---
# This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Disables users in the idm infrastructure based on the variables provided.
#       This is primarily used in the event a user wishes to have their personal
#       information removed from the project. However, signing of the agreements
#       in Account Services cannot be removed and should still be available
#       for the RESF to query.

- name: Disable a User - PDR
  hosts: "{{ host|default('ipaserver') }}"
  become: false
  gather_facts: false
  vars:
    cleanup_attributes:
      fasGPGKeyId: []
      fasGitHubUsername: []
      fasGitLabUsername: []
      fasIRCNick: []
      fasRHBZEmail: []
      fasWebsiteURL: []
      fasgpgkeyid: []
      fasLocale: []
      fasTimezone: []
      homePhone: []
      homePostalAddress: []
      postalAddress: []
      postalCode: []
      postOfficeBox: []
      st: []
      street: []
      ipaSshPubKey: []
      telephoneNumber: []
  collections:
    - freeipa.ansible_freeipa

  tasks:
    - name: "Checking for user variables"
      ansible.builtin.assert:
        that:
          - ipaadmin_principal | mandatory
          - ipaadmin_password | mandatory
          - ipa_name | mandatory
          - ticket_id | mandatory
        success_msg: "Required variables provided"
        fail_msg: "We are missing user information or ipa admin password"

    - name: "Disabling User Account"
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_principal: "{{ ipaadmin_principal }}"
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "{{ ipa_name }}"
        state: disabled
      tags:
        - users

    - name: "Remove personal information attributes"
      community.general.ldap_attrs:
        dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
        attributes: "{{ cleanup_attributes }}"
        state: exact
        server_uri: ldap://localhost/
        bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
        bind_pw: "{{ ipaadmin_password }}"

    - name: "Set FAS Status Note and set isprivate"
      community.general.ldap_attrs:
        dn: "uid={{ ipa_name }},cn=users,cn=accounts,dc=rockylinux,dc=org"
        attributes: "{{ item }}"
        state: exact
        server_uri: ldap://localhost/
        bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
        bind_pw: "{{ ipaadmin_password }}"
      loop:
        - fasStatusNote: "Account Disabled: {{ ticket_id }}"
        - fasisprivate: true
...