Automating PCF Roles and Permissions

This is a follow up post from the earlier post called Automating UAAC LDAP User Import.  Just to review that post, I went over the UAAC curl command to import an existing LDAP user into Pivotal Cloud Foundry (PCF).  I also explained how that command can use parameters so you could automate the import process.  The automation tool that was used in the example was Jenkins.

The goal of this post is to connect that job and the one below into a simple automation pipeline.  With the automation pipeline, you will input a few parameters and the job executes the commands based on your input.  You will no longer have to manually type in the commands every time and execution will be consistent.

I am also suggesting splitting these tasks into two jobs instead of adding all of the commands into one job.  Once you build multiple jobs/tasks like these, you can build more complex automated pipelines around common parameters to perform everyday administrative tasks.  It is easier to piece together smaller jobs than to piece together complex jobs.

Now that the UAAC LDAP import job has been created, we can pass those parameters to another job to assign PCF roles/permissions to orgs and spaces.  Below I have the example of the UAAC curl command from the previous post.

[user@linux_prompt]$ uaac curl -H "Content-Type: application/json" -k /Users -X POST -d "{ \"userName\":\"$LDAP_USERNAME\", \"emails\":[{\"value\":\"$EMAIL\"}], \"origin\":\"ldap\",\"externalId\":\"cn=$CN,$OU\" }"

The parameters in this example are the following:

• $LDAP_USERNAME = The user's login ID
• $EMAIL = The user's primary SMTP address
• $CN = The user's LDAP common name
• $OU = The user's full LDAP organization unit / DNS path

The parameter that we want to pass to the new job would be $LDAP_USERNAME.  This parameter would be used in the command to set an org or space role.  For this example, I will go through setting a space role for the newly imported user.  The cf set-space-role command is the following:

cf set-space-role USERNAME ORGANIZATION_NAME SPACE_NAME ROLE  

We would want to change this command in the automation job to the following: 

cf set-space-role $LDAP_USERNAME ORGANIZATION_NAME SPACE_NAME ROLE

Now that we can see the command's syntax, you can notice we still have "ORGANIZATION_NAME", "SPACE_NAME", and "ROLE" left to enter.  Those are new parameters that we must create.  Here are suggestions on the names of the parameters that you could use.

• $ORG = ORGANIZATION_NAME
• $SPACE = SPACE_NAME
• $SPACE_ROLE = ROLE (I used SPACE_ROLE instead of ROLE in case you also automate the command set-org-role and you need a different parameter name for the org role.)

So putting this all together, the cf set-space-role command would look like the following in the automation job:

cf set-space-role $LDAP_USERNAME $ORG $SPACE $SPACE_ROLE

So how do we get these new parameters into this second job, well we need to update the UAAC LDAP Import job by adding these three new parameters.  Once we add them there, we can pass them to the second job with the parameter $LDAP_USERNAME.

Let me write out a summary of steps to create this automation pipeline using Jenkins.

1. Make sure the Cloud Foundry Plugin is installed on your Jenkins instance and the build server can run the CF CLI commands.
2. Create a free style job in Jenkins for setting the space role.
3. Create string parameters for each of the four parameters needed for the set-space-role command.
4. With the Cloud Foundry Plugin, target your environment's API URL with the proper credentials.
5. Create a build step that executes a shell script.
6. Inside of the shell script run these two commands.
1. CF target the org and space using your string parameters.
2. Run the set-space-role command using your string parameters.
7. Save this job.
8. Update the UAAC LDAP Import job by adding the string parameters for ORGANIZATION_NAME, SPACE_NAME, and ROLE. Make sure to use the same names that you used in the set-space-role job.
9. Add a post build step to trigger a parameterized build.
10. Select the newly created set-space-role job.
11. Pass the four parameters.  In this example, they are $LDAP_USERNAME, $ORG, $SPACE, and $SPACE_ROLE.
12. Save this job.

Now when you build the UAAC LDAP Import job with parameters, you should be able to fill in the three new parameters.  Also after building the first job, the second job will automatically build with the values you inputted from the first job.  Check the output of the jobs for any errors.

Congratulations, you just setup your first automation pipeline using Jenkins to solve a very common administrative task.  With this example, you can build other pipelines for other administrative tasks.  These pipelines will make your job and the jobs of others around you a lot easier.

~RRRII