This extension gives you more control over the variable merging process of the lookup plugin `merge_variables`. It closes the gap between Puppet's Hiera merging capabilities and the limitations of Ansible's default variable plugin `host_group_vars` regarding fragment-based value definition. You can now decide which merge strategy should be applied to dicts, lists, and other types. Furthermore, you can specify a merge strategy that should be applied in case of type conflicts.
The default behavior of the plugin has been preserved so that it is fully backward-compatible with the already implemented state.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* adds parameter delimiters to from_ini filter
fixes issue #11506
* adds changelog fragment
* fixes pylint dangerous-default-value / W0102
* does not assume default delimiters
let that be decided in the super class
* Update plugins/filter/from_ini.py
verbose description
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update changelogs/fragments/11512-from_ini-delimiters.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* adds input validation
* adss check for delimiters not None
* adds missing import
* removes the negation
* adds suggestions from russoz
* adds ruff format suggestion
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat: Icinga 2 downtime module added allowing to schedule and remove downtimes through its REST API.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* ensure compatibility with ModuleTestCase
feat: errors raised from MH now contain the changed flag
ref: move module exit out of the decorated run method
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* revised module
ref: module refactored using StateModuleHelper now
ref: suggested changes by reviewer added
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* revert change regarding changed flag in MH
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* refactoring and set changed flag explicitly on error
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Check whether there was a state change on module failure removed.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* ref: test cases migrated to the new feature that allows passing through exceptions
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Update plugins/module_utils/icinga2.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/module_utils/icinga2.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/icinga2_downtime.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* ref: make module helper private
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* fix: ensure that all non-null values are added to the request otherwise a `false` value is dropped
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* ref: module description extended with the note that check mode is not supported
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Update plugins/modules/icinga2_downtime.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix: documentation updated
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* ref: documentation updated
ref: doc fragment added
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Update plugins/doc_fragments/icinga2_api.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* ref: doc fragment renamed to `_icinga2_api.py`
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* ref: maintainer to doc fragment in BOTMETA.yml added
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Update plugins/modules/icinga2_downtime.py
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* Update plugins/modules/icinga2_downtime.py
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* Update plugins/modules/icinga2_downtime.py
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---------
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* add support for localizationTexts in keycloak_realm.py
* add changelog fragment
* change version added to next minor release
* Update changelogs/fragments/11513-keycloak-realm-localizationTexts-support.yml
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* Update plugins/modules/keycloak_realm.py
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---------
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* reduce build time with build_ignore
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
* just ignore .nox
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---------
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
* Add Azure Log Analytics Ingestion API plugin
The Ingestion API allows sending data to a Log Analytics workspace in
Azure Monitor.
* Fix LogAnalytics Ingestion shebang
* Fix Log Analytics Ingestion pep8 tests
* Fix Log Analytics Ingestion pylint tests
* Fix Log Analytics Ingestion import tests
* Fix Log Analytics Ingestion pylint test
* Add Log Analytics Ingestion auth timeout
Previous behavior was to use the 'request' module's default timeout;
this makes auth timeout value consistent with the task submission
timeout value.
* Display Log Analytics Ingestion event data as JSON
Previous behavior was to display the data as a Python dictionary.
The new behavior makes it easier to generate a sample JSON file in order
to import into Azure when creating the table.
* Add Azure Log Analytics Ingestion timeout param
This parameter controls how long the plugin will wait for an HTTP response
from the Azure Log Analytics API before considering the request a failure.
Previous behavior was hardcoded to 2 seconds.
* Fix Azure Log Ingestion unit test
The class instantiation was missing an additional argument that was added
in a previous patch; add it. Converting to JSON also caused the Mock
TaskResult object to throw a serialization error; override the function
for JSON conversion to just return bogus data instead.
* Fix loganalytics_ingestion linter errors
* Fix LogAnalytics Ingestion env vars
Prefix the LogAnalytics Ingestion plugin's environment variable names
with 'ANSIBLE_' in order to align with plugin best practices.
* Remove LogAnalytics 'requests' dep from docs
The LogAnalytics callback plugin does not actually require 'requests',
so remove it from the documented dependencies.
