +3,9 @@
   credential_type:
     name:                           "{{ __controller_credential_type_item.name | mandatory }}"
     new_name:                       "{{ __controller_credential_type_item.new_name | default(omit, true) }}"
-    description:                    "{{ __controller_credential_type_item.description | default(omit, true) }}"
-    injectors:                      "{{ __controller_credential_type_item.injectors | default(omit, true) | regex_replace('[ ]{2,}', '') }}"
-    inputs:                         "{{ __controller_credential_type_item.inputs | default(omit, true) }}"
+    description:                    "{{ __controller_credential_type_item.description | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credential_types_enforce_defaults , default_value='', omit_value=omit), true) }}"
+    injectors:                      "{{ __controller_credential_type_item.injectors | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credential_types_enforce_defaults , default_value={}, omit_value=omit), true) | regex_replace('[ ]{2,}', '') }}"
+    inputs:                         "{{ __controller_credential_type_item.inputs | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credential_types_enforce_defaults , default_value={}, omit_value=omit), true) }}"
     kind:                           "{{ __controller_credential_type_item.kind | default('cloud') }}"
     state:                          "{{ __controller_credential_type_item.state | default(controller_state | default('present')) }}"
 

diff --git a/roles/credentials/README.md b/roles/credentials/README.md
@@ -26,6 +26,22 @@ Currently:
 |`controller_oauthtoken`|""|no|Controller Admin User's token on the Ansible Controller Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.||
 |`controller_credentials`|`see below`|yes|Data structure describing your credentials Described below.||
 
+### Enforcing defaults
+
+The following Variables compliment each other.
+If Both variables are not set, enforcing default values is not done.
+Enabling these variables enforce default values on options that are optional in the controller API.
+This should be enabled to enforce configuration and prevent configuration drift. It is recomended to be enabled, however it is not enforced by default.
+
+Enabling this will enforce configurtion without specifying every option in the configuration files.
+
+'controller_configuration_credentials_enforce_defaults' defaults to the value of 'controller_configuration_enforce_defaults' if it is not explicitly called. This allows for enforced defaults to be toggled for the entire suite of controller configuration roles with a single variable, or for the user to selectively use it.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`controller_configuration_credentials_enforce_defaults`|`False`|no|Whether or not to enforce default option values on only the applications role|
+|`controller_configuration_enforce_defaults`|`False`|no|This variable enables enforced default values as well, but is shared across multiple roles, see above.|
+
 ### Secure Logging Variables
 
 The following Variables compliment each other.

diff --git a/roles/credentials/defaults/main.yml b/roles/credentials/defaults/main.yml
@@ -4,4 +4,5 @@ controller_credentials: []
 controller_configuration_credentials_secure_logging: "{{ controller_configuration_secure_logging | default(true) }}"
 controller_configuration_credentials_async_retries: "{{ controller_configuration_async_retries | default(30) }}"
 controller_configuration_credentials_async_delay: "{{ controller_configuration_async_delay | default(1) }}"
+controller_configuration_credentials_enforce_defaults: "{{ controller_configuration_enforce_defaults | default('false') }}"
 ...
diff --git a/roles/credentials/tasks/main.yml b/roles/credentials/tasks/main.yml
@@ -4,13 +4,13 @@
     name:                           "{{ __controller_credentials_item.name | mandatory }}"
     new_name:                       "{{ __controller_credentials_item.new_name | default(omit, true) }}"
     copy_from:                      "{{ __controller_credentials_item.copy_from | default(omit, true) }}"
-    description:                    "{{ __controller_credentials_item.description | default(omit, true) }}"
-    organization:                   "{{ __controller_credentials_item.organization.name | default(__controller_credentials_item.organization | default(omit, true)) }}"
-    credential_type:                "{{ __controller_credentials_item.credential_type.name | default(__controller_credentials_item.credential_type | default(omit, true)) }}"
-    inputs:                         "{{ __controller_credentials_item.inputs | default(omit, true) }}"
-    user:                           "{{ __controller_credentials_item.user.username | default(__controller_credentials_item.user | default(omit, true)) }}"
-    team:                           "{{ __controller_credentials_item.team.name | default(__controller_credentials_item.team | default(omit, true)) }}"
-    update_secrets:                 "{{ __controller_credentials_item.update_secrets | default(omit) }}"
+    description:                    "{{ __controller_credentials_item.description | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credentials_enforce_defaults , default_value='', omit_value=omit), true) }}"
+    organization:                   "{{ __controller_credentials_item.organization.name | default(__controller_credentials_item.organization | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credentials_enforce_defaults , default_value='', omit_value=omit), true)) }}"
+    credential_type:                "{{ __controller_credentials_item.credential_type.name | default(__controller_credentials_item.credential_type | mandatory ) }}"
+    inputs:                         "{{ __controller_credentials_item.inputs | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credentials_enforce_defaults , default_value={}, omit_value=omit), true) }}"
+    user:                           "{{ __controller_credentials_item.user.username | default(__controller_credentials_item.user | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credentials_enforce_defaults , default_value='', omit_value=omit), true)) }}"
+    team:                           "{{ __controller_credentials_item.team.name | default(__controller_credentials_item.team | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credentials_enforce_defaults , default_value='', omit_value=omit), true)) }}"
+    update_secrets:                 "{{ __controller_credentials_item.update_secrets | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_credentials_enforce_defaults , default_value=true, omit_value=omit), true) }}"
     state:                          "{{ __controller_credentials_item.state | default(controller_state | default('present')) }}"
 
