create_svm: add support for identity.project.update

From now on, when the project is updated we look if the UNDERSTACK_SVM
is present on the project.

If it isn't - we log an error message and exit.

If it is - we check if the SVM exists on the Netapp and create it if it
doesn't.

Author: skrobul

python/understack-workflows/tests/json_samples/keystone-project-updated.json

@@ -0,0 +1,4 @@
+{
+  "oslo.version": "2.0",
+  "oslo.message": "{\"message_id\": \"e242b7f2-8228-40ec-9b34-234aee8353bc\", \"publisher_id\": \"identity.keystone-api-795dc7d644-nmm8j\", \"event_type\": \"identity.project.updated\", \"priority\": \"INFO\", \"payload\": {\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\", \"eventType\": \"activity\", \"id\": \"c51b84e2-c4d1-5b0c-bcf1-c91d23002cdc\", \"eventTime\": \"2025-08-21T16:42:50.136659+0000\", \"action\": \"updated.project\", \"outcome\": \"success\", \"observer\": {\"id\": \"ad1c83a7f5f746d2a04fcc8dda226368\", \"typeURI\": \"service/security\"}, \"initiator\": {\"id\": \"e27a1fed41fd51a09221b35a38f7be23\", \"typeURI\": \"service/security/account/user\", \"host\": {\"address\": \"10.2.148.161\", \"agent\": \"python-keystoneclient\"}, \"user_id\": \"5f9179b7e200cd85c55e8a26400e266c6b4f7209f6d3fb2adc3cf8e1113c378c\", \"project_id\": \"32e02632f4f04415bab5895d1e7247b7\", \"request_id\": \"req-1965a371-44ea-4d60-b655-33b3be5caedc\", \"username\": \"[email protected]\"}, \"target\": {\"id\": \"de16994fb2124504b6b3d3623d1dba51\", \"typeURI\": \"data/security/project\"}, \"resource_info\": \"de16994fb2124504b6b3d3623d1dba51\"}, \"timestamp\": \"2025-08-21 16:42:50.137603\", \"_unique_id\": \"7423a282fbcc492dbb00a5700bce4249\"}"
+}

python/understack-workflows/tests/test_keystone_project.py

@@ -1,4 +1,5 @@
 from unittest.mock import MagicMock
+from unittest.mock import call
 from unittest.mock import patch
 
 import pytest
@@ -9,6 +10,7 @@
 from understack_workflows.oslo_event.keystone_project import KeystoneProjectEvent
 from understack_workflows.oslo_event.keystone_project import _keystone_project_tags
 from understack_workflows.oslo_event.keystone_project import handle_project_created
+from understack_workflows.oslo_event.keystone_project import handle_project_updated
 
