Summary
It would be useful if the role could manage Elasticsearch role mappings (for LDAP/AD integration) via role variables, instead of requiring users to write individual uri tasks per mapping.
Current situation
Each role mapping requires a separate ansible.builtin.uri task with full auth boilerplate:
```yaml
- name: Create role mapping — beheer
  ansible.builtin.uri:
    url: "https://{{ inventory_hostname }}:9200/_security/role_mapping/beheer_mapping"
    method: PUT
    user: elastic
    password: "{{ vault_pw }}"
    validate_certs: false
    force_basic_auth: true
    headers:
      Content-Type: application/json
    body:
      enabled: true
      roles: ["beheer_role"]
      rules:
        field:
          groups: "cn=beheer,cn=groups,cn=accounts,dc=example,dc=com"
    body_format: json
```

With 5-10 mappings this becomes 100+ lines of near-identical YAML.
Proposed solution
Add a role variable like:
```yaml
elasticsearch_role_mappings:
  - name: logging_admin
    roles: [superuser]
    rules:
      field:
        groups: "cn=logging-admin,cn=groups,cn=accounts,dc=example,dc=com"
  - name: beheer_mapping
    roles: [beheer_role]
    rules:
      any:
        - field:
            groups: "cn=beheer,cn=groups,cn=accounts,dc=example,dc=com"
        - field:
            groups: "cn=ontwikkeling,cn=groups,cn=accounts,dc=example,dc=com"
```

The role would loop over this list and handle the API calls internally.
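One way the requested loop could look inside the role, as an added example that is not code from this issue or from the role itself. The variables `elasticsearch_api_user`, `elasticsearch_api_password` and `elasticsearch_ca_cert`, and the optional per-mapping `enabled` key, are assumptions; the sketch also verifies the server certificate against a CA file rather than disabling validation.

```yaml
# Added example. The elasticsearch_api_* and elasticsearch_ca_cert variable
# names are assumptions, not variables the role defines today.
- name: Validate role mapping definitions before touching the cluster
  ansible.builtin.assert:
    that:
      - item.name is defined and item.name | length > 0
      - item.roles is defined and item.roles | length > 0
      # An empty or missing rules block should never reach the API.
      - item.rules is mapping and item.rules | length > 0
    fail_msg: "Role mapping '{{ item.name | default('<unnamed>') }}' needs name, roles and non-empty rules"
    quiet: true
  loop: "{{ elasticsearch_role_mappings | default([]) }}"
  loop_control:
    label: "{{ item.name | default('<unnamed>') }}"

- name: Create or update Elasticsearch role mappings
  ansible.builtin.uri:
    url: "https://{{ inventory_hostname }}:9200/_security/role_mapping/{{ item.name | urlencode }}"
    method: PUT
    user: "{{ elasticsearch_api_user }}"
    password: "{{ elasticsearch_api_password }}"
    force_basic_auth: true
    # Verify the node certificate against the cluster CA.
    validate_certs: true
    ca_path: "{{ elasticsearch_ca_cert }}"
    body_format: json
    body:
      # 'enabled' is an assumed optional key; mappings default to enabled.
      enabled: "{{ item.enabled | default(true) | bool }}"
      roles: "{{ item.roles }}"
      rules: "{{ item.rules }}"
    status_code: 200
  loop: "{{ elasticsearch_role_mappings | default([]) }}"
  loop_control:
    # Show only the mapping name per iteration instead of the full item.
    label: "{{ item.name }}"
```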