Add opa_query_path to collection modules for inventory and job template

[derekwaters]

SUMMARY

The current awx.awx / ansible.controller collections do not support the setting and modifying of the opa_query_path parameter for the following objects:

• job_template
• inventory
  Note that modifying the opa_query_path for organization must be done using the ansible.platform collection, which will need to be modified separately.

ISSUE TYPE

• New or Enhanced Feature

COMPONENT NAME

• Collection

ADDITIONAL INFORMATION

The opa_query_path can be obtained for existing inventories, and added for new inventories, from the API at:
/api/controller/v2/inventories/
And similarly for job templates:
/api/controller/v2/job_templates/

Although this PR also updates the awx.awx.organization role, as of AAP 2.5 the organization endpoint should be read-only. Organizations should be created and modified via the platform API (and the ansible.platform collection).

Summary by CodeRabbit

• New Features

  • Added an optional OPA query path parameter to Inventory, Job Template, and Organization modules; included in create/update payloads when provided.

• Documentation

  • Updated documentation and examples to describe the new OPA query path option and usage.

• Tests

  • Added and updated tests to validate OPA query path handling across Inventory, Job Template, and Organization.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds an optional string parameter opa_query_path to the inventory, job_template, and organization Ansible modules. The parameter is declared in module DOCUMENTATION and argument_spec, read from module.params, and included in create/update payloads when provided. Tests were added/updated to assert the new field.

Changes

Cohort / File(s)	Summary
Modules: inventory, job_template, organization awx_collection/plugins/modules/inventory.py, awx_collection/plugins/modules/job_template.py, awx_collection/plugins/modules/organization.py	Added optional opa_query_path to each module's DOCUMENTATION and argument_spec; modules now read opa_query_path from module.params and include it in create/update payloads (inventory_fields, new_fields, org_fields) when present.
Tests: inventory, job_template, organization awx_collection/test/awx/test_inventory.py, awx_collection/test/awx/test_job_template.py, awx_collection/test/awx/test_organization.py	Added/updated tests to pass opa_query_path in module args and assert the corresponding model fields (inv.opa_query_path, jt.opa_query_path, org.opa_query_path) after create/reset flows.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: adding the opa_query_path parameter to collection modules, mentioning the primary modules (inventory and job_template).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

awx_collection/test/awx/test_inventory.py (1)

20-20: opa_query_path added to test_inventory_create args but never asserted in that test.

Since test_inventory_create_with_opa already covers opa_query_path storage, either add the assertion here or remove the field from this test's module_args to avoid confusion.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@awx_collection/test/awx/test_inventory.py` at line 20, The
test_inventory_create includes 'opa_query_path' in module_args but never asserts
it; either remove 'opa_query_path' from the module_args in test_inventory_create
or add an assertion that the created inventory stores it (mirror the check used
in test_inventory_create_with_opa). Locate test_inventory_create and its
module_args and either delete the 'opa_query_path': 'foo/bar' entry or add an
assertion (e.g., assert the returned/created inventory's opa_query_path equals
'foo/bar') consistent with how test_inventory_create_with_opa verifies storage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@awx_collection/plugins/modules/job_template.py`:
- Around line 318-321: The description for the parameter opa_query_path
incorrectly mentions "Inventory"; update the string in the job_template module
so the description references "Job Template" instead—locate the opa_query_path
parameter definition in awx_collection/plugins/modules/job_template.py and
change the sentence "to an OPA policy to be applied to the Inventory" to "to an
OPA policy to be applied to the Job Template" (preserve formatting and type:
str).

In `@awx_collection/plugins/modules/organization.py`:
- Around line 87-90: The description for the opa_query_path parameter
incorrectly references "Inventory" instead of "Organization"; update the
description string for opa_query_path in
awx_collection/plugins/modules/organization.py to say "Organization" (e.g., "The
optional path (formatted as package/rule) to an OPA policy to be applied to the
Organization") so the parameter documentation correctly targets Organization.

---

Nitpick comments:
In `@awx_collection/test/awx/test_inventory.py`:
- Line 20: The test_inventory_create includes 'opa_query_path' in module_args
but never asserts it; either remove 'opa_query_path' from the module_args in
test_inventory_create or add an assertion that the created inventory stores it
(mirror the check used in test_inventory_create_with_opa). Locate
test_inventory_create and its module_args and either delete the
'opa_query_path': 'foo/bar' entry or add an assertion (e.g., assert the
returned/created inventory's opa_query_path equals 'foo/bar') consistent with
how test_inventory_create_with_opa verifies storage.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

awx_collection/test/awx/test_inventory.py (1)

20-28: Consider asserting opa_query_path was persisted.

