fix idempotency of policy and user creation (#9)

* fix idempotency of policy and user creation

.github/workflows/ci.yml

@@ -15,29 +15,43 @@ jobs:
   cookstylelint:
     uses: Stromweld/github-workflows/.github/workflows/cookstyle-lint.yml@main
 
-  integration-dokken:
+  integration:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         os:
-          - amazonlinux-2023
           - centos-7
-          - centos-stream-8
-          - centos-stream-9
           - almalinux-8
           - almalinux-9
           - rockylinux-8
           - rockylinux-9
           - ubuntu-2004
           - ubuntu-2204
         suite:
-          - default
+          - server
           - automate
           - supermarket
+        exclude:
+          - os: almalinux-9
+            suite: supermarket
+          - os: rockylinux-8
+            suite: server
+          - os: rockylinux-8
+            suite: supermarket
+          - os: rockylinux-9
+            suite: server
+          - os: rockylinux-9
+            suite: supermarket
+          - os: ubuntu-2204
+            suite: supermarket
       fail-fast: false
     steps:
       - name: Check out code
         uses: actions/checkout@main
+      - name: Install Vagrant
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y vagrant virtualbox
       - name: Install Chef
         uses: actionshub/chef-install@main
       - name: Test-Kitchen Converge
@@ -48,7 +62,6 @@ jobs:
           action: converge
         env:
           CHEF_LICENSE: accept-no-persist
-          KITCHEN_LOCAL_YAML: kitchen.dokken.yml
       - name: Test-Kitchen Verify
         uses: actionshub/test-kitchen@main
         with:
@@ -57,7 +70,6 @@ jobs:
           action: verify
         env:
           CHEF_LICENSE: accept-no-persist
-          KITCHEN_LOCAL_YAML: kitchen.dokken.yml
 
   check:
     if: always()
@@ -66,7 +78,7 @@ jobs:
       - yamllint
       - jsonlint
       - cookstylelint
-      - integration-dokken
+      - integration
     runs-on: Ubuntu-latest
     steps:
       - name: Decide whether the needed jobs succeeded or failed

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 This file is used to list changes made in each version of the chef_software cookbook.
 
+## 2.2.0 (2024-03-04)
+
+- [Corey Hemminger] - Moved iam_policy and iam_user creation to resources, fixed idempotency in resources
+
 ## 2.1.2 (2023-03-31)
 
 - [Corey Hemminger] - Hacky way of adding idempotency to chef-server org admin association

README.md

@@ -10,24 +10,6 @@ Please refer to the chef-ingredient cookbook <https://github.com/chef-cookbooks/
 
