Prevent leaks when tasks fail - pulp_user

Author: Alex-Welsh

roles/pulp_user/tasks/main.yml

@@ -1,13 +1,15 @@
 ---
 - name: Get information for each user
   uri:
-    url: "{{ pulp_user_url }}?username={{ item.username }}"
+    url: "{{ pulp_user_url }}?username={{ pulp_users[user_index].username }}"
     user: "{{ pulp_username }}"
     password: "{{ pulp_password }}"
     method: GET
     status_code: 200
     force_basic_auth: true
-  loop: "{{ pulp_users }}"
+  loop: "{{ pulp_users | map(attribute='username') }}"
+  loop_control:
+    index_var: user_index
   register: users_get_result
 
 - name: Reset users facts
@@ -18,37 +20,37 @@
 
 - name: Set users to delete fact
   set_fact:
-    remove_users: "{{ remove_users + [user.json.results[0]] }}"
-  loop: "{{ users_get_result.results }}"
+    remove_users: "{{ remove_users + [users_get_result.results[user_index].json.results[0]] }}"
+  loop: "{{ users_get_result.results | map(attribute='item') }}"
   loop_control:
-    loop_var: "user"
-    label: "{{ user.item.username }}"
+    index_var: user_index
   when:
-    - user.json.count == 1
-    - user.item.state is defined
-    - user.item.state == "absent"
+    - users_get_result.results[user_index].json.count == 1
+    - pulp_users[user_index].state is defined
+    - pulp_users[user_index].state == "absent"
 
 - name: Set users to create fact
   set_fact:
-    create_users: "{{ create_users + [user.item] }}"
-  loop: "{{ users_get_result.results }}"
+    create_users: "{{ create_users + [pulp_users[user_index]] }}"
+  loop: "{{ users_get_result.results | map(attribute='item') }}"
   loop_control:
-    loop_var: "user"
-    label: "{{ user.item.username }}"
+    index_var: user_index
   when:
-   - user.json.count == 0
-   - user.item.state is not defined or user.item.state != "absent"
+    - users_get_result.results[user_index].json.count == 0
+    - pulp_users[user_index].state is not defined or pulp_users[user_index].state != "absent"
 
 - name: Set users to update fact
   set_fact:
-    update_users: "{{ update_users + [user.json.results[0] | combine(user.item) | combine({'existing_groups': user.json.results[0]['groups']}) ] }}"
-  loop: "{{ users_get_result.results }}"
+    update_users: >-
+      {{- update_users + [users_get_result.results[user_index].json.results[0]
+      | combine(pulp_users[user_index])
+      | combine({'existing_groups': users_get_result.results[user_index].json.results[0]['groups']})] -}}
+  loop: "{{ users_get_result.results | map(attribute='item') }}"
   loop_control:
-    loop_var: "user"
-    label: "{{ user.item.username }}"
+    index_var: user_index
   when:
-   - user.json.count == 1
-   - user.item.state is not defined or user.item.state != "absent"
+    - users_get_result.results[user_index].json.count == 1
+    - pulp_users[user_index].state is not defined or pulp_users[user_index].state != "absent"
 
 - name: Create users
   uri:
@@ -59,59 +61,61 @@
     method: POST
     status_code: 201
     body:
-      username: "{{ item.username }}"
-      password: "{{ item.password | default(None) }}"
-      first_name: "{{ item.first_name | default(None) }}"
-      last_name: "{{ item.last_name | default(None) }}"
-      email: "{{ item.email | default(None) }}"
-      is_staff: "{{ item.is_staff | default(None) }}"
-      is_active: "{{ item.is_active | default(None) }}"
+      username: "{{ create_users[user_index].username }}"
+      password: "{{ create_users[user_index].password | default(None) }}"
+      first_name: "{{ create_users[user_index].first_name | default(None) }}"
+      last_name: "{{ create_users[user_index].last_name | default(None) }}"
+      email: "{{ create_users[user_index].email | default(None) }}"
+      is_staff: "{{ create_users[user_index].is_staff | default(None) }}"
+      is_active: "{{ create_users[user_index].is_active | default(None) }}"
     body_format: form-urlencoded
-  loop: "{{ create_users }}"
+  loop: "{{ create_users | map(attribute='username') }}"
   loop_control:
-    label: "{{ item.username }}"
+    index_var: user_index
   changed_when: true
 
