Support service tokens

Implement support for service_tokens. For that we convert
role_name to be a list along with renaming corresponding variable.

Additionally service_type is defined now for keystone_authtoken which
enables to validate tokens with restricted access rules

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/845690
Change-Id: Ib5d15aaf56112a776e2b9abb2396f9ea4f4fe319

defaults/main.yml

@@ -130,7 +130,12 @@ heat_profiler_trace_sqlalchemy: false
 heat_service_region: "{{ service_region | default('RegionOne') }}"
 heat_service_project_name: "service"
 heat_service_user_name: "heat"
-heat_service_role_name: admin
+heat_service_role_names:
+  - admin
+  - service
+heat_service_token_roles:
+  - service
+heat_service_token_roles_required: "{{ openstack_service_token_roles_required | default(True) }}"
 heat_service_project_domain_id: default
 heat_service_user_domain_id: default
 heat_keystone_auth_plugin: password

tasks/heat_service_setup.yml

@@ -41,7 +41,7 @@
         password: "{{ heat_service_password }}"
         domain: default
         project: "{{ heat_service_project_name }}"
-        role: "{{ heat_service_role_name }}"
+        role: "{{ heat_service_role_names }}"
         # We add the keystone role used by heat to delegate to the heat service user
         # for performing deferred operations via trusts.
       - name: "{{ heat_service_user_name }}"

templates/heat.conf.j2

@@ -94,6 +94,10 @@ username = {{ heat_service_user_name }}
 password = {{ heat_service_password }}
 region_name = {{ keystone_service_region }}
 
+service_token_roles_required = {{ heat_service_token_roles_required | bool }}
+service_token_roles = {{ heat_service_token_roles | join(',') }}
+service_type = {{ heat_service_type }}
+
 memcached_servers = {{ heat_memcached_servers }}
 
 token_cache_time = 300