 - Linux
 
-## Attributes
-
-### default attributes
-
-| Attribute | Default | Comment |
-| -------------  | -------------  | -------------  |
-| ['chef_software']['chef_server_api_fqdn'] | 'chef-server.example.com' | (String) Hostname to connect to chef-server |
-| ['chef_software']['chef_automate_api_fqdn'] | 'chef-automate.example.com' | (String) Hostname to connect to chef-automatev2 |
-| ['chef_software']['chef_supermarket_api_fqdn'] | 'chef-supermarket.example.com' | (String) Hostname to connect to chef-supermarket |
-| ['chef_software']['automate_admin_token'] | nil | (String) Token used for api access by cookbook |
-| ['chef_software']['chef_automatev2'] | {accept_license: true, config: <<~EOC [global.v1] fqdn = "#{node['chef_software']['chef_automate_api_fqdn']}" EOC} | (Hash) Used to add configuration options to chef-automatev2 |
-| ['chef_software']['chef_automatev2']['local_users'] | {test1:{ full_name: 'Test 1', password: 'Test1234!',},} | (Hash) Hash of hashes definign automatev2 users |
-| ['chef_software']['chef_automatev2']['iam_policies'] | {team_ldap: {policy_json: {subjects: ['user:local:test1'], action: '*', resource: '*',},},} | (Hash) Hash of hashes defining automate IAM policies in json format |
-| ['chef_software']['chef_server'] | {accept_license: true, addons: {'manage' => {accept_license: true,},}, config: <<~EOC api_fqdn "#{node['chef_software']['chef_server_api_fqdn']}" topology "standalone" #{"data_collector['root_url'] = 'https://#{node['chef_software']['chef_automate_api_fqdn']}/data-collector/v0/' data_collector['proxy'] = true profiles['root_url'] = 'https://#{node['chef_software']['chef_supermarket_api_fqdn']}'" if node['chef_software']['chef_automate_api_fqdn']} #{"oc_id['applications'] ||= {} oc_id['applications']['supermarket'] = {'redirect_uri' => 'https://#{node['chef_software']['chef_supermarket_api_fqdn']}/auth/chef_oauth2/callback',}" if node['chef_software']['chef_supermarket_api_fqdn']} EOC} | (Hash) Used to add configuration options to chef-server |
-| ['chef_software']['chef_user'] | {test1: {first_name: 'Test',last_name: '1',email: 'test1@example.com',password: 'Test1234!',},} | (Hash) Hash of hashes used to manage chef-server users |
-| ['chef_software']['chef_org'] | {testing: {org_full_name: 'Testing Chef Server', admins: %w(test1), users: %w(),},} | (Hash) Hash of hashes used to manage chef-server organizations |
-| ['chef_software']['chef_supermarket'] | {chef_server_url: "https://#{node['chef_software']['chef_server_api_fqdn']}", chef_oauth2_app_id: 'testGUID', chef_oauth2_secret: 'testGUID', chef_oauth2_verify_ssl: false, accept_license: true, config: {fqdn: node['chef_software']['chef_supermarket_api_fqdn'], smtp_address: 'localhost', smtp_port: 25, from_email: 'chef-supermarket.example.com', features: 'tools,gravatar,github,announcement,fieri', fieri_key: 'randomstuff', fieri_supermarket_endpoint: node['chef_software']['chef_supermarket_api_fqdn'],},} | (Hash) Used to add configuration options to chef-supermarket |
-
 ## Recipes
 
 ### default recipe

attributes/default.rb

@@ -22,13 +22,13 @@
 default['chef_software']['automate_admin_token'] = nil
 
 default['chef_software']['chef_automatev2'] = {
-  products: %w(automate infra-server builder desktop),
+  products: %w(automate infra-server builder),
   accept_license: true,
-  config: (<<~EOC
+  config: <<~EOC,
     [global.v1]
       fqdn = "#{node['chef_software']['chef_automate_api_fqdn']}"
-    EOC
-          ),
+  EOC
+
 }
 
 default['chef_software']['automatev2_local_users'] = {
@@ -53,24 +53,26 @@
           effect: 'ALLOW',
           actions: ['*'],
           projects: ['*'],
-          role: 'owner'
-        }
-      ]
+          role: 'owner',
+        },
+      ],
     },
   },
 }
 
 default['chef_software']['chef_server'] = {
   accept_license: true,
-  config: (<<~EOC
-    api_fqdn "#{node['chef_software']['chef_server_api_fqdn']}"
-    topology "standalone"
-    #{"oc_id['applications'] ||= {}
-oc_id['applications']['supermarket'] = {
-  'redirect_uri' => 'https://#{node['chef_software']['chef_supermarket_api_fqdn']}/auth/chef_oauth2/callback'
-}" if node['chef_software']['chef_supermarket_api_fqdn']}
-    EOC
-          ),
+  config: <<~EOC,
+        api_fqdn "#{node['chef_software']['chef_server_api_fqdn']}"
+        topology "standalone"
+        #{if node['chef_software']['chef_supermarket_api_fqdn']
+            "oc_id['applications'] ||= {}
+    oc_id['applications']['supermarket'] = {
+      'redirect_uri' => 'https://#{node['chef_software']['chef_supermarket_api_fqdn']}/auth/chef_oauth2/callback'
+    }"
+          end}
+  EOC
+
 }
 
