Ensure role when to assigning a role for a service user to a project

This makes sure that the role exists when wanting to assign a service
user to a role in a project.

Change-Id: I92c721fc697d9cfb28ad7069d5898ca4db82897f

manifests/resource/service_identity.pp

@@ -170,6 +170,13 @@ define keystone::resource::service_identity(
   }
 
   if $configure_user_role {
+    if $ensure == 'present' {
+      # NOTE(jaosorior): We only handle ensure 'present' here, since deleting a
+      # role might be conflicting in some cases. e.g. the deployer removing a
+      # role from one service but adding it to another in the same puppet run.
+      # So role deletion should be handled elsewhere.
+      ensure_resource('keystone_role', $roles, { 'ensure' => 'present' })
+    }
     ensure_resource('keystone_user_role', "${auth_name}@${tenant}", {
       'ensure' => $ensure,
       'roles'  => $roles,

releasenotes/notes/autocreate-keystone-role-98c565ce590d9d32.yaml

@@ -0,0 +1,5 @@
+---
+features:
+    - Calls to the '::keystone::resource::service_identity' will automatically
+      create roles as needed. So if a role is specified, the resource will
+      make sure it exists.

spec/defines/keystone_resource_service_identity_spec.rb

@@ -159,6 +159,9 @@ describe 'keystone::resource::service_identity' do
         :email    => 'neutron@localhost',
         :domain   => 'userdomain',
       )}
+      it { is_expected.to contain_keystone_role('admin').with(
+        :ensure => 'present',
+      )}
       it { is_expected.to contain_keystone_user_role("#{title}@services").with(
         :ensure => 'present',
         :roles  => ['admin'],