wafv2_rule_group - tagging

ansible-collections · Jun 3, 2022 · 02065ed · 02065ed
1 parent 72be46e
commit 02065ed
Show file tree

Hide file tree

Showing 10 changed files with 1,203 additions and 39 deletions.
diff --git a/changelogs/fragments/1210-tagging-wafv2_rule_group.yml b/changelogs/fragments/1210-tagging-wafv2_rule_group.yml
@@ -0,0 +1,8 @@
+bugfixes:
+- wafv2_rule_group - fix bug where updating just the description did not update the changed state (https://github.com/ansible-collections/community.aws/pull/1210).
+- wafv2_rule_group - fix bug where description of resource state was missing when rule groups were updated (https://github.com/ansible-collections/community.aws/pull/1210).
+minor_changes:
+- wafv2_rule_group - Added support for ``purge_tags`` parameter (https://github.com/ansible-collections/community.aws/pull/1210).
+- wafv2_rule_group - Added support for updating tags (https://github.com/ansible-collections/community.aws/pull/1210).
+- wafv2_rule_group - Added support for returning tags (https://github.com/ansible-collections/community.aws/pull/1210).
+- wafv2_rule_group_info - Added support for returning tags (https://github.com/ansible-collections/community.aws/pull/1210).
diff --git a/plugins/modules/wafv2_rule_group.py b/plugins/modules/wafv2_rule_group.py
@@ -60,10 +60,6 @@
       description:
         - capacity of wafv2 rule group.
       type: int
-    tags:
-      description:
-        - tags for wafv2 rule group.
-      type: dict
     purge_rules:
       description:
         - When set to C(no), keep the existing load balancer rules in place. Will modify and add, but will not delete.
@@ -73,6 +69,7 @@
 extends_documentation_fragment:
 - amazon.aws.aws
 - amazon.aws.ec2
+- amazon.aws.tags
 
 '''
 
@@ -213,15 +210,18 @@
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import compare_priority_rules
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import wafv2_list_rule_groups
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import wafv2_snake_dict_to_camel_dict
+from ansible_collections.community.aws.plugins.module_utils.wafv2 import describe_wafv2_tags
+from ansible_collections.community.aws.plugins.module_utils.wafv2 import ensure_wafv2_tags
 
 
 class RuleGroup:
     def __init__(self, wafv2, name, scope, fail_json_aws):
         self.wafv2 = wafv2
+        self.id = None
         self.name = name
         self.scope = scope
         self.fail_json_aws = fail_json_aws
-        self.existing_group, self.id, self.locktoken = self.get_group()
+        self.existing_group = self.get_group()
 
     def update(self, description, rules, sampled_requests, cloudwatch_metrics, metric_name):
         req_obj = {
@@ -244,32 +244,39 @@ def update(self, description, rules, sampled_requests, cloudwatch_metrics, metri
             response = self.wafv2.update_rule_group(**req_obj)
         except (BotoCoreError, ClientError) as e:
             self.fail_json_aws(e, msg="Failed to update wafv2 rule group.")
-        return response
+        return self.refresh_group()
 
     def get_group(self):
-        response = self.list()
-        id = None
-        locktoken = None
-        arn = None
+        if self.id is None:
+            response = self.list()
+
+            for item in response.get('RuleGroups'):
+                if item.get('Name') == self.name:
+                    self.id = item.get('Id')
+                    self.locktoken = item.get('LockToken')
+                    self.arn = item.get('ARN')
+
+        return self.refresh_group()
 
-        for item in response.get('RuleGroups'):
-            if item.get('Name') == self.name:
-                id = item.get('Id')
-                locktoken = item.get('LockToken')
-                arn = item.get('ARN')
 
+    def refresh_group(self):
         existing_group = None
-        if id:
+        if self.id:
             try:
-                existing_group = self.wafv2.get_rule_group(
+                response = self.wafv2.get_rule_group(
                     Name=self.name,
                     Scope=self.scope,
-                    Id=id
+                    Id=self.id
                 )
+                existing_group = response.get('RuleGroup')
+                self.locktoken = response.get('LockToken')
             except (BotoCoreError, ClientError) as e:
                 self.fail_json_aws(e, msg="Failed to get wafv2 rule group.")
 
