Blame SOURCES/ansible-freeipa-0.1.12-Fix-forwardzone-issues_rhbz#1843826,1843828,1843829,1843830,1843831.patch

fb9e9a
From f0f933b4630bce810475a519e295828013d301d6 Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Wed, 10 Jun 2020 20:40:45 -0300
fb9e9a
Subject: [PATCH] Changed admin password on tests to match other modules.
fb9e9a
fb9e9a
Use of the same password on all module tests eases test automation,
fb9e9a
and this change ensures that dnsforwardzone uses the same password as
fb9e9a
other modules.
fb9e9a
---
fb9e9a
 tests/dnsforwardzone/test_dnsforwardzone.yml | 42 ++++++++++----------
fb9e9a
 1 file changed, 21 insertions(+), 21 deletions(-)
fb9e9a
fb9e9a
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
index 1a45e826..ac08a48f 100644
fb9e9a
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
@@ -7,13 +7,13 @@
fb9e9a
   tasks:
fb9e9a
   - name: ensure forwardzone example.com is absent - prep
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: absent
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is created
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
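Review bot: The admin password stays a literal repeated in every `ipadnsforwardzone` task, in this hunk and in each of the following hunks of this file, so the next change to the shared test password means editing all of them again. Defining it once at play level (a `vars:` entry such as `ipaadmin_password: SomeADMINpassword`) and referencing it in the tasks as `ipaadmin_password: "{{ ipaadmin_password }}"` would keep the test suite aligned from a single place and make it easy to override per environment. The play header is outside this hunk, so where the `vars:` block belongs cannot be seen here. The value should remain a throwaway used only against disposable test IPA servers.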
fb9e9a
@@ -25,7 +25,7 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is present again
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -37,7 +37,7 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com has two forwarders
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -50,7 +50,7 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com has one forwarder again
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
         - 8.8.8.8
fb9e9a
@@ -62,7 +62,7 @@
fb9e9a
 
fb9e9a
   - name: skip_overlap_check can only be set on creation so change nothing
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
         - 8.8.8.8
fb9e9a
@@ -74,7 +74,7 @@
fb9e9a
 
fb9e9a
   - name: change all the things at once
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -87,13 +87,13 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is absent for next testset
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: absent
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is created with minimal args
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       skip_overlap_check: true
fb9e9a
@@ -104,7 +104,7 @@
fb9e9a
 
fb9e9a
   - name: add a forwarder to any existing ones
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -115,7 +115,7 @@
fb9e9a
 
fb9e9a
   - name: check the list of forwarders is what we expect
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -127,7 +127,7 @@
fb9e9a
 
fb9e9a
   - name: remove a single forwarder
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: absent
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -138,7 +138,7 @@
fb9e9a
 
fb9e9a
   - name: check the list of forwarders is what we expect now
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -149,13 +149,13 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is absent again
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: absent
fb9e9a
 
fb9e9a
   - name: try to create a new forwarder with action=member
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -167,13 +167,13 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is absent - tidy up
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: absent
fb9e9a
 
fb9e9a
   - name: try to create a new forwarder is disabled state
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: disabled
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -184,7 +184,7 @@
fb9e9a
 
fb9e9a
   - name: enable the forwarder
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: enabled
fb9e9a
     register: result
fb9e9a
@@ -192,7 +192,7 @@
fb9e9a
 
fb9e9a
   - name: disable the forwarder again
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: disabled
fb9e9a
       action: member
fb9e9a
@@ -201,7 +201,7 @@
fb9e9a
 
fb9e9a
   - name: ensure it stays disabled
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: disabled
fb9e9a
     register: result
fb9e9a
@@ -209,6 +209,6 @@
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is absent - tidy up
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: absent
fb9e9a
From f8ebca760dbaaf38c7b74b0c855b05d26e9cb812 Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Wed, 10 Jun 2020 22:14:27 -0300
fb9e9a
Subject: [PATCH] Allow processing of multiple names for deleting
fb9e9a
 dnsforwardzones.
fb9e9a
fb9e9a
---
fb9e9a
 plugins/modules/ipadnsforwardzone.py | 189 ++++++++++++++-------------
fb9e9a
 1 file changed, 98 insertions(+), 91 deletions(-)
fb9e9a
fb9e9a
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
fb9e9a
index 90bd3876..b28f28db 100644
fb9e9a
--- a/plugins/modules/ipadnsforwardzone.py
fb9e9a
+++ b/plugins/modules/ipadnsforwardzone.py
fb9e9a
@@ -134,7 +134,7 @@ def main():
fb9e9a
             # general
fb9e9a
             ipaadmin_principal=dict(type="str", default="admin"),
fb9e9a
             ipaadmin_password=dict(type="str", required=False, no_log=True),
fb9e9a
-            name=dict(type="str", aliases=["cn"], default=None,
fb9e9a
+            name=dict(type="list", aliases=["cn"], default=None,
fb9e9a
                       required=True),
fb9e9a
             forwarders=dict(type='list', aliases=["idnsforwarders"],
fb9e9a
                             required=False),
fb9e9a
@@ -158,7 +158,7 @@ def main():
fb9e9a
                                            "ipaadmin_principal")
fb9e9a
     ipaadmin_password = module_params_get(ansible_module,
fb9e9a
                                           "ipaadmin_password")
fb9e9a
-    name = module_params_get(ansible_module, "name")
fb9e9a
+    names = module_params_get(ansible_module, "name")
fb9e9a
     action = module_params_get(ansible_module, "action")
fb9e9a
     forwarders = module_params_get(ansible_module, "forwarders")
fb9e9a
     forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
fb9e9a
@@ -166,6 +166,12 @@ def main():
fb9e9a
                                            "skip_overlap_check")
fb9e9a
     state = module_params_get(ansible_module, "state")
fb9e9a
 
fb9e9a
+    if state == 'present' and len(names) != 1:
fb9e9a
+        ansible_module.fail_json(
fb9e9a
+            msg="Only one dnsforwardzone can be added at a time.")
fb9e9a
+    if state == 'absent' and len(names) < 1:
fb9e9a
+        ansible_module.fail_json(msg="No name given.")
fb9e9a
+
fb9e9a
     # absent stae means delete if the action is NOT member but update if it is
fb9e9a
     # if action is member then update an exisiting resource
fb9e9a
     # and if action is not member then create a resource
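Review bot: The two new guards cover only `present` and `absent`, so with `state: enabled` or `state: disabled` an empty `name` list passes and the later loop returns unchanged without an error. Any number of names is also accepted for those states, and the commit message does not say whether that is intended. Checking the list before the state-specific test, `if len(names) < 1: ansible_module.fail_json(msg="No name given.")`, would close the empty case for every state. The rest of main() lies outside this hunk.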
fb9e9a
@@ -207,101 +213,102 @@ def main():
fb9e9a
                                                  ipaadmin_password)
fb9e9a
         api_connect()
fb9e9a
 
fb9e9a
-        # Make sure forwardzone exists
fb9e9a
-        existing_resource = find_dnsforwardzone(ansible_module, name)
fb9e9a
-
fb9e9a
-        if existing_resource is None and operation == "update":
fb9e9a
-            # does not exist and is updating
fb9e9a
-            # trying to update something that doesn't exist, so error
fb9e9a
-            ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
fb9e9a
-                                                     valid""" % (name))
fb9e9a
-        elif existing_resource is None and operation == "del":
fb9e9a
-            # does not exists and should be absent
fb9e9a
-            # set command
fb9e9a
-            command = None
fb9e9a
-            # enabled or disabled?
fb9e9a
-            is_enabled = "IGNORE"
fb9e9a
-        elif existing_resource is not None and operation == "del":
fb9e9a
-            # exists but should be absent
fb9e9a
-            # set command
fb9e9a
-            command = "dnsforwardzone_del"
fb9e9a
-            # enabled or disabled?
fb9e9a
-            is_enabled = "IGNORE"
fb9e9a
-        elif forwarders is None:
fb9e9a
-            # forwarders are not defined its not a delete, update state?
fb9e9a
-            # set command
fb9e9a
-            command = None
fb9e9a
-            # enabled or disabled?
fb9e9a
-            if existing_resource is not None:
fb9e9a
-                is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
-            else:
fb9e9a
-                is_enabled = "IGNORE"
fb9e9a
-        elif existing_resource is not None and operation == "update":
fb9e9a
-            # exists and is updating
fb9e9a
-            # calculate the new forwarders and mod
fb9e9a
-            # determine args
fb9e9a
-            if state != "absent":
fb9e9a
-                forwarders = list(set(existing_resource["idnsforwarders"]
fb9e9a
-                                      + forwarders))
fb9e9a
-            else:
fb9e9a
-                forwarders = list(set(existing_resource["idnsforwarders"])
fb9e9a
-                                  - set(forwarders))
fb9e9a
-            args = gen_args(forwarders, forwardpolicy,
fb9e9a
-                            skip_overlap_check)
fb9e9a
-            if skip_overlap_check is not None:
fb9e9a
-                del args['skip_overlap_check']
fb9e9a
-
fb9e9a
-            # command
fb9e9a
-            if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
-                command = "dnsforwardzone_mod"
fb9e9a
-            else:
fb9e9a
+        for name in names:
fb9e9a
+            # Make sure forwardzone exists
fb9e9a
+            existing_resource = find_dnsforwardzone(ansible_module, name)
fb9e9a
+
fb9e9a
+            if existing_resource is None and operation == "update":
fb9e9a
+                # does not exist and is updating
fb9e9a
+                # trying to update something that doesn't exist, so error
fb9e9a
+                ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
fb9e9a
+                                                         valid""" % (name))
fb9e9a
+            elif existing_resource is None and operation == "del":
fb9e9a
+                # does not exists and should be absent
fb9e9a
+                # set command
fb9e9a
                 command = None
fb9e9a
-
fb9e9a
-            # enabled or disabled?
fb9e9a
-            is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
-
fb9e9a
-        elif existing_resource is None and operation == "add":
fb9e9a
-            # does not exist but should be present
fb9e9a
-            # determine args
fb9e9a
-            args = gen_args(forwarders, forwardpolicy,
fb9e9a
-                            skip_overlap_check)
fb9e9a
-            # set command
fb9e9a
-            command = "dnsforwardzone_add"
fb9e9a
-            # enabled or disabled?
fb9e9a
-            is_enabled = "TRUE"
fb9e9a
-
fb9e9a
-        elif existing_resource is not None and operation == "add":
fb9e9a
-            # exists and should be present, has it changed?
fb9e9a
-            # determine args
fb9e9a
-            args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
-            if skip_overlap_check is not None:
fb9e9a
-                del args['skip_overlap_check']
fb9e9a
-
fb9e9a
-            # set command
fb9e9a
-            if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
-                command = "dnsforwardzone_mod"
fb9e9a
-            else:
fb9e9a
+                # enabled or disabled?
fb9e9a
+                is_enabled = "IGNORE"
fb9e9a
+            elif existing_resource is not None and operation == "del":
fb9e9a
+                # exists but should be absent
fb9e9a
+                # set command
fb9e9a
+                command = "dnsforwardzone_del"
fb9e9a
+                # enabled or disabled?
fb9e9a
+                is_enabled = "IGNORE"
fb9e9a
+            elif forwarders is None:
fb9e9a
+                # forwarders are not defined its not a delete, update state?
fb9e9a
+                # set command
fb9e9a
                 command = None
fb9e9a
+                # enabled or disabled?
fb9e9a
+                if existing_resource is not None:
fb9e9a
+                    is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
+                else:
fb9e9a
+                    is_enabled = "IGNORE"
fb9e9a
+            elif existing_resource is not None and operation == "update":
fb9e9a
+                # exists and is updating
fb9e9a
+                # calculate the new forwarders and mod
fb9e9a
+                # determine args
fb9e9a
+                if state != "absent":
fb9e9a
+                    forwarders = list(set(existing_resource["idnsforwarders"]
fb9e9a
+                                          + forwarders))
fb9e9a
+                else:
fb9e9a
+                    forwarders = list(set(existing_resource["idnsforwarders"])
fb9e9a
+                                      - set(forwarders))
fb9e9a
+                args = gen_args(forwarders, forwardpolicy,
fb9e9a
+                                skip_overlap_check)
fb9e9a
+                if skip_overlap_check is not None:
fb9e9a
+                    del args['skip_overlap_check']
fb9e9a
+
fb9e9a
+                # command
fb9e9a
+                if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
+                    command = "dnsforwardzone_mod"
fb9e9a
+                else:
fb9e9a
+                    command = None
fb9e9a
+
fb9e9a
+                # enabled or disabled?
fb9e9a
+                is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
 
fb9e9a
-            # enabled or disabled?
fb9e9a
-            is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
-
fb9e9a
-        # if command is set then run it with the args
fb9e9a
-        if command is not None:
fb9e9a
-            api_command(ansible_module, command, name, args)
fb9e9a
-            changed = True
fb9e9a
+            elif existing_resource is None and operation == "add":
fb9e9a
+                # does not exist but should be present
fb9e9a
+                # determine args
fb9e9a
+                args = gen_args(forwarders, forwardpolicy,
fb9e9a
+                                skip_overlap_check)
fb9e9a
+                # set command
fb9e9a
+                command = "dnsforwardzone_add"
fb9e9a
+                # enabled or disabled?
fb9e9a
+                is_enabled = "TRUE"
fb9e9a
+
fb9e9a
+            elif existing_resource is not None and operation == "add":
fb9e9a
+                # exists and should be present, has it changed?
fb9e9a
+                # determine args
fb9e9a
+                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
+                if skip_overlap_check is not None:
fb9e9a
+                    del args['skip_overlap_check']
fb9e9a
+
fb9e9a
+                # set command
fb9e9a
+                if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
+                    command = "dnsforwardzone_mod"
fb9e9a
+                else:
fb9e9a
+                    command = None
fb9e9a
+
fb9e9a
+                # enabled or disabled?
fb9e9a
+                is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
 
fb9e9a
-        # does the enabled state match what we want (if we care)
fb9e9a
-        if is_enabled != "IGNORE":
fb9e9a
-            if wants_enable and is_enabled != "TRUE":
fb9e9a
-                api_command(ansible_module, "dnsforwardzone_enable",
fb9e9a
-                            name, {})
fb9e9a
-                changed = True
fb9e9a
-            elif not wants_enable and is_enabled != "FALSE":
fb9e9a
-                api_command(ansible_module, "dnsforwardzone_disable",
fb9e9a
-                            name, {})
fb9e9a
+            # if command is set then run it with the args
fb9e9a
+            if command is not None:
fb9e9a
+                api_command(ansible_module, command, name, args)
fb9e9a
                 changed = True
fb9e9a
 
fb9e9a
+            # does the enabled state match what we want (if we care)
fb9e9a
+            if is_enabled != "IGNORE":
fb9e9a
+                if wants_enable and is_enabled != "TRUE":
fb9e9a
+                    api_command(ansible_module, "dnsforwardzone_enable",
fb9e9a
+                                name, {})
fb9e9a
+                    changed = True
fb9e9a
+                elif not wants_enable and is_enabled != "FALSE":
fb9e9a
+                    api_command(ansible_module, "dnsforwardzone_disable",
fb9e9a
+                                name, {})
fb9e9a
+                    changed = True
fb9e9a
+
fb9e9a
     except Exception as e:
fb9e9a
         ansible_module.fail_json(msg=str(e))
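Review bot: Inside the new `for name in names:` loop the update branch rebinds `forwarders` to the set computed against the current zone, so when several names are given with `state: absent` and `action: member` the second zone appears to be processed against the first zone's result rather than the requested list. Keeping the parameter untouched and using a per-iteration local, for example `zone_forwarders = list(set(existing_resource["idnsforwarders"]) - set(forwarders))` passed to `gen_args(zone_forwarders, forwardpolicy, skip_overlap_check)`, avoids the carry-over. `args` is likewise not assigned in the `del` branch before `api_command(ansible_module, command, name, args)`; it presumably comes from an initialisation above the hunk, which should be confirmed now that values can persist between iterations.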
fb9e9a
 
fb9e9a
From 3f785bc0e9fe1ab3ad874ce4f26e6897189db8aa Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Wed, 10 Jun 2020 22:20:20 -0300
fb9e9a
Subject: [PATCH] Fix error message when adding dnsforwardzone without
fb9e9a
 forwarders.
fb9e9a
fb9e9a
---
fb9e9a
 plugins/modules/ipadnsforwardzone.py         |  5 +++++
fb9e9a
 tests/dnsforwardzone/test_dnsforwardzone.yml | 13 +++++++++++--
fb9e9a
 2 files changed, 16 insertions(+), 2 deletions(-)
fb9e9a
fb9e9a
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
fb9e9a
index b28f28db..3968e6a1 100644
fb9e9a
--- a/plugins/modules/ipadnsforwardzone.py
fb9e9a
+++ b/plugins/modules/ipadnsforwardzone.py
fb9e9a
@@ -217,6 +217,11 @@ def main():
fb9e9a
             # Make sure forwardzone exists
fb9e9a
             existing_resource = find_dnsforwardzone(ansible_module, name)
fb9e9a
 
fb9e9a
+            # validate parameters
fb9e9a
+            if state == 'present':
fb9e9a
+                if existing_resource is None and not forwarders:
fb9e9a
+                    ansible_module.fail_json(msg='No forwarders specified.')
fb9e9a
+
fb9e9a
             if existing_resource is None and operation == "update":
fb9e9a
                 # does not exist and is updating
fb9e9a
                 # trying to update something that doesn't exist, so error
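Review bot: The added check fires only for `state == 'present'`, so a zone that does not exist and is requested with `state: enabled` or `state: disabled` and no forwarders still reaches the `elif forwarders is None` branch further down and ends as a silent no-op. This assumes those states map to the `add` operation, which is decided outside this hunk. If that holds, widening the condition to `if state in ('present', 'enabled', 'disabled'):` gives the same "No forwarders specified." error for all three. The loop body continues outside the hunk.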
fb9e9a
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
index ac08a48f..d94db9e5 100644
fb9e9a
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
@@ -5,10 +5,12 @@
fb9e9a
   gather_facts: false
fb9e9a
 
fb9e9a
   tasks:
fb9e9a
-  - name: ensure forwardzone example.com is absent - prep
fb9e9a
+  - name: ensure test forwardzones are absent - prep
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
-      name: example.com
fb9e9a
+      name:
fb9e9a
+      - example.com
fb9e9a
+      - newfailzone.com
fb9e9a
       state: absent
fb9e9a
 
fb9e9a
   - name: ensure forwardzone example.com is created
fb9e9a
@@ -207,6 +209,13 @@
fb9e9a
     register: result
fb9e9a
     failed_when: result.changed
fb9e9a
 
fb9e9a
+  - name: Ensure forwardzone is not added without forwarders, with correct message.
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: newfailzone.com
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.failed or "No forwarders specified" not in result.msg
fb9e9a
+
fb9e9a
   - name: ensure forwardzone example.com is absent - tidy up
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
From 1d223c2b63634abe86f7702a64dd83c4fbc272ce Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Mon, 15 Jun 2020 16:14:25 -0300
fb9e9a
Subject: [PATCH] Add support for attributes `ip_address` and `port` to
fb9e9a
 `forwarders`.
fb9e9a
fb9e9a
This patch modifies the way forwarders are configured, using two attributes,
fb9e9a
`ip_address` and `port`, instead of IPA API internal string representation
fb9e9a
of `IP port PORT`.
fb9e9a
---
fb9e9a
 README-dnsforwardzone.md                     |  6 ++-
fb9e9a
 plugins/modules/ipadnsforwardzone.py         | 37 ++++++++++++++---
fb9e9a
 tests/dnsforwardzone/test_dnsforwardzone.yml | 43 ++++++++++++--------
fb9e9a
 3 files changed, 62 insertions(+), 24 deletions(-)
fb9e9a
fb9e9a
diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
fb9e9a
index 81919295..15b2b574 100644
fb9e9a
--- a/README-dnsforwardzone.md
fb9e9a
+++ b/README-dnsforwardzone.md
fb9e9a
@@ -99,8 +99,10 @@ Variable | Description | Required
fb9e9a
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
fb9e9a
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
fb9e9a
 `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
fb9e9a
-`forwarders` \| `idnsforwarders` |  Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`) | no
fb9e9a
-`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
fb9e9a
+`forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
fb9e9a
+  | `ip_address`: The forwarder IP address. | yes
fb9e9a
+  | `port`: The forwarder IP port. | no
fb9e9a
+`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
fb9e9a
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
fb9e9a
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
fb9e9a
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
fb9e9a
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
fb9e9a
index 3968e6a1..8e5c3464 100644
fb9e9a
--- a/plugins/modules/ipadnsforwardzone.py
fb9e9a
+++ b/plugins/modules/ipadnsforwardzone.py
fb9e9a
@@ -54,9 +54,16 @@
fb9e9a
   forwarders:
fb9e9a
     description:
fb9e9a
     - List of the DNS servers to forward to
fb9e9a
-    required: true
fb9e9a
-    type: list
fb9e9a
     aliases: ["idnsforwarders"]
fb9e9a
+    options:
fb9e9a
+      ip_address:
fb9e9a
+        description: Forwarder IP address (either IPv4 or IPv6).
fb9e9a
+        required: false
fb9e9a
+        type: string
fb9e9a
+      port:
fb9e9a
+        description: Forwarder port.
fb9e9a
+        required: false
fb9e9a
+        type: int
fb9e9a
   forwardpolicy:
fb9e9a
     description: Per-zone conditional forwarding policy
fb9e9a
     required: false
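Review bot: The documented sub-options disagree with the argument_spec added later in this commit: `ip_address` is listed with `required: false` and `type: string`, while the spec declares `ip_address=dict(type='str', required=True)`. The hunk also removes `type: list` from `forwarders` and nests the entries under `options:`, whereas Ansible module documentation uses `suboptions:` for nested entries with `type: list` and `elements: dict` on the parent. Suggested wording is `required: true` and `type: str` for `ip_address`, `suboptions:` in place of `options:`, and restoring `type: list` plus `elements: dict` on `forwarders`.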
fb9e9a
@@ -128,6 +135,20 @@ def gen_args(forwarders, forwardpolicy, skip_overlap_check):
fb9e9a
     return _args
fb9e9a
 
fb9e9a
 
fb9e9a
+def forwarder_list(forwarders):
fb9e9a
+    """Convert the forwarder dict into a list compatible with IPA API."""
fb9e9a
+    if forwarders is None:
fb9e9a
+        return None
fb9e9a
+    fwd_list = []
fb9e9a
+    for forwarder in forwarders:
fb9e9a
+        if forwarder.get('port', None) is not None:
fb9e9a
+            formatter = "{ip_address} port {port}"
fb9e9a
+        else:
fb9e9a
+            formatter = "{ip_address}"
fb9e9a
+        fwd_list.append(formatter.format(**forwarder))
fb9e9a
+    return fwd_list
fb9e9a
+
fb9e9a
+
fb9e9a
 def main():
fb9e9a
     ansible_module = AnsibleModule(
fb9e9a
         argument_spec=dict(
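Review bot: `forwarder_list` formats `ip_address` and `port` straight into the `IP port PORT` string without checking either value, so an `ip_address` that contains whitespace (for instance one that already carries a ` port N` suffix) or a port outside 1-65535 is handed to the IPA API unchanged and any rejection depends on the server. Validating before formatting keeps the error local and readable, e.g. `if port is not None and not 0 < port < 65536:` and a whitespace check on `ip_address`, reported through `ansible_module.fail_json` by the caller. The docstring also says "forwarder dict" while the argument is a list of dicts; `"""Convert the list of forwarder dicts into the string list expected by the IPA API."""` would match the code. main() continues outside this hunk.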
fb9e9a
@@ -136,8 +157,13 @@ def main():
fb9e9a
             ipaadmin_password=dict(type="str", required=False, no_log=True),
fb9e9a
             name=dict(type="list", aliases=["cn"], default=None,
fb9e9a
                       required=True),
fb9e9a
-            forwarders=dict(type='list', aliases=["idnsforwarders"],
fb9e9a
-                            required=False),
fb9e9a
+            forwarders=dict(type="list", default=None, required=False,
fb9e9a
+                            aliases=["idnsforwarders"], elements='dict',
fb9e9a
+                            options=dict(
fb9e9a
+                                 ip_address=dict(type='str', required=True),
fb9e9a
+                                 port=dict(type='int', required=False,
fb9e9a
+                                           default=None),
fb9e9a
+                            )),
fb9e9a
             forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"],
fb9e9a
                                required=False,
fb9e9a
                                choices=['only', 'first', 'none']),
fb9e9a
@@ -160,7 +186,8 @@ def main():
fb9e9a
                                           "ipaadmin_password")
fb9e9a
     names = module_params_get(ansible_module, "name")
fb9e9a
     action = module_params_get(ansible_module, "action")
fb9e9a
-    forwarders = module_params_get(ansible_module, "forwarders")
fb9e9a
+    forwarders = forwarder_list(
fb9e9a
+        module_params_get(ansible_module, "forwarders"))
fb9e9a
     forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
fb9e9a
     skip_overlap_check = module_params_get(ansible_module,
fb9e9a
                                            "skip_overlap_check")
fb9e9a
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
index d94db9e5..468cd4ce 100644
fb9e9a
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
@@ -5,7 +5,7 @@
fb9e9a
   gather_facts: false
fb9e9a
 
fb9e9a
   tasks:
fb9e9a
-  - name: ensure test forwardzones are absent - prep
fb9e9a
+  - name: ensure test forwardzones are absent
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name:
fb9e9a
@@ -19,7 +19,7 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
       forwardpolicy: first
fb9e9a
       skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
@@ -31,7 +31,7 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
       forwardpolicy: first
fb9e9a
       skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
@@ -43,19 +43,22 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
-        - 4.4.4.4
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       forwardpolicy: first
fb9e9a
       skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
+  - pause:
fb9e9a
+
fb9e9a
   - name: ensure forwardzone example.com has one forwarder again
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
       forwardpolicy: first
fb9e9a
       skip_overlap_check: true
fb9e9a
       state: present
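Review bot: The added `- pause:` task has no arguments, so Ansible stops and waits for interactive input at that point (or skips it with a warning when no terminal is attached), which stalls or muddies unattended runs of this test playbook; it looks like a debugging leftover. Dropping the task is the simplest fix. If a delay between the two forwarder tasks is really needed, give it a bound and a name, for example `pause:` with `seconds: 5`.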
fb9e9a
@@ -67,7 +70,7 @@
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
       forwardpolicy: first
fb9e9a
       skip_overlap_check: false
fb9e9a
       state: present
fb9e9a
@@ -80,8 +83,9 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
-        - 4.4.4.4
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       forwardpolicy: only
fb9e9a
       skip_overlap_check: false
fb9e9a
     register: result
fb9e9a
@@ -100,7 +104,7 @@
fb9e9a
       name: example.com
fb9e9a
       skip_overlap_check: true
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
@@ -110,7 +114,8 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 4.4.4.4
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       action: member
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
@@ -121,8 +126,9 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 4.4.4.4
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
       action: member
fb9e9a
     register: result
fb9e9a
     failed_when: result.changed
fb9e9a
@@ -133,7 +139,7 @@
fb9e9a
       state: absent
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 8.8.8.8
fb9e9a
+        - ip_address: 8.8.8.8
fb9e9a
       action: member
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
@@ -144,7 +150,8 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 4.4.4.4
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       action: member
fb9e9a
     register: result
fb9e9a
     failed_when: result.changed
fb9e9a
@@ -161,7 +168,8 @@
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 4.4.4.4
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       action: member
fb9e9a
       skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
@@ -179,7 +187,8 @@
fb9e9a
       state: disabled
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
-        - 4.4.4.4
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
From bf864469a1da81c6b23e9726562b21408764ac8f Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Mon, 15 Jun 2020 20:42:23 -0300
fb9e9a
Subject: [PATCH] Add support for attribute `permission` on dnsforwardzone
fb9e9a
 module.
fb9e9a
fb9e9a
Adds the missing attribute `permission` to the dnsforwardzone module, which
fb9e9a
enables setting `managedby` for the DNS Forward Zone.
fb9e9a
---
fb9e9a
 README-dnsforwardzone.md                     |   1 +
fb9e9a
 plugins/modules/ipadnsforwardzone.py         |  71 ++++++++----
fb9e9a
 tests/dnsforwardzone/test_dnsforwardzone.yml | 110 +++++++++++++++----
fb9e9a
 3 files changed, 136 insertions(+), 46 deletions(-)
fb9e9a
fb9e9a
diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
fb9e9a
index 15b2b574..175e6f8b 100644
fb9e9a
--- a/README-dnsforwardzone.md
fb9e9a
+++ b/README-dnsforwardzone.md
fb9e9a
@@ -104,6 +104,7 @@ Variable | Description | Required
fb9e9a
   | `port`: The forwarder IP port. | no
fb9e9a
 `forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
fb9e9a
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
fb9e9a
+`permission` | Allow DNS Forward Zone to be managed. (bool) | no
fb9e9a
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
fb9e9a
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
fb9e9a
 
fb9e9a
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
fb9e9a
index 8e5c3464..a729197b 100644
fb9e9a
--- a/plugins/modules/ipadnsforwardzone.py
fb9e9a
+++ b/plugins/modules/ipadnsforwardzone.py
fb9e9a
@@ -75,6 +75,11 @@
fb9e9a
     - Force DNS zone creation even if it will overlap with an existing zone.
fb9e9a
     required: false
fb9e9a
     default: false
fb9e9a
+  permission:
fb9e9a
+    description:
fb9e9a
+    - Allow DNS Forward Zone to be managed.
fb9e9a
+    required: false
fb9e9a
+    type: bool
fb9e9a
 '''
fb9e9a
 
fb9e9a
 EXAMPLES = '''
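Review bot: The documentation added for `permission` omits the `managedby` alias that the argument spec in the next hunk declares, and "Allow DNS Forward Zone to be managed." does not say what the option creates or removes. The tests in this commit describe it as a permission for per-forward zone access delegation, so the entry could read `- Whether a permission for per-forward zone access delegation exists for the zone.` followed by `aliases: ["managedby"]`. Spelling out the delegation effect matters because the option presumably changes who may manage the zone. The DOCUMENTATION string starts outside the hunk.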
fb9e9a
@@ -168,6 +173,8 @@ def main():
fb9e9a
                                required=False,
fb9e9a
                                choices=['only', 'first', 'none']),
fb9e9a
             skip_overlap_check=dict(type='bool', required=False),
fb9e9a
+            permission=dict(type='bool', required=False,
fb9e9a
+                            aliases=['managedby']),
fb9e9a
             action=dict(type="str", default="dnsforwardzone",
fb9e9a
                         choices=["member", "dnsforwardzone"]),
fb9e9a
             # state
fb9e9a
@@ -191,6 +198,7 @@ def main():
fb9e9a
     forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
fb9e9a
     skip_overlap_check = module_params_get(ansible_module,
fb9e9a
                                            "skip_overlap_check")
fb9e9a
+    permission = module_params_get(ansible_module, "permission")
fb9e9a
     state = module_params_get(ansible_module, "state")
fb9e9a
 
fb9e9a
     if state == 'present' and len(names) != 1:
fb9e9a
@@ -215,7 +223,9 @@ def main():
fb9e9a
         wants_enable = True
fb9e9a
 
fb9e9a
     if operation == "del":
fb9e9a
-        invalid = ["forwarders", "forwardpolicy", "skip_overlap_check"]
fb9e9a
+        invalid = [
fb9e9a
+            "forwarders", "forwardpolicy", "skip_overlap_check", "permission"
fb9e9a
+        ]
fb9e9a
         for x in invalid:
fb9e9a
             if vars()[x] is not None:
fb9e9a
                 ansible_module.fail_json(
fb9e9a
@@ -241,6 +251,9 @@ def main():
fb9e9a
         api_connect()
fb9e9a
 
fb9e9a
         for name in names:
fb9e9a
+            commands = []
fb9e9a
+            command = None
fb9e9a
+
fb9e9a
             # Make sure forwardzone exists
fb9e9a
             existing_resource = find_dnsforwardzone(ansible_module, name)
fb9e9a
 
fb9e9a
@@ -249,6 +262,18 @@ def main():
fb9e9a
                 if existing_resource is None and not forwarders:
fb9e9a
                     ansible_module.fail_json(msg='No forwarders specified.')
fb9e9a
 
fb9e9a
+            if existing_resource is not None:
fb9e9a
+                if state != "absent":
fb9e9a
+                    if forwarders:
fb9e9a
+                        forwarders = list(
fb9e9a
+                            set(existing_resource["idnsforwarders"]
fb9e9a
+                                + forwarders))
fb9e9a
+                else:
fb9e9a
+                    if forwarders:
fb9e9a
+                        forwarders = list(
fb9e9a
+                            set(existing_resource["idnsforwarders"])
fb9e9a
+                            - set(forwarders))
fb9e9a
+
fb9e9a
             if existing_resource is None and operation == "update":
fb9e9a
                 # does not exist and is updating
fb9e9a
                 # trying to update something that doesn't exist, so error
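Review bot: The merged list is written back to `forwarders`, the module parameter, inside the `for name in names:` loop shown in the previous hunk, so the value computed for one zone becomes the input for the next. Only `state == 'present'` is limited to a single name in the visible checks, so a member removal over several zones would appear to subtract the first zone's remaining forwarders from the second zone, not the requested ones. Leave the parameter untouched and use a per-zone variable, e.g. `zone_forwarders = list(set(existing_resource["idnsforwarders"]) - set(forwarders))`, and pass that to `gen_args`. The loop body continues outside the hunk.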
fb9e9a
@@ -256,20 +281,17 @@ def main():
fb9e9a
                                                          valid""" % (name))
fb9e9a
             elif existing_resource is None and operation == "del":
fb9e9a
                 # does not exists and should be absent
fb9e9a
-                # set command
fb9e9a
-                command = None
fb9e9a
                 # enabled or disabled?
fb9e9a
                 is_enabled = "IGNORE"
fb9e9a
             elif existing_resource is not None and operation == "del":
fb9e9a
                 # exists but should be absent
fb9e9a
                 # set command
fb9e9a
                 command = "dnsforwardzone_del"
fb9e9a
+                args = {}
fb9e9a
                 # enabled or disabled?
fb9e9a
                 is_enabled = "IGNORE"
fb9e9a
             elif forwarders is None:
fb9e9a
                 # forwarders are not defined its not a delete, update state?
fb9e9a
-                # set command
fb9e9a
-                command = None
fb9e9a
                 # enabled or disabled?
fb9e9a
                 if existing_resource is not None:
fb9e9a
                     is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
@@ -278,23 +300,13 @@ def main():
fb9e9a
             elif existing_resource is not None and operation == "update":
fb9e9a
                 # exists and is updating
fb9e9a
                 # calculate the new forwarders and mod
fb9e9a
-                # determine args
fb9e9a
-                if state != "absent":
fb9e9a
-                    forwarders = list(set(existing_resource["idnsforwarders"]
fb9e9a
-                                          + forwarders))
fb9e9a
-                else:
fb9e9a
-                    forwarders = list(set(existing_resource["idnsforwarders"])
fb9e9a
-                                      - set(forwarders))
fb9e9a
-                args = gen_args(forwarders, forwardpolicy,
fb9e9a
-                                skip_overlap_check)
fb9e9a
-                if skip_overlap_check is not None:
fb9e9a
+                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
+                if "skip_overlap_check" in args:
fb9e9a
                     del args['skip_overlap_check']
fb9e9a
 
fb9e9a
                 # command
fb9e9a
                 if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
                     command = "dnsforwardzone_mod"
fb9e9a
-                else:
fb9e9a
-                    command = None
fb9e9a
 
fb9e9a
                 # enabled or disabled?
fb9e9a
                 is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
@@ -313,21 +325,36 @@ def main():
fb9e9a
                 # exists and should be present, has it changed?
fb9e9a
                 # determine args
fb9e9a
                 args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
-                if skip_overlap_check is not None:
fb9e9a
+                if 'skip_overlap_check' in args:
fb9e9a
                     del args['skip_overlap_check']
fb9e9a
 
fb9e9a
                 # set command
fb9e9a
                 if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
                     command = "dnsforwardzone_mod"
fb9e9a
-                else:
fb9e9a
-                    command = None
fb9e9a
 
fb9e9a
                 # enabled or disabled?
fb9e9a
                 is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
 
fb9e9a
-            # if command is set then run it with the args
fb9e9a
+            # if command is set...
fb9e9a
             if command is not None:
fb9e9a
-                api_command(ansible_module, command, name, args)
fb9e9a
+                commands.append([name, command, args])
fb9e9a
+
fb9e9a
+            if permission is not None:
fb9e9a
+                if existing_resource is None:
fb9e9a
+                    managedby = None
fb9e9a
+                else:
fb9e9a
+                    managedby = existing_resource.get('managedby', None)
fb9e9a
+                if permission and managedby is None:
fb9e9a
+                    commands.append(
fb9e9a
+                        [name, 'dnsforwardzone_add_permission', {}]
fb9e9a
+                    )
fb9e9a
+                elif not permission and managedby is not None:
fb9e9a
+                    commands.append(
fb9e9a
+                        [name, 'dnsforwardzone_remove_permission', {}]
fb9e9a
+                    )
fb9e9a
+
fb9e9a
+            for name, command, args in commands:
fb9e9a
+                result = api_command(ansible_module, command, name, args)
fb9e9a
                 changed = True
fb9e9a
 
fb9e9a
             # does the enabled state match what we want (if we care)
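Review bot: `for name, command, args in commands:` rebinds `name`, `command` and `args`, which are the enclosing zone loop's own variables. The enabled-state check that follows (it continues outside the hunk) then depends on whatever `name` the last queued entry left behind. Every entry currently carries the current zone, so the result is the same, but distinct names such as `for zone, cmd, cmd_args in commands:` would remove that coupling.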
fb9e9a
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
index 468cd4ce..0386bd48 100644
fb9e9a
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
@@ -51,8 +51,6 @@
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
-  - pause:
fb9e9a
-
fb9e9a
   - name: ensure forwardzone example.com has one forwarder again
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
@@ -63,7 +61,7 @@
fb9e9a
       skip_overlap_check: true
fb9e9a
       state: present
fb9e9a
     register: result
fb9e9a
-    failed_when: not result.changed
fb9e9a
+    failed_when: result.changed
fb9e9a
 
fb9e9a
   - name: skip_overlap_check can only be set on creation so change nothing
fb9e9a
     ipadnsforwardzone:
fb9e9a
@@ -77,6 +75,22 @@
fb9e9a
     register: result
fb9e9a
     failed_when: result.changed
fb9e9a
 
fb9e9a
+  - name: ensure forwardzone example.com is absent.
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      state: absent
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
+
fb9e9a
+  - name: ensure forwardzone example.com is absent, again.
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      state: absent
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.changed
fb9e9a
+
fb9e9a
   - name: change all the things at once
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
@@ -87,11 +101,12 @@
fb9e9a
         - ip_address: 4.4.4.4
fb9e9a
           port: 8053
fb9e9a
       forwardpolicy: only
fb9e9a
-      skip_overlap_check: false
fb9e9a
+      skip_overlap_check: true
fb9e9a
+      permission: yes
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
-  - name: ensure forwardzone example.com is absent for next testset
fb9e9a
+  - name: ensure forwardzone example.com is absent.
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
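Review bot: `permission: yes` is written as a YAML 1.1 truthy value while the line above it and the rest of the file use `true`/`false`. The same applies to `permission: yes` / `permission: no` in the `@@ -156,43 +171,58 @@` hunk and to `skip_overlap_check: yes` in the `@@ -201,12 +231,42 @@` hunk. Writing `permission: true` and `permission: false` keeps the file consistent and does not rely on the parser's 1.1 boolean rules.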
fb9e9a
@@ -156,43 +171,58 @@
fb9e9a
     register: result
fb9e9a
     failed_when: result.changed
fb9e9a
 
fb9e9a
-  - name: ensure forwardzone example.com is absent again
fb9e9a
+  - name: Add a permission for per-forward zone access delegation.
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
-      state: absent
fb9e9a
+      permission: yes
fb9e9a
+      action: member
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
 
fb9e9a
-  - name: try to create a new forwarder with action=member
fb9e9a
+  - name: Add a permission for per-forward zone access delegation, again.
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
-      state: present
fb9e9a
       name: example.com
fb9e9a
-      forwarders:
fb9e9a
-        - ip_address: 4.4.4.4
fb9e9a
-          port: 8053
fb9e9a
+      permission: yes
fb9e9a
       action: member
fb9e9a
-      skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
     failed_when: result.changed
fb9e9a
 
fb9e9a
-  - name: ensure forwardzone example.com is absent - tidy up
fb9e9a
+  - name: Remove a permission for per-forward zone access delegation.
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
-      state: absent
fb9e9a
+      permission: no
fb9e9a
+      action: member
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
 
fb9e9a
-  - name: try to create a new forwarder is disabled state
fb9e9a
+  - name: Remove a permission for per-forward zone access delegation, again.
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
-      state: disabled
fb9e9a
       name: example.com
fb9e9a
-      forwarders:
fb9e9a
-        - ip_address: 4.4.4.4
fb9e9a
-          port: 8053
fb9e9a
-      skip_overlap_check: true
fb9e9a
+      permission: no
fb9e9a
+      action: member
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.changed
fb9e9a
+
fb9e9a
+  - name: disable the forwarder
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      state: disabled
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
+  - name: disable the forwarder again
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      state: disabled
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.changed
fb9e9a
+
fb9e9a
   - name: enable the forwarder
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
@@ -201,12 +231,42 @@
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
-  - name: disable the forwarder again
fb9e9a
+  - name: enable the forwarder, again
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
-      state: disabled
fb9e9a
+      state: enabled
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.changed
fb9e9a
+
fb9e9a
+  - name: ensure forwardzone example.com is absent again
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      state: absent
fb9e9a
+
fb9e9a
+  - name: try to create a new forwarder with action=member
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      state: present
fb9e9a
+      name: example.com
fb9e9a
+      forwarders:
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
       action: member
fb9e9a
+      skip_overlap_check: true
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.changed
fb9e9a
+
fb9e9a
+  - name: try to create a new forwarder with disabled state
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      state: disabled
fb9e9a
+      name: example.com
fb9e9a
+      forwarders:
fb9e9a
+        - ip_address: 4.4.4.4
fb9e9a
+          port: 8053
fb9e9a
+      skip_overlap_check: yes
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
@@ -228,5 +288,7 @@
fb9e9a
   - name: ensure forwardzone example.com is absent - tidy up
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
-      name: example.com
fb9e9a
+      name:
fb9e9a
+      - example.com
fb9e9a
+      - newfailzone.com
fb9e9a
       state: absent
fb9e9a
From 857fb82eb9141a44ffb91331653e1c30b43f671e Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Mon, 15 Jun 2020 23:40:35 -0300
fb9e9a
Subject: [PATCH] Allows modification of forward policy in existing DNS Forward
fb9e9a
 Zone.
fb9e9a
fb9e9a
This patch allows the modification of the forward zone policy in
fb9e9a
an existing DNS Forward Zone, and fixes some issues with `enable`
fb9e9a
and `disable` state that prevented correct behavior of `forwardpolicy`.
fb9e9a
---
fb9e9a
 plugins/modules/ipadnsforwardzone.py         | 154 ++++++++++---------
fb9e9a
 tests/dnsforwardzone/test_dnsforwardzone.yml |  32 ++--
fb9e9a
 2 files changed, 97 insertions(+), 89 deletions(-)
fb9e9a
fb9e9a
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
fb9e9a
index a729197b..1f1e85ec 100644
fb9e9a
--- a/plugins/modules/ipadnsforwardzone.py
fb9e9a
+++ b/plugins/modules/ipadnsforwardzone.py
fb9e9a
@@ -217,10 +217,20 @@ def main():
fb9e9a
     else:
fb9e9a
         operation = "add"
fb9e9a
 
fb9e9a
-    if state == "disabled":
fb9e9a
-        wants_enable = False
fb9e9a
-    else:
fb9e9a
-        wants_enable = True
fb9e9a
+    if state in ["enabled", "disabled"]:
fb9e9a
+        if action == "member":
fb9e9a
+            ansible_module.fail_json(
fb9e9a
+                msg="Action `member` cannot be used with state `%s`"
fb9e9a
+                    % (state))
fb9e9a
+        invalid = [
fb9e9a
+            "forwarders", "forwardpolicy", "skip_overlap_check", "permission"
fb9e9a
+        ]
fb9e9a
+        for x in invalid:
fb9e9a
+            if vars()[x] is not None:
fb9e9a
+                ansible_module.fail_json(
fb9e9a
+                    msg="Argument '%s' can not be used with action "
fb9e9a
+                    "'%s', state `%s`" % (x, action, state))
fb9e9a
+        wants_enable = (state == "enabled")
fb9e9a
 
fb9e9a
     if operation == "del":
fb9e9a
         invalid = [
fb9e9a
@@ -230,7 +240,7 @@ def main():
fb9e9a
             if vars()[x] is not None:
fb9e9a
                 ansible_module.fail_json(
fb9e9a
                     msg="Argument '%s' can not be used with action "
fb9e9a
-                    "'%s'" % (x, action))
fb9e9a
+                    "'%s', state `%s`" % (x, action, state))
fb9e9a
 
fb9e9a
     changed = False
fb9e9a
     exit_args = {}
fb9e9a
@@ -262,7 +272,27 @@ def main():
fb9e9a
                 if existing_resource is None and not forwarders:
fb9e9a
                     ansible_module.fail_json(msg='No forwarders specified.')
fb9e9a
 
fb9e9a
-            if existing_resource is not None:
fb9e9a
+            if existing_resource is None:
fb9e9a
+                if operation == "add":
fb9e9a
+                    # does not exist but should be present
fb9e9a
+                    # determine args
fb9e9a
+                    args = gen_args(forwarders, forwardpolicy,
fb9e9a
+                                    skip_overlap_check)
fb9e9a
+                    # set command
fb9e9a
+                    command = "dnsforwardzone_add"
fb9e9a
+                    # enabled or disabled?
fb9e9a
+
fb9e9a
+                elif operation == "update":
fb9e9a
+                    # does not exist and is updating
fb9e9a
+                    # trying to update something that doesn't exist, so error
fb9e9a
+                    ansible_module.fail_json(
fb9e9a
+                        msg="dnsforwardzone '%s' not found." % (name))
fb9e9a
+
fb9e9a
+                elif operation == "del":
fb9e9a
+                    # there's nothnig to do.
fb9e9a
+                    continue
fb9e9a
+
fb9e9a
+            else:   # existing_resource is not None
fb9e9a
                 if state != "absent":
fb9e9a
                     if forwarders:
fb9e9a
                         forwarders = list(
fb9e9a
@@ -274,66 +304,51 @@ def main():
fb9e9a
                             set(existing_resource["idnsforwarders"])
fb9e9a
                             - set(forwarders))
fb9e9a
 
fb9e9a
-            if existing_resource is None and operation == "update":
fb9e9a
-                # does not exist and is updating
fb9e9a
-                # trying to update something that doesn't exist, so error
fb9e9a
-                ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
fb9e9a
-                                                         valid""" % (name))
fb9e9a
-            elif existing_resource is None and operation == "del":
fb9e9a
-                # does not exists and should be absent
fb9e9a
-                # enabled or disabled?
fb9e9a
-                is_enabled = "IGNORE"
fb9e9a
-            elif existing_resource is not None and operation == "del":
fb9e9a
-                # exists but should be absent
fb9e9a
-                # set command
fb9e9a
-                command = "dnsforwardzone_del"
fb9e9a
-                args = {}
fb9e9a
-                # enabled or disabled?
fb9e9a
-                is_enabled = "IGNORE"
fb9e9a
-            elif forwarders is None:
fb9e9a
-                # forwarders are not defined its not a delete, update state?
fb9e9a
-                # enabled or disabled?
fb9e9a
+                if operation == "add":
fb9e9a
+                    # exists and should be present, has it changed?
fb9e9a
+                    # determine args
fb9e9a
+                    args = gen_args(
fb9e9a
+                        forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
+                    if 'skip_overlap_check' in args:
fb9e9a
+                        del args['skip_overlap_check']
fb9e9a
+
fb9e9a
+                    # set command
fb9e9a
+                    if not compare_args_ipa(
fb9e9a
+                            ansible_module, args, existing_resource):
fb9e9a
+                        command = "dnsforwardzone_mod"
fb9e9a
+
fb9e9a
+                elif operation == "del":
fb9e9a
+                    # exists but should be absent
fb9e9a
+                    # set command
fb9e9a
+                    command = "dnsforwardzone_del"
fb9e9a
+                    args = {}
fb9e9a
+
fb9e9a
+                elif operation == "update":
fb9e9a
+                    # exists and is updating
fb9e9a
+                    # calculate the new forwarders and mod
fb9e9a
+                    args = gen_args(
fb9e9a
+                        forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
+                    if "skip_overlap_check" in args:
fb9e9a
+                        del args['skip_overlap_check']
fb9e9a
+
fb9e9a
+                    # command
fb9e9a
+                    if not compare_args_ipa(
fb9e9a
+                            ansible_module, args, existing_resource):
fb9e9a
+                        command = "dnsforwardzone_mod"
fb9e9a
+
fb9e9a
+            if state in ['enabled', 'disabled']:
fb9e9a
                 if existing_resource is not None:
fb9e9a
                     is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
                 else:
fb9e9a
-                    is_enabled = "IGNORE"
fb9e9a
-            elif existing_resource is not None and operation == "update":
fb9e9a
-                # exists and is updating
fb9e9a
-                # calculate the new forwarders and mod
fb9e9a
-                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
-                if "skip_overlap_check" in args:
fb9e9a
-                    del args['skip_overlap_check']
fb9e9a
-
fb9e9a
-                # command
fb9e9a
-                if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
-                    command = "dnsforwardzone_mod"
fb9e9a
-
fb9e9a
-                # enabled or disabled?
fb9e9a
-                is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
-
fb9e9a
-            elif existing_resource is None and operation == "add":
fb9e9a
-                # does not exist but should be present
fb9e9a
-                # determine args
fb9e9a
-                args = gen_args(forwarders, forwardpolicy,
fb9e9a
-                                skip_overlap_check)
fb9e9a
-                # set command
fb9e9a
-                command = "dnsforwardzone_add"
fb9e9a
-                # enabled or disabled?
fb9e9a
-                is_enabled = "TRUE"
fb9e9a
-
fb9e9a
-            elif existing_resource is not None and operation == "add":
fb9e9a
-                # exists and should be present, has it changed?
fb9e9a
-                # determine args
fb9e9a
-                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
fb9e9a
-                if 'skip_overlap_check' in args:
fb9e9a
-                    del args['skip_overlap_check']
fb9e9a
-
fb9e9a
-                # set command
fb9e9a
-                if not compare_args_ipa(ansible_module, args, existing_resource):
fb9e9a
-                    command = "dnsforwardzone_mod"
fb9e9a
-
fb9e9a
-                # enabled or disabled?
fb9e9a
-                is_enabled = existing_resource["idnszoneactive"][0]
fb9e9a
+                    ansible_module.fail_json(
fb9e9a
+                        msg="dnsforwardzone '%s' not found." % (name))
fb9e9a
+
fb9e9a
+            # does the enabled state match what we want (if we care)
fb9e9a
+            if is_enabled != "IGNORE":
fb9e9a
+                if wants_enable and is_enabled != "TRUE":
fb9e9a
+                    commands.append([name, "dnsforwardzone_enable", {}])
fb9e9a
+                elif not wants_enable and is_enabled != "FALSE":
fb9e9a
+                    commands.append([name, "dnsforwardzone_disable", {}])
fb9e9a
 
fb9e9a
             # if command is set...
fb9e9a
             if command is not None:
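Review bot: `if is_enabled != "IGNORE":` now runs for every state, but the only assignment to `is_enabled` left in this hunk sits under `if state in ['enabled', 'disabled']:`; the old `"IGNORE"` and `"TRUE"` assignments are all removed. Unless `is_enabled` is initialised before the loop, outside the lines shown, a `present` or `absent` run reaches the comparison with the name unbound, and the error would surface only as a generic message through the surrounding `except Exception`. `wants_enable` has the same shape after the first hunk of this file, where it is set only for `enabled`/`disabled`. Moving the `if wants_enable ...` / `elif not wants_enable ...` pair inside `if state in ['enabled', 'disabled']:` removes the dependency and makes the `"IGNORE"` sentinel unnecessary. `main()` starts and ends outside the hunk.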
fb9e9a
@@ -354,20 +369,9 @@ def main():
fb9e9a
                     )
fb9e9a
 
fb9e9a
             for name, command, args in commands:
fb9e9a
-                result = api_command(ansible_module, command, name, args)
fb9e9a
+                api_command(ansible_module, command, name, args)
fb9e9a
                 changed = True
fb9e9a
 
fb9e9a
-            # does the enabled state match what we want (if we care)
fb9e9a
-            if is_enabled != "IGNORE":
fb9e9a
-                if wants_enable and is_enabled != "TRUE":
fb9e9a
-                    api_command(ansible_module, "dnsforwardzone_enable",
fb9e9a
-                                name, {})
fb9e9a
-                    changed = True
fb9e9a
-                elif not wants_enable and is_enabled != "FALSE":
fb9e9a
-                    api_command(ansible_module, "dnsforwardzone_disable",
fb9e9a
-                                name, {})
fb9e9a
-                    changed = True
fb9e9a
-
fb9e9a
     except Exception as e:
fb9e9a
         ansible_module.fail_json(msg=str(e))
fb9e9a
 
fb9e9a
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
index 0386bd48..223cf3d0 100644
fb9e9a
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
fb9e9a
@@ -106,6 +106,22 @@
fb9e9a
     register: result
fb9e9a
     failed_when: not result.changed
fb9e9a
 
fb9e9a
+  - name: change zone forward policy
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      forwardpolicy: first
fb9e9a
+    register: result
fb9e9a
+    failed_when: not result.changed
fb9e9a
+
fb9e9a
+  - name: change zone forward policy, again
fb9e9a
+    ipadnsforwardzone:
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
+      name: example.com
fb9e9a
+      forwardpolicy: first
fb9e9a
+    register: result
fb9e9a
+    failed_when: result.changed
fb9e9a
+
fb9e9a
   - name: ensure forwardzone example.com is absent.
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
@@ -256,27 +272,15 @@
fb9e9a
       action: member
fb9e9a
       skip_overlap_check: true
fb9e9a
     register: result
fb9e9a
-    failed_when: result.changed
fb9e9a
+    failed_when: not result.failed or "not found" not in result.msg
fb9e9a
 
fb9e9a
   - name: try to create a new forwarder with disabled state
fb9e9a
-    ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: SomeADMINpassword
fb9e9a
-      state: disabled
fb9e9a
-      name: example.com
fb9e9a
-      forwarders:
fb9e9a
-        - ip_address: 4.4.4.4
fb9e9a
-          port: 8053
fb9e9a
-      skip_overlap_check: yes
fb9e9a
-    register: result
fb9e9a
-    failed_when: not result.changed
fb9e9a
-
fb9e9a
-  - name: ensure it stays disabled
fb9e9a
     ipadnsforwardzone:
fb9e9a
       ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: disabled
fb9e9a
     register: result
fb9e9a
-    failed_when: result.changed
fb9e9a
+    failed_when: not result.failed or "not found" not in result.msg
fb9e9a
 
fb9e9a
   - name: Ensure forwardzone is not added without forwarders, with correct message.
fb9e9a
     ipadnsforwardzone:
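Review bot: The task kept under `- name: try to create a new forwarder with disabled state` no longer passes `forwarders`. It now only sets `state: disabled` on a zone that the earlier `state: absent` task removed, and expects a "not found" failure. The name should describe that, for example `- name: ensure disabling a nonexistent forwardzone fails`. Otherwise a failing run reports a scenario the test no longer exercises.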
fb9e9a
From 8da6a6937919d0c390b870113fb557649c39c815 Mon Sep 17 00:00:00 2001
fb9e9a
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
fb9e9a
Date: Fri, 26 Jun 2020 11:28:15 -0300
fb9e9a
Subject: [PATCH] Change password values in README to keep consistency with
fb9e9a
 other modules.
fb9e9a
fb9e9a
---
fb9e9a
 README-dnsforwardzone.md | 10 +++++-----
fb9e9a
 1 file changed, 5 insertions(+), 5 deletions(-)
fb9e9a
fb9e9a
diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
fb9e9a
index 175e6f8b..32de7bfe 100644
fb9e9a
--- a/README-dnsforwardzone.md
fb9e9a
+++ b/README-dnsforwardzone.md
fb9e9a
@@ -49,7 +49,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
fb9e9a
   tasks:
fb9e9a
   - name: ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -59,13 +59,13 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
fb9e9a
 
fb9e9a
   - name: ensure the forward zone is disabled
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: disabled
fb9e9a
 
fb9e9a
   - name: ensure presence of multiple upstream DNS servers for example.com
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -74,7 +74,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
fb9e9a
 
fb9e9a
   - name: ensure presence of another forwarder to any existing ones for example.com
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       state: present
fb9e9a
       name: example.com
fb9e9a
       forwarders:
fb9e9a
@@ -83,7 +83,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
fb9e9a
 
fb9e9a
   - name: ensure the forwarder for example.com does not exists (delete it if needed)
fb9e9a
     ipadnsforwardzone:
fb9e9a
-      ipaadmin_password: password01
fb9e9a
+      ipaadmin_password: SomeADMINpassword
fb9e9a
       name: example.com
fb9e9a
       state: absent
fb9e9a
 ```