roles problem when adding permissions to a job template

[simon-mags]

Summary

When we are adding a new set of permissions to a job template as code using this collection on latest i.e. 2.5.0 we have a problem when running the controller_roles roles with the variable "teams".

Issue Type

• Bug Report

Ansible, Collection, Controller details

ansible --version
ansible [core 2.15.0]
  config file = /home/maginnsi-adm/git/ansible-automation-platform/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/runner/.ansible/collections:/usr/share/ansible/collections:/home/maginnsi-adm/git/ansible-automation-platform/collections
  executable location = /usr/bin/ansible
  python version = 3.9.16 (main, May 31 2023, 12:21:58) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/usr/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True


ansible-galaxy collection list
Collection                          Version
----------------------------------- -------
ansible.posix                       1.5.1
cba.aap                             1.0.0
redhat_cop.controller_configuration 2.2.5

# /home/runner/.ansible/collections/ansible_collections
Collection                          Version
----------------------------------- -------
ansible.posix                       1.5.4
infra.controller_configuration      2.5.0

# /usr/share/ansible/collections/ansible_collections
Collection                          Version
----------------------------------- -------
amazon.aws                          6.0.1
ansible.controller                  4.4.0
ansible.netcommon                   5.1.1
ansible.network                     2.0.0
ansible.posix                       1.5.4
ansible.scm                         1.0.7
ansible.security                    1.1.0
ansible.snmp                        1.0.1
ansible.utils                       2.9.0
ansible.windows                     1.14.0
ansible.yang                        1.0.0
arista.eos                          6.0.1
cisco.asa                           4.0.1
cisco.ios                           4.6.1
cisco.iosxr                         5.0.2
cisco.nxos                          4.3.0
cloud.common                        2.1.2
cloud.terraform                     1.1.1
community.crypto                    2.14.1
community.general                   7.1.0
community.hashi_vault               5.0.0
frr.frr                             2.0.2
ibm.qradar                          2.1.0
junipernetworks.junos               5.1.0
kubernetes.core                     2.4.0
microsoft.ad                        1.1.0
openvswitch.openvswitch             2.1.1
redhat.amq_broker                   1.3.0
redhat.eap                          1.3.1
redhat.insights                     1.0.7
redhat.openshift                    2.3.0
redhat.redhat_csp_download          1.2.2
redhat.rhel_idm                     1.10.0
redhat.rhel_system_roles            1.21.1
redhat.rhv                          2.4.2
redhat.runtimes_common              1.0.2
redhat.sap_install                  1.2.1
redhat.satellite                    3.10.0
redhat.satellite_operations         1.3.0
redhat.sso                          1.2.1
sap.sap_operations                  1.0.4
servicenow.itsm                     2.1.0
splunk.es                           2.1.0
trendmicro.deepsec                  2.0.0
vmware.vmware_rest                  2.3.1
vyos.vyos                           4.0.2

Controller version
ansible.controller             4.4.0  

Collection Version
infra.controller_configuration 2.5.0  

• ansible installation method: EE

OS / ENVIRONMENT

DESCRIPTION=Red Hat Ansible Automation Platform Supported Execution Environment

Desired Behavior

When attempting to run the role we are unable to use the variable "teams", this appears to be a bug and is easily reproducible. We desire to be able to setup a Job Template so that users across multiple teams can run the Job Template.

Actual Behavior

Please give some details of what is actually happening.
Include a minimum complete verifiable example with:

• playbook / task
• configuration file / list
• error

TASK [redhat_cop.controller_configuration.roles : Configure Roles | Wait for finish the Roles creation] **********************************************************************************************
failed: [my.server.name] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j526170889618.4099005', 'results_file': '/root/.ansible_async/j526170889618.4099005', 'changed': False, '__controller_role_item': [{'job_templates': ['AAP - Testing'], 'teams': 'Ansible Users', 'roles': ['read', 'execute'], 'state': 'present'}, 'read'], 'ansible_loop_var': '__controller_role_item'}) => {"__controller_role_job_async_results_item": {"__controller_role_item": [{"job_templates": ["AAP - Testing"], "roles": ["read", "execute"], "state": "present", "teams": "Ansible Users"}, "read"], "ansible_job_id": "j526170889618.4099005", "ansible_loop_var": "__controller_role_item", "changed": false, "failed": 0, "finished": 0, "results_file": "/root/.ansible_async/j526170889618.4099005", "started": 1}, "ansible_job_id": "j526170889618.4099005", "ansible_loop_var": "__controller_role_job_async_results_item", "attempts": 1, "changed": false, "finished": 1, "msg": "Unsupported parameters for (role) module: teams. Supported parameters include: controller_config_file, controller_host, controller_oauthtoken, controller_password, controller_username, credential, credentials, instance_groups, inventories, inventory, job_template, job_templates, lookup_organization, organization, organizations, project, projects, role, state, target_team, target_teams, team, user, validate_certs, workflow, workflows (tower_config_file, tower_host, tower_oauthtoken, tower_password, tower_username, tower_verify_ssl).", "results_file": "/root/.ansible_async/j526170889618.4099005", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
failed: [my.server.name] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j647266013775.4099029', 'results_file': '/root/.ansible_async/j647266013775.4099029', 'changed': False, '__controller_role_item': [{'job_templates': ['AAP - Testing'], 'teams': 'Ansible Users', 'roles': ['read', 'execute'], 'state': 'present'}, 'execute'], 'ansible_loop_var': '__controller_role_item'}) => {"__controller_role_job_async_results_item": {"__controller_role_item": [{"job_templates": ["AAP - Testing"], "roles": ["read", "execute"], "state": "present", "teams": "Ansible Users"}, "execute"], "ansible_job_id": "j647266013775.4099029", "ansible_loop_var": "__controller_role_item", "changed": false, "failed": 0, "finished": 0, "results_file": "/root/.ansible_async/j647266013775.4099029", "started": 1}, "ansible_job_id": "j647266013775.4099029", "ansible_loop_var": "__controller_role_job_async_results_item", "attempts": 1, "changed": false, "finished": 1, "msg": "Unsupported parameters for (role) module: teams. Supported parameters include: controller_config_file, controller_host, controller_oauthtoken, controller_password, controller_username, credential, credentials, instance_groups, inventories, inventory, job_template, job_templates, lookup_organization, organization, organizations, project, projects, role, state, target_team, target_teams, team, user, validate_certs, workflow, workflows (tower_config_file, tower_host, tower_oauthtoken, tower_password, tower_username, tower_verify_ssl).", "results_file": "/root/.ansible_async/j647266013775.4099029", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

STEPS TO REPRODUCE

controller_roles:
  - job_templates:
      - "AAP - Testing"
    teams:
      - "Ansible Users"
    roles:
      - read
      - execute
    state: present

[Tompage1994]

Hi @simon-mags

The issue here is that the ansible.controller.role module does not yet support the teams option and the only way to get access to this option at the moment is to make use of the upstream awx.awx collection.

As a result if you wanted to keep making use of the certified collection you won't be able to use the teams or users options until at least the next release of the downstream collection.

[simon-mags]

Thanks for the update @Tompage1994 let us know if there is anything we can do to ensure this is added into the next release.

[Tompage1994]

It almost certainly will be added to the next release, but the release cycle is related to the release cycle of AAP itself and as 2.4 only just dropped it'll likely be a couple of months

[sean-m-sullivan]

I am closing this, as of right now the latest update 4.4.7 did not include the improvement, its still waiting to go through QA, but these roles currently support it upstream, its just a matter of time to get to downstream ansible.controller.