-        return existing_group, id, locktoken
+            tags = describe_wafv2_tags(self.wafv2, self.arn, self.fail_json_aws)
+            existing_group['tags'] = tags or {}
+
+        return existing_group
 
     def list(self):
         return wafv2_list_rule_groups(self.wafv2, self.scope, self.fail_json_aws)
@@ -315,7 +322,7 @@ def create(self, capacity, description, rules, sampled_requests, cloudwatch_metr
         except (BotoCoreError, ClientError) as e:
             self.fail_json_aws(e, msg="Failed to create wafv2 rule group.")
 
-        self.existing_group, self.id, self.locktoken = self.get_group()
+        self.existing_group = self.get_group()
 
         return self.existing_group
 
@@ -332,8 +339,9 @@ def main():
         sampled_requests=dict(type='bool', default=False),
         cloudwatch_metrics=dict(type='bool', default=True),
         metric_name=dict(type='str'),
-        tags=dict(type='dict'),
-        purge_rules=dict(default=True, type='bool')
+        tags=dict(type='dict', aliases=['resource_tags']),
+        purge_tags=dict(default=True, type='bool'),
+        purge_rules=dict(default=True, type='bool'),
     )
 
     module = AnsibleAWSModule(
@@ -352,6 +360,7 @@ def main():
     cloudwatch_metrics = module.params.get("cloudwatch_metrics")
     metric_name = module.params.get("metric_name")
     tags = module.params.get("tags")
+    purge_tags = module.params.get("purge_tags")
     purge_rules = module.params.get("purge_rules")
     check_mode = module.check_mode
 
@@ -363,26 +372,34 @@ def main():
     if not metric_name:
         metric_name = name
 
-    rule_group = RuleGroup(module.client('wafv2'), name, scope, module.fail_json_aws)
+    wafv2 = module.client('wafv2')
+    rule_group = RuleGroup(wafv2, name, scope, module.fail_json_aws)
 
     change = False
     retval = {}
 
     if state == 'present':
         if rule_group.get():
-            change, rules = compare_priority_rules(rule_group.get().get('RuleGroup').get('Rules'), rules, purge_rules, state)
-            change = change or rule_group.get().get('RuleGroup').get('Description') != description
-
-            if change and not check_mode:
+            tagging_change = ensure_wafv2_tags(wafv2, rule_group.arn, tags, purge_tags,
+                                               module.fail_json_aws, module.check_mode)
+            rules_change, rules = compare_priority_rules(rule_group.get().get('Rules'), rules, purge_rules, state)
+            description_change = bool(description) and (rule_group.get().get('Description') != description)
+            change = tagging_change or rules_change or description_change
+            retval = rule_group.get()
+            if module.check_mode:
+                # In check mode nothing changes...
+                pass
+            elif rules_change or description_change:
                 retval = rule_group.update(
                     description,
                     rules,
                     sampled_requests,
                     cloudwatch_metrics,
                     metric_name
                 )
-            else:
-                retval = rule_group.get().get('RuleGroup')
+            elif tagging_change:
+                retval = rule_group.refresh_group()
+
 
         else:
             change = True
@@ -401,7 +418,7 @@ def main():
         if rule_group.get():
             if rules:
                 if len(rules) > 0:
-                    change, rules = compare_priority_rules(rule_group.get().get('RuleGroup').get('Rules'), rules, purge_rules, state)
+                    change, rules = compare_priority_rules(rule_group.get().get('Rules'), rules, purge_rules, state)
                     if change and not check_mode:
                         retval = rule_group.update(
                             description,
@@ -415,7 +432,7 @@ def main():
                 if not check_mode:
                     retval = rule_group.remove()
 
