Merge pull request #8 from apigee/feat/apigee-validation

feat: added apigee-control-plane-check role

playbook.yaml

@@ -25,6 +25,7 @@
   - dc1
   roles:
   - { role: validate-input, tags: ['validate-input'] }
+  - { role: apigee-control-plane-check, tags: ['validate-apigee-mgmt'] }
   - { role: cert-manager, tags: ['cert-manager'] }
   - { role: certificates, vars: { generate_certificates: true }, tags: ['certs'] }
   - { role: prepare-helm, tags: ['prepare-helm'] }
@@ -108,6 +109,7 @@
   - dc2
   roles:
   - { role: validate-input, tags: ['validate-input'] }
+  - { role: apigee-control-plane-check, tags: ['validate-apigee-mgmt'] }
   - { role: cert-manager, tags: ['cert-manager'] }
   - { role: kubectl-ops, vars: { operation: get, k8s_resource_type: namespace, k8s_resource: apigee, kubectl_args: '--kubeconfig {{ kubeconfigs.primary }} -o yaml > {{ setup_path }}/apigee-namespace.yaml'}, tags: ['dc2-prereq'] }
   - { role: kubectl-ops, vars: { operation: get, k8s_resource_type: secret, k8s_resource: apigee-ca, k8s_namespace: cert-manager, kubectl_args: '--kubeconfig {{ kubeconfigs.primary }} -o yaml > {{ setup_path }}/apigee-ca.yaml'}, tags: ['dc2-prereq'] }

roles/apigee-control-plane-check/README.md

@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).

roles/apigee-control-plane-check/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+# defaults file for apigee-control-plane-check

