Add elasticsearch_role and elasticsearch_user module (#308)

First draft for a elasticsearch_role module.

With that module you can create, update and delete access roles inside
elasticsearch.
Uses the elasticsearch API.

Example Usage:
```
    - name: Create role
      netways.elasticstack.elasticsearch_role:
        name: new-role
        cluster:
          - manage_own_api_key
          - delegate_pki
        indicies:
          - names:
              - foobar321
              - barfoo123
            privileges:
              - read
              - write
        state: present
        host: https://localhost:9200
        auth_user: elastic
        auth_pass: changeMe123!
        verify_certs: false
        ca_certs: /etc/elasticsearch/certs/http_ca.crt

```

Author: tbauriedel

Diff for: .github/workflows/test_elasticsearch_modules.yml

@@ -0,0 +1,63 @@
+---
+name: Test Elasticsearch modules
+on:
+  workflow_dispatch:
+    inputs:
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - info
+          - warning
+          - debug
+  pull_request:
+    paths:
+      - '.github/workflows/test_elasticsearch_modules.yml'
+      - 'molecule/elasticsearch_test_modules/*'
+
+jobs:
+  molecule_elasticsearch_modules:
+    runs-on: ubuntu-latest
+
+    env:
+      COLLECTION_NAMESPACE: netways
+      COLLECTION_NAME: elasticstack
+
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [ubuntu2204]
+        scenario:
+          - elasticsearch_test_modules
+        release:
+          - 8
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Set up Python 3.8
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.8
+
+      - name: Install dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install -r requirements-test.txt
+
+      - name: Install collection
+        run: |
+          mkdir -p ~/.ansible/collections/ansible_collections/$COLLECTION_NAMESPACE
+          cp -a ../ansible-collection-$COLLECTION_NAME ~/.ansible/collections/ansible_collections/$COLLECTION_NAMESPACE/$COLLECTION_NAME
+
+      - name: Test with molecule
+        run: |
+          molecule test -s ${{ matrix.scenario }}
+        env:
+          MOLECULE_DISTRO: ${{ matrix.distro }}
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          ELASTIC_RELEASE: ${{ matrix.release }}

Diff for: .gitignore

@@ -1,3 +1,4 @@
 .cache
 *.swp
-__pycache__*
+__pycache__*
+.vscode

Diff for: README.md

@@ -8,14 +8,19 @@ Every role is documented with all variables, please refer to the documentation f
 
 **Please note**: If you are already using this collection before version `1.0.0`, please note that we had to rename a significant amount of variables due to naming schema changes made by Ansible. Please review the variables you have set in your playbooks and variable files.
 
-## Roles Documentation
+## Roles documentation
 
 * [Beats](docs/role-beats.md)
 * [Elasticsearch](docs/role-elasticsearch.md)
 * [Kibana](docs/role-kibana.md)
 * [Logstash](docs/role-logstash.md)
 * [Repos](docs/role-repos.md)
 
+## Modules documentation
+
+* [elasticsearch_role](docs/module-elasticsearch_role.md)
+* [elasticsearch_user](docs/module-elasticsearch_user.md)
+
 ## Installation
 
 You can easily install the collection with the `ansible-galaxy` command.

Diff for: docs/module-elasticsearch_role.md

@@ -0,0 +1,68 @@
+Ansible module: elasticsearch_role
+===
+
+This module creates, updates and deletes roles from your Elasticsearch.
+
+Requirements
+---
+
+As this module uses the Elasticsearch API you will need to install the `elasticsearch` Python3 library.
+```
+pip3 install elasticsearch
+```
+
+Module arguments
+---
+
+* *name*: Name of your role (**Required**)
+* *cluster*: List of clusters
+* *indicies*: List of indicies
+  * *names*: List of names (**Required**)
+  * *privileges*: List of privileges (**Required**)
+* *state*: State of the role (Default: `present`)
+* *host*: API endpoint (**Required**)
+* *auth_user*: User to authenticate on the Elasticsearch API (**Required**)
+* *auth_pass*: Password for the given user (**Required**)
+* *verify_certs*: Verify certificates (Default: `true`)
+* *ca_certs*: Verify HTTPS connection by using ca certificate. Path to ca needs to be given
+
+Example usage
+---
+```
+    - name: Create elasticsearch role 'new-role1'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role1
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - default01
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: true
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt
+
+    - name: Create elasticsearch role 'new-role2'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role2
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - default01
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+```

