#!/usr/bin/python
# -*- coding: utf-8 -*-

# Copyright (c) 2017-present Alibaba Group Holding Limited. He Guimin <heguimin36@163.com.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see http://www.gnu.org/licenses/.

from __future__ import (absolute_import, division, print_function)

__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'community'}

DOCUMENTATION = """
---
module: ali_ram_role
short_description: Create, Delete, Update Ram Role in Alibaba Cloud.
description:
    - Create, Delete, Update Role in Alibaba Cloud.
    - An unique ali_ram_role module is determined by parameters role_name. 
options:        
  state:
    description:
      - If I(state=present), role will be created.
      - If I(state=present), and assume_role_policy_document exists, role will be updated.
      - If I(state=absent), role will be removed.
    choices: ['present', 'absent']
    default: 'present'
    type: str
  role_name:
    description:
      - The name of the RAM role. The specified name can be up to 64 characters in length. Format(^[a-zA-Z0-9\. @\-]+$)
      - One of I(role_name) and I(role_id) must be specified when operate existing role.
    aliases: ['name']
    type: str
  role_id:
    description:
      - The id of the RAM role.
      - One of I(role_name) and I(role_id) must be specified when operate existing role.
    aliases: ['id']
    type: str
  assume_role_policy_document:
    description:
      - The policy text that specifies one or more entities entrusted to assume the RAM role. 
        The trusted entity can be an Alibaba Cloud account, Alibaba Cloud service, or identity provider (IdP).
      - Required when C(state=present)
    type: str
    aliases: ['policy']
  description:
    description:
      - The description of the RAM role. The description can be up to 1,024 characters in length.
    type: str
requirements:
    - "python >= 3.6"
    - "footmark >= 1.17.0"
extends_documentation_fragment:
    - alicloud
author:
  - "He Guimin (@xiaozhu36)"
"""

EXAMPLES = """
# Note: These examples do not set authentication details, see the Alibaba Cloud Guide for details.
- name: Changed. Create a role
  ali_ram_role:
    role_name: ansible
    policy: '{"Statement": [{"Action": "sts:AssumeRole","Effect": "Allow","Principal": {"Service": ["rds.aliyuncs.com"]}}],"Version": "1"}'
    description: create for ansible

- name: Changed. Update role
  ali_ram_role:
    role_name: ansible
    policy: '{"Statement": [{"Action": "sts:AssumeRole","Effect": "Allow","Principal": {"Service": ["ecs.aliyuncs.com"]}}],"Version": "1"}'

- name: Changed. Delete role
  ali_ram_role:
    state: absent
    role_name: ansible
"""

RETURN = '''
user:
    description: Returns an array of complex objects as described below.
    returned: always
    type: complex
    contains:
        arn:
            description: The Alibaba Cloud Resource Name (ARN) of the RAM role.
            returned: always
            type: str
            sample: acs:ram::123456789012****:role/ECSAdmin
        assume_role_policy_document:
            description: The policy text that specifies one or more entities entrusted to assume the RAM role.
            returned: always
            type: str
            sample: '{ "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "RAM": "acs:ram::123456789012****:root" } } ], "Version": "1" }'
        create_date:
            description: The date and time when the RAM role was created.
            returned: always
            type: str
            sample: '2015-01-23T12:33:18Z'
        description:
            description: The description of the RAM role.
            returned: always
            type: str
            sample: ECS administrator
        role_id:
            description: The ID of the RAM role.
            returned: always
            type: str
            sample: 901234567890****
        role_name:
            description: The name of the RAM role.
            returned: always
            type: str
            sample: ECSAdmin
'''

from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.alicloud_ecs import ecs_argument_spec, ram_connect

HAS_FOOTMARK = False

try:
    from footmark.exception import RAMResponseError
    HAS_FOOTMARK = True
except ImportError:
    HAS_FOOTMARK = False


def role_exists(module, ram_conn, role_name, role_id):
    try:
        role = None
        for r in ram_conn.list_roles():
            if role_name and r.read()['name'] != role_name:
                continue
            if role_id and r.read()['role_id'] != role_id:
                continue
            role = r
        return role
    except Exception as e:
        module.fail_json(msg="Failed to describe Roles: {0}".format(e))


def main():
    argument_spec = ecs_argument_spec()
    argument_spec.update(dict(
        state=dict(default='present', choices=['present', 'absent']),
        role_name=dict(type='str', aliases=['name']),
        role_id=dict(type='str', aliases=['id']),
        assume_role_policy_document=dict(type='str', aliases=['policy']),
        description=dict(type='str')
    ))

    module = AnsibleModule(argument_spec=argument_spec)

    if HAS_FOOTMARK is False:
        module.fail_json(msg='footmark required for this module.')

    ram_conn = ram_connect(module)

    # Get values of variable
    state = module.params['state']
    role_name = module.params['role_name']
    assume_role_policy_document = module.params['assume_role_policy_document']
    role_id = module.params['role_id']
    changed = False

    # Check if role exists
    role = role_exists(module, ram_conn, role_name, role_id)

    if state == 'absent':
        if not role:
            module.exit_json(changed=changed, role={})
        try:
            module.exit_json(changed=role.delete(), role={})
        except RAMResponseError as ex:
            module.fail_json(msg='Unable to delete role {0}, error: {1}'.format(role_name, ex))

    if not role:
        try:
            role = ram_conn.create_role(**module.params)
            module.exit_json(changed=True, role=role.read())
        except RAMResponseError as e:
            module.fail_json(msg='Unable to create role, error: {0}'.format(e))

    if assume_role_policy_document:
        try:
            changed = role.update_policy(policy=assume_role_policy_document)
            module.exit_json(changed=changed, role=role.get().read())
        except RAMResponseError as e:
            module.fail_json(msg='Unable to update role policy, error: {0}'.format(e))


if __name__ == '__main__':
    main()