- name: Centurion ERP Teams Setup
  hosts: |-
    {%- if nfc_pb_host is defined -%}
      {{ nfc_pb_host }}
    {%- else -%}
      all
    {%- endif %}
  become: false
  gather_facts: false
  connection: local # Play uses HTTP requests ONLY!


  tasks:


    - name: Confirm required vars exist
      ansible.builtin.assert:
        that:
          - centurion_erp.teams is defined
          - |
            centurion_erp.teams is not mapping
              and
            centurion_erp.teams  is iterable
              and
            centurion_erp.teams is not string

        msg: "Missing required variable or it's of the incorrect type[list]"
      run_once: true
      delegate_to: localhost


    - name: Collect organizations from centurion ERP
      ansible.builtin.uri:
        url: |-
          {{ lookup('env', 'CENTURION_API') }}/api/organization/
        method: GET
        body_format: json
        headers:  
          authorization: Token {{ lookup('env', 'CENTURION_TOKEN') }}
        validate_certs: "{{ lookup('env', 'VALIDATE_CENTURION_CERTS') | default(true) | bool }}"
        return_content: true
        status_code:
          - 200
      register: api_get_organizations
      run_once: true
      delegate_to: localhost
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


    - name: Collect teams from centurion ERP
      ansible.builtin.uri:
        url: "{{ item }}"
        method: GET
        body_format: json
        headers:  
          authorization: Token {{ lookup('env', 'CENTURION_TOKEN') }}
        validate_certs: "{{ lookup('env', 'VALIDATE_CENTURION_CERTS') | default(true) | bool }}"
        return_content: true
        status_code:
          - 200
      loop: "{{ api_get_organizations.json.results | map(attribute='url') | list }}"
      register: api_get_permissions
      run_once: true
      delegate_to: localhost
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


    - name: Create list of Teams
      ansible.builtin.set_fact:
        team_permissions: |
          [  
              {% for config_organisation in centurion_erp.teams %}

                {% set ns = namespace(added_teams = []) %}

                {% for config_team in config_organisation.teams %}

                      {% for organization in api_get_permissions.results %}

                        {% if organization.json.name == config_organisation.name %}

                          {% for team in organization.json.teams %}

                            {% if team.team_name == config_team.name %}

                              { 
                                "organization_id": "{{ organization.json.id }}",
                                "team_name": "{{ team.team_name }}",
                                "url": "{{ team.url }}",
                                "notes": "{{ config_team.notes }}",
                                "permissions": 
                                  {{ config_team.permissions }}
                              },

                              {% set ns.added_teams = ns.added_teams + [ config_team.name ] %}

                            {% endif %}

                          {% endfor %}

                        {% endif %}

                      {% endfor %}

                        {% if config_team.name not in ns.added_teams %}                            
                          { 
                              "organization_id": 
                                {% for organization in api_get_permissions.results %}
                                  {% if organization.json.name == config_organisation.name %}
                                    "{{ organization.json.id }}",
                                  {% endif %}
                                {% endfor %}
                              "team_name": "{{ config_team.name }}",
                              "notes": "{{ config_team.notes }}",
                              "permissions": 
                                {{ config_team.permissions }}
                          },
                          {% set ns.added_teams = ns.added_teams + [ config_team.name ] %}

                        {% endif %}

                {% endfor %}

              {% endfor %}
          ]
      delegate_to: localhost
      run_once: true
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


    - name: Create new teams in centurion_ERP
      ansible.builtin.uri:
        url: |-
          {{ lookup('env', 'CENTURION_API') }}/api/organization/{{ item.organization_id }}/team
        method: POST
        body_format: json
        body: |-
          {
          "team_name": "{{ item.team_name }}"
          }
        headers:
          Authorization: Token {{ lookup('env', 'CENTURION_TOKEN') }}
        validate_certs: "{{ lookup('env', 'VALIDATE_CENTURION_CERTS') | default(true) | bool }}"
        status_code:
          - 201
      when: >
            item.url is not defined
      loop: "{{ team_permissions | list }}"
      register: api_post_teams
      delegate_to: localhost
      run_once: true
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


    - name: update permissions to include newly created teams
      ansible.builtin.set_fact:
        team_permissions: |
          [
            {% for team in team_permissions %}

                    {
                      "organization_id": "{{ team.organization_id }}",
                      "team_name": "{{ team.team_name }}",
                      "notes": "{{ team.notes }}",
                      "permissions": 
                        {{ team.permissions }},
                      "url": 
                        {% if team.url is defined %}
                          "{{ team.url }}",
                          
                        {% elif team.url is not defined %}
                                            
                          {% for api_values in api_post_teams.results %}

                            {% if api_values.item.organization_id == team.organization_id %}

                              {% if api_values.json.team_name == team.team_name %}

                                "{{ api_values.json.url }}",

                                {% endif %}

                              {% endif %}

                          {% endfor %}

                        {% endif %}
                    },

            {% endfor %}
          ]
      delegate_to: localhost
      run_once: true
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


    - name: Patch team permissions
      ansible.builtin.uri:
        url: |-
          {{ item.url }}permissions
        method: PATCH
        body_format: json
        body: "{{ item.permissions }}"
        headers:
          Authorization: Token {{ lookup('env', 'CENTURION_TOKEN') }}
        validate_certs: "{{ lookup('env', 'VALIDATE_CENTURION_CERTS') | default(true) | bool }}"
        status_code:
          - 200
      when: >
             item.url is defined
      loop: "{{ team_permissions | list }}"
      delegate_to: localhost
      run_once: true
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


    - name: Patch team notes
      ansible.builtin.uri:
        url: |-
          {{ item.url }}
        method: PATCH
        body_format: json
        body: |-
          {
          "model_notes": "{{ item.notes }}"
          }
        headers:
          Authorization: Token {{ lookup('env', 'CENTURION_TOKEN') }}
        validate_certs: "{{ lookup('env', 'VALIDATE_CENTURION_CERTS') | default(true) | bool }}"
        status_code:
          - 200
      when: >
             item.url is defined
      loop: "{{ team_permissions | list }}"
      delegate_to: localhost
      run_once: true
      no_log: >    # Contains a secret that logging shows
          {{ nfc_pb_disable_log | default(true) }}


  vars:

  nfc_pb_awx_tower_template:

    - name: "Centurion/access/teams"
      ask_tags_on_launch: false
      ask_inventory_on_launch: true
      ask_credential_on_launch: true
      ask_limit_on_launch: true
      concurrent_jobs_enabled: true
      description: Creation and patching of teams and permissions
      execution_environment: "No Fuss Computing EE"
      job_type: "run"
      # job_tags: complete
      labels:
        - centurion_erp
        - itsm
        - itam
        - access
        - permissions
        - teams
      use_fact_cache: true
      credential_types:
        - name: 'Playbook/teams/centurion'
          description: |
            Credentials for authentication to centurion_erp
          inputs: |
            fields:
              - id: centurion_url
                type: string
                label: centurion url
                help_text: Ensure that `https://` is prefixed to url
              - id: centurion_token
                type: string
                label: api token
                secret: true
              - id: centurion_validate_certs
                type: boolean
                label: Validate SSL Certificate
            required:
              - itsm_api
              - itsm_token
          injectors: >
            env:
              CENTURION_API: '{{ centurion_url }}'
              CENTURION_TOKEN: '{{ centurion_token }}'
              CENTURION_VALIDATE_CERTS: '{{ centurion_validate_certs | default(true) }}'