Add an exec to create the Deploy Environments RBAC Role

Prior to this commit there was a requirement for the user of this
repo to create a RBAC role in order for code manager to work.

After this commit an exec statement will curl the RBAC API to
create the role one time and hopefully it works otherwise the exec
will not run again.

Author: npwalker

README.md

@@ -25,7 +25,7 @@ Table of Contents
 
 This control repo and the steps below are intended to be used during a new installation of PE.
 
-This control repo has only been tested against PE2015.2.z, it's likely close to working on PE3.8.z but has not been tested.
+This control repo has only been tested against PE2015.2.z and PE2015.3.z.  It is likely close to working on PE3.8.z but has not been tested.
 
 If you intend to use it on an existing installation then be warned that if you've already written or downloaded modules when you start using r10k it will remove all of the existing modules and replace them with what you define in your Puppetfile.  Please copy or move your existing modules to another directory to ensure you do not lose any work you've already started.  
 
@@ -144,13 +144,7 @@ So, we'll set up a deploy key in the git server that will allow a ssh-key we mak
  - Paste in the public key from above
  - `cat /etc/puppetlabs/puppetserver/code_manager.key.pub`
 3. Login to the PE console
-4. Select Access Control in the left hand panel
-5. On the User Roles page, add a new role called `Deploy Environments`
- - NOTE: Make sure to name it exactly as I have because the puppet code expects that exact name
-6. After creating the role click through and select the permissions tab
- - Add Puppet Environment type, Deploy Code permission, and All object
- - Add Tokens type, override default expiry permission
-7. Still in the PE Console, navigate to the Classification page
+7. Navigate to the Classification page
  - Click on the PE Master group
  - Click the Classes tab
  - Add the `puppet_enterprise::profile::master`

site/profile/manifests/git_webhook/code_manager.pp

@@ -35,13 +35,35 @@
     unless  => "/usr/bin/test \$(stat -c %U ${::settings::codedir}/environments/production) = 'pe-puppet'",
   }
 
+  $code_manager_role_name = 'Deploy Environments'
+  $create_role_creates_file = '/etc/puppetlabs/puppetserver/.puppetlabs/deploy_environments_created'
+  $create_role_curl = @(EOT)
+    /opt/puppetlabs/puppet/bin/curl -k -X POST -H 'Content-Type: application/json' \
+    https://<%= $::trusted['certname'] %>:4433/rbac-api/v1/roles \
+    -d '{"permissions": [{"object_type": "environment", "action": "deploy_code", "instance": "*"},
+    {"object_type": "tokens", "action": "override_lifetime", "instance": "*"}],"user_ids": [], "group_ids": [], "display_name": "<%= $code_manager_role_name  %>", "description": ""}' \
+    --cert <%= $::settings::certdir %>/<%= $::trusted['certname'] %>.pem  \
+    --key <%= $::settings::privatekeydir %>/<%= $::trusted['certname'] %>.pem  \
+    --cacert <%= $::settings::certdir %>/ca.pem;
+    touch <%= $create_role_creates_file %>
+    | EOT
+
+  exec { 'create deploy environments role' :
+    command   => inline_epp( $create_role_curl ),
+    creates   => $create_role_creates_file,
+    logoutput => true,
+    path      => $::path,
+    require   => File[$token_directory],
+  }
+
   rbac_user { $code_manager_service_user :
     ensure       => 'present',
     name         => $code_manager_service_user,
     email        => "${code_manager_service_user}@example.com",
     display_name => 'Code Manager Service Account',
     password     => $code_manager_service_user_password,
-    roles        => [ 'Deploy Environments' ],
+    roles        => [ $code_manager_role_name ],
+    require      => Exec['create deploy environments role'],
   }
 
   file { $token_directory :