Add new module azure_rm_afdorigin to support Azure Frontdoor Standard and Premium

CHANGELOG.md

@@ -1,41 +1,5 @@
 # Change Log
 
-## v2.6.0 (2024-07-01)
-
-### FEATURE ENHANCEMENT
-  - Minimum supported Ansible core version to v2.15 - Ansible v2.15 EOL(https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-community-changelogs) 
-
-## v2.5.0 (2024-06-28)
-
-### NEW MODULES
-  - azure_rm_capacityreservationgroup: Add support for managed capacity reservation group ([#1557](https://github.com/ansible-collections/azure/pull/1557))
-  - azure_rm_capacityreservationgroup_info: Add support for get capacity reservation group ([#1557](https://github.com/ansible-collections/azure/pull/1557))
-  - azure_rm_networkwatcher: Add support for managed network watcher ([#1576](https://github.com/ansible-collections/azure/pull/1576))
-  - azure_rm_networkwatcher_info: Add support for get network watcher facts ([#1576](https://github.com/ansible-collections/azure/pull/1576))
-  - azure_rm_networkflowlogs: Add support for managed network flow logs ([#1576](https://github.com/ansible-collections/azure/pull/1576))
-  - azure_rm_networkflowlogs_info: Add support for get network flow logs ([#1576](https://github.com/ansible-collections/azure/pull/1576))
-
-### FEATURE ENHANCEMENT
-  - azure_rm_webapp: Add support for `identity` ([#1566](https://github.com/ansible-collections/azure/pull/1566))
-  - azure_rm_webapp_info: Add support for `identity` ([#1566](https://github.com/ansible-collections/azure/pull/1566))
-  - azure_rm_galleryimageversion: Allow creating gallery image versions from storage accounts ([#1466](https://github.com/ansible-collections/azure/pull/1466))
-  - requirements.txt:
-    - Bump `azure-storage-blob` from 12.11.0 to 12.13.0 ([#1572](https://github.com/ansible-collections/azure/pull/1572))
-    - Update `azure-cli-core` to 2.61.0 ([#1593](https://github.com/ansible-collections/azure/pull/1593))
-    - Bump `azure-identity` from 1.14.0 to 1.16.1 ([#1596](https://github.com/ansible-collections/azure/pull/1596))
-    - Limit `azure-iot-hub` to `x86_64 platforms` ([#1609](https://github.com/ansible-collections/azure/pull/1609))
-  - azure_rm_containerinstance: Add support for `identity` ([#1581](https://github.com/ansible-collections/azure/pull/1581))
-  - azure_rm_containerinstance_info: Add support for `identity` ([#1581](https://github.com/ansible-collections/azure/pull/1581))
-  - azure_rm_storageaccount: Add support for `allow_shared_key_access` ([#1583](https://github.com/ansible-collections/azure/pull/1583))
-  - azure_rm_virtualmachinescaleset: Add support for `identity` ([#1585](https://github.com/ansible-collections/azure/pull/1585))
-  - azure_rm_virtualmachinescaleset_info: Add support for `identity` ([#1585](https://github.com/ansible-collections/azure/pull/1585))
-
-### BUG FIXING
-  - azure_rm_webapp: Delete the imported logging module ([#1567](https://github.com/ansible-collections/azure/pull/1567))
-  - azure_rm_postgresqlflexiblefirewallrule: Delete the imported logging module ([#1567](https://github.com/ansible-collections/azure/pull/1567))
-  - azure_rm_adgroup_info: Return None if not a member of the group ([#1579](https://github.com/ansible-collections/azure/pull/1579))
-
-
 ## v2.4.0 (2024-05-30)
 
 ### NEW MODULES

README.md

@@ -13,7 +13,7 @@ It is recommended to run ansible in [Virtualenv](https://virtualenv.pypa.io/en/l
 
 ## Requirements
 
-- ansible version >= 2.15
+- ansible version >= 2.14
 
 To install Azure collection hosted in Galaxy:
 

galaxy.yml

@@ -9,7 +9,7 @@ namespace: azure
 name: azcollection
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 2.6.0
+version: 2.4.0
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

meta/runtime.yml

@@ -14,6 +14,8 @@ action_groups:
     - azure.azcollection.azure_rm_adserviceprincipal_info
     - azure.azcollection.azure_rm_aduser
     - azure.azcollection.azure_rm_aduser_info
+    - azure.azcollection.azure_rm_afdorigin
+    - azure.azcollection.azure_rm_afdorigin_info
     - azure.azcollection.azure_rm_afdendpoint
     - azure.azcollection.azure_rm_afdendpoint_info
     - azure.azcollection.azure_rm_aks

