authormail_redacted_for_web 2015-12-21 17:47:05 -0800
committermail_redacted_for_web 2015-12-28 16:42:40 -0800
commitad00dd7a9a5e06d1aadbd68043979d4e060b6c04 (patch)
treeaa63f8ba0c7fd053e6ace0c6550aadafbe4d11c6 /site/profile/manifests
parentec7a8d81a65051503e9f27e142f29b187327959b (diff)
Add an exec to create the Deploy Environments RBAC Role
Prior to this commit, the user of this repo was required to create an RBAC role by hand in order for Code Manager to work. After this commit, an exec statement curls the RBAC API to create the role once; hopefully it succeeds, because otherwise the exec will not run again.
Diffstat (limited to 'site/profile/manifests')
-rw-r--r--site/profile/manifests/git_webhook/code_manager.pp24
1 files changed, 23 insertions, 1 deletions
diff --git a/site/profile/manifests/git_webhook/code_manager.pp b/site/profile/manifests/git_webhook/code_manager.pp
index 60cabf4..7470e1c 100644
--- a/site/profile/manifests/git_webhook/code_manager.pp
+++ b/site/profile/manifests/git_webhook/code_manager.pp
@@ -35,13 +35,35 @@ class profile::git_webhook::code_manager {
unless => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
}
+ $code_manager_role_name = 'Deploy Environments'
+ $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
+ $create_role_curl = @(EOT)
+ /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
+ https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
+ -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
+ {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name %>", "description": ""}' \
+ --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem \
+ --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem \
+ --cacert <%= $::settings::certdir %>/ca.pem;
+ touch <%= $create_role_creates_file %>
+ | EOT
+
+ exec { 'create deploy environments role' :
+ command => inline_epp( $create_role_curl ),
+ creates => $create_role_creates_file,
+ logoutput => true,
+ path => $::path,
+ require => File[$token_directory],
+ }
+
rbac_user { $code_manager_service_user :
ensure => 'present',
name => $code_manager_service_user,
email => "${code_manager_service_user}@example.com",
display_name => 'Code Manager Service Account',
password => $code_manager_service_user_password,
- roles => [ 'Deploy Environments' ],
+ roles => [ $code_manager_role_name ],
+ require => Exec['create deploy environments role'],
}
file { $token_directory :