* Refactor LogAnalytics Ingestion to use URL utils
This replaces the previous behavior of depending on the external
'requests' library.
* Simplify LogAnalytics Ingestion token valid check
Co-authored-by: Felix Fontein <felix@fontein.de>
* Remove LogAnalytics Ingestion extra arg validation
Argument validation should be handled by ansible-core, so remove the
extra argument validation in the plugin itself.
* Update LogAnalytics Ingestion version added
* Remove LogAnalytics Ingestion coding marker
The marker is no longer needed as Python2 is no longer supported.
* Fix some LogAnalytics Ingestion grammar errors
* Refactor LogAnalytics Ingestion plugin messages
Consistently use "plugin" instead of module, and refer to the module by
its FQCN instead of its prose name.
* Remove LogAnalytics Ingestion extra logic
A few unused vars were being set; stop setting them.
* Fix LogAnalytics Ingestion nox sanity tests
* Fix LogAnalytics Ingestion unit tests
The refactor to move away from the 'requests' dependency to use
module_utils broke the plugin's unit tests; re-write the plugin's unit
tests for module_utils.
* Add nox formatting to LogAnalytics Ingestion
* Fix Log Analytics Ingestion urllib import
Remove the compatibility import via 'six' for 'urllib' since Python 2
support is no longer supported.
* Bump LogAnalytics Ingestion plugin version added
* Remove LogAnalytics Ingestion required: false docs
Required being false is the default, so no need to explicitly add it.
* Simplify LogAnalytics Ingestion role name logic
* Clean LogAnalytics Ingestion redundant comments
* Clean LogAnalytics Ingestion unit test code
Rename all Mock objects to use snake_case and consistently use '_mock'
as a suffix instead of sometimes using it as a prefix and sometimes
using it as a suffix.
* Refactor LogAnalytics Ingestion unit tests
Move all of the tests outside of the 'setUp' method.
* Refactor LogAnalytics Ingestion test
Add a test to validate that part of the contents sent match what was
supposed to be sent.
* Refactor LogAnalytics Ingestion test
Make the names consistent again.
* Add LogAnalytics Ingestion sample data docs
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix(keycloak_user_rolemapping): handle None response for client role lookup
When adding a client role to a user who has no existing roles for that
client, get_client_user_rolemapping_by_id() returns None. The existing
code indexed directly into the result causing a TypeError. Add the same
None check that already existed for realm roles since PR #11256.
Fixes#10960
* fix(tests): use dict format for task vars in keycloak_user_rolemapping tests
Task-level vars requires a YAML mapping, not a sequence. The leading
dash (- roles:) produced a list instead of a dict, which ansible-core
2.20 rejects with "Vars in a Task must be specified as a dictionary".
* Update changelogs/fragments/keycloak-user-rolemapping-client-none-check.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat(keycloak_realm_key): add support for auto-generated key providers
Add support for Keycloak's auto-generated key providers where Keycloak
manages the key material automatically:
- rsa-generated: Auto-generates RSA signing keys
- hmac-generated: Auto-generates HMAC signing keys
- aes-generated: Auto-generates AES encryption keys
- ecdsa-generated: Auto-generates ECDSA signing keys
New algorithms:
- HMAC: HS256, HS384, HS512
- ECDSA: ES256, ES384, ES512
- AES: AES (no algorithm parameter needed)
New config options:
- secret_size: For HMAC/AES providers (key size in bytes)
- key_size: For RSA-generated provider (key size in bits)
- elliptic_curve: For ECDSA-generated provider (P-256, P-384, P-521)
Changes:
- Make private_key/certificate optional (only required for rsa/rsa-enc)
- Add provider-algorithm validation with clear error messages
- Fix KeyError when managing default realm keys (issue #11459)
- Maintain backward compatibility: RS256 default works for rsa/rsa-generated
Fixes: #11459
* fix: address sanity test failures
- Add 'default: RS256' to algorithm documentation to match spec
- Add no_log=True to secret_size parameter per sanity check
* feat(keycloak_realm_key): extend support for all Keycloak key providers
Add support for remaining auto-generated key providers:
- rsa-enc-generated (RSA encryption keys with RSA1_5, RSA-OAEP, RSA-OAEP-256)
- ecdh-generated (ECDH key exchange with ECDH_ES, ECDH_ES_A128KW/A192KW/A256KW)
- eddsa-generated (EdDSA signing with Ed25519, Ed448 curves)
Changes:
- Add provider-specific elliptic curve config key mapping
(ecdsaEllipticCurveKey, ecdhEllipticCurveKey, eddsaEllipticCurveKey)
- Add PROVIDERS_WITHOUT_ALGORITHM constant for providers that don't need algorithm
- Add elliptic curve validation per provider type
- Update documentation with all supported algorithms and examples
- Add comprehensive integration tests for all new providers
This completes full coverage of all Keycloak key provider types.