 
 class TestKeystoneProjectEvent:
@@ -288,3 +290,267 @@ def test_handle_project_created_constants_used(
                 aggregate_name="aggr02_n02_NVME",  # AGGREGATE_NAME constant
             )
         mock_open.assert_called()
+
+
+class TestHandleProjectUpdated:
+    """Test cases for handle_project_updated function."""
+
+    @pytest.fixture
+    def mock_conn(self):
+        """Create a mock OpenStack connection."""
+        return MagicMock()
+
+    @pytest.fixture
+    def mock_nautobot(self):
+        """Create a mock Nautobot instance."""
+        return MagicMock()
+
+    @pytest.fixture
+    def valid_update_event_data(self):
+        """Create valid update event data for testing."""
+        return {
+            "event_type": "identity.project.updated",
+            "payload": {"target": {"id": "test-project-123"}},
+        }
+
+    def test_handle_project_updated_wrong_event_type(self, mock_conn, mock_nautobot):
+        """Test handling event with wrong event type."""
+        event_data = {
+            "event_type": "identity.project.created",
+            "payload": {"target": {"id": "test-project-123"}},
+        }
+
+        result = handle_project_updated(mock_conn, mock_nautobot, event_data)
+        assert result == 1
+
+    @patch("understack_workflows.oslo_event.keystone_project.NetAppManager")
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_svm_tag_added(
+        self,
+        mock_open,
+        mock_tags,
+        mock_netapp_class,
+        mock_conn,
+        mock_nautobot,
+        valid_update_event_data,
+    ):
+        """Test project update when SVM_UNDERSTACK tag is added."""
+        # Project now has SVM tag
+        mock_tags.return_value = ["tag1", SVM_PROJECT_TAG, "tag2"]
+
+        mock_netapp_manager = MagicMock()
+        mock_netapp_manager.check_if_svm_exists.return_value = (
+            False  # SVM doesn't exist yet
+        )
+        mock_netapp_manager.create_svm.return_value = "os-test-project-123"
+        mock_netapp_class.return_value = mock_netapp_manager
+
+        result = handle_project_updated(
+            mock_conn, mock_nautobot, valid_update_event_data
+        )
+
+        assert result == 0
+        mock_tags.assert_called_once_with(mock_conn, "test-project-123")
+        mock_netapp_manager.check_if_svm_exists.assert_called_once_with(
+            project_id="test-project-123"
+        )
+        mock_netapp_manager.create_svm.assert_called_once_with(
+            project_id="test-project-123", aggregate_name=AGGREGATE_NAME
+        )
+        mock_netapp_manager.create_volume.assert_called_once_with(
+            project_id="test-project-123",
+            volume_size=VOLUME_SIZE,
+            aggregate_name=AGGREGATE_NAME,
+        )
+
+    @patch("understack_workflows.oslo_event.keystone_project.NetAppManager")
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_svm_tag_removed(
+        self,
+        mock_open,
+        mock_tags,
+        mock_netapp_class,
+        mock_conn,
+        mock_nautobot,
+        valid_update_event_data,
+    ):
+        """Test project update when SVM_UNDERSTACK tag is removed."""
+        # Project no longer has SVM tag
+        mock_tags.return_value = ["tag1", "tag2"]
+
+        mock_netapp_manager = MagicMock()
+        mock_netapp_manager.check_if_svm_exists.return_value = (
+            True  # SVM exists but tag removed
+        )
+        mock_netapp_class.return_value = mock_netapp_manager
+
+        result = handle_project_updated(
+            mock_conn, mock_nautobot, valid_update_event_data
+        )
+
+        assert result == 0
+        mock_tags.assert_called_once_with(mock_conn, "test-project-123")
+        mock_netapp_manager.check_if_svm_exists.assert_called_once_with(
+            project_id="test-project-123"
+        )
+        # Should not create SVM or volume when tag is removed
+        mock_netapp_manager.create_svm.assert_not_called()
+        mock_netapp_manager.create_volume.assert_not_called()
+
+    @patch("understack_workflows.oslo_event.keystone_project.NetAppManager")
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_random_tag_added(
+        self,
+        mock_open,
+        mock_tags,
+        mock_netapp_class,
+        mock_conn,
+        mock_nautobot,
+        valid_update_event_data,
+    ):
+        """Test project update when random_text tag is added (no SVM tag)."""
+        # Project has random tag but not SVM tag
+        mock_tags.return_value = ["tag1", "random_text", "tag2"]
+
+        mock_netapp_manager = MagicMock()
+        mock_netapp_manager.check_if_svm_exists.return_value = False
+        mock_netapp_class.return_value = mock_netapp_manager
+
+        result = handle_project_updated(
+            mock_conn, mock_nautobot, valid_update_event_data
+        )
+
+        assert result == 0
+        mock_tags.assert_called_once_with(mock_conn, "test-project-123")
+        mock_netapp_manager.check_if_svm_exists.assert_called_once_with(
+            project_id="test-project-123"
+        )