     # Role specific options

diff --git a/roles/execution_environments/README.md b/roles/execution_environments/README.md
@@ -26,6 +26,22 @@ Currently:
 |`controller_oauthtoken`|""|no|Controller Admin User's token on the Ansible Controller Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.||
 |`controller_execution_environments`|`see below`|yes|Data structure describing your organization or organizations Described below.||
 
+### Enforcing defaults
+
+The following Variables compliment each other.
+If Both variables are not set, enforcing default values is not done.
+Enabling these variables enforce default values on options that are optional in the controller API.
+This should be enabled to enforce configuration and prevent configuration drift. It is recomended to be enabled, however it is not enforced by default.
+
+Enabling this will enforce configurtion without specifying every option in the configuration files.
+
+'controller_configuration_execution_environments_enforce_defaults' defaults to the value of 'controller_configuration_enforce_defaults' if it is not explicitly called. This allows for enforced defaults to be toggled for the entire suite of controller configuration roles with a single variable, or for the user to selectively use it.
+
+|Variable Name|Default Value|Required|Description|
+|:---:|:---:|:---:|:---:|
+|`controller_configuration_execution_environments_enforce_defaults`|`False`|no|Whether or not to enforce default option values on only the applications role|
+|`controller_configuration_enforce_defaults`|`False`|no|This variable enables enforced default values as well, but is shared across multiple roles, see above.|
+
 ### Secure Logging Variables
 
 The following Variables compliment each other.

diff --git a/roles/execution_environments/defaults/main.yml b/roles/execution_environments/defaults/main.yml
@@ -3,4 +3,5 @@
 controller_configuration_execution_environments_secure_logging: "{{ controller_configuration_secure_logging | default('false') }}"
 controller_configuration_execution_environments_async_retries: "{{ controller_configuration_async_retries | default(30) }}"
 controller_configuration_execution_environments_async_delay: "{{ controller_configuration_async_delay | default(1) }}"
+controller_configuration_execution_environments_enforce_defaults: "{{ controller_configuration_enforce_defaults | default('false') }}"
 ...
diff --git a/roles/execution_environments/tasks/main.yml b/roles/execution_environments/tasks/main.yml
@@ -4,11 +4,11 @@
   execution_environment:
     name:                           "{{ __execution_environments_item.name | mandatory }}"
     new_name:                       "{{ __execution_environments_item.new_name | default(omit, true) }}"
-    description:                    "{{ __execution_environments_item.description | default(omit, true) }}"
+    description:                    "{{ __execution_environments_item.description | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_execution_environments_enforce_defaults , default_value='', omit_value=omit), true) }}"
     image:                          "{{ __execution_environments_item.image | mandatory }}"
-    organization:                   "{{ __execution_environments_item.organization.name | default(__execution_environments_item.organization | default(omit, true)) }}"
-    credential:                     "{{ __execution_environments_item.credential | default(omit, true) }}"
-    pull:                           "{{ __execution_environments_item.pull | default(omit, true) }}"
+    organization:                   "{{ __execution_environments_item.organization.name | default(__execution_environments_item.organization | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_execution_environments_enforce_defaults , default_value='', omit_value=omit), true)) }}"
+    credential:                     "{{ __execution_environments_item.credential | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_execution_environments_enforce_defaults , default_value='', omit_value=omit), true) }}"
+    pull:                           "{{ __execution_environments_item.pull | default(lookup('infra.controller_configuration.enforce_defaults', enforce_default=controller_configuration_execution_environments_enforce_defaults , default_value='missing', omit_value=omit), true) }}"
     state:                          "{{ __execution_environments_item.state | default(controller_state | default('present')) }}"
 
     # Role specific options