Add application_credential module

Create or delete a Keystone application credential. When the secret parameter is not set a secret will be generated and returned in the response. Existing credentials cannot be modified so running this module against an existing credential will result in it being deleted and recreated. This needs to be taken into account when the secret is generated, as the secret will change on each run of the module. The returned result also includes a usable cloud config which allows playbooks to easily run openstack tasks using the credential created by this module. Change-Id: I0ed86dc8785b0e9d10cc89cd9137a11d02d03945
2026-03-26 21:43:02 +00:00 · 2024-02-28 17:07:55 +13:00
parent 032a5222c1
commit 94afde008b
4 changed files with 403 additions and 0 deletions
--- a/ci/roles/application_credential/defaults/main.yml
+++ b/ci/roles/application_credential/defaults/main.yml
@@ -0,0 +1,9 @@
+expected_fields:
+  - description
+  - expires_at
+  - id
+  - name
+  - project_id
+  - roles
+  - secret
+  - unrestricted
--- a/ci/roles/application_credential/tasks/main.yml
+++ b/ci/roles/application_credential/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+
+- name: Create application credentials
+  openstack.cloud.application_credential:
+    cloud: "{{ cloud }}"
+    state: present
+    name: ansible_creds
+    description: dummy description
+  register: appcred
+
+- name: Assert return values of application_credential module
+  assert:
+    that:
+      - appcred is changed
+      # allow new fields to be introduced but prevent fields from being removed
+      - expected_fields|difference(appcred.application_credential.keys())|length == 0
+
+- name: Create the application credential again
+  openstack.cloud.application_credential:
+    cloud: "{{ cloud }}"
+    state: present
+    name: ansible_creds
+    description: dummy description
+  register: appcred
+
+- name: Assert return values of ansible_credential module
+  assert:
+    that:
+      # credentials are immutable so creating twice will cause delete and create
+      - appcred is changed
+      # allow new fields to be introduced but prevent fields from being removed
+      - expected_fields|difference(appcred.application_credential.keys())|length == 0
+
+- name: Update the application credential again
+  openstack.cloud.application_credential:
+    cloud: "{{ cloud }}"
+    state: present
+    name: ansible_creds
+    description: new description
+  register: appcred
+
+- name: Assert application credential changed
+  assert:
+     that:
+       - appcred is changed
+       - appcred.application_credential.description == 'new description'
+
+- name: Get list of all keypairs using application credential
+  openstack.cloud.keypair_info:
+    cloud: "{{ appcred.cloud }}"
+
+- name: Delete application credential
+  openstack.cloud.application_credential:
+    cloud: "{{ cloud }}"
+    state: absent
+    name: ansible_creds
+  register: appcred
+
+- name: Assert application credential changed
+  assert:
+     that: appcred is changed
--- a/ci/run-collection.yml
+++ b/ci/run-collection.yml
@@ -5,6 +5,7 @@

  roles:
    - { role: address_scope, tags: address_scope }
+    - { role: application_credential, tags: application_credential }
    - { role: auth, tags: auth }
    - { role: catalog_service, tags: catalog_service }
    - { role: coe_cluster, tags: coe_cluster }