Add vibe-coded role module

.github/labels-issues.yml

@@ -50,6 +50,9 @@ module:notification:
 module:password:
   - 'Component Name: password'
 
+module:role:
+  - 'Component Name: role'
+
 module:rule:
   - 'Component Name: rule'
 
@@ -87,6 +90,10 @@ lookup:ldap_connection:
   - 'Component Name: lookup_ldap_connection'
   - 'Component Name: lookup_ldap_connections'
 
+lookup:role:
+  - 'Component Name: lookup_role'
+  - 'Component Name: lookup_roles'
+
 lookup:rule:
   - 'Component Name: lookup_rule'
   - 'Component Name: lookup_rules'

.github/labels-prs.yml

@@ -79,6 +79,11 @@ module:password:
       - changed-files:
           - any-glob-to-any-file: 'plugins/modules/password.py'
 
+module:role:
+  - any:
+      - changed-files:
+          - any-glob-to-any-file: 'plugins/modules/role.py'
+
 module:rule:
   - any:
       - changed-files:
@@ -138,6 +143,12 @@ lookup:ldap_connection:
           - any-glob-to-any-file: 'plugins/modules/lookup/ldap_connection.py'
           - any-glob-to-any-file: 'plugins/modules/lookup/ldap_connections.py'
 
+lookup:role:
+  - any:
+      - changed-files:
+          - any-glob-to-any-file: 'plugins/lookup/role.py'
+          - any-glob-to-any-file: 'plugins/lookup/roles.py'
+
 lookup:rule:
   - any:
       - changed-files:

.github/workflows/ans-int-test-lkp-role.yaml

@@ -0,0 +1,65 @@
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+name: Lookup Module Role Integration
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0'
+  pull_request:
+    branches:
+      - main
+      - devel
+    types:
+      - opened
+    paths:
+      - 'plugins/lookup/role.py'
+      - 'plugins/lookup/roles.py'
+  push:
+    paths:
+      - '.github/workflows/ans-int-test-lkp-role.yaml'
+      - 'plugins/lookup/role.py'
+      - 'plugins/lookup/roles.py'
+      - 'plugins/module_utils/**'
+      - 'tests/integration/files/includes/**'
+      - 'tests/integration/targets/lookup_role/**'
+
+jobs:
+
+  integration:
+    name: "${{ matrix.checkmk_version }}.${{ matrix.checkmk_edition }}"
+    uses: ./.github/workflows/_template-ans-int-test.yaml
+    with:
+      module: lookup_role
+      checkmk_version: ${{ matrix.checkmk_version }}
+      checkmk_edition: ${{ matrix.checkmk_edition }}
+    strategy:
+      fail-fast: false
+      matrix:
+        checkmk_version:
+          - 2.3.0p46
+          - 2.4.0p29
+          - 2.5.0p2
+        checkmk_edition:
+          - raw
+          - managed
+          - community
+          - ultimatemt
+        exclude:
+          - checkmk_version: 2.3.0p46
+            checkmk_edition: community
+          - checkmk_version: 2.3.0p46
+            checkmk_edition: ultimatemt
+          - checkmk_version: 2.4.0p29
+            checkmk_edition: community
+          - checkmk_version: 2.4.0p29
+            checkmk_edition: ultimatemt
+          - checkmk_version: 2.5.0p2
+            checkmk_edition: raw
+          - checkmk_version: 2.5.0p2
+            checkmk_edition: managed

.github/workflows/ans-int-test-role.yaml

@@ -0,0 +1,63 @@
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+name: Module Role Integration
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0'
+  pull_request:
+    branches:
+      - main
+      - devel
+    types:
+      - opened
+    paths:
+      - 'plugins/modules/role.py'
+  push:
+    paths:
+      - '.github/workflows/ans-int-test-role.yaml'
+      - 'plugins/modules/role.py'
+      - 'plugins/module_utils/**'
+      - 'tests/integration/files/includes/**'
+      - 'tests/integration/targets/role/**'
+
+jobs:
+
+  integration:
+    name: "${{ matrix.checkmk_version }}.${{ matrix.checkmk_edition }}"
+    uses: ./.github/workflows/_template-ans-int-test.yaml
+    with:
+      module: role
+      checkmk_version: ${{ matrix.checkmk_version }}
+      checkmk_edition: ${{ matrix.checkmk_edition }}
+    strategy:
+      fail-fast: false
+      matrix:
+        checkmk_version:
+          - 2.3.0p46
+          - 2.4.0p29
+          - 2.5.0p2
+        checkmk_edition:
+          - raw
+          - managed
+          - community
+          - ultimatemt
+        exclude:
+          - checkmk_version: 2.3.0p46
+            checkmk_edition: community
+          - checkmk_version: 2.3.0p46
+            checkmk_edition: ultimatemt
+          - checkmk_version: 2.4.0p29
+            checkmk_edition: community
+          - checkmk_version: 2.4.0p29
+            checkmk_edition: ultimatemt
+          - checkmk_version: 2.5.0p2
+            checkmk_edition: raw
+          - checkmk_version: 2.5.0p2
+            checkmk_edition: managed

