add azure role definition module (#52468)

* add role definition module

* fix sample

* fix lint

* fix lint

* add facts module

* fix lint

* disable test due to no owner permission

* use unsupported

* fix lint

* resolve comments

* fix not_xxx_actions

3 files changed, 144 insertions, 0 deletions

diff --git a/test/integration/targets/azure_rm_roledefinition/aliases b/test/integration/targets/azure_rm_roledefinition/aliases
new file mode 100644
index 0000000000..35b9401151
--- /dev/null
+++ b/test/integration/targets/azure_rm_roledefinition/aliases
@@ -0,0 +1,3 @@
+cloud/azure
+destructive
+unsupported
\ No newline at end of file
diff --git a/test/integration/targets/azure_rm_roledefinition/meta/main.yml b/test/integration/targets/azure_rm_roledefinition/meta/main.yml
new file mode 100644
index 0000000000..95e1952f98
--- /dev/null
+++ b/test/integration/targets/azure_rm_roledefinition/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - setup_azure
diff --git a/test/integration/targets/azure_rm_roledefinition/tasks/main.yml b/test/integration/targets/azure_rm_roledefinition/tasks/main.yml
new file mode 100644
index 0000000000..bdf1431c04
--- /dev/null
+++ b/test/integration/targets/azure_rm_roledefinition/tasks/main.yml
@@ -0,0 +1,139 @@
+- name: Fix resource prefix
+  set_fact:
+    role_name: "{{ (resource_group | replace('-','x'))[-8:] }}{{ 1000 | random }}testrole"
+    subscription_id: "{{ lookup('env','AZURE_SUBSCRIPTION_ID') }}"
+  run_once: yes
+
+- name: Create a role definition (Check Mode)
+  azure_rm_roledefinition:
+    name: "{{ role_name }}"
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+    permissions:
+      - actions:
+          - "Microsoft.Compute/virtualMachines/read"
+        not_actions:
+          - "Microsoft.Compute/virtualMachines/write"
+        data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+        not_data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
+    assignable_scopes:
+        - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+  check_mode: yes
+  register: output
+
+- name: Assert creating role definition check mode
+  assert:
+    that:
+      - output.changed
+
+- name: Create a role definition
+  azure_rm_roledefinition:
+    name: "{{ role_name }}"
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+    permissions:
+      - actions:
+          - "Microsoft.Compute/virtualMachines/read"
+        not_actions:
+          - "Microsoft.Compute/virtualMachines/write"
+        data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+        not_data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
+    assignable_scopes:
+        - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+  register: output
+
+- name: Assert creating role definition
+  assert:
+    that:
+      - output.changed
+
+- name: Get facts by name
+  azure_rm_roledefinition_facts:
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+    type: custom
+  register: facts
+
+- name: Assert facts
+  assert:
+    - facts['roledefinitions'] | length > 1
+
+- name: Get facts
+  azure_rm_roledefinition_facts:
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+    role_name: "{{ role_name }}"
+  register: facts
+
+- name: Assert facts
+  assert:
+    - facts['roledefinitions'] | length == 1
+    - facts['roledefinitions']['permissions'] | length == 1
+    - facts['roledefinitions']['permissions'][0]['not_data_actions'] | length == 1
+    - facts['roledefinitions']['permissions'][0]['data_actions'] | length == 1
+
+- name: Update the role definition (idempotent)
+  azure_rm_roledefinition:
+    name: "{{ role_name }}"
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+    permissions:
+      - actions:
+          - "Microsoft.Compute/virtualMachines/read"
+        not_actions:
+          - "Microsoft.Compute/virtualMachines/write"
+        data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+        not_data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
+    assignable_scopes:
+          - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+  register: output
+
+- name: assert output not changed
+  assert:
+    that:
+      - not output.changed
+
+- name: Update the role definition
+  azure_rm_roledefinition:
+    name: "{{ role_name }}"
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+    permissions:
+      - actions:
+          - "Microsoft.Compute/virtualMachines/read"
+          - "Microsoft.Compute/virtualMachines/start/action"
+        not_actions:
+          - "Microsoft.Compute/virtualMachines/write"
+        data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
+        not_data_actions:
+          - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
+    assignable_scopes:
+        - "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+  register: output
+
+- name: assert output changed
+  assert:
+    that:
+      - output.changed
+
+- name: Delete the role definition (Check Mode)
+  azure_rm_roledefinition:
+    name: "{{ role_name }}"
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+  check_mode: yes
+  register: output
+
+- name: assert deleting role definition check mode
+  assert:
+    that: output.changed
+
+- name: Delete the redis cache
+  azure_rm_roledefinition:
+    name: "{{ role_name }}"
+    scope: "/subscriptions/{{ subscription_id }}/resourceGroups/{{ resource_group }}"
+  register: output
+
+- assert:
+    that:
+      - output.changed
\ No newline at end of file