main.yml
Everything that is created by the create_organization playbook is undone, and more!
The project created for the team config as code is not deleted, to preserve the configuration in there. Just the pipeline is set to nothing, so it can't run.
In the base configurations, all references to the team are set to absent, and the pipeline is run.
Then the project is cleaned up by removing the file content for the team, and the pipeline is run again.
After running the config as code, some things stay behind that have no relation to any organization; these are queried from the controller and deleted.
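---
# This is the complete playbook to remove an organization from rhaap
# in a single environment!
# adjust the code with iterations to clean other environments as well
# For testing purposes only!
#
# Phases
#   1. Disable the pipeline of the team's own config-as-code (CaC) project;
#      the project itself is kept so its configuration survives.
#   2. Clone the base CaC repository, mark everything that references the
#      organization as "state: absent", push the commit to dev and prod and
#      wait for the pipeline of each branch.
#   3. Remove the now-absent items from the CaC files, push again to dev and
#      prod and wait for both pipelines.
#   4. Delete the job templates, workflow job templates and projects that are
#      left on the dev and prod controllers without any organization.
#
# Secrets: the GitLab token is part of the clone URL and therefore of the
# checkout's .git/config. The checkout lives in a private temporary
# directory, the tasks that put the token on a command line or use the
# stored remote run with no_log, and the directory is removed in the
# "always" section even when a task in phase 2 or 3 fails.
- name: Delete organization and disable CaC.
  hosts: localhost
  gather_facts: false
  vars:
    # git settings are passed per command instead of with --global so the
    # control node's git configuration is left untouched by this play.
    # TLS verification follows gitlab_validate_certs (as the gitlab_project
    # task already does) instead of being switched off for all of git.
    _git_opts: >-
      -c user.name="{{ gitlab_user_username }}"
      -c user.email="{{ gitlab_user_username }}@homelab.wf"
      -c http.sslVerify={{ gitlab_validate_certs | bool | string | lower }}
    # API base of the base CaC project (gitlab_group_safe is set in pre_tasks).
    _gitlab_project_api: "{{ gitlab_protocol }}{{ gitlab_url }}api/v4/projects/{{ gitlab_group_safe }}%2F{{ cac_project_name }}"
    # Pipeline states after which GitLab no longer changes the status.
    _pipeline_final_states: ['success', 'failed', 'canceled', 'skipped']
    # Controllers cleaned in phase 4; each dict provides name, aap_admin_user
    # and aap_admin_password.
    _controllers:
      - "{{ controller_dev }}"
      - "{{ controller_prod }}"

  pre_tasks:
    - name: Get vars
      ansible.builtin.include_vars: env_vars.yml
      no_log: true

    # Create a gitlab access token for use in this playbook
    - name: GitLab Post | Obtain Access Token
      ansible.builtin.include_tasks:
        file: get_gitlab_api_token.yml

    # When the gitlab_group has slashes, these must be replaced with '%2F'
    - name: Create correct url for gitlab_group
      ansible.builtin.set_fact:
        gitlab_group_safe: "{{ gitlab_group | replace('/', '%2F') }}"

  tasks:
    # Phase 1: disable the team's CaC repository; the project itself is kept.
    # NOTE(review): confirm that an empty ci_config_path really stops the
    # pipeline rather than resetting it to the default .gitlab-ci.yml.
    - name: Disable pipeline on GitLab Project in group
      community.general.gitlab_project:
        api_url: "{{ gitlab_protocol }}{{ gitlab_url }}"
        validate_certs: "{{ gitlab_validate_certs }}"
        api_username: "{{ gitlab_user_username }}"
        api_password: "{{ gitlab_user_password }}"
        name: "{{ team_project_name }}"
        group: "{{ gitlab_group }}"
        ci_config_path: ''

    # Phases 2 and 3 work on a checkout of the base CaC repository; the block
    # guarantees the checkout is removed again, see "always" at the end.
    - name: Phase 2 and 3 | Absent and then remove the organization in the base CaC repository
      block:
        # A mkdtemp-style directory (private to this user) instead of a
        # predictable, world-readable path under /tmp.
        - name: Create a private working directory for the checkout
          ansible.builtin.tempfile:
            state: directory
            suffix: "-{{ cac_project_name }}"
          register: _workdir

        - name: Set the checkout path
          ansible.builtin.set_fact:
            _cac_checkout: "{{ _workdir.path }}/{{ cac_project_name }}"

        # The token is templated into the command line, hence no_log.
        - name: Clone the GitLab repository # noqa: command-instead-of-module
          ansible.builtin.shell: >-
            git {{ _git_opts }} clone
            "{{ gitlab_protocol }}oauth:{{ token }}@{{ gitlab_url }}{{ gitlab_group }}/{{ cac_project_name }}.git"
          args:
            chdir: "{{ _workdir.path }}"
          environment:
            # never hang on an interactive credential prompt
            GIT_TERMINAL_PROMPT: "0"
          changed_when: true
          no_log: true

        # Phase 2: set every item of the organization to "state: absent".
        # The blockinfile markers must stay identical to the ones written by
        # the create_organization playbook, otherwise the blocks are not
        # found again in phase 3 - do not "tidy" them here.
        # The CaC files are expected to end with a YAML document-end line
        # ("..."); the block is inserted in front of it and blockinfile falls
        # back to end-of-file when that line is missing.
        - name: Absent the Organization
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_organizations.yml"
            insertbefore: '^\.\.\.$'
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_long_name | upper }}"
            marker_begin: "# BEGIN BLOCK {{ organization_long_name | upper }}"
            marker_end: "# END BLOCK {{ organization_long_name | upper }}"
            block: |
              {% filter indent(width=2, first=true) %}
              - name: {{ organization_long_name | upper }}
                description: Organization for team {{ organization_short_name | upper }}
                state: absent
              {% endfilter %}

        - name: Absent the organization admin user for the ORG
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_users.yml"
            insertbefore: '^\.\.\.$'
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_long_name | upper }}"
            marker_begin: "# BEGIN BLOCK {{ organization_long_name | upper }}"
            marker_end: "# END BLOCK {{ organization_long_name | upper }}"
            block: |
              {% filter indent(width=2, first=true) %}
              - username: CaC_admin_{{ organization_short_name | upper }}
                password: 'we_are_being_deleted'
                email:
                first_name: admin
                last_name: admin for {{ organization_long_name | upper }}
                state: absent
              {% endfilter %}

        # Role assignments are removed from the file right away.
        - name: Absent admin rights for ORG_ADMIN
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_role_user_assignments.yml"
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_long_name | upper }}"
            marker_begin: "# BEGIN BLOCK {{ organization_long_name | upper }}"
            marker_end: "# END BLOCK {{ organization_long_name | upper }}"
            block: ""
            state: absent

        - name: "Absent the gateway_authenticator_maps for the Organization" # noqa: name[template]
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_authenticator_maps.yml"
            block: |
              {% filter indent(width=2, first=true) %}
              - name: {{ organization_long_name | upper }}-members
                authenticator: {{ ldap_name }}
                revoke: true
                map_type: organization
                organization: {{ organization_long_name | upper }}
                role: Organization Member
                triggers:
                  groups:
                state: absent
              - name: {{ organization_long_name | upper }}-admins
                authenticator: {{ ldap_name }}
                revoke: true
                map_type: organization
                organization: {{ organization_long_name | upper }}
                role: Organization Admin
                triggers:
                  groups:
                state: absent
              - name: {{ organization_long_name | upper }}-admin-team
                authenticator: {{ ldap_name }}
                revoke: true
                map_type: role
                organization: {{ organization_long_name | upper }}
                team: LDAP_{{ organization_short_name | upper }}_Admins
                role: Team Member
                triggers:
                  groups:
                state: absent
              - name: {{ organization_long_name | upper }}-developers
                authenticator: {{ ldap_name }}
                revoke: true
                map_type: role
                organization: {{ organization_long_name | upper }}
                team: LDAP_{{ organization_short_name | upper }}_Developers
                role: Team Member
                triggers:
                  groups:
                state: absent
              - name: {{ organization_long_name | upper }}-operators
                authenticator: {{ ldap_name }}
                revoke: true
                map_type: role
                organization: {{ organization_long_name | upper }}
                team: LDAP_{{ organization_short_name | upper }}_Operators
                role: Team Member
                triggers:
                  groups:
                state: absent
              {% endfilter %}
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }} TEAM_MAP"
            marker_begin: "# BEGIN ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            marker_end: "# END ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            insertbefore: '^\.\.\.$'
          when: add_ldap

        - name: "Absent the gateway_teams for the Organization" # noqa: name[template]
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_teams.yml"
            block: |
              {% filter indent(width=2, first=true) %}
              - name: LDAP_{{ organization_short_name | upper }}_Admins
                organization: {{ organization_long_name | upper }}
                description: Organization Admins (LDAP)
                state: absent
              - name: LDAP_{{ organization_short_name | upper }}_Developers
                organization: {{ organization_long_name | upper }}
                description: Organization Developers (LDAP)
                state: absent
              - name: LDAP_{{ organization_short_name | upper }}_Operators
                organization: {{ organization_long_name | upper }}
                description: Organization Operators (LDAP)
                state: absent
              {% endfilter %}
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }} ORGANIZATION_MAP"
            marker_begin: "# BEGIN ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            marker_end: "# END ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            insertbefore: '^\.\.\.$'
          when: add_ldap

        - name: "Remove the organization from controller_organization.yml" # noqa: name[template]
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/controller_organization.yml"
            block: ''
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }} ORGANIZATION_CREDS"
            marker_begin: "# BEGIN ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            marker_end: "# END ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            state: absent

        # Every line that mentions the organization is dropped from the file.
        - name: "Remove the credential rights from controller_roles.yml" # noqa: name[template]
          ansible.builtin.lineinfile:
            path: "{{ _cac_checkout }}/group_vars/all/controller_roles.yml"
            regexp: '^(.*){{ organization_long_name | upper }}(.*)$'
            state: absent

        # One commit per phase; when nothing changed the push below is a
        # no-op and the pipeline of the current HEAD is what gets checked.
        - name: Commit the "absent" changes # noqa: command-instead-of-module
          ansible.builtin.shell: |
            set -e
            git add --all
            if git diff --cached --quiet; then
              echo "nothing to commit"
            else
              git {{ _git_opts }} commit --quiet -m "Organization branch Absent {{ organization_short_name }} gateway items"
            fi
            git rev-parse HEAD
          args:
            chdir: "{{ _cac_checkout }}"
          register: _commit
          changed_when: "'nothing to commit' not in _commit.stdout"

        # The last stdout line is the commit whose pipelines are awaited.
        - name: Remember the commit to wait for
          ansible.builtin.set_fact:
            _cac_sha: "{{ _commit.stdout_lines | last }}"

        # HEAD:dev pushes the commit to the remote dev branch; a fresh clone
        # has no local branch called dev or prod, so "push origin prod" would
        # fail with "src refspec does not match any".
        # NOTE(review): assumes dev and prod are both advanced from the
        # clone's default branch - confirm against the repository layout.
        # no_log: the remote URL stored in .git/config carries the token.
        - name: Push the "absent" commit to dev # noqa: command-instead-of-module
          ansible.builtin.shell: git {{ _git_opts }} push origin HEAD:dev
          args:
            chdir: "{{ _cac_checkout }}"
          environment:
            GIT_TERMINAL_PROMPT: "0"
          changed_when: true
          no_log: true

        # Poll the pipeline of exactly this commit on this ref; the list is
        # empty until GitLab has created the pipeline, so an empty answer
        # simply means "try again".
        - name: Wait for the dev pipeline of the "absent" commit
          ansible.builtin.uri:
            url: "{{ _gitlab_project_api }}/pipelines?ref=dev&sha={{ _cac_sha }}"
            validate_certs: "{{ gitlab_validate_certs }}"
            headers:
              Authorization: "Bearer {{ token }}"
          register: _pipelines
          until: >-
            _pipelines.json | length > 0
            and _pipelines.json[0].status in _pipeline_final_states
          retries: 20
          delay: 15

        - name: Stop when the dev pipeline of the "absent" commit did not succeed
          ansible.builtin.assert:
            that: _pipelines.json[0].status == 'success'
            fail_msg: "Pipeline {{ _pipelines.json[0].id }} on dev finished with status {{ _pipelines.json[0].status }}"
            quiet: true

        - name: Push the "absent" commit to prod # noqa: command-instead-of-module
          ansible.builtin.shell: git {{ _git_opts }} push origin HEAD:prod
          args:
            chdir: "{{ _cac_checkout }}"
          environment:
            GIT_TERMINAL_PROMPT: "0"
          changed_when: true
          no_log: true

        - name: Wait for the prod pipeline of the "absent" commit
          ansible.builtin.uri:
            url: "{{ _gitlab_project_api }}/pipelines?ref=prod&sha={{ _cac_sha }}"
            validate_certs: "{{ gitlab_validate_certs }}"
            headers:
              Authorization: "Bearer {{ token }}"
          register: _pipelines
          until: >-
            _pipelines.json | length > 0
            and _pipelines.json[0].status in _pipeline_final_states
          retries: 20
          delay: 15

        - name: Stop when the prod pipeline of the "absent" commit did not succeed
          ansible.builtin.assert:
            that: _pipelines.json[0].status == 'success'
            fail_msg: "Pipeline {{ _pipelines.json[0].id }} on prod finished with status {{ _pipelines.json[0].status }}"
            quiet: true

        # Phase 3: the items are gone from rhaap, now drop them from the files.
        - name: Delete the Organization from config as code
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_organizations.yml"
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_long_name | upper }}"
            marker_begin: "# BEGIN BLOCK {{ organization_long_name | upper }}"
            marker_end: "# END BLOCK {{ organization_long_name | upper }}"
            block: ""
            state: absent

        - name: Delete the organization admin from config as code
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_users.yml"
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_long_name | upper }}"
            marker_begin: "# BEGIN BLOCK {{ organization_long_name | upper }}"
            marker_end: "# END BLOCK {{ organization_long_name | upper }}"
            block: ""
            state: absent

        - name: "Delete gateway_authenticator_maps.yml" # noqa: name[template]
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_authenticator_maps.yml"
            block: ""
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }} TEAM_MAP"
            marker_begin: "# BEGIN ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            marker_end: "# END ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            state: absent
          when: add_ldap

        - name: "Delete the gateway_teams.yml" # noqa: name[template]
          ansible.builtin.blockinfile:
            path: "{{ _cac_checkout }}/group_vars/all/gateway_teams.yml"
            block: ""
            marker: "# {mark} ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }} ORGANIZATION_MAP"
            marker_begin: "# BEGIN ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            marker_end: "# END ANSIBLE MANAGED BLOCK {{ organization_short_name | upper }}"
            state: absent
          when: add_ldap

        - name: Commit the cleanup # noqa: command-instead-of-module
          ansible.builtin.shell: |
            set -e
            git add --all
            if git diff --cached --quiet; then
              echo "nothing to commit"
            else
              git {{ _git_opts }} commit --quiet -m "Organization branch Cleanup files {{ organization_short_name }} removed"
            fi
            git rev-parse HEAD
          args:
            chdir: "{{ _cac_checkout }}"
          register: _commit
          changed_when: "'nothing to commit' not in _commit.stdout"

        - name: Remember the cleanup commit to wait for
          ansible.builtin.set_fact:
            _cac_sha: "{{ _commit.stdout_lines | last }}"

        # Run the pipeline for the Development Environment
        - name: Push the cleanup commit to dev # noqa: command-instead-of-module
          ansible.builtin.shell: git {{ _git_opts }} push origin HEAD:dev
          args:
            chdir: "{{ _cac_checkout }}"
          environment:
            GIT_TERMINAL_PROMPT: "0"
          changed_when: true
          no_log: true

        - name: Wait for the dev pipeline of the cleanup commit
          ansible.builtin.uri:
            url: "{{ _gitlab_project_api }}/pipelines?ref=dev&sha={{ _cac_sha }}"
            validate_certs: "{{ gitlab_validate_certs }}"
            headers:
              Authorization: "Bearer {{ token }}"
          register: _pipelines
          until: >-
            _pipelines.json | length > 0
            and _pipelines.json[0].status in _pipeline_final_states
          retries: 20
          delay: 15

        - name: Stop when the dev pipeline of the cleanup commit did not succeed
          ansible.builtin.assert:
            that: _pipelines.json[0].status == 'success'
            fail_msg: "Pipeline {{ _pipelines.json[0].id }} on dev finished with status {{ _pipelines.json[0].status }}"
            quiet: true

        # Run the pipeline for the Production Environment
        - name: Push the cleanup commit to prod # noqa: command-instead-of-module
          ansible.builtin.shell: git {{ _git_opts }} push origin HEAD:prod
          args:
            chdir: "{{ _cac_checkout }}"
          environment:
            GIT_TERMINAL_PROMPT: "0"
          changed_when: true
          no_log: true

        - name: Wait for the prod pipeline of the cleanup commit
          ansible.builtin.uri:
            url: "{{ _gitlab_project_api }}/pipelines?ref=prod&sha={{ _cac_sha }}"
            validate_certs: "{{ gitlab_validate_certs }}"
            headers:
              Authorization: "Bearer {{ token }}"
          register: _pipelines
          until: >-
            _pipelines.json | length > 0
            and _pipelines.json[0].status in _pipeline_final_states
          retries: 20
          delay: 15

        - name: Stop when the prod pipeline of the cleanup commit did not succeed
          ansible.builtin.assert:
            that: _pipelines.json[0].status == 'success'
            fail_msg: "Pipeline {{ _pipelines.json[0].id }} on prod finished with status {{ _pipelines.json[0].status }}"
            quiet: true

      always:
        # Remove the checkout (and the token inside its .git/config) no matter
        # how the block ended.
        - name: Delete the temporary working directory
          ansible.builtin.file:
            path: "{{ _workdir.path }}"
            state: absent
          when: _workdir is defined and _workdir.path is defined

    # Phase 4: delete what is left on the controllers without an organization.
    # Both controllers are handled by one task each; the loop label keeps the
    # admin credentials out of the task output.
    # page_size widens the single page that is read; orphans beyond 200 per
    # type need another run (the "next" page is not followed).
    # NOTE(review): validate_certs is false for every controller call because
    # no variable for it is visible in this playbook - consider adding one.
    - name: Controller | Read the job templates without an organization
      ansible.builtin.uri:
        url: "https://{{ item.name }}/api/controller/v2/job_templates/?organization=null&page_size=200"
        user: "{{ item.aap_admin_user }}"
        password: "{{ item.aap_admin_password }}"
        method: GET
        force_basic_auth: true
        validate_certs: false
      loop: "{{ _controllers }}"
      loop_control:
        label: "{{ item.name }}"
      register: _job_templates

    - name: Controller | Read the workflow job templates without an organization
      ansible.builtin.uri:
        url: "https://{{ item.name }}/api/controller/v2/workflow_job_templates/?organization=null&page_size=200"
        user: "{{ item.aap_admin_user }}"
        password: "{{ item.aap_admin_password }}"
        method: GET
        force_basic_auth: true
        validate_certs: false
      loop: "{{ _controllers }}"
      loop_control:
        label: "{{ item.name }}"
      register: _workflow_job_templates

    - name: Controller | Read the projects without an organization
      ansible.builtin.uri:
        url: "https://{{ item.name }}/api/controller/v2/projects/?organization=null&page_size=200"
        user: "{{ item.aap_admin_user }}"
        password: "{{ item.aap_admin_password }}"
        method: GET
        force_basic_auth: true
        validate_certs: false
      loop: "{{ _controllers }}"
      loop_control:
        label: "{{ item.name }}"
      register: _projects

    # subelements pairs each controller's GET result (item.0, whose .item is
    # the controller dict) with every entry of its json.results (item.1).
    # Order matters: workflows reference job templates, job templates
    # reference projects.
    - name: Remove stale workflow_job_templates
      ansible.builtin.uri:
        url: "https://{{ item.0.item.name }}/api/controller/v2/workflow_job_templates/{{ item.1.id }}/"
        user: "{{ item.0.item.aap_admin_user }}"
        password: "{{ item.0.item.aap_admin_password }}"
        method: DELETE
        headers:
          Content-Type: application/json
        force_basic_auth: true
        validate_certs: false
        status_code: 204
      loop: "{{ _workflow_job_templates.results | subelements('json.results') }}"
      loop_control:
        label: "{{ item.0.item.name }}: {{ item.1.name }}"

    - name: Remove stale job_templates
      ansible.builtin.uri:
        url: "https://{{ item.0.item.name }}/api/controller/v2/job_templates/{{ item.1.id }}/"
        user: "{{ item.0.item.aap_admin_user }}"
        password: "{{ item.0.item.aap_admin_password }}"
        method: DELETE
        headers:
          Content-Type: application/json
        force_basic_auth: true
        validate_certs: false
        status_code: 204
      loop: "{{ _job_templates.results | subelements('json.results') }}"
      loop_control:
        label: "{{ item.0.item.name }}: {{ item.1.name }}"

    - name: Remove stale projects
      ansible.builtin.uri:
        url: "https://{{ item.0.item.name }}/api/controller/v2/projects/{{ item.1.id }}/"
        user: "{{ item.0.item.aap_admin_user }}"
        password: "{{ item.0.item.aap_admin_password }}"
        method: DELETE
        headers:
          Content-Type: application/json
        force_basic_auth: true
        validate_certs: false
        status_code: 204
      loop: "{{ _projects.results | subelements('json.results') }}"
      loop_control:
        label: "{{ item.0.item.name }}: {{ item.1.name }}"
    # End Phase 4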