Protect delete org

roles/object_diff/README.md

@@ -17,6 +17,7 @@ The following Variables set the organization where should be applied the configu
 | `controller_api_plugin` | `ansible.controller` | yes | Full path for the controller_api_plugin to be used. <br/> Can have two possible values: <br/>&nbsp;&nbsp;- awx.awx.controller_api             # For the community Collection version <br/>&nbsp;&nbsp;- ansible.controller.controller_api  # For the Red Hat Certified Collection version|
 | `drop_user_external_accounts` | `False` | no | When is true, all users will be taken to compare with SCM configuration as code |
 | `drop_teams` | `False` | no | When is true, all teams will be taken to compare with SCM configuration as code |
+| `protect_not_empty_orgs` | `N/A` | no | When is true, orgs which are not empty, will not be removed |
 
 ## Role Tags
 

roles/object_diff/defaults/main.yml

@@ -44,4 +44,6 @@ controller_configuration_object_diff_tasks:
 
 controller_configuration_object_diff_secure_logging: "{{ controller_configuration_secure_logging | default('false') }}"
 
+controller_api_version: "v2"
+
 ...

roles/object_diff/tasks/organizations.yml

@@ -1,17 +1,57 @@
 ---
-- name: "Gets current Organizations configured"
+- name: "OBJECT DIFF: Get the current controller user to determine if it is super-admin"
   ansible.builtin.set_fact:
-    __controller_api_organizations: "{{ query(controller_api_plugin, 'organizations',
-      host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) }}"
+    __controller_api_current_user_check_is_admin: "{{ lookup(controller_api_plugin, 'users',
+                                                              query_params={'username': controller_username},
+                                                              host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs)
+                                                   }}"
 
-- name: "OBJECT DIFF: Find the difference of Organizations between what is on the Controller versus curated list."
-  ansible.builtin.set_fact:
-    __organizations_difference: "{{ lookup('redhat_cop.controller_configuration.controller_object_diff',
-                                            api_list=__controller_api_organizations, compare_list=controller_organizations,
-                                            with_present=false, set_absent=true)
-                                 }}"
+- name: "Role differences (block)"
+  when:
+    - __controller_api_current_user_check_is_admin.is_superuser
+  block:
+    - name: "Gets current Organizations configured"
+      ansible.builtin.set_fact:
+        __controller_api_organizations: "{{ query(controller_api_plugin, 'organizations',
+                                                  host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs)
+                                         }}"
 
-- name: "Sets Organization differences"
-  ansible.builtin.set_fact:
-    controller_organizations: "{{ __organizations_difference }}"
+    - name: "OBJECT DIFF: Find the difference of Organizations between what is on the Controller versus curated list."
+      ansible.builtin.set_fact:
+        __organizations_difference: "{{ lookup('redhat_cop.controller_configuration.controller_object_diff',
+                                                api_list=__controller_api_organizations, compare_list=controller_organizations,
+                                                with_present=false, set_absent=true)
+                                     }}"
+
+    - name: "Set list __list_orgs_empty when protect_not_empty_orgs"
+      ansible.builtin.set_fact:
+        __list_empty_orgs: "{{ __list_empty_orgs | default([]) + [__org.name] }}"
+      loop: "{{ __organizations_difference }}"
+      loop_control:
+        loop_var: __org
+      when:
+        - protect_not_empty_orgs is defined
+        - protect_not_empty_orgs
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/users/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/admins/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/inventories/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/teams/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/projects/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/job_templates/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+        - query(controller_api_plugin, 'api/' + controller_api_version + '/organizations/' + (__org.name | urlencode) + '/workflow_job_templates/',
+                host=controller_hostname, oauth_token=controller_oauthtoken, verify_ssl=controller_validate_certs) | length == 0
+
+    - name: "Sets Organization differences"
+      ansible.builtin.set_fact:
+        controller_organizations: "{{ controller_organizations | combine(__org) }}"
+      loop: "{{ __organizations_difference }}"
+      loop_control:
+        loop_var: __org
+      when: protect_not_empty_orgs is not defined or not protect_not_empty_orgs or __org.name in __list_empty_orgs
 ...