plugins/inventory/azure_rm.py

@@ -101,18 +101,18 @@
 exclude_host_filters:
     # excludes hosts in the eastus region
     - location in ['eastus']
-    - tags['tagkey'] is defined and tags['tagkey'] == 'tagvalue'
-    - tags['tagkey2'] is defined and tags['tagkey2'] == 'tagvalue2'
+    - tags['tagkey'] is defined and tags['tagkey'] == 'tagkey'
+    - tags['tagkey2'] is defined and tags['tagkey2'] == 'tagkey2'
     # excludes hosts that are powered off
     - powerstate != 'running'
 
 # includes a host to the inventory when any of these expressions is true, can refer to any vars defined on the host
 include_host_filters:
     # includes hosts that in the eastus region and power on
     - location in ['eastus'] and powerstate == 'running'
-    # includes hosts in the eastus region and power on OR includes hosts in the eastus2 region and tagkey value is tagvalue
+    # includes hosts in the eastus region and power on OR includes hosts in the eastus2 region and tagkey is tagkey
     - location in ['eastus'] and powerstate == 'running'
-    - location in ['eastus2'] and tags['tagkey'] is defined and tags['tagkey'] == 'tagvalue'
+    - location in ['eastus2'] and tags['tagkey'] is defined and tags['tagkey'] == 'tagkey'
 '''
 
 # FUTURE: do we need a set of sane default filters, separate from the user-defineable ones?

plugins/module_utils/azure_rm_common.py

@@ -700,8 +700,8 @@ def get_blob_service_client(self, resource_group_name, storage_account_name, aut
         try:
             self.log("Getting storage account detail")
             account = self.storage_client.storage_accounts.get_properties(resource_group_name=resource_group_name, account_name=storage_account_name)
-            if auth_mode == 'login' and self.azure_auth.credentials.get('credentials'):
-                credential = self.azure_auth.credentials['credentials']
+            if auth_mode == 'login' and self.azure_auth.credentials.get('credential'):
+                credential = self.azure_auth.credentials['credential']
             elif (auth_mode == 'login' and self.azure_auth.credentials.get('tenant')
                   and self.azure_auth.credentials.get('client_id')
                   and self.azure_auth.credentials.get('secret')):

plugins/module_utils/azure_rm_common_ext.py

@@ -13,50 +13,6 @@
 
 class AzureRMModuleBaseExt(AzureRMModuleBase):
 
-    # This schema should be used when users can add more than one user assigned identity
-    # Also this schema allows the option to append identities in update
-    managed_identity_multiple_spec = dict(
-        type=dict(
-            type='str',
-            choices=['SystemAssigned',
-                     'UserAssigned',
-                     'SystemAssigned, UserAssigned',
-                     'None'],
-            default='None'
-        ),
-        user_assigned_identities=dict(
-            type='dict',
-            options=dict(
-                id=dict(
-                    type='list',
-                    default=[],
-                    elements='str'
-                ),
-                append=dict(
-                    type='bool',
-                    default=True
-                )
-            ),
-            default={}
-        ),
-    )
-
-    # This schema should be used when users can add only one user assigned identity
-    managed_identity_single_spec = dict(
-        type=dict(
-            type="str",
-            choices=[
-                "SystemAssigned",
-                "UserAssigned",
-                "None"
-            ],
-            default="None"
-        ),
-        user_assigned_identity=dict(
-            type="str",
-        ),
-    )
-
     def inflate_parameters(self, spec, body, level):
         if isinstance(body, list):
             for item in body:
@@ -257,61 +213,44 @@ def default_compare(self, modifiers, new, old, path, result):
             else:
                 return True
 