* style: apply ruff formatting
* feat(keycloak_realm_key): add java-keystore provider and update_password
Add support for java-keystore provider to import keys from Java
Keystore (JKS or PKCS12) files on the Keycloak server filesystem.
Add update_password parameter to control password handling for
java-keystore provider:
- always (default): Always send passwords to Keycloak
- on_create: Only send passwords when creating, preserve existing
passwords when updating (enables idempotent playbooks)
The on_create mode sends the masked value ("**********") that Keycloak
recognizes as "preserve existing password", matching the behavior when
re-importing an exported realm.
Replace password_checksum with update_password - the checksum approach
was complex and error-prone. The update_password parameter is simpler
and follows the pattern used by ansible.builtin.user module.
Also adds key_info return value containing kid, certificate fingerprint,
status, and expiration for java-keystore keys.
* address PR review feedback
- Remove no_log=True from secret_size (just an int, not sensitive)
- Add version_added: 12.4.0 to new parameters and return values
- Remove "Added in community.general 12.4.0" from description text
- Consolidate changelog entries into 4 focused entries
- Remove bugfix from changelog (now in separate PR #11470)
* address review feedback from russoz and felixfontein
- remove docstrings from module-local helpers
- remove line-by-line comments and unnecessary null guard
- use specific exceptions instead of bare except Exception
- use module.params["key"] instead of .get("key")
- consolidate changelog into single entry
- avoid "complete set" claim, reference Keycloak 26 instead
* address round 2 review feedback
- Extract remove_sensitive_config_keys() helper (DRY refactor)
- Simplify RS256 validation to single code path
- Add TypeError to inner except in compute_certificate_fingerprint()
- Remove redundant comments (L812, L1031)
- Switch .get() to direct dict access for module.params
* ModuleHelper: ensure compatibility with `ModuleTestCase`.
This change allows to configure the `module_fails_on_exception` decorator by passing a tuple of exception types that should not be handled by the decorator itself. In the context of `ModuleTestCase`, use `(AnsibleExitJson, AnsibleFailJson)` to let them pass through the decorator without modification.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Another approach allowing user-defined exception types to pass through the decorator. When the decorator should have no arguments at all, we must hard code the name of the attribute that is looked up on self.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Approach that removes decorator parametrization and relies on an object/class variable named `unhandled_exceptions`.
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* context manager implemented that allows to pass through some exception types
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
* Update changelogs/fragments/11488-mh-ensure-compatibiliy-with-module-tests.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Exception placeholder added
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
---------
Signed-off-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Fiehe Christoph <c.fiehe@eurodata.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* add support for management of keycloak localizations
* unit test for keycloak localization support
* keycloak_realm_localization botmeta record
* rev: improvements after code review
* Updated get_group_by_name with a query based lookup for improved speed
* Add changelog fragment for keycloak group search optimization
* Address review feedback: update changelog text and reformat code with ruff
* improved changelog fragment
* Update changelogs/fragments/11503-keycloak-group-search-optimization.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix(maven_artifact): resolve SNAPSHOT to latest using snapshot metadata block
Prefer the <snapshot> block (timestamp + buildNumber) from maven-metadata.xml
which always points to the latest build, instead of scanning <snapshotVersions>
and returning on the first match. Repositories like GitHub Packages keep all
historical entries in <snapshotVersions> (oldest first), causing the module to
resolve to the oldest snapshot instead of the latest.
