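---
# Reconcile a single user, described by `elastic_user`, against the
# security API at https://{{ api_endpoint }}/internal/security/users.
#
# Variables read by these tasks:
#   api_endpoint                  host[:port] of the API (always called via https)
#   elastic_user                  dict with at least `username` and
#                                 `elastic_state` ('present' or 'absent');
#                                 every other key is sent as the request body
#   elastic_admin_username_vault  basic-auth user for the API calls
#   elastic_admin_password_vault  basic-auth password for the API calls
#
# NOTE(review): the kbn-xsrf header and the /internal/ path suggest the
# endpoint is Kibana rather than Elasticsearch itself - confirm.

- name: "Initialise working facts"
  set_fact:
    api_path: '/internal/security/users'
    user_exists: false
    elastic_user_cleaned__create: {}
    elastic_user_cleaned__update: {}

- name: "Get all users in elasticsearch"
  delegate_to: localhost
  uri:
    url: "https://{{ api_endpoint }}{{ api_path }}"
    method: GET
    status_code: [200]
    user: "{{ elastic_admin_username_vault }}"
    password: "{{ elastic_admin_password_vault }}"
    force_basic_auth: true
  register: all_users
  become: false

# The username is compared as a value instead of being spliced into a
# JMESPath expression, so a quote character in the name cannot alter the
# query.
- name: "Look up <<{{ elastic_user.username }}>> in the user list"
  set_fact:
    lookup_user_object: "{{ all_users.json | selectattr('username', 'equalto', elastic_user.username) | list }}"

- name: "Record that the user already exists"
  set_fact:
    user_exists: true
  when:
    - lookup_user_object | length > 0

# Create payload: everything from elastic_user except the role-internal
# `elastic_state` switch.
# no_log: the loop items include the user's password, and Ansible prints
# every loop item (skipped ones too) in the task output.
- name: "Build create payload"
  set_fact:
    elastic_user_cleaned__create: "{{ elastic_user_cleaned__create | combine({item.key: item.value}) }}"
  with_dict: '{{ elastic_user }}'
  when:
    - item.key not in ['elastic_state']
  no_log: true

# Update payload: the create payload without `password`, so a password the
# user has changed is not overwritten with the initial one.
# no_log: the source dict being iterated still contains the password.
- name: "Build update payload"
  set_fact:
    elastic_user_cleaned__update: "{{ elastic_user_cleaned__update | combine({item.key: item.value}) }}"
  with_dict: '{{ elastic_user_cleaned__create }}'
  when:
    - item.key not in ['password']
  no_log: true

# no_log: the request body carries the initial password and would be shown
# in verbose output and in failure messages.
- name: "Create user <<{{ elastic_user.username }}>>"
  delegate_to: localhost
  uri:
    url: "https://{{ api_endpoint }}{{ api_path }}/{{ elastic_user.username }}"
    method: POST
    status_code: [200]
    user: "{{ elastic_admin_username_vault }}"
    password: "{{ elastic_admin_password_vault }}"
    force_basic_auth: true
    headers:
      Content-Type: application/json
      # Quoted so the header value is a string, not a YAML boolean.
      kbn-xsrf: 'true'
    body_format: json
    body: '{{ elastic_user_cleaned__create | to_json }}'
  become: false
  no_log: true
  when:
    - not user_exists
    - elastic_user.elastic_state == 'present'

- name: "Update user <<{{ elastic_user.username }}>>"
  delegate_to: localhost
  uri:
    url: "https://{{ api_endpoint }}{{ api_path }}/{{ elastic_user.username }}"
    method: POST
    status_code: [200]
    user: "{{ elastic_admin_username_vault }}"
    password: "{{ elastic_admin_password_vault }}"
    force_basic_auth: true
    headers:
      Content-Type: application/json
      kbn-xsrf: 'true'
    body_format: json
    body: '{{ elastic_user_cleaned__update | to_json }}'
  become: false
  when:
    - user_exists
    - elastic_user.elastic_state == 'present'

# The original task name lacked the Jinja braces and printed the literal
# text "elastic_user.username".
- name: "Delete user <<{{ elastic_user.username }}>>"
  delegate_to: localhost
  uri:
    url: "https://{{ api_endpoint }}{{ api_path }}/{{ elastic_user.username }}"
    method: DELETE
    status_code: [204]
    user: "{{ elastic_admin_username_vault }}"
    password: "{{ elastic_admin_password_vault }}"
    force_basic_auth: true
    headers:
      Content-Type: application/json
      kbn-xsrf: 'true'
  become: false
  when:
    - user_exists
    - elastic_user.elastic_state == 'absent'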