Tagging - wafv2_web_acl add support for managing and purging tags

ansible-collections · Jun 7, 2022 · 4a8b388 · 4a8b388
1 parent 01f3274
commit 4a8b388
Show file tree

Hide file tree

Showing 5 changed files with 288 additions and 11 deletions.
diff --git a/changelogs/fragments/1218-tagging-wafv2_web_acl.yml b/changelogs/fragments/1218-tagging-wafv2_web_acl.yml
@@ -0,0 +1,6 @@
+minor_changes:
+- wafv2_web_acl_info - added support for returning tags (https://github.com/ansible-collections/community.aws/pull/1218).
+- wafv2_web_acl - added support for returning tags (https://github.com/ansible-collections/community.aws/pull/1218).
+- wafv2_web_acl - Added support for ``purge_tags`` (https://github.com/ansible-collections/community.aws/pull/1218).
+- wafv2_web_acl - Added support for updating tags (https://github.com/ansible-collections/community.aws/pull/1218).
+- wafv2_web_acl - ``resource_tags`` has been added as an alias for the ``tags`` parameter (https://github.com/ansible-collections/community.aws/pull/1218).
diff --git a/plugins/modules/wafv2_web_acl.py b/plugins/modules/wafv2_web_acl.py
@@ -57,10 +57,6 @@
         - Name of cloudwatch metrics.
         - If not given and cloudwatch_metrics is enabled, the name of the web acl itself will be taken.
       type: str
-    tags:
-      description:
-        - tags for wafv2 web acl.
-      type: dict
     rules:
       description:
         - The Rule statements used to identify the web requests that you want to allow, block, or count.
@@ -102,9 +98,13 @@
       default: yes
       type: bool
 
+notes:
+  - Support for the I(purge_tags) parameter was added in release 4.0.0.
+
 extends_documentation_fragment:
-- amazon.aws.aws
-- amazon.aws.ec2
+  - amazon.aws.aws
+  - amazon.aws.ec2
+  - amazon.aws.tags
 
 '''
 
@@ -323,6 +323,8 @@
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import snake_dict_to_camel_dict
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import compare_priority_rules
+from ansible_collections.community.aws.plugins.module_utils.wafv2 import describe_wafv2_tags
+from ansible_collections.community.aws.plugins.module_utils.wafv2 import ensure_wafv2_tags
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import wafv2_list_web_acls
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import wafv2_snake_dict_to_camel_dict
 
@@ -403,6 +405,8 @@ def get_web_acl(self):
                 )
             except (BotoCoreError, ClientError) as e:
                 self.fail_json_aws(e, msg="Failed to get wafv2 web acl.")
+            tags = describe_wafv2_tags(self.wafv2, arn, self.fail_json_aws)
+            existing_acl['tags'] = tags
         return existing_acl, id, locktoken
 
     def list(self):
@@ -461,9 +465,10 @@ def main():
         sampled_requests=dict(type='bool', default=False),
         cloudwatch_metrics=dict(type='bool', default=True),
         metric_name=dict(type='str'),
-        tags=dict(type='dict'),
+        tags=dict(type='dict', aliases=['resource_tags']),
+        purge_tags=dict(default=True, type='bool'),
         custom_response_bodies=dict(type='dict'),
-        purge_rules=dict(default=True, type='bool')
+        purge_rules=dict(default=True, type='bool'),
     )
 
     module = AnsibleAWSModule(
@@ -482,6 +487,7 @@ def main():
     cloudwatch_metrics = module.params.get("cloudwatch_metrics")
     metric_name = module.params.get("metric_name")
     tags = module.params.get("tags")
+    purge_tags = module.params.get("purge_tags")
     purge_rules = module.params.get("purge_rules")
     check_mode = module.check_mode
 
@@ -506,12 +512,14 @@ def main():
     if not metric_name:
         metric_name = name
 
-    web_acl = WebACL(module.client('wafv2'), name, scope, module.fail_json_aws)
+    wafv2 = module.client('wafv2')
+    web_acl = WebACL(wafv2, name, scope, module.fail_json_aws)
     change = False
     retval = {}
 
     if state == 'present':
         if web_acl.get():
+            tags_changed = ensure_wafv2_tags(wafv2, web_acl.get().get('WebACL').get('ARN'), tags, purge_tags, module.fail_json_aws, module.check_mode)
             change, rules = compare_priority_rules(web_acl.get().get('WebACL').get('Rules'), rules, purge_rules, state)
             change = change or (description and web_acl.get().get('WebACL').get('Description') != description)
             change = change or (default_action and web_acl.get().get('WebACL').get('DefaultAction') != default_action)
@@ -526,9 +534,12 @@ def main():
                     metric_name,
                     custom_response_bodies
                 )
-
+            elif tags_changed:
+                retval, id, locktoken = web_acl.get_web_acl()
             else:
-                retval = web_acl.get().get('WebACL')
+                retval = web_acl.get()
+
+            change |= tags_changed
 
         else:
             change = True

diff --git a/plugins/modules/wafv2_web_acl_info.py b/plugins/modules/wafv2_web_acl_info.py
@@ -96,6 +96,7 @@
 
 from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
+from ansible_collections.community.aws.plugins.module_utils.wafv2 import describe_wafv2_tags
 from ansible_collections.community.aws.plugins.module_utils.wafv2 import wafv2_list_web_acls
 
 
@@ -132,15 +133,19 @@ def main():
     response = wafv2_list_web_acls(wafv2, scope, module.fail_json_aws)
 
     id = None
+    arn = None
     retval = {}
 
     for item in response.get('WebACLs'):
         if item.get('Name') == name:
             id = item.get('Id')
+            arn = item.get('ARN')
 
     if id:
         existing_acl = get_web_acl(wafv2, name, scope, id, module.fail_json_aws)
         retval = camel_dict_to_snake_dict(existing_acl.get('WebACL'))
+        tags = describe_wafv2_tags(wafv2, arn, module.fail_json_aws)
+        retval['tags'] = tags
 
     module.exit_json(**retval)
 

diff --git a/tests/integration/targets/wafv2_web_acl/tasks/main.yml b/tests/integration/targets/wafv2_web_acl/tasks/main.yml
@@ -512,6 +512,7 @@
           - out.rules[0].statement.geo_match_statement.country_codes[0] == 'DE'
 
     - include_tasks: 'description.yml'
+    - include_tasks: 'tags.yml'
 
     - name: re-read webacl
       wafv2_web_acl_info:

diff --git a/tests/integration/targets/wafv2_web_acl/tasks/tags.yml b/tests/integration/targets/wafv2_web_acl/tasks/tags.yml
@@ -0,0 +1,254 @@
+- name: Tests relating to setting tags on wavf2_web_acl
+  vars:
+    first_tags:
+      'Key with Spaces': Value with spaces
+      CamelCaseKey: CamelCaseValue
+      pascalCaseKey: pascalCaseValue
+      snake_case_key: snake_case_value
+    second_tags:
+      'New Key with Spaces': Value with spaces
+      NewCamelCaseKey: CamelCaseValue
+      newPascalCaseKey: pascalCaseValue
+      new_snake_case_key: snake_case_value
+    third_tags:
+      'Key with Spaces': Value with spaces
+      CamelCaseKey: CamelCaseValue
+      pascalCaseKey: pascalCaseValue
+      snake_case_key: snake_case_value
+      'New Key with Spaces': Updated Value with spaces
+    final_tags:
+      'Key with Spaces': Value with spaces
+      CamelCaseKey: CamelCaseValue
+      pascalCaseKey: pascalCaseValue
+      snake_case_key: snake_case_value
+      'New Key with Spaces': Updated Value with spaces
+      NewCamelCaseKey: CamelCaseValue
+      newPascalCaseKey: pascalCaseValue
+      new_snake_case_key: snake_case_value
+  # Mandatory settings
+  module_defaults:
+    community.aws.wafv2_web_acl:
+      name: '{{ web_acl_name }}'
+      state: present
+      scope: REGIONAL
+      purge_rules: no
+      rules: []
+      default_action: Allow
+    community.aws.wafv2_web_acl_info:
+      name: '{{ web_acl_name }}'
+      scope: REGIONAL
+  block:
+
+  - name: test adding tags to wafv2_web_acl (check mode)
+    wafv2_web_acl:
+      tags: '{{ first_tags }}'
+      purge_tags: True
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+
+  - name: test adding tags to wafv2_web_acl
+    wafv2_web_acl:
+      tags: '{{ first_tags }}'
+      purge_tags: True
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+      - update_result.tags == first_tags
+
+  - name: test adding tags to wafv2_web_acl - idempotency (check mode)
+    wafv2_web_acl:
+      tags: '{{ first_tags }}'
+      purge_tags: True
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+
+  - name: test adding tags to wafv2_web_acl - idempotency
+    wafv2_web_acl:
+      tags: '{{ first_tags }}'
+      purge_tags: True
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+      - update_result.tags == first_tags
+
+  ###
+
+  - name: test updating tags with purge on wafv2_web_acl (check mode)
+    wafv2_web_acl:
+      tags: '{{ second_tags }}'
+      purge_tags: True
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+
+  - name: test updating tags with purge on wafv2_web_acl
+    wafv2_web_acl:
+      tags: '{{ second_tags }}'
+      purge_tags: True
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+      - update_result.tags == second_tags
+
+  - name: test updating tags with purge on wafv2_web_acl - idempotency (check mode)
+    wafv2_web_acl:
+      tags: '{{ second_tags }}'
+      purge_tags: True
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+
+  - name: test updating tags with purge on wafv2_web_acl - idempotency
+    wafv2_web_acl:
+      tags: '{{ second_tags }}'
+      purge_tags: True
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+      - update_result.tags == second_tags
+
+  ###
+
+  - name: test updating tags without purge on wafv2_web_acl (check mode)
+    wafv2_web_acl:
+      tags: '{{ third_tags }}'
+      purge_tags: False
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+
+  - name: test updating tags without purge on wafv2_web_acl
+    wafv2_web_acl:
+      tags: '{{ third_tags }}'
+      purge_tags: False
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+      - update_result.tags == final_tags
+
+  - name: test updating tags without purge on wafv2_web_acl - idempotency (check mode)
+    wafv2_web_acl:
+      tags: '{{ third_tags }}'
+      purge_tags: False
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+
+  - name: test updating tags without purge on wafv2_web_acl - idempotency
+    wafv2_web_acl:
+      tags: '{{ third_tags }}'
+      purge_tags: False
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+      - update_result.tags == final_tags
+
+  ###
+
+  - name: test that wafv2_web_acl_info returns the tags
+    wafv2_web_acl_info:
+    register: tag_info
+  - name: assert tags present
+    assert:
+      that:
+      - tag_info.tags == final_tags
+
+  ###
+
+  - name: test no tags param wafv2_web_acl (check mode)
+    wafv2_web_acl: {}
+    register: update_result
+    check_mode: yes
+  - name: assert no change
+    assert:
+      that:
+      - update_result is not changed
+      - update_result.tags == final_tags
+
+
+  - name: test no tags param wafv2_web_acl
+    wafv2_web_acl: {}
+    register: update_result
+  - name: assert no change
+    assert:
+      that:
+      - update_result is not changed
+      - update_result.tags == final_tags
+
+  ###
+
+  - name: test removing tags from wafv2_web_acl (check mode)
+    wafv2_web_acl:
+      tags: {}
+      purge_tags: True
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+
+  - name: test removing tags from wafv2_web_acl
+    wafv2_web_acl:
+      tags: {}
+      purge_tags: True
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is changed
+      - update_result.tags == {}
+
+  - name: test removing tags from wafv2_web_acl - idempotency (check mode)
+    wafv2_web_acl:
+      tags: {}
+      purge_tags: True
+    register: update_result
+    check_mode: yes
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+
+  - name: test removing tags from wafv2_web_acl - idempotency
+    wafv2_web_acl:
+      tags: {}
+      purge_tags: True
+    register: update_result
+  - name: assert that update succeeded
+    assert:
+      that:
+      - update_result is not changed
+      - update_result.tags == {}