-    module.exit_json(changed=change, **camel_dict_to_snake_dict(retval))
+    module.exit_json(changed=change, **camel_dict_to_snake_dict(retval, ignore_list=['tags']))
 
 
 if __name__ == '__main__':

diff --git a/plugins/modules/wafv2_rule_group_info.py b/plugins/modules/wafv2_rule_group_info.py
@@ -17,9 +17,8 @@
 options:
     state:
       description:
-        - Whether the rule is present or absent.
-      choices: ["present", "absent"]
-      required: true
+        - This option does nothing, has been deprecated, and will be removed in a release after 2022-12-01.
+      required: false
       type: str
     name:
       description:
@@ -34,8 +33,8 @@
       type: str
 
 extends_documentation_fragment:
-- amazon.aws.aws
-- amazon.aws.ec2
+  - amazon.aws.aws
+  - amazon.aws.ec2
 
 '''
 
@@ -102,6 +101,7 @@
 from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import wafv2_list_rule_groups
+from ansible_collections.community.aws.plugins.module_utils.wafv2 import describe_wafv2_tags
 
 
 def get_rule_group(wafv2, name, scope, id, fail_json_aws):
@@ -118,7 +118,7 @@ def get_rule_group(wafv2, name, scope, id, fail_json_aws):
 
 def main():
     arg_spec = dict(
-        state=dict(type='str', required=True, choices=['present', 'absent']),
+        state=dict(type='str', required=False),
         name=dict(type='str', required=True),
         scope=dict(type='str', required=True, choices=['CLOUDFRONT', 'REGIONAL'])
     )
@@ -134,6 +134,11 @@ def main():
 
     wafv2 = module.client('wafv2')
 
+    if state:
+        module.deprecate(
+            'The state parameter does nothing, has been deprecated, and will be removed in a future release.',
+            version='6.0.0', collection_name='community.aws')
+
     # check if rule group exists
     response = wafv2_list_rule_groups(wafv2, scope, module.fail_json_aws)
     id = None
@@ -142,11 +147,14 @@ def main():
     for item in response.get('RuleGroups'):
         if item.get('Name') == name:
             id = item.get('Id')
+            arn = item.get('ARN')
 
     existing_group = None
     if id:
         existing_group = get_rule_group(wafv2, name, scope, id, module.fail_json_aws)
         retval = camel_dict_to_snake_dict(existing_group.get('RuleGroup'))
+        tags = describe_wafv2_tags(wafv2, arn, module.fail_json_aws)
+        retval['tags'] = tags or {}
 
     module.exit_json(**retval)
 

diff --git a/tests/integration/targets/wafv2/aliases b/tests/integration/targets/wafv2/aliases
@@ -4,7 +4,5 @@ disabled
 
 wafv2_resources
 wafv2_resources_info
-wafv2_rule_group
-wafv2_rule_group_info
 wafv2_web_acl
 wafv2_web_acl_info
diff --git a/tests/integration/targets/wafv2_rule_group/aliases b/tests/integration/targets/wafv2_rule_group/aliases
@@ -0,0 +1,3 @@
+cloud/aws
+
+wafv2_rule_group_info
diff --git a/tests/integration/targets/wafv2_rule_group/defaults/main.yml b/tests/integration/targets/wafv2_rule_group/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+web_acl_name: '{{ tiny_prefix }}-web-acl'
+rule_group_name: '{{ tiny_prefix }}-rule-group'
+alb_name: "my-alb-{{ tiny_prefix }}"
+tg_name: "my-tg-{{ tiny_prefix }}"
+cidr:
+  main: 10.228.228.0/22
+  a: 10.228.228.0/24
+  b: 10.228.229.0/24
+  c: 10.228.230.0/24
+  d: 10.228.231.0/24
diff --git a/tests/integration/targets/wafv2_rule_group/meta/main.yml b/tests/integration/targets/wafv2_rule_group/meta/main.yml
@@ -0,0 +1 @@
+dependencies: []