-    def update_single_managed_identity(self, curr_identity, new_identity):
-        # Converting from single_managed_identity_spec to managed_identity_spec
-        new_identity = new_identity or dict()
-        new_identity_converted = {
-            'type': new_identity.get('type', 'None'),
-        }
-        user_assigned_identity = new_identity.get('user_assigned_identity', None)
-        if user_assigned_identity is not None:
-            new_identity_converted['user_assigned_identities'] = {
-                'id': [user_assigned_identity]
-            }
-        return self.update_managed_identity(curr_identity=curr_identity, new_identity=new_identity_converted, allow_identities_append=False)
-
-    def update_managed_identity(self, curr_identity=None, new_identity=None, allow_identities_append=True):
+    def update_identities(self, curr_identity):
         curr_identity = curr_identity or dict()
-        # TODO need to remove self.module.params.get('identity', {})
-        # after changing all modules to provide the "new_identity" parameter
-        # curr_identity and new_identity need to be mandatory parameters
-        new_identity = new_identity or self.module.params.get('identity', {}) or dict()
-        curr_managed_type = curr_identity.get('type', 'None')
-        new_managed_type = new_identity.get('type', 'None')
-        # If type set to None, and Resource has None, nothing to do
-        if new_managed_type == 'None' and curr_managed_type == 'None':
-            return False, None
-
         changed = False
+        current_managed_type = curr_identity.get('type', 'None')
+        current_managed_identities = set(curr_identity.get('user_assigned_identities', {}).keys())
+        param_identity = self.module.params.get('identity', {})
+        param_identities = set(param_identity.get('user_assigned_identities', {}).get('id', []))
+        external_identities = param_identities
+
+        # If type set to None, and Resource has None, nothing to do
+        if 'None' in param_identity.get('type', 'None') and current_managed_type == 'None':
+            pass
         # If type set to None, and Resource has current identities, remove UserAssigned identities
-        # Or
+        elif param_identity.get('type', 'None') == 'None':
+            changed = True
         # If type in module args different from current type, update identities
-        if new_managed_type == 'None' or curr_managed_type != new_managed_type:
+        elif current_managed_type != param_identity.get('type', 'None'):
             changed = True
 
-        curr_user_assigned_identities = set(curr_identity.get('user_assigned_identities', {}).keys())
-        new_user_assigned_identities = set(new_identity.get('user_assigned_identities', {}).get('id', []))
-        result_user_assigned_identities = new_user_assigned_identities
-
         # If type in module args contains 'UserAssigned'
-        if allow_identities_append and \
-           'UserAssigned' in new_managed_type and \
-           new_identity.get('user_assigned_identities', {}).get('append', True) is True:
-            result_user_assigned_identities = new_user_assigned_identities.union(curr_user_assigned_identities)
-
-        # Check if module args identities are different as current ones
-        if result_user_assigned_identities.difference(curr_user_assigned_identities) != set():
-            changed = True
+        if 'UserAssigned' in param_identity.get('type', 'None'):
+            if param_identity.get('user_assigned_identities', {}).get('append', False) is True:
+                external_identities = param_identities.union(current_managed_identities)
+                if len(current_managed_identities) != len(external_identities):
+                    # update identities
+                    changed = True
+            # If new identities have to overwrite current identities
+            else:
+                # Check if module args identities are different as current ones
+                if current_managed_identities.difference(external_identities) != set():
+                    changed = True
 
-        result_identity = self.managed_identity['identity'](type=new_managed_type)
+        new_identity = self.managed_identity['identity'](type=param_identity.get('type'))
 
         # Append identities to the model
-        if len(result_user_assigned_identities) > 0:
-            result_identity.user_assigned_identities = {}
-            for identity in result_user_assigned_identities:
-                result_identity.user_assigned_identities[identity] = self.managed_identity['user_assigned']()
-
-        return changed, result_identity
+        if external_identities:
+            new_identity.user_assigned_identities = {}
+            for identity in external_identities:
+                new_identity.user_assigned_identities[identity] = self.managed_identity['user_assigned']()
 
-    # TODO need to be removed after all modules changed to use the new name
-    update_identities = update_managed_identity
+        return changed, new_identity

plugins/modules/azure_rm_adgroup_info.py

@@ -380,12 +380,9 @@ async def get_transitive_group_members(self, group_id, filters=None):
         )
         if filters:
             request_configuration.query_parameters.filter = filters
-        try:
-            response = await self._client.groups.by_group_id(group_id).transitive_members.get(
-                request_configuration=request_configuration)
-            return response.value
-        except Exception:
-            return
+        response = await self._client.groups.by_group_id(group_id).transitive_members.get(
+            request_configuration=request_configuration)
+        return response.value
 
     async def get_raw_group_members(self, group_id, filters=None):
         request_configuration = GroupItemRequestBuilder.GroupItemRequestBuilderGetRequestConfiguration(

