Issue with team permission import for a workflow #907

Closed
przemkalit opened this issue Sep 17, 2024 · 4 comments · Fixed by #908
Labels: bug (Something isn't working), filetree/filetree_create, new (New issue, this should be removed once reviewed)

Comments

@przemkalit
Contributor

przemkalit commented Sep 17, 2024

Summary

Hi,
I've discovered that team permissions for a workflow are not populated in the target controller. As a result, user roles for the workflow are added, but team roles are marked as Ok instead of Changed. I tested this with the latest versions of ansible.controller; with the awx.awx controller there is no issue.

Please check it ASAP, because this functionality is crucial.

Issue Type

  • Bug Report

Ansible, Collection, Controller details

ansible --version

ansible [core 2.15.8]

ansible-galaxy collection list
Collection                     Version
------------------------------ -------
ansible.controller                        4.5.10
infra.controller_configuration 2.9.0

  • ansible installation method: OS package

OS / ENVIRONMENT

RH 9.4

Desired Behavior

Permission roles are imported

Actual Behavior

Permission roles are not imported

TASK [infra.controller_configuration.roles : Managing Role Based Access Entries on Controller] ***********************************************************************************************************************************************************************
ok: [localhost] => (item=Create/Update Role Based Access Entry on Controller execute)

STEPS TO REPRODUCE

---
- name: restore
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    controller_roles:
      - team: "team-X"
        workflows:
          - "workflow_name"
        role: "execute"

    controller_hostname: ""
    controller_oauthtoken: ""
    controller_validate_certs: false

  tasks:
    - name: Import objects
      ansible.builtin.include_role:
        name: infra.controller_configuration.dispatch

przemkalit added the bug and new labels Sep 17, 2024
@przemkalit
Contributor Author

Okay, something is not right on our side, I will close this issue.

@przemkalit
Contributor Author

Sorry, but in the end I found the bug. It occurs in the export of roles: the role looks for workflow/workflows inside the controller_roles structure, but filetree_create exports workflow_job_template/workflow_job_templates into controller_roles. That's why the roles cannot be imported.

/roles/roles/tasks/main.yml

    - name: "Managing Role Based Access Entries on Controller"
      role:
      ...
        workflow:    "{{ __controller_role_item.0.workflow | default(__controller_role_item.workflow) | default(omit, true) }}"
        workflows:   "{{ __controller_role_item.0.workflows | default(__controller_role_item.workflows) | default(([] if controller_configuration_role_enforce_defaults else omit), true) }}"

/roles/filetree_create/templates/current_team_roles.j2

{% if first_team_role | default(true) | bool %}
---
controller_roles:
{% endif %}
{% for role in object_roles %}
...
{% elif (role|dict2items)[0].value.resource_type is match('workflow_job_template') %}
    workflow_job_templates:

I don't know why it works for the user, but I think maybe the user is treated differently.

@ivarmu
Contributor

ivarmu commented Sep 18, 2024

So... if I understand well... the key workflow_job_templates should be changed to workflow or workflows to let the dispatch work. Am I right?

@przemkalit
Contributor Author

Yes, that works in our customised collection. I would create a PR, but I am kinda busy with something else.
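The key mismatch described in this thread can be caught before an import silently reports `ok` without granting anything. The following pre-import check is an added example, not part of the original issue or the collection's code; the key names come from the thread, while the function names and sample entries are hypothetical and constructed for illustration.

```python
# Added example (not the collection's code). Key names are taken from the
# issue thread; function names and SAMPLE data are constructed assumptions.

# Keys filetree_create exported -> keys the roles role reads (per the thread).
RENAMES = {
    "workflow_job_template": "workflow",
    "workflow_job_templates": "workflows",
}

# Constructed sample: entry 0 uses the exported key, entry 1 the expected one.
SAMPLE = [
    {"team": "team-X", "workflow_job_templates": ["workflow_name"], "role": "execute"},
    {"team": "team-X", "workflows": ["workflow_name"], "role": "execute"},
]


def find_ignored_keys(controller_roles):
    """Return (entry index, key) for each key the import would not read."""
    return [
        (index, key)
        for index, entry in enumerate(controller_roles)
        for key in entry
        if key in RENAMES
    ]


def normalize(controller_roles):
    """Return a copy with exported keys renamed to the ones the role reads."""
    fixed = []
    for index, entry in enumerate(controller_roles):
        renamed = {}
        for key, value in entry.items():
            target = RENAMES.get(key, key)
            if target in renamed:
                # Both spellings in one entry: refuse to guess which one wins.
                raise ValueError(f"entry {index}: '{key}' collides with '{target}'")
            renamed[target] = value
        fixed.append(renamed)
    return fixed


if __name__ == "__main__":
    for index, key in find_ignored_keys(SAMPLE):
        print(f"controller_roles[{index}]: '{key}' will be ignored on import")
    print(normalize(SAMPLE))
```

Running `find_ignored_keys` over exported role data in CI, and failing the job when it returns anything, turns a missed permission grant into a visible error instead of an `ok` task result.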