+# Will always mark as changed even if user is the same as described
 - name: Update existing users
   uri:
-    url: "{{ pulp_url }}{{ item.pulp_href }}"
+    url: "{{ pulp_url }}{{ update_users[user_index].pulp_href }}"
     user: "{{ pulp_username }}"
     password: "{{ pulp_password }}"
     force_basic_auth: true
     method: PATCH
     body:
-      username: "{{ item.username }}"
-      password: "{{ item.password | default(None) }}"
-      first_name: "{{ item.first_name | default(None) }}"
-      last_name: "{{ item.last_name | default(None) }}"
-      email: "{{ item.email | default(None) }}"
-      is_staff: "{{ item.is_staff | default(None) }}"
-      is_active: "{{ item.is_active | default(None) }}"
+      username: "{{ update_users[user_index].username }}"
+      password: "{{ update_users[user_index].password | default(None) }}"
+      first_name: "{{ update_users[user_index].first_name | default(None) }}"
+      last_name: "{{ update_users[user_index].last_name | default(None) }}"
+      email: "{{ update_users[user_index].email | default(None) }}"
+      is_staff: "{{ update_users[user_index].is_staff | default(None) }}"
+      is_active: "{{ update_users[user_index].is_active | default(None) }}"
     body_format: form-urlencoded
-  loop: "{{ update_users }}"
+  loop: "{{ update_users | map(attribute='username') }}"
   loop_control:
-    label: "{{ item.username }}"
+    index_var: user_index
   register: result
   changed_when: true
 
 - name: Add or remove user from group(s)
+  vars:
+    exist_users: "{{ create_users + update_users }}"
   include_tasks: user_groups/add_or_remove_users.yml
   # All users that aren't state: absent are in play here
-  loop: "{{ create_users + update_users }}"
+  loop: "{{ exist_users | map(attribute='username') }}"
   loop_control:
-    loop_var: user
-    label: "{{ user.username }}"
+    index_var: user_index
 
 - name: Delete users
   uri:
-    url: "{{ pulp_url }}{{ item.pulp_href }}"
+    url: "{{ pulp_url }}{{ remove_users[user_index].pulp_href }}"
     user: "{{ pulp_username }}"
     password: "{{ pulp_password }}"
     force_basic_auth: true
     method: DELETE
     status_code: 204
     body_format: form-urlencoded
-  loop: "{{ remove_users }}"
+  loop: "{{ remove_users | map(attribute='username') }}"
   loop_control:
-    label: "{{ item.username }}"
+    index_var: user_index
   changed_when: true

roles/pulp_user/tasks/user_groups/add_or_remove_users.yml

@@ -2,13 +2,13 @@
 
 - name: Remove user from groups not defined in pulp_users
   include_tasks: remove_user_from_groups.yml
-  loop: "{{ user.existing_groups | map(attribute='name') | difference(user.groups | default([], true)) }}"
+  loop: "{{ exist_users[user_index].existing_groups | map(attribute='name') | difference(exist_users[user_index].groups | default([], true)) }}"
   loop_control:
     loop_var: remove_group
-  when: user.existing_groups is defined
+  when: exist_users[user_index].existing_groups is defined
 
 - name: Add user to groups defined in pulp_users
   include_tasks: add_user_to_groups.yml
-  loop: "{{ user.groups | default([], true) | difference(user.existing_groups | default([]) | map(attribute='name') ) }}"
+  loop: "{{ exist_users[user_index].groups | default([], true) | difference(exist_users[user_index].existing_groups | default([]) | map(attribute='name')) }}"
   loop_control:
     loop_var: add_group

roles/pulp_user/tasks/user_groups/add_user_to_groups.yml

@@ -29,7 +29,7 @@
     user: "{{ pulp_username }}"
     password: "{{ pulp_password }}"
     body:
-      username: "{{ user.username }}"
+      username: "{{ exist_users[user_index].username }}"
     body_format: json
     method: POST
     force_basic_auth: true

roles/pulp_user/tasks/user_groups/remove_user_from_groups.yml

@@ -5,7 +5,7 @@
 - name: Remove user from group
   # DELETE {{ pulp_url }}/pulp/api/v3/groups/880/users/11/
   uri:
-    url: "{{ pulp_url }}{{ user_group.pulp_href }}users/{{ user.id }}/"
+    url: "{{ pulp_url }}{{ user_group.pulp_href }}users/{{ exist_users[user_index].id }}/"
     user: "{{ pulp_username }}"
     password: "{{ pulp_password }}"
     method: DELETE
@@ -14,7 +14,7 @@
     force_basic_auth: true
   # If we get here, we're always changing something
   changed_when: true
-  loop: "{{ user.existing_groups | selectattr('name', 'equalto', remove_group) }}"
+  loop: "{{ exist_users[user_index].existing_groups | selectattr('name', 'equalto', remove_group) }}"
   loop_control:
     loop_var: user_group
-    label: "{{ user.username }} {{ user_group.name }}"
+    label: "{{ exist_users[user_index].username }} {{ user_group.name }}"