.github/workflows/ans-unit-test-role.yaml

@@ -0,0 +1,34 @@
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+name: Module Role Unit Tests
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * 0'
+  pull_request:
+    branches:
+      - main
+      - devel
+    paths:
+      - 'plugins/modules/role.py'
+  push:
+    paths:
+      - '.github/workflows/ans-unit-test-role.yaml'
+      - 'plugins/modules/role.py'
+      - 'plugins/module_utils/**'
+      - 'tests/unit/plugins/module_utils/**'
+      - 'tests/unit/plugins/modules/test_role.py'
+
+jobs:
+
+  integration:
+    name: "Unit Tests"
+    uses: ./.github/workflows/_template-ans-unit-test.yaml
+    with:
+      testpath: tests/unit/plugins/modules/test_role.py

README.md

@@ -64,6 +64,8 @@ Name | Description | Tests
 [checkmk.general.folders](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/folders.py)|Look up all folders.|[![Integration Tests for Folders Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-folder.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-folder.yaml)
 [checkmk.general.host](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/host.py)|Look up host attributes.|[![Integration Tests for Host Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-host.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-host.yaml)
 [checkmk.general.hosts](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/hosts.py)|Look up all hosts.|[![Integration Tests for Hosts Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-host.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-host.yaml)
+[checkmk.general.role](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/role.py)|Look up role attributes.|[![Integration Tests for Role Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-role.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-role.yaml)
+[checkmk.general.roles](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/roles.py)|Look up all roles.|[![Integration Tests for Roles Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-role.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-role.yaml)
 [checkmk.general.rule](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/rule.py)|Look up rule attributes.|[![Integration Tests for Rule Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-rules.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-rules.yaml)
 [checkmk.general.rules](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/rules.py)|Look up all rules.|[![Integration Tests for Rules Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-rules.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-rules.yaml)
 [checkmk.general.ruleset](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/lookup/ruleset.py)|Look up ruleset attributes.|[![Integration Tests for Ruleset Lookup Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-rulesets.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-lkp-rulesets.yaml)
@@ -85,6 +87,7 @@ Name | Description | Tests
 [checkmk.general.folder](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/folder.py)|Manage folders.|[![Integration Tests for Folder Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-folder.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-folder.yaml)
 [checkmk.general.host_group](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/host_group.py)|Manage host groups.|[![Integration Tests for Host Group Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-host_group.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-host_group.yaml)
 [checkmk.general.host](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/host.py)|Manage hosts.|[![Integration Tests for Host Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-host.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-host.yaml)
+[checkmk.general.role](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/role.py)|Manage roles and permissions.|[![Integration Tests for Role Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-role.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-role.yaml)
 [checkmk.general.rule](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/rule.py)|Manage rules.|[![Integration Tests for Rule Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-rule.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-rule.yaml)
 [checkmk.general.service_group](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/service_group.py)|Manage service groups.|[![Integration Tests for Service Group Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-service_group.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-service_group.yaml)
 [checkmk.general.site](https://github.com/Checkmk/ansible-collection-checkmk.general/blob/main/plugins/modules/site.py)|Manage sites.|[![Integration Tests for Site Module](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-site.yaml/badge.svg)](https://github.com/Checkmk/ansible-collection-checkmk.general/actions/workflows/ans-int-test-site.yaml)

changelogs/fragments/role.yml

@@ -0,0 +1,4 @@
+major_changes:
+  - Role module - Add module to manage roles and permissions.
+  - Role lookup - Add lookup plugin to fetch a single role's configuration.
+  - Roles lookup - Add lookup plugin to list all configured roles.