 default['chef_software']['chef_user'] = {

kitchen.yml

@@ -32,21 +32,23 @@ platforms:
   - name: ubuntu-22.04
 
 suites:
-  - name: default
+  - name: server
     named_run_list: 'chef_server'
     driver:
       customize:
-        memory: 3328
+        memory: 4096
     verifier:
       inspec_tests:
         - test/integration/default
         - test/integration/chef_server
     attributes:
+      chef_software:
+        automate_admin_token: mIUYdbBD6U8a9wg3IAbXScEjiXs=
   - name: automate
     named_run_list: 'chef_automatev2'
     driver:
       customize:
-        memory: 3072
+        memory: 4096
     verifier:
       inspec_tests:
         - test/integration/default

libraries/helpers.rb

@@ -1,36 +1,15 @@
 module ChefSoftware
   module Helpers
-    def get_iam_user(user)
-      Mash.new(JSON.parse(shell_out("curl --insecure -s -H \"api-token: #{node['chef_software']['automate_admin_token']}\" https://localhost/apis/iam/v2/users/#{user}").stdout))
+    def get_iam_user(user, token)
+      Mash.new(JSON.parse(shell_out("curl --insecure -s -H \"api-token: #{token}\" https://localhost/apis/iam/v2/users/#{user}").stdout))
     end
 
-    def get_iam_policy(policy_name)
-      Mash.new(JSON.parse(shell_out("curl --insecure -s -H \"api-token: #{node['chef_software']['automate_admin_token']}\" https://localhost/apis/iam/v2/policies/#{policy_name}").stdout))
+    def get_iam_policy(policy_name, token)
+      Mash.new(JSON.parse(shell_out("curl --insecure -s -H \"api-token: #{token}\" https://localhost/apis/iam/v2/policies/#{policy_name}").stdout))
     end
 
-    def create_iam_user(user_json)
-      json = user_json.to_json
-      execute "create local user #{user_json['id']}" do
-        command "curl --insecure -s -H \"api-token: #{node['chef_software']['automate_admin_token']}\" -H \"Content-Type: application/json\" -d '#{json}' https://localhost/apis/iam/v2/users"
-        not_if { user_json['id'].eql?(get_iam_user(user_json['id'])['user']['id'])  }
-        #sensitive true
-      end
-    end
-
-    def create_iam_policy(policy_json)
-      json = policy_json.to_json
-      test_policy_statements = get_iam_policy(policy_json['id'])['policy']['statements']&.each do |state|
-        state.delete('resources')
-      end
-      execute "generate iam policy #{policy_json['id']}" do
-        command "curl --insecure -s -H \"api-token: #{node['chef_software']['automate_admin_token']}\" -H \"Content-Type: application/json\" -d '#{json}' https://localhost/apis/iam/v2/policies"
-        not_if {
-          policy_json['id'].eql?(get_iam_policy(policy_json['id'])['policy']['id']) &&
-          policy_json['members'].eql?(get_iam_policy(policy_json['id'])['policy']['members']) &&
-          policy_json['statements'].eql?(test_policy_statements)
-        }
-        #sensitive true
-      end
+    def kitchen_create_api_token(name)
+      shell_out("chef-automate iam token create #{name} --admin").stdout.strip
     end
   end
 end

metadata.rb

@@ -3,7 +3,7 @@
 maintainer_email 'hemminger@hotmail.com'
 license 'Apache-2.0'
 description 'Installs/Configures chef server, chef automate2, chef supermarket'
-version '2.1.2'
+version '2.2.0'
 chef_version '>= 16.4'
 
 issues_url 'https://github.com/Stromweld/chef_software/issues'

recipes/chef_automatev2.rb

@@ -22,13 +22,27 @@
   end
 end
 
-if node['chef_software']['automate_admin_token']
-  node['chef_software']['automatev2_local_users']&.each do |name, hash|
-    create_iam_user(hash['user_json'])
+if kitchen?
+  ruby_block 'create_automate_admin_token' do
+    block do
+      node.run_state['automate_admin_token'] = kitchen_create_api_token('admin')
+    end
   end
+end
+
+node['chef_software']['automatev2_local_users']&.each do |name, hash|
+  iam_user name do
+    user_hash hash['user_json']
+    api_token lazy { kitchen? ? node.run_state['automate_admin_token'] : node['chef_software']['automate_admin_token'] }
+    action :create
+  end
+end
 
