gateway_role_user_assignments
In this file we configure the role a user has within automation platform.
The infra.aap_configuration collection expects the vaules in the variable: gateway_role_user_assignments.
As we intend to configure everything just once, we spit the set of vars into the environments and join the lists in the main.yml, before calling the collection.
If there are no role_user_assignments defined, do not add this file.
If you do, ensure the file is present in all branches, with the correct content, described below.
group_vars/all/gateway_role_user_assignments.yml
---
gateway_role_user_assignments_all:
- role_definition: Organization Member
user: wilco
object_ids: MGT
- role_definition: Organization Member
user: coll_upload
object_ids: MGT
- role_definition: Team Member
user: coll_upload
object_ids: hub_coll_team
- role_definition: Organization Member
user: coll_get
object_ids: MGT
- role_definition: Team Member
user: coll_get
object_ids: hub_coll_team
- role_definition: Organization Member
user: ee_upload
object_ids: MGT
- role_definition: Team Member
user: ee_upload
object_ids: hub_ee_team
- role_definition: Organization Member
user: ee_pull
object_ids: MGT
- role_definition: Team Member
user: ee_pull
object_ids: hub_ee_team
- role_definition: Organization Admin
user: mgt
object_ids: MGT
- role_definition: Organization Admin
user: CaC_admin_MGT
object_ids: MGT
...
But you can already see that the variable name used here has the "_all" extension, so the variable will not be overridden as this is not quite a inventory.
Why we do this, will become clear in a moment.
group_vars/dev/gateway_role_user_assignments.yml
As we do not configure extra role_user_assignments in rhaap, this file is an empty set.
---
gateway_role_user_assignments_dev: []
# No extra config exists
...
Here the variable has the "_dev" extension, so the variable will not be overridden.
group_vars/prod/gateway_role_user_assignments.yml
As we do not configure extra role_user_asignments in rhaap, this file is an empty set.
---
gateway_role_user_assignments_prod: []
# No extra config exists
...
Here the variable has the "_prod" extension, so the variable will not be overridden.
When we run a pipeline for a certain environment, the inventory structure will provide us with 2 variables:
- gateway_role_user_assignments_all
- gateway_role_user_assignments_
We will merge these 2 variables into 1: gateway_role_user_assignments and feed this to the infra.aap_configuration.gateway_role_user_assignments role.
In main.yml the merge of the variables is done by this piece of code:
- name: Set the gateway vars
ansible.builtin.set_fact:
gateway_role_user_assignments: >
{{ gateway_role_user_assignments_all |
community.general.lists_mergeby(vars['gateway_role_user_assignments_' + branch_name],
'role_definition', recursive=true, list_merge='append') }}
This results in the gateway_role_user_assignments variable the collection needs.