The test sends opa_query_path but doesn't verify it was saved to the inventory. Once the module bug is fixed, add an assertion to confirm the value is persisted.

💡 Suggested assertion

     inv = Inventory.objects.get(name='foo-inventory')
     assert inv.variables == '{"foo": "bar", "another-foo": {"barz": "bar2"}}'
+    assert inv.opa_query_path == 'foo/bar'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@awx_collection/test/awx/test_inventory.py` around lines 20 - 28, Add an
assertion that the sent opa_query_path was persisted: after retrieving the
Inventory instance (inv = Inventory.objects.get(name='foo-inventory')), assert
that inv.opa_query_path == 'foo/bar' (or the exact persisted representation used
by the Inventory model) to verify the module saved the value.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@awx_collection/plugins/modules/inventory.py`:
- Line 176: The parameter opa_query_path is read from module.params but never
added to the payload dictionary, so the API never receives it; update the
inventory payload assembly (the inventory_fields dict used when
creating/updating inventories) to include the opa_query_path key when
module.params contains a value (same pattern used for other fields in this file
and as in job_template.py/organization.py), and apply the same addition in the
other payload-building blocks around the 201-212 area so the field is sent on
both create and update flows.

In `@awx_collection/test/awx/test_inventory.py`:
- Around line 82-86: Remove the unresolved Git merge conflict markers (<<<<<<<,
=======, >>>>>>>) in the test file and keep a single correct assertion line (the
assert comparing result to {"name": "foo-inventory-opa", "id": inv.id,
"changed": True}); ensure only one assert remains and no conflict markers are
left so the test function that uses result and inv runs with valid Python
syntax.

---

Nitpick comments:
In `@awx_collection/test/awx/test_inventory.py`:
- Around line 20-28: Add an assertion that the sent opa_query_path was
persisted: after retrieving the Inventory instance (inv =
Inventory.objects.get(name='foo-inventory')), assert that inv.opa_query_path ==
'foo/bar' (or the exact persisted representation used by the Inventory model) to
verify the module saved the value.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between f43384b and 6c8f6e5.

📒 Files selected for processing (2)

• awx_collection/plugins/modules/inventory.py
• awx_collection/test/awx/test_inventory.py

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

awx_collection/test/awx/test_inventory.py (1)

20-29: ⚠️ Potential issue | 🔴 Critical

Test will always fail due to value mismatch.

Line 20 sets opa_query_path to 'foo/bar', but line 29 asserts it equals 'foo/baz'. This inconsistency will cause the test to fail.

🐛 Proposed fix

         'name': 'foo-inventory',
         'organization': organization.name,
         'variables': {'foo': 'bar', 'another-foo': {'barz': 'bar2'}},
-        'opa_query_path': 'foo/bar',
+        'opa_query_path': 'foo/baz',
         'state': 'present',

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@awx_collection/test/awx/test_inventory.py` around lines 20 - 29, The test
sets opa_query_path to 'foo/bar' but asserts inv.opa_query_path == 'foo/baz',
causing a guaranteed failure; fix by making the values consistent—either change
the input in the inventory creation call to use 'opa_query_path': 'foo/baz' or
update the assertion to expect 'foo/bar' (refer to the inventory creation call
where Inventory.objects.get(name='foo-inventory') is used and the
inv.opa_query_path assertion).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@awx_collection/test/awx/test_inventory.py`:
- Around line 20-29: The test sets opa_query_path to 'foo/bar' but asserts
inv.opa_query_path == 'foo/baz', causing a guaranteed failure; fix by making the
values consistent—either change the input in the inventory creation call to use
'opa_query_path': 'foo/baz' or update the assertion to expect 'foo/bar' (refer
to the inventory creation call where Inventory.objects.get(name='foo-inventory')
is used and the inv.opa_query_path assertion).

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6c8f6e5 and a726a34.

📒 Files selected for processing (4)

• awx_collection/plugins/modules/inventory.py
• awx_collection/plugins/modules/job_template.py
• awx_collection/plugins/modules/organization.py
• awx_collection/test/awx/test_inventory.py

🚧 Files skipped from review as they are similar to previous changes (3)

• awx_collection/plugins/modules/organization.py
• awx_collection/plugins/modules/inventory.py
• awx_collection/plugins/modules/job_template.py

[coderabbitai]

🧹 Nitpick comments (2)

awx_collection/test/awx/test_inventory.py (1)

64-83: Consider de-duplicating overlapping OPA create tests.

test_inventory_create now already validates create + opa_query_path persistence, so this new test largely repeats the same path. Keeping one focused OPA create test and one baseline non-OPA create test would reduce maintenance churn.