Diff for: docs/module-elasticsearch_user.md

@@ -0,0 +1,65 @@
+Ansible module: elasticsearch_user
+===
+
+This module creates, updates and deletes users from your Elasticsearch.
+
+Requirements
+---
+
+As this module uses the Elasticsearch API you will need to install the `elasticsearch` Python3 library.
+```
+pip3 install elasticsearch
+```
+
+Module arguments
+---
+
+* *name*: Name of your user (**Required**)
+* *fullname*: Fullname of your user
+* *password*: Password for your user (**Required**)
+* *email*: Email for your user
+* *roles*: List of roles (**Required**)
+* *enabled*: Define wheter this user should be enabled (Default: `true`)
+* *state*: State of the role. `absent` to delete the user (Default: `present`)
+* *host*: API endpoint (**Required**)
+* *auth_user*: User to authenticate on the Elasticsearch API (**Required**)
+* *auth_pass*: Password for the given user (**Required**)
+* *verify_certs*: Verify certificates (Default: `true`)
+* *ca_certs*: Verify HTTPS connection by using ca certificate. Path to ca needs to be given
+
+Example usage
+---
+```
+    - name: Create elasticsearch user 'new-user1'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user1
+        fullname: New User 1
+        password: changeMe321!
+        email: [email protected]
+        roles:
+          - new-role
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: true
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt
+
+    - name: Create elasticsearch user 'new-user2'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user2
+        fullname: New User 2
+        password: changeMe321!
+        email: [email protected]
+        roles:
+          - new-role
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: changeMe123!
+        verify_certs: false
+```

Diff for: molecule/elasticsearch_test_modules/converge.yml

@@ -0,0 +1,65 @@
+---
+# The workaround for arbitrarily named role directory is important because the git repo has one name and the role within it another
+# Found at: https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+  collections:
+    - netways.elasticstack
+  hosts: all
+  vars:
+    elasticstack_full_stack: false
+    elasticsearch_jna_workaround: true
+    elasticsearch_disable_systemcallfilterchecks: true
+    #elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+    elasticstack_release: 8
+    elasticsearch_heap: "1"
+    elasticstack_no_log: false
+  tasks:
+    - name: Include Elastics repos role
+      ansible.builtin.include_role:
+        name: repos
+    - name: Include Elasticsearch
+      ansible.builtin.include_role:
+        name: elasticsearch
+
+    - name: Fetch Elastic password # noqa: risky-shell-pipe
+      ansible.builtin.shell: >
+        if test -n "$(ps -p $$ | grep bash)"; then set -o pipefail; fi;
+        grep "PASSWORD elastic" /usr/share/elasticsearch/initial_passwords |
+        awk {' print $4 '}
+      register: elasticstack_password
+      changed_when: false
+
+    - name: Create elasticsearch role 'new-role'
+      netways.elasticstack.elasticsearch_role:
+        name: new-role1
+        cluster:
+          - manage_own_api_key
+          - delegate_pki
+        indicies:
+          - names:
+              - foobar321
+            privileges:
+              - read
+              - write
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: "{{ elasticstack_password.stdout }}"
+        verify_certs: false
+
+    - name: Create elasticsearch user 'new-user'
+      netways.elasticstack.elasticsearch_user:
+        name: new-user1
+        fullname: New User
+        password: changeMe123!
+        email: [email protected]
+        roles:
+          - new-role1
+          - logstash-writer
+        enabled: true
+        state: present
+        host: https://localhost:9200
+        auth_user: elastic
+        auth_pass: "{{ elasticstack_password.stdout }}"
+        verify_certs: false
+        ca_certs: /etc/elasticsearch/certs/http_ca.crt

Diff for: molecule/elasticsearch_test_modules/molecule.yml

@@ -0,0 +1,24 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: elasticsearch_default
+    groups:
+      - elasticsearch
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-debian11}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_VERBOSITY: 3
+verifier:
+  name: ansible

Diff for: molecule/elasticsearch_test_modules/prepare.yml

@@ -0,0 +1,22 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: Install packages for Debian
+      ansible.builtin.apt:
+        name:
+          - gpg
+          - gpg-agent
+          - procps
+          - curl
+          - iproute2
+          - git
+          - openssl
+          - python3
+        update_cache: yes
+
+    - name: Install python module dependencies
+      ansible.builtin.pip:
+        name: "{{ item }}"
+      loop:
+        - elasticsearch

Diff for: molecule/elasticsearch_test_modules/requirements.yml

@@ -0,0 +1,3 @@
+---
+collections:
+  - community.general

Diff for: plugins/module_utils/api.py

@@ -0,0 +1,15 @@
+# !/usr/bin/python3
+
+# Copyright (c) 2024, Tobias Bauriedel <[email protected]>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from elasticsearch import Elasticsearch
+import ssl
+
+class Api():
+    def new_client_basic_auth(host, auth_user, auth_pass, ca_certs, verify_certs) -> Elasticsearch:
+        ctx = ssl.create_default_context(cafile=ca_certs)
+        ctx.check_hostname = False
+        ctx.verify_mode = False
+        return Elasticsearch(hosts=[host], basic_auth=(auth_user, auth_pass), ssl_context=ctx, verify_certs=verify_certs)