plugins/modules/azure_rm_aduser.py

@@ -75,17 +75,6 @@
             - The password for the user.
             - Used when either creating or updating a user account.
         type: str
-    password_force_change:
-        description:
-            - Whether or not the user will be forced to change their password at next logon.
-            - If unspecified, Azure defaults this to true for new users.
-            - Used when either creating or updating a user account.
-        type: bool
-    password_force_change_mfa:
-        description:
-            - Identical behavior to password_force_change except multi-factor authentication (MFA) must be performed prior to changing the password.
-            - Used when either creating or updating a user account.
-        type: bool
     usage_location:
         description:
             - A two letter country code, ISO standard 3166.
@@ -271,8 +260,6 @@ def __init__(self):
             account_enabled=dict(type='bool'),
             display_name=dict(type='str'),
             password_profile=dict(type='str', no_log=True),
-            password_force_change=dict(type='bool', no_log=False),
-            password_force_change_mfa=dict(type='bool', no_log=False),
             mail_nickname=dict(type='str'),
             on_premises_immutable_id=dict(type='str', aliases=['immutable_id']),
             usage_location=dict(type='str'),
@@ -293,8 +280,6 @@ def __init__(self):
         self.account_enabled = None
         self.display_name = None
         self.password_profile = None
-        self.password_force_change = None
-        self.password_force_change_mfa = None
         self.mail_nickname = None
         self.on_premises_immutable_id = None
         self.usage_location = None
@@ -342,11 +327,12 @@ def exec_module(self, **kwargs):
 
                 if ad_user:  # Update, changed
 
-                    password_profile = PasswordProfile(
-                        password=self.password_profile,
-                        force_change_password_next_sign_in=self.password_force_change,
-                        force_change_password_next_sign_in_with_mfa=self.password_force_change_mfa
-                    )
+                    password = None
+
+                    if self.password_profile:
+                        password = PasswordProfile(
+                            password=self.password_profile,
+                        )
 
                     should_update = False
                     if self.on_premises_immutable_id and ad_user.on_premises_immutable_id != self.on_premises_immutable_id:
@@ -363,11 +349,7 @@ def exec_module(self, **kwargs):
                         should_update = True
                     if should_update or self.display_name and ad_user.display_name != self.display_name:
                         should_update = True
-                    if should_update or self.password_profile is not None:
-                        should_update = True
-                    if should_update or self.password_force_change is not None:
-                        should_update = True
-                    if should_update or self.password_force_change_mfa is not None:
+                    if should_update or password:
                         should_update = True
                     if should_update or self.user_principal_name and ad_user.user_principal_name != self.user_principal_name:
                         should_update = True
@@ -380,7 +362,7 @@ def exec_module(self, **kwargs):
                             self.on_premises_extension_attributes_to_dict(ad_user.on_premises_extension_attributes) != self.on_premises_extension_attributes):
                         should_update = True
                     if should_update:
-                        asyncio.get_event_loop().run_until_complete(self.update_user(ad_user, password_profile, extension_attributes))
+                        asyncio.get_event_loop().run_until_complete(self.update_user(ad_user, password, extension_attributes))
 
                         self.results['changed'] = True
 
@@ -471,7 +453,7 @@ def to_dict(self, object):
             on_premises_extension_attributes=self.on_premises_extension_attributes_to_dict(object.on_premises_extension_attributes)
         )
 
-    async def update_user(self, ad_user, password_profile, extension_attributes):
+    async def update_user(self, ad_user, password, extension_attributes):
         request_body = User(
             on_premises_immutable_id=self.on_premises_immutable_id,
             usage_location=self.usage_location,
@@ -480,7 +462,7 @@ async def update_user(self, ad_user, password_profile, extension_attributes):
             user_type=self.user_type,
             account_enabled=self.account_enabled,
             display_name=self.display_name,
-            password_profile=password_profile,
+            password_profile=password,
             user_principal_name=self.user_principal_name,
             mail_nickname=self.mail_nickname,
             company_name=self.company_name,
@@ -489,15 +471,13 @@ async def update_user(self, ad_user, password_profile, extension_attributes):
         return await self._client.users.by_user_id(ad_user.id).patch(body=request_body)
 
     async def create_user(self, extension_attributes):
-        password_profile = PasswordProfile(
-            password=self.password_profile,
-            force_change_password_next_sign_in=self.password_force_change,
-            force_change_password_next_sign_in_with_mfa=self.password_force_change_mfa
+        password = PasswordProfile(
+            password=self.password_profile
         )
         request_body = User(
             account_enabled=self.account_enabled,
             display_name=self.display_name,
-            password_profile=password_profile,
+            password_profile=password,
             user_principal_name=self.user_principal_name,
             mail_nickname=self.mail_nickname,
             on_premises_immutable_id=self.on_premises_immutable_id,