user/tenant/user-role pattern is broken for empty tenants

The pattern shown on the README for making a user, a tenant, and then a role for said user in said tenant is broken unless a tenant is specified.

Here is the broken pattern:

    keystone_tenant { $monitor_project:
      ensure => present,
      enabled => True,
    }

    keystone_user { $monitor_user:
      ensure => present,
      enabled => True,
      email => $monitor_email,
      password => $monitor_password,
    }

    keystone_user_role { "${monitor_user}@${monitor_project}":
      ensure => present,
      roles => ['_member_']
    }

The issue manifests itself like this:

Error: /Stage[main]/Cirrus::Profile::Keystone/Keystone_user_role[monitoring@icinga]: Could not evaluate: Execution of '/usr/bin/keystone --os-endpoint http://1.2.3.4:35357/v2.0/ user-role-list --user-id --tenant-id 4dbbc53632a547d78db47653e67d888b' returned 1: Unknown Attribute: auth_user_id

The issue there is that --user-id is followed by nothing. I traced the Ruby code to the best of my limited Ruby skills and found that it is first trying to find the ID of the new user "monitoring" by doing this: keystone user-list --tenant-id icinga. Since the icinga tenant is new, there are no users, so when that fails, it doesn't find the user ID. It then takes this empty user-id and tries to see if the role for it already is set, leading to the error message.

The work-around is to set the tenant property on the $monitor_user, this seeds them into the tenant properly, but this is annoying and should be fixed.

This happened in stable/icehouse.