Move ansible puppet code into a module

If the logic is just in a role, it's hard to re-use it in a one-off
manner on the command line. By putting it into a module, we can
run:

  ansible git0* -m puppet

To run puppet on the git farm, for instance.

Also, the file is completely not openstack specific, so do it in
such a way that we can submit it as a module upstream.

Change-Id: I35b2850e02ec5da2b41ad14eec9fd6d5a356bc93

modules/ansible/files/ansible.cfg

@@ -1,3 +1,4 @@
 [defaults]
 hostfile=/usr/local/bin/puppet-inventory
+library=/usr/share/ansible:/etc/ansible/library
 log_path=/var/log/ansible.log

modules/ansible/files/library/config_management/puppet

@@ -0,0 +1,107 @@
+#!/usr/bin/python
+
+# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
+#
+# This module is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software.  If not, see <http://www.gnu.org/licenses/>.
+
+import pipes
+
+DOCUMENTATION = '''
+---
+module: puppet
+short_description: Runs puppet
+description:
+  - Runs I(puppet) agent in a reliable manner
+version_added: "1.5.6"
+options:
+  timeout:
+    description:
+      - How long to wait for I(puppet) to finish.
+    required: false
+    default: 30m
+  show_diff:
+    description:
+      - Should puppet return diffs of changes applied. Defaults to off to avoid leaking secret changes by default.
+    required: false
+    default: no
+    choices: [ "yes", "no" ]
+requirements: [ puppet ]
+author: Monty Taylor
+'''
+
+EXAMPLES = '''
+# Run puppet and fail if anything goes wrong
+- puppet
+
+# Run puppet and timeout in 5 minutes
+- puppet: timeout=5m
+'''
+
+
+def main():
+    module = AnsibleModule(
+        argument_spec=dict(
+            timeout=dict(default="30m"),
+            show_diff=dict(
+                default=False, aliases=['show-diff'], type='bool'),
+        ),
+    )
+    p = module.params
+
+    global PUPPET_CMD
+    PUPPET_CMD = module.get_bin_path("puppet", False)
+
+    if not PUPPET_CMD:
+        module.fail_json(
+            msg="Could not find puppet. Please ensure it is installed.")
+
+    cmd = ("timeout -s 9 %(timeout)s %(puppet_cmd)s agent --onetime"
+           " --ignorecache --no-daemonize --no-usecacheonfailure --no-splay"
+           " --detailed-exitcodes --verbose") % dict(
+               timeout=pipes.quote(p['timeout']), puppet_cmd=PUPPET_CMD)
+    if p['show_diff']:
+        cmd += " --show-diff"
+    rc, stdout, stderr = module.run_command(cmd)
+
+    if rc == 0:
+        # success
+        module.exit_json(rc=rc, changed=False, stdout=stdout)
+    elif rc == 1:
+        # rc==1 could be because it's disabled
+        # rc==1 could also mean there was a compilation failure
+        disabled = "administratively disabled" in stdout
+        if disabled:
+            msg = "puppet is disabled"
+        else:
+            msg = "puppet did not run"
+        module.exit_json(
+            rc=rc, disabled=disabled, msg=msg,
+            error=True, stdout=stdout, stderr=stderr)
+    elif rc == 2:
+        # success with changes
+        module.exit_json(rc=0, changed=True)
+    elif rc == 124:
+        # timeout
+        module.exit_json(
+            rc=rc, msg="%s timed out" % cmd, stdout=stdout, stderr=stderr)
+    else:
+        # failure
+        module.fail_json(
+            rc=rc, msg="%s failed with return code: %d" % (cmd, rc),
+            stdout=stdout, stderr=stderr)
+
+# import module snippets
+from ansible.module_utils.basic import *
+
+main()

modules/ansible/files/roles/puppet/tasks/main.yml

@@ -1,6 +1,3 @@
 ---
 - name: run puppet
-  command: timeout -s 9 30m puppet agent --onetime --ignorecache --no-daemonize --no-usecacheonfailure --no-splay --detailed-exitcodes --verbose
-  register: result
-  failed_when: "result.rc != 0 and result.rc != 2"
-  changed_when: "result.rc == 4 or result.rc == 6"
+  puppet:

modules/ansible/manifests/init.pp

@@ -37,6 +37,13 @@ class ansible {
     require => File['/etc/ansible'],
   }
 
+  file { '/etc/ansible/library':
+    ensure  => directory,
+    recurse => true,
+    source  => 'puppet:///modules/ansible/library',
+    require => File['/etc/ansible'],
+  }
+
   include logrotate
   logrotate::file { 'ansible':
     log     => '/var/log/ansible.log',

run_all.sh

@@ -24,4 +24,4 @@ git fetch -a && git reset -q --hard @{u}
 touch manifests/site.pp
 
 # Run this as an external script so that the above pull will get new changes
-ansible-playbook -v /etc/ansible/remote_puppet.yaml >> /var/log/puppet_run_all.log 2>&1
+ansible-playbook /etc/ansible/remote_puppet.yaml >> /var/log/puppet_run_all.log 2>&1