Fixes#5117Fixes#11489
* fix(maven_artifact): address review feedback
- Check both timestamp and buildNumber before using snapshot block,
preventing IndexError when buildNumber is missing
- Remove unreliable snapshotVersions scanning fallback; use literal
-SNAPSHOT version for non-unique snapshot repos instead
- Add tests for incomplete snapshot block and non-SNAPSHOT versions
* fix(maven_artifact): restore snapshotVersions scanning with last-match
Restore <snapshotVersions> scanning as primary resolution (needed for
per-extension accuracy per MNG-5459), but collect the last match instead
of returning on the first. Fall back to <snapshot> block when no
<snapshotVersions> match is found, then to literal -SNAPSHOT version.
* docs: update changelog fragment to match final implementation
* fix(maven_artifact): use updated timestamp for snapshot resolution
Use the <updated> attribute to select the newest snapshotVersion entry
instead of relying on list order. This works independently of how the
repository manager sorts entries in maven-metadata.xml.
Also fix test docstring and update changelog fragment per reviewer
feedback.
* test(maven_artifact): shuffle entries to verify updated timestamp sorting
Reorder snapshotVersion entries so the newest JAR is in the middle,
not at the end. This ensures the test actually validates that resolution
uses the <updated> timestamp rather than relying on list position.
Add claims example for oidc-advanced-group-idp-mapper
For me it wasn't clear how to create claims using oidc-advanced-group-idp-mapper, perhaps other people can benefit from the following example.
* fix(keycloak_realm_key): handle missing config fields for default keys
Keycloak API may not return 'active', 'enabled', or 'algorithm' fields
in the config response for default/auto-generated realm keys. This caused
a KeyError when the module tried to compare these fields during state
detection.
Use .get() with the expected value as default to handle missing fields
gracefully, treating them as unchanged if not present in the API response.
Fixes: #11459
* add PR link to changelog entry per review feedback
At first glance, includepkgs seems to be something that would install
the package name from the given copr repo. This isn't helped by the
example that says "Install caddy" which very much looks like it is
installing the package from the repo. Not only did I, a human,
hallucinate this behaviour, so did a large search engine's AI
responses to related queries.
In fact these are labels to vary what packages DNF sees. Clarify this
by using wording and examples closer to the upstream documentation [1]
[1] https://dnf.readthedocs.io/en/latest/conf_ref.html
* feat(keycloak_client): add valid_post_logout_redirect_uris and backchannel_logout_url
Add two new convenience parameters that map to client attributes:
- valid_post_logout_redirect_uris: sets post.logout.redirect.uris
attribute (list items joined with ##)
- backchannel_logout_url: sets backchannel.logout.url attribute
These fields are not top-level in the Keycloak REST API but are stored
as client attributes. The new parameters provide a user-friendly
interface without requiring users to know the internal attribute names
and ##-separator format.
Fixes#6812, fixes#4892
* consolidate changelog and add PR link per review feedback
* fix(keycloak): URL-encode query params for usernames with special chars
get_user_by_username() concatenates the username directly into the URL
query string. When the username contains a +, it is interpreted as a
space by the server, returning no match and causing a TypeError.
Use urllib.parse.quote() (already imported) for the username parameter.
Also replace three fragile .replace(' ', '%20') calls in the authz
search methods with proper quote() calls.
Fixes#10305
* Update changelogs/fragments/keycloak-url-encode-query-params.yml
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---------
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* 11453 remove id's as change from diff for protocol mappers
* Update changelogs/fragments/11453-keycloak-client-protocol-mapper-ids.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* fix gem module compatibility with ruby-4-rubygems
rubygem's `query` command has recently been removed, see ruby/rubygems#9083.
address this by using the `list` command instead.
resolves#11397
* add changelog
* Adjust changelog fragment.
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding 'project' parameter support for the Scaleway SG module.
* Adding changelog fragment.
* Fixing documentation, organization is deprecated (although still available).
* Updating docs to show both org and project ID options.
* Incrementing version.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Moving deprecated example to the end.
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adding 'project' parameter to Scaleway IP module.
* Adding changelog fragment.
* Incrementing version.
Co-authored-by: Felix Fontein <felix@fontein.de>
* Updating docs to show both org and project ID options.
* Moving deprecated example to the end.
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