Optional simplification

-@pytest.mark.django_db
-def test_inventory_create_with_opa(run_module, admin_user, organization):
-    result = run_module(
-        'inventory',
-        {
-            'name': 'foo-inventory-opa',
-            'organization': organization.name,
-            'opa_query_path': 'foo/baz',
-            'state': 'present',
-        },
-        admin_user,
-    )
-    assert not result.get('failed', False), result.get('msg', result)
-
-    inv = Inventory.objects.get(name='foo-inventory-opa')
-    assert inv.opa_query_path == 'foo/baz'
-
-    result.pop('module_args', None)
-    result.pop('invocation', None)
-    assert result == {"name": "foo-inventory-opa", "id": inv.id, "changed": True}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@awx_collection/test/awx/test_inventory.py` around lines 64 - 83, The new test
test_inventory_create_with_opa duplicates coverage already provided by
test_inventory_create; consolidate by keeping one focused OPA-specific test and
one baseline create test: either remove test_inventory_create_with_opa and
enhance test_inventory_create to assert both non-OPA and OPA behaviors in
separate cases, or change test_inventory_create_with_opa to only assert
OPA-specific behavior (e.g., only verify opa_query_path persistence and related
OPA logic) while ensuring test_inventory_create only verifies baseline create
semantics (name, id, changed) without asserting opa_query_path; update or delete
the redundant assertions accordingly in the test functions to avoid overlap.

awx_collection/plugins/modules/organization.py (1)

211-212: Add safeguards or documentation for opa_query_path AAP version compatibility.

The module writes opa_query_path unconditionally to the organization endpoint without version checks or capability guards. If this field is read-only or unsupported on specific AAP 2.5 deployments, failures will occur silently. Either add version/capability checks before writing (similar to the base module's version handling) or explicitly document AAP version constraints in the module docstring, following the pattern used for custom_virtualenv.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@awx_collection/plugins/modules/organization.py` around lines 211 - 212, The
code unconditionally sets org_fields['opa_query_path'] when opa_query_path is
provided; add the same AAP version/capability guard used elsewhere (or document
the constraint) so we don't send unsupported/read-only fields to older AAP 2.5
endpoints. Update organization.py to either: a) check the controller/version
capability before assigning opa_query_path to org_fields (mirror the pattern
used for custom_virtualenv/version checks in the base module) and skip or raise
a clear error if unsupported, or b) add docstring/docs noting the minimum AAP
version that supports opa_query_path; reference the opa_query_path variable,
org_fields dict, and the organization module's version-handling helper functions
to implement the guard.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@awx_collection/plugins/modules/organization.py`:
- Around line 211-212: The code unconditionally sets
org_fields['opa_query_path'] when opa_query_path is provided; add the same AAP
version/capability guard used elsewhere (or document the constraint) so we don't
send unsupported/read-only fields to older AAP 2.5 endpoints. Update
organization.py to either: a) check the controller/version capability before
assigning opa_query_path to org_fields (mirror the pattern used for
custom_virtualenv/version checks in the base module) and skip or raise a clear
error if unsupported, or b) add docstring/docs noting the minimum AAP version
that supports opa_query_path; reference the opa_query_path variable, org_fields
dict, and the organization module's version-handling helper functions to
implement the guard.

In `@awx_collection/test/awx/test_inventory.py`:
- Around line 64-83: The new test test_inventory_create_with_opa duplicates
coverage already provided by test_inventory_create; consolidate by keeping one
focused OPA-specific test and one baseline create test: either remove
test_inventory_create_with_opa and enhance test_inventory_create to assert both
non-OPA and OPA behaviors in separate cases, or change
test_inventory_create_with_opa to only assert OPA-specific behavior (e.g., only
verify opa_query_path persistence and related OPA logic) while ensuring
test_inventory_create only verifies baseline create semantics (name, id,
changed) without asserting opa_query_path; update or delete the redundant
assertions accordingly in the test functions to avoid overlap.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between f4791cf and 7b169d5.

📒 Files selected for processing (6)

• awx_collection/plugins/modules/inventory.py
• awx_collection/plugins/modules/job_template.py
• awx_collection/plugins/modules/organization.py
• awx_collection/test/awx/test_inventory.py
• awx_collection/test/awx/test_job_template.py
• awx_collection/test/awx/test_organization.py

🚧 Files skipped from review as they are similar to previous changes (3)

• awx_collection/plugins/modules/job_template.py
• awx_collection/test/awx/test_job_template.py
• awx_collection/test/awx/test_organization.py