-  node['chef_software']['automatev2_iam_policies']&.each do |name, hash|
-    create_iam_policy(hash['policy_json'])
+node['chef_software']['automatev2_iam_policies']&.each do |name, hash|
+  iam_policy name do
+    policy_hash hash['policy_json']
+    api_token lazy { kitchen? ? node.run_state['automate_admin_token'] : node['chef_software']['automate_admin_token'] }
+    action :create
   end
 end
 

resources/iam_policy.rb

@@ -0,0 +1,100 @@
+# To learn more about Custom Resources, see https://docs.chef.io/custom_resources.html
+#
+# Author:: Corey Hemminger
+# Cookbook:: chef_software
+# Resource:: iam_policy
+#
+# Copyright:: 2024, Corey Hemminger
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+unified_mode true
+provides :iam_policy
+
+description 'manage IAM policies'
+
+property :name, String,
+         name_property: true,
+         description: 'Name of the IAM policy'
+
+property :policy_hash, Hash,
+         required: true,
+         description: 'Policy json in ruby hash format'
+
+property :api_token, String,
+         required: true,
+         sensitive: true,
+         description: 'Automate API token'
+
+action :create do
+  description 'Create a new IAM user'
+
+  name = new_resource.name
+  policy_hash = new_resource.policy_hash
+  policy_json = policy_hash.to_json
+  api_token = new_resource.api_token
+  # Try to fetch policy from server
+  srv_policy = get_iam_policy(policy_hash['id'], api_token)
+  # Test if policy on server exists and any errors contacting server
+  test_result = if srv_policy['error'].eql?("no policy with ID \"#{policy_hash['id']}\" found")
+                  true
+                elsif srv_policy['error']
+                  raise srv_policy['error'].inspect
+                elsif srv_policy['policy']['id'].eql?(policy_hash['id'])
+                  false
+                else
+                  raise "Unable to determine status of policy ensure this policy_hash id doesn't match an existing srv_policy\npolicy_hash: #{policy_hash['id'].inspect}\nsrv_policy: #{srv_policy['id'].inspect}\nor the error message from server says \"no policy with ID \"#{policy_hash['id']}\" found\"\nError_msg: #{srv_policy['error'].inspect}\n"
+                end
+  execute "create iam policy #{name}" do
+    command "curl --insecure -s -H \"api-token: #{api_token}\" -H \"Content-Type: application/json\" -d '#{policy_json}' https://localhost/apis/iam/v2/policies"
+    only_if { test_result }
+    sensitive true
+  end
+end
+
+action :update do
+  name = new_resource.name
+  policy_hash = new_resource.policy_hash
+  policy_json = policy_hash.to_json
+  api_token = new_resource.api_token
+  # Try to fetch policy from server
+  srv_policy = get_iam_policy(policy_json['id'], api_token)
+  Chef::Log.info("\nuserpolicy: #{policy_json.inspect}\nsrv_policy: #{srv_policy.inspect}\n")
+  # Test policy from server and desired policy match key by key from desired policy
+  test_result = if srv_policy['error']
+                  raise srv_policy['error'].inspect
+                else
+                  test = true
+                  policy_hash.each_key do |key|
+                    if key.eql?('statements')
+                      policy_hash['statements'].each_index do |i|
+                        policy_hash['statements'][i].each_key do |statement_key|
+                          test = policy_hash['statements'][i][statement_key].eql?(srv_policy['policy']['statements'][i][statement_key])
+                          break if test.eql?(false)
+                        end
+                        break if test.eql?(false)
+                      end
+                      break if test.eql?(false)
+                      next
+                    end
+                    break if test.eql?(false)
+                    test = policy_hash[key].eql?(srv_policy['policy'][key])
+                    break if test.eql?(false)
+                  end
+                  test
+                end
+  execute "update iam policy #{name}" do
+    command "curl -X PUT --insecure -s -H \"api-token: #{api_token}\" -H \"Content-Type: application/json\" -d '#{policy_json}' https://localhost/apis/iam/v2/policies/#{policy_hash['id']}"
+    not_if { test_result }
+    sensitive true
+  end
+end