---
- name: "Initlize VARs"
  set_fact:
    api_path: '/api/security/role'
    role_exists: False
    elastic_role_cleaned: {}

- name: "Get all roles in elasticsearch"
  delegate_to: localhost
  uri:
    url: "https://{{ kibana_api_endpoint }}{{ api_path }}"
    method: GET
    status_code: [200]
    user: "{{ elastic_admin_username }}" 
    password: "{{ elastic_admin_password }}"
    force_basic_auth: yes
  register: all_roles
  become: false

- name: "Lookup role object if exists"
  set_fact:
    lookup_role_object: '{{ all_roles.json | community.general.json_query(roles_query)  }}'
  vars:
    roles_query: "[?name=='{{ elastic_role.name }}']"

- name: "Set switch VAR"
  set_fact:
    role_exists: True 
  when:
    - lookup_role_object | length > 0

- name: "Drop not needed keys from dict"
  set_fact:
    elastic_role_cleaned: "{{ elastic_role_cleaned | combine({item.key: item.value}) }}"
  with_dict: '{{ elastic_role }}'
  when:
    - item.key not in ['elastic_state','name']

- name: "Create role <<{{ elastic_role.name }}>>"
  delegate_to: localhost
  uri:
    url: "https://{{ kibana_api_endpoint }}{{ api_path }}/{{ elastic_role.name }}"
    method: PUT
    status_code: [204]
    user: "{{ elastic_admin_username }}" 
    password: "{{ elastic_admin_password }}"
    force_basic_auth: yes
    headers:
      Content-Type: application/json
      kbn-xsrf: true
    body_format: json
    body: '{{ elastic_role_cleaned | to_json }}'
  become: false
  when:
    - not role_exists
    - elastic_role.elastic_state == 'present'

- name: "Update role <<{{ elastic_role.name }}>>"
  delegate_to: localhost
  uri:
    url: "https://{{ kibana_api_endpoint }}{{ api_path }}/{{ elastic_role.name }}"
    method: PUT
    status_code: [204]
    user: "{{ elastic_admin_username }}" 
    password: "{{ elastic_admin_password }}"
    force_basic_auth: yes
    headers:
      Content-Type: application/json
      kbn-xsrf: true
    body_format: json
    body: '{{ elastic_role_cleaned | to_json }}'
  become: false
  when:
    - role_exists
    - elastic_role.elastic_state == 'present'

- name: "DELETE role <<{{ elastic_role.name }}>>"
  delegate_to: localhost
  uri:
    url: "https://{{ kibana_api_endpoint }}{{ api_path }}/{{ elastic_role.name }}"
    method: DELETE
    status_code: [204]
    user: "{{ elastic_admin_username }}" 
    password: "{{ elastic_admin_password }}"
    force_basic_auth: yes
    headers:
      Content-Type: application/json
      kbn-xsrf: true
  become: false
  when:
    - role_exists
    - elastic_role.elastic_state == 'absent'