roles/apigee-control-plane-check/files/validate_apigee_objects.py

@@ -0,0 +1,165 @@
+#!/usr/bin/env python3
+
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+import requests
+import argparse
+import json
+import collections
+
+class Apigee:
+    def __init__(
+        self,
+        apigee_type="x",
+        base_url="https://apigee.googleapis.com/v1",
+        auth_type="oauth",
+        org="validate",
+        access_token='',
+    ):
+        self.org = org
+        self.baseurl = f"{base_url}/organizations/{org}"
+        self.apigee_type = apigee_type
+        self.auth_type = auth_type
+        access_token = self.get_access_token(access_token)
+        self.auth_header = {
+            "Authorization": "Bearer {}".format(access_token)
+            if self.auth_type == "oauth"
+            else "Basic {}".format(access_token)  # noqa
+        }
+
+    def get_token_user(self,token):
+        url = f"https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={token}"  # noqa
+        response = requests.get(url)
+        if response.status_code == 200:
+            return response.json()['email']
+        return ''
+
+    def is_token_valid(self, token):
+        url = f"https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={token}"  # noqa
+        response = requests.get(url)
+        if response.status_code == 200:
+            print(f"Token Validated for user {response.json()['email']}")
+            return True
+        return False
+
+
+    def get_access_token(self,access_token):
+        token = access_token
+        if token is not None:
+            if self.apigee_type == "x":
+                if self.is_token_valid(token):
+                    return token
+                else:
+                    print(
+                        'please run "export APIGEE_ACCESS_TOKEN=$(gcloud auth print-access-token)" first !! '  # noqa type: ignore
+                    )
+                    sys.exit(1)
+            else:
+                return token
+        else:
+            if self.apigee_type == "x":
+                print(
+                    'please run "export APIGEE_ACCESS_TOKEN=$(gcloud auth print-access-token)" first !! '  # noqa
+                )
+            else:
+                print("please export APIGEE_OPDK_ACCESS_TOKEN")
+            sys.exit(1)
+
+    def set_auth_header(self):
+        access_token = self.get_access_token()
+        self.auth_header = {
+            "Authorization": "Bearer {}".format(access_token)
+            if self.auth_type == "oauth"
+            else "Basic {}".format(access_token)
+        }
+
+    def get_org(self):
+        url=f"{self.baseurl}"
+        headers = self.auth_header.copy()
+        response = requests.request("GET", url, headers=headers)
+        if response.status_code == 200:
+            return True
+        else:
+            return False
+
+    def get_environment(self,env):
+        url=f"{self.baseurl}/environments/{env}"
+        headers = self.auth_header.copy()
+        response = requests.request("GET", url, headers=headers)
+        if response.status_code == 200:
+            return True
+        else:
+            return False
+
+    def get_env_group(self,env_group):
+        url=f"{self.baseurl}/envgroups/{env_group}"
+        headers = self.auth_header.copy()
+        response = requests.request("GET", url, headers=headers)
+        if response.status_code == 200:
+            return True,response.json()
+        else:
+            return False,None
+
+def compare_lists(l1,l2):
+    if(collections.Counter(l1)==collections.Counter(l2)):
+      return True
+    else:
+        return False
+
+def main():
+    parser = argparse.ArgumentParser(description='Validates Apigee Objects')
+    parser.add_argument('--input_data', help='Apigee Input data')
+    parser.add_argument('--access_token', help='GCP OAuth Access Token')
+    args = parser.parse_args()
+    input_data = json.loads(args.input_data)
+    apigee_org = input_data['gcp']['projectID']
+    apigee_envs = input_data['envs']
+    apigee_vhosts = input_data['virtualhosts']
+    TargetApigee = Apigee(
+        "x",
+        "https://apigee.googleapis.com/v1",
+        "oauth",
+        apigee_org,
+        args.access_token,
+    )
+    validations = []
+    authenticated_user = TargetApigee.get_token_user(args.access_token)
+    if not TargetApigee.get_org():
+        validations.append(f"Apigee Organization : {apigee_org} doesnt exist OR user {authenticated_user} doesnt have permissions ")
+
+    for apigee_env in apigee_envs:
+        if not TargetApigee.get_environment(apigee_env['name']):
+            validations.append(f"Apigee Environment : {apigee_env['name']} doesnt exist OR user {authenticated_user} doesnt have permissions ")
+
+    for apigee_vhost in apigee_vhosts:
+        apigee_vhost_status, apigee_vhost_info = TargetApigee.get_env_group(apigee_vhost['name'])
+        if not apigee_vhost_status:
+            validations.append(f"Apigee Environment Group : {apigee_vhost['name']} doesnt exist OR user {authenticated_user} doesnt have permissions ")
+
+        if apigee_vhost_status:
+            apigee_vhost_hostname = apigee_vhost.get('hostnames',[])
+            apigee_vhost_info_hostname = apigee_vhost_info.get('hostnames',[])
+            if not compare_lists(apigee_vhost_hostname, apigee_vhost_info_hostname):
+                validations.append(f"Apigee Environmrnt Group {apigee_vhost['name']} hostnames {apigee_vhost_hostname} dont match the hostnames in Apigee Management API: {apigee_vhost_info_hostname}")
+
+    if len(validations) > 0:
+        print('Validation Errors found !')
+        print("\n".join(validations))
+        sys.exit(1)
+    print('Apigee Control plane validations successfull')
+
+if __name__ == '__main__':
+    main()

roles/apigee-control-plane-check/handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for apigee-control-plane-check

roles/apigee-control-plane-check/meta/main.yml

@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/apigee-control-plane-check/tasks/main.yml

@@ -0,0 +1,33 @@
+---
+# tasks file for apigee-control-plane-check
+
+- name: overrides
+  set_fact:
+    overrides_string: "{{ overrides |to_json }}"
+
+- name: execute validate apigee-control-plane script
+  block:
+
+  - name: Get Gcloud oAuth Token
+    shell: gcloud auth print-access-token
+    register: access_token
+
+  - script: |
+      validate_apigee_objects.py \
+      --input_data '{{ overrides_string }}' \
+      --access_token {{ access_token.stdout }}
+    register: validate_control_plane
+  - name: Check validate_control_plane operation output
+    debug:
+      msg: "{{ validate_control_plane }}"
+
+  rescue:
+  - name: Check validate_control_plane operation output
+    debug:
+      msg: "{{ validate_control_plane }}"
+
+  - name: Fail Control Plane validation
+    fail:
+      msg: |
+        apigee-control-plane Validation Failed .
+        Please rectify the inputs OR ensure all Apigee Control plane objects Exists

roles/apigee-control-plane-check/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

roles/apigee-control-plane-check/tests/test.yml

@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - apigee-control-plane-check

roles/apigee-control-plane-check/vars/main.yml

@@ -0,0 +1,2 @@
+---
+# vars file for apigee-control-plane-check