@natemccurdy
Created May 20, 2016 18:41
Create an RBAC role and users that can deploy Puppet code using Code Manager
# This requires the pltraining/rbac module from the Forge. https://forge.puppet.com/pltraining/rbac
# Last tested on Puppet Enterprise 2016.1.2
#
# The role is created with a one-shot curl against the RBAC API because the rbac
# module manages users and groups, not roles. The API has no "create if missing":
# if the role already exists, the curl returns "There was a database conflict",
# so the exec is guarded by a marker file rather than by the API itself.
# This isn't perfect... try at your own risk.
$deploy_role_name        = 'Deploy Code'
$deploy_role_description = 'Users that are able to deploy code using Code Manager'
$console_master_certname = $::trusted['certname']

# Permissions granted to the role:
#   environment / deploy_code / *     - deploy any environment with Code Manager
#   tokens / override_lifetime / *    - request a token with a non-default lifetime
#                                       (e.g. a long-lived one for a CI job)
# Narrow "instance" to specific environment names, and drop the tokens
# permission, if the broader grant is more than these users need.
#
# The request verifies the console against the Puppet CA (--cacert) and
# authenticates with the master's own certificate, which is on the console's
# RBAC certificate whitelist by default. curl's -k would switch that server
# verification off again, so it is not used. --fail plus && makes sure the
# marker file is only written when the API call actually succeeded.
$create_role_curl = @(EOT)
  /opt/puppetlabs/puppet/bin/curl -sS --fail -X POST -H 'Content-Type: application/json' \
    https://<%= $console_master_certname %>:4433/rbac-api/v1/roles \
    -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
                         {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],
         "user_ids": [], "group_ids": [],
         "display_name": "<%= $deploy_role_name %>",
         "description": "<%= $deploy_role_description %>"}' \
    --cert <%= $::settings::certdir %>/<%= $console_master_certname %>.pem \
    --key <%= $::settings::privatekeydir %>/<%= $console_master_certname %>.pem \
    --cacert <%= $::settings::certdir %>/ca.pem \
  && touch /var/tmp/deploy_role_created
  | EOT

exec { 'create deploy environments role':
  command   => inline_epp($create_role_curl),
  creates   => '/var/tmp/deploy_role_created',
  logoutput => true,
  path      => $::path,
}

# rbac_user resolves roles by display name, so the role must exist first.
rbac_user { 'bob':
  ensure       => 'present',
  name         => 'bob',
  display_name => "Hi, I'm Bob",
  email        => '[email protected]',
  roles        => [ $deploy_role_name ],
  require      => Exec['create deploy environments role'],
}

rbac_user { 'tom':
  ensure       => 'present',
  name         => 'tom',   # was 'bob', which would have collided with the user above
  display_name => "Hi, I'm Tom",
  email        => '[email protected]',
  roles        => [ $deploy_role_name ],
  require      => Exec['create deploy environments role'],
}
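As an added example (not the gist's code), the same role creation done idempotently from Python against the same RBAC API endpoint: it looks the role up by display name before posting, treats an HTTP 409 on POST as "already exists" instead of failing on the "database conflict", and verifies the console's certificate against the Puppet CA rather than passing curl's -k. It assumes the default PE ssldir layout under /etc/puppetlabs/puppet/ssl, that the RBAC API answers 409 for a duplicate role, and that the master's certificate is accepted for certificate-based authentication, as it is for the curl above. SAMPLE_ROLES is a constructed GET /roles response for offline checking, not real API output.

```python
# Added example: idempotent creation of the Code Manager deploy role via the
# PE RBAC API. Not part of the gist; paths and the 409 behaviour are assumptions.
import json
import ssl
import sys
import urllib.error
import urllib.request

SSLDIR = "/etc/puppetlabs/puppet/ssl"   # assumed default PE ssldir layout
RBAC_PORT = 4433

# Same permissions the gist's curl grants.
DEPLOY_PERMISSIONS = [
    {"object_type": "environment", "action": "deploy_code", "instance": "*"},
    {"object_type": "tokens", "action": "override_lifetime", "instance": "*"},
]

# Constructed sample of a GET /rbac-api/v1/roles response (offline use only).
SAMPLE_ROLES = [
    {"id": 1, "display_name": "Administrators", "description": "",
     "permissions": [], "user_ids": [], "group_ids": []},
    {"id": 7, "display_name": "Deploy Code", "description": "deployers",
     "permissions": DEPLOY_PERMISSIONS, "user_ids": [], "group_ids": []},
]


def build_role_body(display_name, description, permissions=DEPLOY_PERMISSIONS):
    """The JSON document the gist's curl -d sends, built as data so that quotes
    in the name or description cannot break the payload the way templating can."""
    return {
        "permissions": list(permissions),
        "user_ids": [],
        "group_ids": [],
        "display_name": display_name,
        "description": description,
    }


def find_role_id(roles, display_name):
    """roles is the decoded body of GET /roles (a JSON array of role objects).
    Return the id of the role with this display_name, or None if absent."""
    for role in roles:
        if role.get("display_name") == display_name:
            return role["id"]
    return None


def tls_context(certname, ssldir=SSLDIR):
    """Verify the console against the Puppet CA and present the master's own
    cert/key as client identity: the --cacert/--cert/--key part of the curl,
    with nothing equivalent to -k."""
    ctx = ssl.create_default_context(cafile=f"{ssldir}/certs/ca.pem")
    ctx.load_cert_chain(certfile=f"{ssldir}/certs/{certname}.pem",
                        keyfile=f"{ssldir}/private_keys/{certname}.pem")
    return ctx


def rbac_request(ctx, certname, method, path, body=None):
    url = f"https://{certname}:{RBAC_PORT}/rbac-api/v1{path}"
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def ensure_role(certname, display_name, description):
    """Create the role only if no role with that display_name exists.
    Returns (role_id, created)."""
    ctx = tls_context(certname)
    existing = find_role_id(rbac_request(ctx, certname, "GET", "/roles"), display_name)
    if existing is not None:
        return existing, False
    created = False
    try:
        rbac_request(ctx, certname, "POST", "/roles",
                     build_role_body(display_name, description))
        created = True
    except urllib.error.HTTPError as err:
        # Assumption: 409 is the "database conflict" the gist mentions, i.e. the
        # role appeared between our GET and POST. Anything else is a real error.
        if err.code != 409:
            raise
    # Re-read instead of trusting the POST response shape, so this works whether
    # the API answers with the role, a redirect to it, or a conflict.
    role_id = find_role_id(rbac_request(ctx, certname, "GET", "/roles"), display_name)
    return role_id, created


if __name__ == "__main__":
    # usage: python3 ensure_deploy_role.py <console certname>   (run as root on the console node)
    rid, made = ensure_role(sys.argv[1], "Deploy Code",
                            "Users that are able to deploy code using Code Manager")
    print(f"role id {rid} ({'created' if made else 'already existed'})")
```

Because the existence check is made against the API rather than a marker file in /var/tmp, re-running the script (or running it after the marker has been cleaned up) returns the existing role id instead of the conflict error; an exec with this as its command would not need `creates` at all.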