meta/runtime.yml

@@ -14,6 +14,7 @@ action_groups:
     - host
     - notification
     - password
+    - role
     - rule
     - service_group
     - site

plugins/lookup/role.py

@@ -0,0 +1,134 @@
+# Copyright: (c) 2026, Robin Gierse <robin.gierse@checkmk.com>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = """
+    name: role
+    author: Robin Gierse (@robin-checkmk)
+    version_added: "7.7.0"
+
+    short_description: Get the configuration of a role
+
+    description:
+      - Returns the configuration of a user role, including its
+        alias, base role, and assigned permissions.
+
+    options:
+
+      _terms:
+        description: role ID
+        required: True
+
+    extends_documentation_fragment: [checkmk.general.common_lookup]
+
+    notes:
+      - Like all lookups, this runs on the Ansible controller and is unaffected by other keywords such as 'become'.
+        If you need to use different permissions, you must change the command or run Ansible as another user.
+      - Alternatively, you can use a shell/command task that runs against localhost and registers the result.
+      - The directory of the play is used as the current working directory.
+      - It is B(NOT) possible to assign other variables to the variables mentioned in the C(vars) section!
+        This is a limitation of Ansible itself.
+
+    seealso:
+      - module: checkmk.general.role
+      - plugin: checkmk.general.roles
+        plugin_type: lookup
+"""
+
+EXAMPLES = """
+- name: "Get the configuration of a role."
+  ansible.builtin.debug:
+    msg: "Role host_manager: {{ role_config }}"
+  vars:
+    role_config: "{{
+      lookup('checkmk.general.role',
+        'host_manager',
+        server_url='https://myserver/',
+        site='mysite',
+        api_user='myuser',
+        api_secret='mysecret',
+        validate_certs=False
+      )
+    }}"
+
+# ---------------------------------------------------------------------------
+# Using variables from inventory
+# ---------------------------------------------------------------------------
+# Connection parameters can be provided via inventory variables instead of
+# lookup parameters. The supported variables are:
+#   checkmk_var_server_url, checkmk_var_site,
+#   checkmk_var_api_user, checkmk_var_api_secret,
+#   checkmk_var_validate_certs
+
+- name: "Get a role configuration using inventory variables."
+  ansible.builtin.debug:
+    msg: "Role host_manager: {{ role_config }}"
+  vars:
+    checkmk_var_server_url: "https://myserver/"
+    checkmk_var_site: "mysite"
+    checkmk_var_api_user: "myuser"
+    checkmk_var_api_secret: "mysecret"
+    checkmk_var_validate_certs: false
+    role_config: "{{ lookup('checkmk.general.role', 'host_manager') }}"
+"""
+
+RETURN = """
+  _list:
+    description:
+      - The configuration of a particular role.
+    type: list
+    elements: dict
+"""
+
+import json
+
+from ansible.errors import AnsibleError
+from ansible.plugins.lookup import LookupBase
+from ansible_collections.checkmk.general.plugins.module_utils.lookup_api import (
+    CheckMKLookupAPI,
+)
+
+
+class LookupModule(LookupBase):
+    def run(self, terms, variables, **kwargs):
+        self.set_options(var_options=variables, direct=kwargs)
+        server_url = self.get_option("server_url")
+        site = self.get_option("site")
+        api_auth_type = self.get_option("api_auth_type") or "bearer"
+        api_auth_cookie = self.get_option("api_auth_cookie")
+        api_user = self.get_option("api_user")
+        api_secret = self.get_option("api_secret")
+        validate_certs = self.get_option("validate_certs")
+
+        site_url = server_url + "/" + site
+
+        api = CheckMKLookupAPI(
+            site_url=site_url,
+            api_auth_type=api_auth_type,
+            api_auth_cookie=api_auth_cookie,
+            api_user=api_user,
+            api_secret=api_secret,
+            validate_certs=validate_certs,
+        )
+
+        ret = []
+
+        for term in terms:
+            response = json.loads(api.get("/objects/user_role/" + term))
+
+            if "code" in response:
+                raise AnsibleError(
+                    "Received error for %s - %s: %s"
+                    % (
+                        response.get("url", ""),
+                        response.get("code", ""),
+                        response.get("msg", ""),
+                    )
+                )
+
+            ret.append(response.get("extensions", {}))
+
+        return ret