Move heat domain setup into service setup tasks

The heat domain setup tasks use the old keystone plugin.
In this patch we switch it to using the ansible modules
instead, and move the tasks into the same place as all
the other tasks doing similar things.

Change-Id: Idcb79f43ab33b58829e6a07a2c2c13774ed3148b

tasks/heat_domain_setup.yml

@@ -1,83 +0,0 @@
----
-# Copyright 2014, Rackspace US, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# This is the role assigned to users created within Heat stacks themselves
-- name: Ensure heat_stack_user role
-  keystone:
-    command: ensure_role
-    role_name: "heat_stack_user"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  no_log: True
-
-- name: Ensure heat domain
-  keystone:
-    command: ensure_domain
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  no_log: True
-
-- name: Ensure heat project
-  keystone:
-    command: ensure_project
-    project_name: "{{ heat_project_name }}"
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  no_log: True
-
-- name: Ensure heat user
-  keystone:
-    command: "ensure_user"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ heat_stack_domain_admin }}"
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    password: "{{ heat_stack_domain_admin_password }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True
-
-- name: Ensure heat role
-  keystone:
-    command: "ensure_user_role"
-    endpoint: "{{ keystone_service_adminurl }}"
-    login_user: "{{ keystone_admin_user_name }}"
-    login_password: "{{ keystone_auth_admin_password }}"
-    login_project_name: "{{ keystone_admin_tenant_name }}"
-    user_name: "{{ heat_stack_domain_admin }}"
-    role_name: "{{ keystone_role_name | default('admin') }}"
-    domain_name: "{{ heat_stack_user_domain_name }}"
-    insecure: "{{ keystone_service_adminuri_insecure }}"
-  register: add_service
-  until: add_service is success
-  retries: 5
-  delay: 10
-  no_log: True

tasks/heat_service_setup.yml

@@ -47,14 +47,55 @@
       loop_control:
         label: "{{ item.name }}"
 
-    - name: Add service user
+    - name: Add owner/user roles
+      os_keystone_role:
+        cloud: default
+        state: present
+        name: "{{ item }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_service
+      when: not heat_service_in_ldap | bool
+      until: add_service is success
+      retries: 5
+      delay: 10
+      with_items:
+        - "{{ heat_stack_owner_name }}"
+        - "heat_stack_user"
+
+    - name: Add stack user domain
+      os_keystone_domain:
+        cloud: default
+        state: present
+        name: "{{ heat_stack_user_domain_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_stack_user_domain
+      until: add_stack_user_domain is success
+      retries: 5
+      delay: 10
+
+    - name: Add heat project
+      os_project:
+        cloud: default
+        state: present
+        name: "{{ heat_project_name }}"
+        domain_id: "{{ heat_project_domain_name }}"
+        endpoint_type: admin
+        verify: "{{ not keystone_service_adminuri_insecure }}"
+      register: add_project
+      until: add_project is success
+      retries: 5
+      delay: 10
+
+    - name: Add service/heat user
       os_user:
         cloud: default
         state: present
-        name: "{{ heat_service_user_name }}"
-        password: "{{ heat_service_password }}"
-        domain: default
-        default_project: "{{ heat_service_project_name }}"
+        name: "{{ item.name }}"
+        password: "{{ item.password }}"
+        domain: "{{ item.domain }}"
+        default_project: "{{ item.default_project }}"
         endpoint_type: admin
         verify: "{{ not keystone_service_adminuri_insecure }}"
       register: add_service
@@ -63,19 +104,15 @@
       retries: 5
       delay: 10
       no_log: True
-
-    - name: Ensure stack_owner role
-      os_keystone_role:
-        cloud: default
-        state: present
-        name: "{{ heat_stack_owner_name }}"
-        endpoint_type: admin
-        verify: "{{ not keystone_service_adminuri_insecure }}"
-      register: add_service
-      when: not heat_service_in_ldap | bool
-      until: add_service is success
-      retries: 5
-      delay: 10
+      with_items:
+        - name: "{{ heat_service_user_name }}"
+          password: "{{ heat_service_password }}"
+          domain: default
+          default_project: "{{ heat_service_project_name }}"
+        - name: "{{ heat_stack_domain_admin }}"
+          password: "{{ heat_stack_domain_admin_password }}"
+          domain: "{{ heat_stack_user_domain_name }}"
+          default_project: "{{ heat_project_name }}"
 
     - name: Add service user to roles
       os_user_role:
@@ -83,7 +120,7 @@
         state: present
         user: "{{ item.user }}"
         role: "{{ item.role }}"
-        project: "{{ heat_service_project_name }}"
+        project: "{{ item.project }}"
         endpoint_type: admin
         verify: "{{ not keystone_service_adminuri_insecure }}"
       register: add_service
@@ -94,14 +131,20 @@
       with_items:
         - user: "{{ heat_service_user_name }}"
           role: "{{ heat_service_role_name }}"
+          project: "{{ heat_service_project_name }}"
         # We add the keystone role used by heat to delegate to the heat service user
         # for performing deferred operations via trusts.
         - user: "{{ heat_service_user_name }}"
           role: "{{ heat_stack_owner_name }}"
+          project: "{{ heat_service_project_name }}"
         # Any user creating stacks needs to have the 'heat_stack_owner' role assigned.
         # We add to admin user here for testing purposes.
         - user: "{{ keystone_admin_user_name }}"
           role: "{{ heat_stack_owner_name }}"
+          project: "{{ heat_service_project_name }}"
+        - user: "{{ heat_stack_domain_admin }}"
+          role: "{{ keystone_role_name | default('admin') }}"
+          project: "{{ heat_project_name }}"
 
     - name: Add endpoints to keystone endpoint catalog
       os_keystone_endpoint:

tasks/main.yml

@@ -87,12 +87,6 @@
     - heat-config
     - systemd-service
 
-- include_tasks: heat_domain_setup.yml
-  when:
-    - "inventory_hostname == ansible_play_hosts[0]"
-  tags:
-    - heat-config
-
 - import_tasks: mq_setup.yml
   when:
     - "heat_services['heat-api']['group'] in group_names"