Add task to create token

add defaults
remove extra hosts from inventory for now
2024-01-21 17:13:54 -05:00 · 2024-01-21 17:12:36 -05:00 · 2024-01-21 17:12:27 -05:00 · 2024-01-21 17:12:13 -05:00 · 2024-01-21 15:20:14 -05:00 · 2024-01-21 14:18:09 -05:00
10 changed files with 164 additions and 0 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -13,4 +13,6 @@ insert_final_newline = true

 [*.md]
 trim_trailing_whitespace = false
+
+[*.{yml,md}]
 indent_size = 2
--- a/playbooks/create-api-user.yml
+++ b/playbooks/create-api-user.yml
@@ -0,0 +1,12 @@
+---
+
+# * This playbook will use the root user account that
+# * has an ssh key to create a new user for API access
+
+- name: Create Proxmox API User
+  gather_facts: false
+  hosts: proxmox_hosts
+  roles:
+    - role: create-api-user
+
+...
--- a/playbooks/inventories/.gitkeep
+++ b/playbooks/inventories/.gitkeep
--- a/playbooks/inventories/group_vars/all.yml
+++ b/playbooks/inventories/group_vars/all.yml
@@ -0,0 +1,9 @@
+---
+
+#~ always loaded ~#
+
+api_user_name: terraform
+api_group_role: PVEVMAdmin  # Virtual Machine Administrator
+api_object_path: /vms  # Access to VMs
+
+...
--- a/playbooks/inventories/inventory.yml
+++ b/playbooks/inventories/inventory.yml
@@ -0,0 +1,5 @@
+proxmox_hosts:
+  hosts:
+    vulpes.c0de.online:
+  vars:
+    ansible_user: root
--- a/playbooks/roles/.gitkeep
+++ b/playbooks/roles/.gitkeep
--- a/playbooks/roles/create-api-user/defaults/main.yml
+++ b/playbooks/roles/create-api-user/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+api_group_name: provisioning
+api_user_name: ansible
+api_auth_realm: pve
+api_object_path: /
+
+...
--- a/playbooks/roles/create-api-user/meta/argument_spec.yml
+++ b/playbooks/roles/create-api-user/meta/argument_spec.yml
@@ -0,0 +1,59 @@
+---
+
+# roles/create-api-user/meta/argument_specs.yml
+
+argument_specs:
+  main:
+    author:
+      - Code Fox
+    short_description: Creates an API user in proxmox using SSH key auth
+    description:
+      - Creates an API user in proxmox using SSH key auth
+      - The root user should already exist, and have an ssh key configured
+      - If nothing is provided, a provisioning group will be created, with
+      - an ansible user that has NoAccess
+      - Group permission assignment should be preferred
+
+    options:
+      api_group_role:
+        type: str
+        required: false
+        default: NoAccess
+        description:
+          - The Proxmox role to assign to the group
+          - By default NoAccess is allowed
+          - Default Roles can be found in the documentation
+          - https://pve.proxmox.com/wiki/User_Management#pveum_permission_management
+
+      api_group_name:
+        type: str
+        required: false
+        default: provisioning
+        description:
+          - The group that will be assigned permissions
+          - Users get their permissions from the group
+          - Subsequent runs will put the users in the same group
+
+      api_user_name:
+        type: str
+        required: false
+        default: ansible
+        description: The user-name of the account that will get an API token
+
+      api_auth_realm:
+        type: str
+        required: false
+        default: pve
+        description: The authentication backend provider
+
+      api_object_path:
+        type: str
+        required: false
+        default: /
+        description:
+          - The path to resources in the Proxmox Object Permission schema
+          - The default is all objects
+          - More details can be found in the documentation in the objects and paths section
+          - https://pve.proxmox.com/wiki/User_Management#pveum_permission_management
+
+...
--- a/playbooks/roles/create-api-user/tasks/main.yml
+++ b/playbooks/roles/create-api-user/tasks/main.yml
@@ -0,0 +1,63 @@
+---
+
+- name: Get list of users
+  ansible.builtin.shell: pveum user list --output-format json
+  register: user_list
+
+- name: Determine if our user is in the list
+  set_fact:
+    found_users: "{{ user_list.stdout | from_json | community.general.json_query(jq) }}"
+  vars:
+    jq: "[?userid == '{{ api_user_name }}@{{ api_auth_realm }}'].userid"
+
+- name: "Fail if {{ api_user_name }} User exists"
+  ansible.builtin.fail:
+    msg: "{{ api_user_name }} already exists. Nothing to do."
