cloudera.cloud.iam_group module – Create, update, or destroy CDP IAM Groups

Note

This module is part of the cloudera.cloud collection (version 3.1.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cloudera.cloud.

To use it in a playbook, specify: cloudera.cloud.iam_group.

New in cloudera.cloud 1.0.0

Synopsis

  • Create, update, and destroy CDP IAM Groups.

  • A group is a named collection of users and machine users.

  • Roles and resource roles can be assigned to a group impacting all members of the group.

Parameters

Parameter

Comments

access_key

string

If provided, the Cloudera on cloud API will use this value as its access key.

If not provided, the API will attempt to use the value from the environment variable CDP_ACCESS_KEY_ID.

Required if private_key is provided.

Mutually exclusive with credentials_path.

credentials_path

string

If provided, the Cloudera on cloud API will use this value as its credentials path.

If not provided, the API will attempt to use the value from the environment variable CDP_CREDENTIALS_PATH.

Default: "~/.cdp/credentials"

debug

aliases: debug_endpoints

boolean

If true, the module will capture the Cloudera on cloud HTTP log and return it in the sdk_out and sdk_out_lines fields.

Choices:

  • false ← (default)

  • true

endpoint

aliases: endpoint_url, url

string

The Cloudera on cloud API endpoint to use.

Mutually exclusive with endpoint_region.

endpoint_region

aliases: cdp_endpoint_region, cdp_region, region

string

Specify the Cloudera on cloud API endpoint region.

See Cloudera Control Plane regions for more information.

If not provided, the API will attempt to use the value from the environment variable CDP_REGION.

default is an alias for the us-west-1 region.

Mutually exclusive with endpoint.

Choices:

  • "default"

  • "us-west-1" ← (default)

  • "eu-1"

  • "ap-1"

endpoint_tls

aliases: verify_endpoint_tls, verify_tls, verify_api_tls

boolean

Verify the TLS certificates for the Cloudera on cloud API endpoint.

Choices:

  • false

  • true ← (default)

http_agent

aliases: agent_header

string

The HTTP user agent to use for Cloudera on cloud API requests.

Default: "cloudera.cloud"

name

aliases: group_name

string / required

The name of the group.

The name must be unique, must have a maximum of 32 characters, and must contain only alphanumeric characters, “-”, and “_”.

The first character of the name must be alphabetic or an underscore.

Names are not case-sensitive.

The group named “administrators” is reserved.

private_key

string

If provided, the Cloudera on cloud API will use this value as its private key.

If not provided, the API will attempt to use the value from the environment variable CDP_PRIVATE_KEY.

Required if access_key is provided.

profile

string

If provided, the Cloudera on cloud API will use this value as its profile.

If not provided, the API will attempt to use the value from the environment variable CDP_PROFILE.

Default: "default"

purge

aliases: replace

boolean

Flag to replace roles, users, and resource_roles with their specified values. When true, any existing assignment not listed in the task is removed from the group; when false, the listed values are added and existing assignments are kept.

Choices:

  • false ← (default)

  • true

resource_roles

list / elements=dictionary

A list of resource role assignments.

resource

aliases: resourceCrn, resource_crn

string / required

The resource CRN for the rights assignment.

role

aliases: resourceRoleCrn, resource_role_crn

string / required

The resource role CRN to be assigned.

roles

list / elements=string

A single role or list of roles assigned to the group.

The role must be identified by its full CRN.

state

string

The state of the group.

Choices:

  • "present" ← (default)

  • "absent"

strict

aliases: strict_errors

boolean

Legacy CDPy SDK error handling.

Choices:

  • false ← (default)

  • true

sync

aliases: sync_membership, sync_on_login, sync_membership_on_user_login

boolean

Whether group membership is synced when a user logs in.

The default is to sync group membership.

Choices:

  • false

  • true ← (default)

users

list / elements=string

A single user or list of users assigned to the group.

Users can be regular users or machine users.

The user can be either the name or CRN.
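The following is an added example, not code from the cloudera.cloud collection or its documentation. It encodes the name rules given for the name parameter as a validator, and models the purge flag by diffing a group record (in the shape of this module's group return value) against a task's users, roles and resource_roles, so that removals can be reviewed before the task runs against the control plane. Two points are assumptions rather than statements from this page: that purge false is purely additive (nothing removed), and that a list the task omits counts as empty under purge true (the cautious reading, which reports the largest possible set of removals). The CRNs in the sample data are constructed placeholders, and identifiers are compared as strings, so pass users as CRNs when diffing against the CRNs the module returns.

```python
"""Pre-flight checks for a cloudera.cloud.iam_group task (added example, not
part of the cloudera.cloud collection).

Assumptions, not stated on the module page: with purge=false the module only
adds the listed values and removes nothing; with purge=true a list the task
omits is treated here as empty, so the plan reports the maximum removals.
"""
import re

# name: 1-32 characters of [A-Za-z0-9_-], first character alphabetic or '_'
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")
RESERVED_NAMES = {"administrators"}


def validate_group_name(name, existing_names=()):
    """Return the list of rule violations for a proposed group name (empty == valid)."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("must be 1-32 characters of [A-Za-z0-9_-] starting with a letter or '_'")
    folded = name.lower()
    if folded in RESERVED_NAMES:
        problems.append("name is reserved")
    # Names are not case-sensitive, so uniqueness must be checked case-folded.
    if folded in {n.lower() for n in existing_names}:
        problems.append("a group with this name already exists (case-insensitive)")
    return problems


def plan_group(current_group, task, purge=False):
    """Diff a group as the module returns it (Return Values keys) against task parameters.

    Returns {"users": (added, removed), "roles": (...), "resource_roles": (...)},
    each a pair of sorted lists. Resource roles are compared as
    (resource CRN, resource role CRN) pairs.
    """
    current = {
        "users": set(current_group.get("members", [])),
        "roles": set(current_group.get("roles", [])),
        "resource_roles": {
            (a["resourceCrn"], a["resourceRoleCrn"])
            for a in current_group.get("resourceAssignments", [])
        },
    }
    desired = {
        "users": set(task.get("users", [])),
        "roles": set(task.get("roles", [])),
        "resource_roles": {
            (r["resource"], r["role"]) for r in task.get("resource_roles", [])
        },
    }
    plan = {}
    for field in ("users", "roles", "resource_roles"):
        added = desired[field] - current[field]
        # purge=true replaces the list; purge=false (assumed) only appends to it
        removed = current[field] - desired[field] if purge else set()
        plan[field] = (sorted(added), sorted(removed))
    return plan


# Constructed sample data shaped like the module's `group` return value and a
# task's parameters. The CRNs are placeholders, not real identifiers.
SAMPLE_GROUP = {
    "groupName": "data-eng",
    "members": ["crn:example:user:alice", "crn:example:user:contractor"],
    "roles": ["crn:example:role:PowerUser"],
    "resourceAssignments": [
        {"resourceCrn": "crn:example:environment:prod",
         "resourceRoleCrn": "crn:example:resourceRole:EnvironmentAdmin"},
    ],
}
SAMPLE_TASK = {
    "name": "data-eng",
    "users": ["crn:example:user:alice", "crn:example:user:bob"],
    "resource_roles": [
        {"resource": "crn:example:environment:prod",
         "role": "crn:example:resourceRole:EnvironmentUser"},
    ],
}

if __name__ == "__main__":
    print(validate_group_name("Administrators"))
    for purge in (False, True):
        print(f"purge={purge}:", plan_group(SAMPLE_GROUP, SAMPLE_TASK, purge=purge))
```

With purge true the plan shows that the contractor user, the PowerUser role and the EnvironmentAdmin resource role would all be removed because the task does not list them; with purge false only the additions appear. Reviewing the removed lists before running the task is the check that prevents a purge from silently dropping a role someone still depends on, and it also shows the opposite risk: without purge, a stale EnvironmentAdmin assignment stays in place even though the task only grants EnvironmentUser.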

Examples

# Note: These examples do not set authentication details.

# Create a group
- cloudera.cloud.iam_group:
    name: group-example

# Create a group with membership sync disabled
- cloudera.cloud.iam_group:
    state: present
    name: group-example
    sync: false

# Delete a group
- cloudera.cloud.iam_group:
    state: absent
    name: group-example

# Assign users to a group
- cloudera.cloud.iam_group:
    name: group-example
    users:
      - user-a
      - user-b

# Assign roles to a group (each role is identified by its full CRN)
- cloudera.cloud.iam_group:
    name: group-example
    roles:
      - role-a
      - role-b

# Replace the resource roles of a group
# (each entry is a dictionary holding the resource CRN and the resource role CRN;
#  purge: true removes any existing resource role not listed here)
- cloudera.cloud.iam_group:
    name: group-example
    resource_roles:
      - resource: resource-crn-c
        role: resource-role-crn-c
      - resource: resource-crn-d
        role: resource-role-crn-d
    purge: true

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

group

dictionary

The information about the Group

Returned: always

creationDate

string

The date when this group record was created.

Returned: on success

Sample: "2020-07-06T12:24:05.531000+00:00"

crn

string

The CRN of the group.

Returned: on success

groupName

string

The group name.

Returned: on success

Sample: "example-01"

members

list / elements=string

List of member CRNs (users and machine users) which are members of the group.

Returned: on success

resourceAssignments

list / elements=dictionary

List of Resource-to-Role assignments that are associated with the group.

Returned: on success

resourceCrn

string

The CRN of the resource granted the rights of the role.

Returned: on success

resourceRoleCrn

string

The CRN of the resource role.

Returned: on success

roles

list / elements=string

List of Role CRNs assigned to the group.

Returned: on success

syncMembershipOnUserLogin

boolean

Flag indicating whether group membership is synced when a user logs in. The default is to sync group membership.

Returned: when supported

sdk_out

string

Returns the captured CDP SDK log.

Returned: when supported

sdk_out_lines

list / elements=string

Returns a list of each line of the captured CDP SDK log.

Returned: when supported

Authors

  • Webster Mudge (@wmudge)

  • Dan Chaffelson (@chaffelson)

  • Ronald Suplina (@rsuplina)