+        # Should not create SVM or volume when no SVM tag
+        mock_netapp_manager.create_svm.assert_not_called()
+        mock_netapp_manager.create_volume.assert_not_called()
+
+    @patch("understack_workflows.oslo_event.keystone_project.NetAppManager")
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_svm_exists_and_tag_exists(
+        self,
+        mock_open,
+        mock_tags,
+        mock_netapp_class,
+        mock_conn,
+        mock_nautobot,
+        valid_update_event_data,
+    ):
+        """Test project update when SVM tag exists and SVM already exists."""
+        # Project has SVM tag and SVM already exists
+        mock_tags.return_value = [SVM_PROJECT_TAG, "tag1"]
+
+        mock_netapp_manager = MagicMock()
+        mock_netapp_manager.check_if_svm_exists.return_value = True
+        mock_netapp_class.return_value = mock_netapp_manager
+
+        result = handle_project_updated(
+            mock_conn, mock_nautobot, valid_update_event_data
+        )
+
+        assert result == 0
+        mock_tags.assert_called_once_with(mock_conn, "test-project-123")
+        mock_netapp_manager.check_if_svm_exists.assert_called_once_with(
+            project_id="test-project-123"
+        )
+        # Should not create SVM or volume when both exist
+        mock_netapp_manager.create_svm.assert_not_called()
+        mock_netapp_manager.create_volume.assert_not_called()
+
+    @patch("understack_workflows.oslo_event.keystone_project.NetAppManager")
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_netapp_manager_failure(
+        self,
+        mock_open,
+        mock_tags,
+        mock_netapp_class,
+        mock_conn,
+        mock_nautobot,
+        valid_update_event_data,
+    ):
+        """Test handling when NetAppManager creation fails during update."""
+        mock_tags.return_value = [SVM_PROJECT_TAG]
+        mock_netapp_class.side_effect = Exception("NetApp connection failed")
+
+        with pytest.raises(Exception, match="NetApp connection failed"):
+            handle_project_updated(mock_conn, mock_nautobot, valid_update_event_data)
+
+        mock_tags.assert_called_once_with(mock_conn, "test-project-123")
+        mock_netapp_class.assert_called_once()
+
+    @patch("understack_workflows.oslo_event.keystone_project.NetAppManager")
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_svm_creation_failure(
+        self,
+        mock_open,
+        mock_tags,
+        mock_netapp_class,
+        mock_conn,
+        mock_nautobot,
+        valid_update_event_data,
+    ):
+        """Test handling when SVM creation fails during update."""
+        mock_tags.return_value = [SVM_PROJECT_TAG]
+
+        mock_netapp_manager = MagicMock()
+        mock_netapp_manager.check_if_svm_exists.return_value = False
+        mock_netapp_manager.create_svm.side_effect = Exception("SVM creation failed")
+        mock_netapp_class.return_value = mock_netapp_manager
+
+        with pytest.raises(Exception, match="SVM creation failed"):
+            handle_project_updated(mock_conn, mock_nautobot, valid_update_event_data)
+
+        mock_tags.assert_called_once_with(mock_conn, "test-project-123")
+        mock_netapp_manager.check_if_svm_exists.assert_called_once_with(
+            project_id="test-project-123"
+        )
+        mock_netapp_manager.create_svm.assert_called_once_with(
+            project_id="test-project-123", aggregate_name=AGGREGATE_NAME
+        )
+
+    def test_handle_project_updated_invalid_event_data(self, mock_conn, mock_nautobot):
+        """Test handling update with invalid event data."""
+        invalid_event_data = {
+            "event_type": "identity.project.updated",
+            "payload": {},  # Missing target
+        }
+
+        with pytest.raises(Exception, match="no target information in payload"):
+            handle_project_updated(mock_conn, mock_nautobot, invalid_event_data)
+
+    @patch("understack_workflows.oslo_event.keystone_project._keystone_project_tags")
+    @patch("builtins.open")
+    def test_handle_project_updated_output_files_written(
+        self, mock_open, mock_tags, mock_conn, mock_nautobot, valid_update_event_data
+    ):
+        """Test that output files are written correctly during update."""
+        mock_tags.return_value = ["random_tag"]
+
+        with patch(
+            "understack_workflows.oslo_event.keystone_project.NetAppManager"
+        ) as mock_netapp_class:
+            mock_netapp_manager = MagicMock()
+            mock_netapp_manager.check_if_svm_exists.return_value = False
+            mock_netapp_class.return_value = mock_netapp_manager
+
+            result = handle_project_updated(
+                mock_conn, mock_nautobot, valid_update_event_data
+            )
+
+            assert result == 0
+            # Verify output files are written
+            expected_calls = [
+                call("/var/run/argo/output.svm_enabled", "w"),
+                call("/var/run/argo/output.svm_name", "w"),
+            ]
+            mock_open.assert_has_calls(expected_calls, any_order=True)