+  when: found_users | length >= 1
+
+- name: Get list of groups
+  ansible.builtin.shell: pveum group list --output-format json
+  register: group_list
+
+- name: "Determine if {{ api_group_name }} is in the list"
+  set_fact:
+    found_groups: "{{ group_list.stdout | from_json | community.general.json_query(jq) }}"
+  vars:
+    jq: "[?groupid == '{{ api_group_name }}'].groupid"
+
+- name: "Create {{ api_group_name }} Group if it does not already exist"
+  ansible.builtin.shell: "pveum group add {{ api_group_name }}"
+  when: found_groups | length <= 0
+
+- name: "Assign {{ api_group_role }} Role to {{ api_group_name }} on {{ api_object_path }} Objects"
+  ansible.builtin.shell: "pveum acl modify {{ api_object_path }} -group {{ api_group_name }} -role {{ api_group_role }}"
+  when: found_groups | length <= 0
+
+- name: "Create {{ api_user_name }} User and add it to the {{ api_group_name }} Group"
+  ansible.builtin.shell: "pveum user add {{ api_user_name }}@{{ api_auth_realm }} -groups {{ api_group_name }}"
+
+- name: "Create API Token for {{ api_user_name }}"
+  ansible.builtin.shell: >
+    pveum user token add {{ api_user_name }}@{{ api_auth_realm }} api_token -privsep 0 --output-format json | jq '.value'
+  register: api_user_token
+
+- name: Print the token secret
+  debug:
+    msg: >
+      Token ID: {{ api_user_name }}@{{ api_auth_realm }}!api_token
+      Token Secret: {{ api_user_token.stdout }}
+
+# FIXME: We're failing to auth here
+# TASK [create-api-user : Verify API Token works] ********************************
+# An exception occurred during task execution. To see the full traceback, use -vvv. The error was: proxmoxer.core.ResourceException: 401 Unauthorized: invalid token value! - {'errors': b''}
+# fatal: [vulpes.c0de.online -> localhost]: FAILED! => {"changed": false, "msg": "401 Unauthorized: invalid token value! - {'errors': b''}"}
+- name: Verify API Token works
+  community.general.proxmox_vm_info:
+    api_host: "{{ inventory_hostname }}"
+    validate_certs: true
+    api_user: "{{ api_user_name }}@{{ api_auth_realm }}"
+    api_token_id: "api_token"
+    api_token_secret: "{{ api_user_token.stdout }}"
+  delegate_to: localhost
+
+...
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,10 +5,13 @@ ansible-lint==6.22.2
 attrs==23.2.0
 black==23.12.1
 bracex==2.4
+certifi==2023.11.17
 cffi==1.16.0
+charset-normalizer==3.3.2
 click==8.1.7
 cryptography==41.0.7
 filelock==3.13.1
+idna==3.6
 Jinja2==3.1.3
 jsonschema==4.21.1
 jsonschema-specifications==2023.12.1
@@ -19,15 +22,18 @@ mypy-extensions==1.0.0
 packaging==23.2
 pathspec==0.12.1
 platformdirs==4.1.0
+proxmoxer==2.0.1
 pycparser==2.21
 Pygments==2.17.2
 PyYAML==6.0.1
 referencing==0.32.1
+requests==2.31.0
 resolvelib==1.0.1
 rich==13.7.0
 rpds-py==0.17.1
 ruamel.yaml==0.18.5
 ruamel.yaml.clib==0.2.8
 subprocess-tee==0.4.1
+urllib3==2.1.0
 wcmatch==8.5
 yamllint==1.33.0
Author	SHA1	Message	Date
c0de	eca9b4d382	Add task to create token	2024-01-21 17:13:54 -05:00
c0de	7c34fc53d3	add defaults	2024-01-21 17:12:36 -05:00
c0de	3a353d1e9a	remove extra hosts from inventory for now	2024-01-21 17:12:27 -05:00
c0de	f8f5563ca3	add auth realm to arg spec	2024-01-21 17:12:13 -05:00
c0de	dded3a13b4	change var name to match group	2024-01-21 15:20:14 -05:00
c0de	75c4a665f4	Add role: create-api-user	2024-01-21 14:18:09 -05:00
c0de	852841036d	update all variables	2024-01-21 14:17:50 -05:00
c0de	b36b672c18	add playbook for creating api user	2024-01-21 14:17:38 -05:00
c0de	3a23b5d7be	install proxmoxer and requests	2024-01-21 14:16:38 -05:00
c0de	0f858f2cf3	create inventory	2024-01-21 13:29:29 -05:00
c0de	709c5bf674	update editorconfig for yml files	2024-01-21 13:29:14 -05:00
c0de	65d3a37ec5	Add all group_vars	2024-01-21 13:22:12 -05:00