python/understack-workflows/understack_workflows/main/openstack_oslo_event.py

@@ -65,6 +65,7 @@ class NoEventHandlerError(Exception):
     "baremetal.port.update.end": ironic_port.handle_port_create_update,
     "baremetal.port.delete.end": ironic_port.handle_port_delete,
     "identity.project.created": keystone_project.handle_project_created,
+    "identity.project.updated": keystone_project.handle_project_updated,
 }
 
 

python/understack-workflows/understack_workflows/netapp_manager.py

@@ -105,6 +105,15 @@ def create_volume(
             logger.error("Error creating Volume: %s", e)
             exit(1)
 
+    def check_if_svm_exists(self, project_id):
+        svm_name = self._svm_name(project_id)
+
+        try:
+            if Svm.find(name=svm_name):
+                return True
+        except NetAppRestError:
+            return False
+
     def _svm_name(self, project_id):
         return f"os-{project_id}"
 

python/understack-workflows/understack_workflows/oslo_event/keystone_project.py

@@ -66,21 +66,64 @@ def handle_project_created(
     svm_name = None
     try:
         netapp_manager = NetAppManager()
-        svm_name = netapp_manager.create_svm(
-            project_id=event.project_id, aggregate_name=AGGREGATE_NAME
-        )
-        netapp_manager.create_volume(
-            project_id=event.project_id,
-            volume_size=VOLUME_SIZE,
-            aggregate_name=AGGREGATE_NAME,
-        )
+        svm_name = _create_svm_and_volume(netapp_manager, event)
     finally:
         if not svm_name:
             svm_name = "not_returned"
         _save_output("svm_name", svm_name)
     return 0
 
 
+def handle_project_updated(
+    conn: Connection, _nautobot: Nautobot, event_data: dict
+) -> int:
+    if event_data.get("event_type") != "identity.project.updated":
+        logger.error("Received event that is not identity.project.updated")
+        return 1
+
+    event = KeystoneProjectEvent.from_event_dict(event_data)
+    logger.info("Starting ONTAP SVM and Volume create/update workflow.")
+    tags = _keystone_project_tags(conn, event.project_id)
+    logger.debug("Project %s has tags: %s", event.project_id, tags)
+
+    project_is_svm_enabled = SVM_PROJECT_TAG in tags
+    _save_output("svm_enabled", str(project_is_svm_enabled))
+
+    svm_name = None
+    try:
+        netapp_manager = NetAppManager()
+        svm_exists = netapp_manager.check_if_svm_exists(project_id=event.project_id)
+
+        # Tag removed
+        if not project_is_svm_enabled and svm_exists:
+            logger.error(
+                "SVM os-%s exists on NetApp but project %s is no longer tagged with %s",
+                event.project_id,
+                event.project_id,
+                SVM_PROJECT_TAG,
+            )
+        # Tag added
+        elif project_is_svm_enabled and not svm_exists:
+            svm_name = _create_svm_and_volume(netapp_manager, event)
+    finally:
+        if not svm_name:
+            svm_name = "not_returned"
+        _save_output("svm_name", svm_name)
+    return 0
+
+
+def _create_svm_and_volume(netapp_manager, event) -> str:
+    svm_name = netapp_manager.create_svm(
+        project_id=event.project_id, aggregate_name=AGGREGATE_NAME
+    )
+    netapp_manager.create_volume(
+        project_id=event.project_id,
+        volume_size=VOLUME_SIZE,
+        aggregate_name=AGGREGATE_NAME,
+    )
+    return svm_name
+
+
 def _save_output(name, value):
     with open(f"{OUTPUT_BASE_PATH}/output.{name}", "w") as f:
         return f.write(value)

workflows/openstack/sensors/sensor-keystone-oslo-event.yaml

@@ -9,6 +9,7 @@ metadata:
       Triggers on the following Keystone Events:
 
       - identity.project.created
+      - identity.project.updated
       - other events are silently ignored now
 
       Resulting code should be very similar to:
@@ -37,6 +38,7 @@ spec:
           type: "string"
           value:
             - "identity.project.created"
+            - "identity.project.updated"
   template:
     serviceAccountName: sensor-submit-workflow
   triggers: