From f0f933b4630bce810475a519e295828013d301d6 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 10 Jun 2020 20:40:45 -0300
Subject: [PATCH] Changed admin password on tests to match other modules.

Using the same password in all module tests eases test automation,
and this change ensures that dnsforwardzone uses the same password as
other modules.
---
 tests/dnsforwardzone/test_dnsforwardzone.yml | 42 ++++++++++----------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
index 1a45e826..ac08a48f 100644
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -7,13 +7,13 @@
   tasks:
   - name: ensure forwardzone example.com is absent - prep
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
 
   - name: ensure forwardzone example.com is created
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -25,7 +25,7 @@
 
   - name: ensure forwardzone example.com is present again
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -37,7 +37,7 @@
 
   - name: ensure forwardzone example.com has two forwarders
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -50,7 +50,7 @@
 
   - name: ensure forwardzone example.com has one forwarder again
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       forwarders:
         - 8.8.8.8
@@ -62,7 +62,7 @@
 
   - name: skip_overlap_check can only be set on creation so change nothing
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       forwarders:
         - 8.8.8.8
@@ -74,7 +74,7 @@
 
   - name: change all the things at once
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -87,13 +87,13 @@
 
   - name: ensure forwardzone example.com is absent for next testset
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
 
   - name: ensure forwardzone example.com is created with minimal args
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       skip_overlap_check: true
@@ -104,7 +104,7 @@
 
   - name: add a forwarder to any existing ones
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -115,7 +115,7 @@
 
   - name: check the list of forwarders is what we expect
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -127,7 +127,7 @@
 
   - name: remove a single forwarder
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: absent
       name: example.com
       forwarders:
@@ -138,7 +138,7 @@
 
   - name: check the list of forwarders is what we expect now
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -149,13 +149,13 @@
 
   - name: ensure forwardzone example.com is absent again
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
 
   - name: try to create a new forwarder with action=member
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -167,13 +167,13 @@
 
   - name: ensure forwardzone example.com is absent - tidy up
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
 
   - name: try to create a new forwarder is disabled state
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: disabled
       name: example.com
       forwarders:
@@ -184,7 +184,7 @@
 
   - name: enable the forwarder
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: enabled
     register: result
@@ -192,7 +192,7 @@
 
   - name: disable the forwarder again
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: disabled
       action: member
@@ -201,7 +201,7 @@
 
   - name: ensure it stays disabled
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: disabled
     register: result
@@ -209,6 +209,6 @@
 
   - name: ensure forwardzone example.com is absent - tidy up
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
From f8ebca760dbaaf38c7b74b0c855b05d26e9cb812 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 10 Jun 2020 22:14:27 -0300
Subject: [PATCH] Allow processing of multiple names for deleting
 dnsforwardzones.

---
 plugins/modules/ipadnsforwardzone.py | 189 ++++++++++++++-------------
 1 file changed, 98 insertions(+), 91 deletions(-)

diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
index 90bd3876..b28f28db 100644
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -134,7 +134,7 @@ def main():
             # general
             ipaadmin_principal=dict(type="str", default="admin"),
             ipaadmin_password=dict(type="str", required=False, no_log=True),
-            name=dict(type="str", aliases=["cn"], default=None,
+            name=dict(type="list", aliases=["cn"], default=None,
                       required=True),
             forwarders=dict(type='list', aliases=["idnsforwarders"],
                             required=False),
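Review bot: `name` becomes `type="list"` without an `elements` declaration, so the individual entries are not coerced to strings at argument parsing before they reach `find_dnsforwardzone` and `api_command`. Declaring the element type, `name=dict(type="list", elements="str", aliases=["cn"], required=True),`, closes that gap and also drops the `default=None` that is redundant next to `required=True`. The argument_spec continues outside this hunk.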
@@ -158,7 +158,7 @@ def main():
                                            "ipaadmin_principal")
     ipaadmin_password = module_params_get(ansible_module,
                                           "ipaadmin_password")
-    name = module_params_get(ansible_module, "name")
+    names = module_params_get(ansible_module, "name")
     action = module_params_get(ansible_module, "action")
     forwarders = module_params_get(ansible_module, "forwarders")
     forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
@@ -166,6 +166,12 @@ def main():
                                            "skip_overlap_check")
     state = module_params_get(ansible_module, "state")
 
+    if state == 'present' and len(names) != 1:
+        ansible_module.fail_json(
+            msg="Only one dnsforwardzone can be added at a time.")
+    if state == 'absent' and len(names) < 1:
+        ansible_module.fail_json(msg="No name given.")
+
     # absent stae means delete if the action is NOT member but update if it is
     # if action is member then update an exisiting resource
     # and if action is not member then create a resource
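Review bot: The new length checks cover only `present` and `absent`, so for `state: enabled` or `state: disabled` a list with several names, or an empty list, goes straight to the per-name loop. If multi-name handling is meant for deletion only, as the subject line says, the first guard should apply to every state except `absent`, for example `if state != 'absent' and len(names) != 1:` with a message that is not specific to adding. The rest of main() is outside this hunk, so how `enabled` and `disabled` map to an operation is not visible here.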
@@ -207,101 +213,102 @@ def main():
                                                  ipaadmin_password)
         api_connect()
 
-        # Make sure forwardzone exists
-        existing_resource = find_dnsforwardzone(ansible_module, name)
-
-        if existing_resource is None and operation == "update":
-            # does not exist and is updating
-            # trying to update something that doesn't exist, so error
-            ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
-                                                     valid""" % (name))
-        elif existing_resource is None and operation == "del":
-            # does not exists and should be absent
-            # set command
-            command = None
-            # enabled or disabled?
-            is_enabled = "IGNORE"
-        elif existing_resource is not None and operation == "del":
-            # exists but should be absent
-            # set command
-            command = "dnsforwardzone_del"
-            # enabled or disabled?
-            is_enabled = "IGNORE"
-        elif forwarders is None:
-            # forwarders are not defined its not a delete, update state?
-            # set command
-            command = None
-            # enabled or disabled?
-            if existing_resource is not None:
-                is_enabled = existing_resource["idnszoneactive"][0]
-            else:
-                is_enabled = "IGNORE"
-        elif existing_resource is not None and operation == "update":
-            # exists and is updating
-            # calculate the new forwarders and mod
-            # determine args
-            if state != "absent":
-                forwarders = list(set(existing_resource["idnsforwarders"]
-                                      + forwarders))
-            else:
-                forwarders = list(set(existing_resource["idnsforwarders"])
-                                  - set(forwarders))
-            args = gen_args(forwarders, forwardpolicy,
-                            skip_overlap_check)
-            if skip_overlap_check is not None:
-                del args['skip_overlap_check']
-
-            # command
-            if not compare_args_ipa(ansible_module, args, existing_resource):
-                command = "dnsforwardzone_mod"
-            else:
+        for name in names:
+            # Make sure forwardzone exists
+            existing_resource = find_dnsforwardzone(ansible_module, name)
+
+            if existing_resource is None and operation == "update":
+                # does not exist and is updating
+                # trying to update something that doesn't exist, so error
+                ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
+                                                         valid""" % (name))
+            elif existing_resource is None and operation == "del":
+                # does not exists and should be absent
+                # set command
                 command = None
-
-            # enabled or disabled?
-            is_enabled = existing_resource["idnszoneactive"][0]
-
-        elif existing_resource is None and operation == "add":
-            # does not exist but should be present
-            # determine args
-            args = gen_args(forwarders, forwardpolicy,
-                            skip_overlap_check)
-            # set command
-            command = "dnsforwardzone_add"
-            # enabled or disabled?
-            is_enabled = "TRUE"
-
-        elif existing_resource is not None and operation == "add":
-            # exists and should be present, has it changed?
-            # determine args
-            args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
-            if skip_overlap_check is not None:
-                del args['skip_overlap_check']
-
-            # set command
-            if not compare_args_ipa(ansible_module, args, existing_resource):
-                command = "dnsforwardzone_mod"
-            else:
+                # enabled or disabled?
+                is_enabled = "IGNORE"
+            elif existing_resource is not None and operation == "del":
+                # exists but should be absent
+                # set command
+                command = "dnsforwardzone_del"
+                # enabled or disabled?
+                is_enabled = "IGNORE"
+            elif forwarders is None:
+                # forwarders are not defined its not a delete, update state?
+                # set command
                 command = None
+                # enabled or disabled?
+                if existing_resource is not None:
+                    is_enabled = existing_resource["idnszoneactive"][0]
+                else:
+                    is_enabled = "IGNORE"
+            elif existing_resource is not None and operation == "update":
+                # exists and is updating
+                # calculate the new forwarders and mod
+                # determine args
+                if state != "absent":
+                    forwarders = list(set(existing_resource["idnsforwarders"]
+                                          + forwarders))
+                else:
+                    forwarders = list(set(existing_resource["idnsforwarders"])
+                                      - set(forwarders))
+                args = gen_args(forwarders, forwardpolicy,
+                                skip_overlap_check)
+                if skip_overlap_check is not None:
+                    del args['skip_overlap_check']
+
+                # command
+                if not compare_args_ipa(ansible_module, args, existing_resource):
+                    command = "dnsforwardzone_mod"
+                else:
+                    command = None
+
+                # enabled or disabled?
+                is_enabled = existing_resource["idnszoneactive"][0]
 
-            # enabled or disabled?
-            is_enabled = existing_resource["idnszoneactive"][0]
-
-        # if command is set then run it with the args
-        if command is not None:
-            api_command(ansible_module, command, name, args)
-            changed = True
+            elif existing_resource is None and operation == "add":
+                # does not exist but should be present
+                # determine args
+                args = gen_args(forwarders, forwardpolicy,
+                                skip_overlap_check)
+                # set command
+                command = "dnsforwardzone_add"
+                # enabled or disabled?
+                is_enabled = "TRUE"
+
+            elif existing_resource is not None and operation == "add":
+                # exists and should be present, has it changed?
+                # determine args
+                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
+                if skip_overlap_check is not None:
+                    del args['skip_overlap_check']
+
+                # set command
+                if not compare_args_ipa(ansible_module, args, existing_resource):
+                    command = "dnsforwardzone_mod"
+                else:
+                    command = None
+
+                # enabled or disabled?
+                is_enabled = existing_resource["idnszoneactive"][0]
 
-        # does the enabled state match what we want (if we care)
-        if is_enabled != "IGNORE":
-            if wants_enable and is_enabled != "TRUE":
-                api_command(ansible_module, "dnsforwardzone_enable",
-                            name, {})
-                changed = True
-            elif not wants_enable and is_enabled != "FALSE":
-                api_command(ansible_module, "dnsforwardzone_disable",
-                            name, {})
+            # if command is set then run it with the args
+            if command is not None:
+                api_command(ansible_module, command, name, args)
                 changed = True
 
+            # does the enabled state match what we want (if we care)
+            if is_enabled != "IGNORE":
+                if wants_enable and is_enabled != "TRUE":
+                    api_command(ansible_module, "dnsforwardzone_enable",
+                                name, {})
+                    changed = True
+                elif not wants_enable and is_enabled != "FALSE":
+                    api_command(ansible_module, "dnsforwardzone_disable",
+                                name, {})
+                    changed = True
+
     except Exception as e:
         ansible_module.fail_json(msg=str(e))
 
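Review bot: Inside the new `for name in names:` loop the update branch reassigns `forwarders` from `existing_resource["idnsforwarders"]`, so with several names the second zone is computed from the first zone's merged result instead of the task's input. `state: absent` with `action: member` appears to take this branch and is allowed more than one name by the new checks. Keeping the per-zone result in a local, e.g. `zone_forwarders = list(set(existing_resource["idnsforwarders"]) - set(forwarders))`, and passing that to `gen_args` leaves the input untouched. The `del` branch also assigns no `args` before `api_command(ansible_module, command, name, args)`; unless `args` is initialised outside the hunk it is undefined there or carried over from an earlier iteration.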
From 3f785bc0e9fe1ab3ad874ce4f26e6897189db8aa Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 10 Jun 2020 22:20:20 -0300
Subject: [PATCH] Fix error message when adding dnsforwardzone without
 forwarders.

---
 plugins/modules/ipadnsforwardzone.py         |  5 +++++
 tests/dnsforwardzone/test_dnsforwardzone.yml | 13 +++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
index b28f28db..3968e6a1 100644
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -217,6 +217,11 @@ def main():
             # Make sure forwardzone exists
             existing_resource = find_dnsforwardzone(ansible_module, name)
 
+            # validate parameters
+            if state == 'present':
+                if existing_resource is None and not forwarders:
+                    ansible_module.fail_json(msg='No forwarders specified.')
+
             if existing_resource is None and operation == "update":
                 # does not exist and is updating
                 # trying to update something that doesn't exist, so error
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
index ac08a48f..d94db9e5 100644
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -5,10 +5,12 @@
   gather_facts: false
 
   tasks:
-  - name: ensure forwardzone example.com is absent - prep
+  - name: ensure test forwardzones are absent - prep
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
-      name: example.com
+      name:
+      - example.com
+      - newfailzone.com
       state: absent
 
   - name: ensure forwardzone example.com is created
@@ -207,6 +209,13 @@
     register: result
     failed_when: result.changed
 
+  - name: Ensure forwardzone is not added without forwarders, with correct message.
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: newfailzone.com
+    register: result
+    failed_when: not result.failed or "No forwarders specified" not in result.msg
+
   - name: ensure forwardzone example.com is absent - tidy up
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
From 1d223c2b63634abe86f7702a64dd83c4fbc272ce Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 15 Jun 2020 16:14:25 -0300
Subject: [PATCH] Add support for attributes `ip_address` and `port` to
 `forwarders`.

This patch modifies the way forwarders are configured, using two attributes,
`ip_address` and `port`, instead of the IPA API's internal string representation
of `IP port PORT`.
---
 README-dnsforwardzone.md                     |  6 ++-
 plugins/modules/ipadnsforwardzone.py         | 37 ++++++++++++++---
 tests/dnsforwardzone/test_dnsforwardzone.yml | 43 ++++++++++++--------
 3 files changed, 62 insertions(+), 24 deletions(-)

diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
index 81919295..15b2b574 100644
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -99,8 +99,10 @@ Variable | Description | Required
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
-`forwarders` \| `idnsforwarders` |  Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`) | no
-`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
+`forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
+&nbsp; | `ip_address`: The forwarder IP address. | yes
+&nbsp; | `port`: The forwarder IP port. | no
+`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
index 3968e6a1..8e5c3464 100644
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -54,9 +54,16 @@
   forwarders:
     description:
     - List of the DNS servers to forward to
-    required: true
-    type: list
     aliases: ["idnsforwarders"]
+    options:
+      ip_address:
+        description: Forwarder IP address (either IPv4 or IPv6).
+        required: false
+        type: string
+      port:
+        description: Forwarder port.
+        required: false
+        type: int
   forwardpolicy:
     description: Per-zone conditional forwarding policy
     required: false
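Review bot: The documented sub-options disagree with the argument_spec changed later in this commit: `ip_address` is listed as `required: false` with `type: string`, while the spec declares `ip_address=dict(type='str', required=True)`. Ansible's DOCUMENTATION schema names nested keys `suboptions:` and the type `str`, and the hunk removes `type: list` without adding `elements: dict`. I would keep `type: list`, add `elements: dict`, rename `options:` to `suboptions:`, and set `required: true` and `type: str` on `ip_address` so the generated docs match what the module enforces.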
@@ -128,6 +135,20 @@ def gen_args(forwarders, forwardpolicy, skip_overlap_check):
     return _args
 
 
+def forwarder_list(forwarders):
+    """Convert the forwarder dict into a list compatible with IPA API."""
+    if forwarders is None:
+        return None
+    fwd_list = []
+    for forwarder in forwarders:
+        if forwarder.get('port', None) is not None:
+            formatter = "{ip_address} port {port}"
+        else:
+            formatter = "{ip_address}"
+        fwd_list.append(formatter.format(**forwarder))
+    return fwd_list
+
+
 def main():
     ansible_module = AnsibleModule(
         argument_spec=dict(
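Review bot: `forwarder_list` formats `ip_address` into the IPA forwarder string without checking it, so any text, including embedded whitespace or a literal ` port N` suffix, is passed through unchanged, and `port` is accepted for any integer (0, negative, above 65535). Whether the IPA server rejects such values is not visible here. Validating both fields at the module boundary gives the user a clear error and keeps the later set arithmetic on forwarder strings predictable. The docstring could also state the two output forms, `"<ip_address>"` and `"<ip_address> port <port>"`.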
@@ -136,8 +157,13 @@ def main():
             ipaadmin_password=dict(type="str", required=False, no_log=True),
             name=dict(type="list", aliases=["cn"], default=None,
                       required=True),
-            forwarders=dict(type='list', aliases=["idnsforwarders"],
-                            required=False),
+            forwarders=dict(type="list", default=None, required=False,
+                            aliases=["idnsforwarders"], elements='dict',
+                            options=dict(
+                                 ip_address=dict(type='str', required=True),
+                                 port=dict(type='int', required=False,
+                                           default=None),
+                            )),
             forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"],
                                required=False,
                                choices=['only', 'first', 'none']),
@@ -160,7 +186,8 @@ def main():
                                           "ipaadmin_password")
     names = module_params_get(ansible_module, "name")
     action = module_params_get(ansible_module, "action")
-    forwarders = module_params_get(ansible_module, "forwarders")
+    forwarders = forwarder_list(
+        module_params_get(ansible_module, "forwarders"))
     forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
     skip_overlap_check = module_params_get(ansible_module,
                                            "skip_overlap_check")
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
index d94db9e5..468cd4ce 100644
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -5,7 +5,7 @@
   gather_facts: false
 
   tasks:
-  - name: ensure test forwardzones are absent - prep
+  - name: ensure test forwardzones are absent
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name:
@@ -19,7 +19,7 @@
       state: present
       name: example.com
       forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
       forwardpolicy: first
       skip_overlap_check: true
     register: result
@@ -31,7 +31,7 @@
       state: present
       name: example.com
       forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
       forwardpolicy: first
       skip_overlap_check: true
     register: result
@@ -43,19 +43,22 @@
       state: present
       name: example.com
       forwarders:
-        - 8.8.8.8
-        - 4.4.4.4
+        - ip_address: 8.8.8.8
+        - ip_address: 4.4.4.4
+          port: 8053
       forwardpolicy: first
       skip_overlap_check: true
     register: result
     failed_when: not result.changed
 
+  - pause:
+
   - name: ensure forwardzone example.com has one forwarder again
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name: example.com
       forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
       forwardpolicy: first
       skip_overlap_check: true
       state: present
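Review bot: The bare `- pause:` task added between the two-forwarder and one-forwarder tests waits for a key press when a terminal is attached, which stalls an otherwise unattended test run. It has no `name` and no `seconds:`, so it looks like a debugging leftover. I would drop the two added lines, or replace them with a named task using `pause:` with `seconds:` if a delay is really needed.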
@@ -67,7 +70,7 @@
       ipaadmin_password: SomeADMINpassword
       name: example.com
       forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
       forwardpolicy: first
       skip_overlap_check: false
       state: present
@@ -80,8 +83,9 @@
       state: present
       name: example.com
       forwarders:
-        - 8.8.8.8
-        - 4.4.4.4
+        - ip_address: 8.8.8.8
+        - ip_address: 4.4.4.4
+          port: 8053
       forwardpolicy: only
       skip_overlap_check: false
     register: result
@@ -100,7 +104,7 @@
       name: example.com
       skip_overlap_check: true
       forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
     register: result
     failed_when: not result.changed
 
@@ -110,7 +114,8 @@
       state: present
       name: example.com
       forwarders:
-        - 4.4.4.4
+        - ip_address: 4.4.4.4
+          port: 8053
       action: member
     register: result
     failed_when: not result.changed
@@ -121,8 +126,9 @@
       state: present
       name: example.com
       forwarders:
-        - 4.4.4.4
-        - 8.8.8.8
+        - ip_address: 4.4.4.4
+          port: 8053
+        - ip_address: 8.8.8.8
       action: member
     register: result
     failed_when: result.changed
@@ -133,7 +139,7 @@
       state: absent
       name: example.com
       forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
       action: member
     register: result
     failed_when: not result.changed
@@ -144,7 +150,8 @@
       state: present
       name: example.com
       forwarders:
-        - 4.4.4.4
+        - ip_address: 4.4.4.4
+          port: 8053
       action: member
     register: result
     failed_when: result.changed
@@ -161,7 +168,8 @@
       state: present
       name: example.com
       forwarders:
-        - 4.4.4.4
+        - ip_address: 4.4.4.4
+          port: 8053
       action: member
       skip_overlap_check: true
     register: result
@@ -179,7 +187,8 @@
       state: disabled
       name: example.com
       forwarders:
-        - 4.4.4.4
+        - ip_address: 4.4.4.4
+          port: 8053
       skip_overlap_check: true
     register: result
     failed_when: not result.changed
From bf864469a1da81c6b23e9726562b21408764ac8f Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 15 Jun 2020 20:42:23 -0300
Subject: [PATCH] Add support for attribute `permission` on dnsforwardzone
 module.

Adds the missing attribute `permission` to the dnsforwardzone module, which
enables setting `managedby` for the DNS Forward Zone.
---
 README-dnsforwardzone.md                     |   1 +
 plugins/modules/ipadnsforwardzone.py         |  71 ++++++++----
 tests/dnsforwardzone/test_dnsforwardzone.yml | 110 +++++++++++++++----
 3 files changed, 136 insertions(+), 46 deletions(-)

diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
index 15b2b574..175e6f8b 100644
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -104,6 +104,7 @@ Variable | Description | Required
 &nbsp; | `port`: The forwarder IP port. | no
 `forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
+`permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
 
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
index 8e5c3464..a729197b 100644
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -75,6 +75,11 @@
     - Force DNS zone creation even if it will overlap with an existing zone.
     required: false
     default: false
+  permission:
+    description:
+    - Allow DNS Forward Zone to be managed.
+    required: false
+    type: bool
 '''
 
 EXAMPLES = '''
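Review bot: The documentation entry for `permission` leaves out the `managedby` alias that the argument_spec hunk in this same file adds with `aliases=['managedby']`. The description also does not say what `true` and `false` each do to the zone, which matters for a setting that controls who may manage it. Suggested additions: `aliases: ["managedby"]` and a second description line stating the effect of each value.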
@@ -168,6 +173,8 @@ def main():
                                required=False,
                                choices=['only', 'first', 'none']),
             skip_overlap_check=dict(type='bool', required=False),
+            permission=dict(type='bool', required=False,
+                            aliases=['managedby']),
             action=dict(type="str", default="dnsforwardzone",
                         choices=["member", "dnsforwardzone"]),
             # state
@@ -191,6 +198,7 @@ def main():
     forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
     skip_overlap_check = module_params_get(ansible_module,
                                            "skip_overlap_check")
+    permission = module_params_get(ansible_module, "permission")
     state = module_params_get(ansible_module, "state")
 
     if state == 'present' and len(names) != 1:
@@ -215,7 +223,9 @@ def main():
         wants_enable = True
 
     if operation == "del":
-        invalid = ["forwarders", "forwardpolicy", "skip_overlap_check"]
+        invalid = [
+            "forwarders", "forwardpolicy", "skip_overlap_check", "permission"
+        ]
         for x in invalid:
             if vars()[x] is not None:
                 ansible_module.fail_json(
@@ -241,6 +251,9 @@ def main():
         api_connect()
 
         for name in names:
+            commands = []
+            command = None
+
             # Make sure forwardzone exists
             existing_resource = find_dnsforwardzone(ansible_module, name)
 
@@ -249,6 +262,18 @@ def main():
                 if existing_resource is None and not forwarders:
                     ansible_module.fail_json(msg='No forwarders specified.')
 
+            if existing_resource is not None:
+                if state != "absent":
+                    if forwarders:
+                        forwarders = list(
+                            set(existing_resource["idnsforwarders"]
+                                + forwarders))
+                else:
+                    if forwarders:
+                        forwarders = list(
+                            set(existing_resource["idnsforwarders"])
+                            - set(forwarders))
+
             if existing_resource is None and operation == "update":
                 # does not exist and is updating
                 # trying to update something that doesn't exist, so error
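Review bot: The merge with `existing_resource["idnsforwarders"]` now runs for every existing zone whenever `forwarders` is set, not only in the `update` branch it was moved out of. For a plain `state: present` (operation `add`, as far as the visible branches show) the requested list is therefore unioned with the current one, so a task can apparently no longer shrink a zone's forwarders by listing fewer of them. The block also still overwrites `forwarders` inside the per-name loop, so a later name sees the earlier zone's result. Guarding it with `if existing_resource is not None and operation == "update":` would keep the previous semantics; the rest of main() is outside this hunk.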
@@ -256,20 +281,17 @@ def main():
                                                          valid""" % (name))
             elif existing_resource is None and operation == "del":
                 # does not exists and should be absent
-                # set command
-                command = None
                 # enabled or disabled?
                 is_enabled = "IGNORE"
             elif existing_resource is not None and operation == "del":
                 # exists but should be absent
                 # set command
                 command = "dnsforwardzone_del"
+                args = {}
                 # enabled or disabled?
                 is_enabled = "IGNORE"
             elif forwarders is None:
                 # forwarders are not defined its not a delete, update state?
-                # set command
-                command = None
                 # enabled or disabled?
                 if existing_resource is not None:
                     is_enabled = existing_resource["idnszoneactive"][0]
@@ -278,23 +300,13 @@ def main():
             elif existing_resource is not None and operation == "update":
                 # exists and is updating
                 # calculate the new forwarders and mod
-                # determine args
-                if state != "absent":
-                    forwarders = list(set(existing_resource["idnsforwarders"]
-                                          + forwarders))
-                else:
-                    forwarders = list(set(existing_resource["idnsforwarders"])
-                                      - set(forwarders))
-                args = gen_args(forwarders, forwardpolicy,
-                                skip_overlap_check)
-                if skip_overlap_check is not None:
+                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
+                if "skip_overlap_check" in args:
                     del args['skip_overlap_check']
 
                 # command
                 if not compare_args_ipa(ansible_module, args, existing_resource):
                     command = "dnsforwardzone_mod"
-                else:
-                    command = None
 
                 # enabled or disabled?
                 is_enabled = existing_resource["idnszoneactive"][0]
@@ -313,21 +325,36 @@ def main():
                 # exists and should be present, has it changed?
                 # determine args
                 args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
-                if skip_overlap_check is not None:
+                if 'skip_overlap_check' in args:
                     del args['skip_overlap_check']
 
                 # set command
                 if not compare_args_ipa(ansible_module, args, existing_resource):
                     command = "dnsforwardzone_mod"
-                else:
-                    command = None
 
                 # enabled or disabled?
                 is_enabled = existing_resource["idnszoneactive"][0]
 
-            # if command is set then run it with the args
+            # if command is set...
             if command is not None:
-                api_command(ansible_module, command, name, args)
+                commands.append([name, command, args])
+
+            if permission is not None:
+                if existing_resource is None:
+                    managedby = None
+                else:
+                    managedby = existing_resource.get('managedby', None)
+                if permission and managedby is None:
+                    commands.append(
+                        [name, 'dnsforwardzone_add_permission', {}]
+                    )
+                elif not permission and managedby is not None:
+                    commands.append(
+                        [name, 'dnsforwardzone_remove_permission', {}]
+                    )
+
+            for name, command, args in commands:
+                result = api_command(ansible_module, command, name, args)
                 changed = True
 
             # does the enabled state match what we want (if we care)
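Review bot: The new `for name, command, args in commands:` loop rebinds the outer loop variable `name` and the per-zone `command`/`args`, and the enable/disable check that follows it still reads `name`. It works only because every queued entry carries the same zone name, which is easy to break once a command for another object is queued. Distinct names avoid that: `for zone, cmd, cmd_args in commands:` with `api_command(ansible_module, cmd, zone, cmd_args)`. The `result` assigned from `api_command` is not used anywhere in this hunk and can be dropped. The enclosing `for name in names:` body continues outside the hunk.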
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
index 468cd4ce..0386bd48 100644
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -51,8 +51,6 @@
     register: result
     failed_when: not result.changed
 
-  - pause:
-
   - name: ensure forwardzone example.com has one forwarder again
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
@@ -63,7 +61,7 @@
       skip_overlap_check: true
       state: present
     register: result
-    failed_when: not result.changed
+    failed_when: result.changed
 
   - name: skip_overlap_check can only be set on creation so change nothing
     ipadnsforwardzone:
@@ -77,6 +75,22 @@
     register: result
     failed_when: result.changed
 
+  - name: ensure forwardzone example.com is absent.
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: absent
+    register: result
+    failed_when: not result.changed
+
+  - name: ensure forwardzone example.com is absent, again.
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: absent
+    register: result
+    failed_when: result.changed
+
   - name: change all the things at once
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
@@ -87,11 +101,12 @@
         - ip_address: 4.4.4.4
           port: 8053
       forwardpolicy: only
-      skip_overlap_check: false
+      skip_overlap_check: true
+      permission: yes
     register: result
     failed_when: not result.changed
 
-  - name: ensure forwardzone example.com is absent for next testset
+  - name: ensure forwardzone example.com is absent.
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name: example.com
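Review bot: `permission: yes` relies on YAML 1.1 truthy parsing, while the line added directly above it writes `skip_overlap_check: true`. The two spellings sit side by side in the same task. Writing `permission: true` keeps the file on one boolean form and passes yamllint's `truthy` rule. The same applies to `permission: yes` and `permission: no` in the permission tasks added in the next hunk, and to `skip_overlap_check: yes` in the hunk after that.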
@@ -156,43 +171,58 @@
     register: result
     failed_when: result.changed
 
-  - name: ensure forwardzone example.com is absent again
+  - name: Add a permission for per-forward zone access delegation.
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name: example.com
-      state: absent
+      permission: yes
+      action: member
+    register: result
+    failed_when: not result.changed
 
-  - name: try to create a new forwarder with action=member
+  - name: Add a permission for per-forward zone access delegation, again.
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
-      state: present
       name: example.com
-      forwarders:
-        - ip_address: 4.4.4.4
-          port: 8053
+      permission: yes
       action: member
-      skip_overlap_check: true
     register: result
     failed_when: result.changed
 
-  - name: ensure forwardzone example.com is absent - tidy up
+  - name: Remove a permission for per-forward zone access delegation.
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name: example.com
-      state: absent
+      permission: no
+      action: member
+    register: result
+    failed_when: not result.changed
 
-  - name: try to create a new forwarder is disabled state
+  - name: Remove a permission for per-forward zone access delegation, again.
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
-      state: disabled
       name: example.com
-      forwarders:
-        - ip_address: 4.4.4.4
-          port: 8053
-      skip_overlap_check: true
+      permission: no
+      action: member
+    register: result
+    failed_when: result.changed
+
+  - name: disable the forwarder
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: disabled
     register: result
     failed_when: not result.changed
 
+  - name: disable the forwarder again
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: disabled
+    register: result
+    failed_when: result.changed
+
   - name: enable the forwarder
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
@@ -201,12 +231,42 @@
     register: result
     failed_when: not result.changed
 
-  - name: disable the forwarder again
+  - name: enable the forwarder, again
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name: example.com
-      state: disabled
+      state: enabled
+    register: result
+    failed_when: result.changed
+
+  - name: ensure forwardzone example.com is absent again
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      state: absent
+
+  - name: try to create a new forwarder with action=member
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: present
+      name: example.com
+      forwarders:
+        - ip_address: 4.4.4.4
+          port: 8053
       action: member
+      skip_overlap_check: true
+    register: result
+    failed_when: result.changed
+
+  - name: try to create a new forwarder with disabled state
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: disabled
+      name: example.com
+      forwarders:
+        - ip_address: 4.4.4.4
+          port: 8053
+      skip_overlap_check: yes
     register: result
     failed_when: not result.changed
 
@@ -228,5 +288,7 @@
   - name: ensure forwardzone example.com is absent - tidy up
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
-      name: example.com
+      name:
+      - example.com
+      - newfailzone.com
       state: absent
From 857fb82eb9141a44ffb91331653e1c30b43f671e Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 15 Jun 2020 23:40:35 -0300
Subject: [PATCH] Allows modification of forward policy in existing DNS Forward
 Zone.

This patch allows the modification of the forward zone policy in
an existing DNS Forward Zone, and fixes some issues with `enable`
and `disable` state that prevented correct behavior of `forwardpolicy`.
---
 plugins/modules/ipadnsforwardzone.py         | 154 ++++++++++---------
 tests/dnsforwardzone/test_dnsforwardzone.yml |  32 ++--
 2 files changed, 97 insertions(+), 89 deletions(-)

diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
index a729197b..1f1e85ec 100644
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -217,10 +217,20 @@ def main():
     else:
         operation = "add"
 
-    if state == "disabled":
-        wants_enable = False
-    else:
-        wants_enable = True
+    if state in ["enabled", "disabled"]:
+        if action == "member":
+            ansible_module.fail_json(
+                msg="Action `member` cannot be used with state `%s`"
+                    % (state))
+        invalid = [
+            "forwarders", "forwardpolicy", "skip_overlap_check", "permission"
+        ]
+        for x in invalid:
+            if vars()[x] is not None:
+                ansible_module.fail_json(
+                    msg="Argument '%s' can not be used with action "
+                    "'%s', state `%s`" % (x, action, state))
+        wants_enable = (state == "enabled")
 
     if operation == "del":
         invalid = [
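Review bot: `wants_enable` is now bound only when `state` is `enabled` or `disabled`. In the loop hunk further down `is_enabled` is likewise assigned only under that condition, while `if is_enabled != "IGNORE":` reads it for every state. Unless both names are initialised in lines outside these hunks, a `present` or `absent` run would raise UnboundLocalError, which the `except Exception` at the end of `main()` would report as a generic module failure. Binding them unconditionally removes the dependency on distant code: `wants_enable = (state == "enabled")` outside the `if`, and `is_enabled = "IGNORE"` at the top of the loop body.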
@@ -230,7 +240,7 @@ def main():
             if vars()[x] is not None:
                 ansible_module.fail_json(
                     msg="Argument '%s' can not be used with action "
-                    "'%s'" % (x, action))
+                    "'%s', state `%s`" % (x, action, state))
 
     changed = False
     exit_args = {}
@@ -262,7 +272,27 @@ def main():
                 if existing_resource is None and not forwarders:
                     ansible_module.fail_json(msg='No forwarders specified.')
 
-            if existing_resource is not None:
+            if existing_resource is None:
+                if operation == "add":
+                    # does not exist but should be present
+                    # determine args
+                    args = gen_args(forwarders, forwardpolicy,
+                                    skip_overlap_check)
+                    # set command
+                    command = "dnsforwardzone_add"
+                    # enabled or disabled?
+
+                elif operation == "update":
+                    # does not exist and is updating
+                    # trying to update something that doesn't exist, so error
+                    ansible_module.fail_json(
+                        msg="dnsforwardzone '%s' not found." % (name))
+
+                elif operation == "del":
+                    # there's nothnig to do.
+                    continue
+
+            else:   # existing_resource is not None
                 if state != "absent":
                     if forwarders:
                         forwarders = list(
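Review bot: Two comments in the new `existing_resource is None` branch need fixing. `# there's nothnig to do.` has a typo and would read better as `# zone is already absent, nothing to delete`. The `# enabled or disabled?` line under `command = "dnsforwardzone_add"` is left over from the removed `is_enabled = "TRUE"` assignment and now describes nothing, so it should be deleted. The `continue` also skips the permission handling and command loop for that name; a short comment saying this is intended would help the next reader. The loop body continues outside this hunk.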
@@ -274,66 +304,51 @@ def main():
                             set(existing_resource["idnsforwarders"])
                             - set(forwarders))
 
-            if existing_resource is None and operation == "update":
-                # does not exist and is updating
-                # trying to update something that doesn't exist, so error
-                ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
-                                                         valid""" % (name))
-            elif existing_resource is None and operation == "del":
-                # does not exists and should be absent
-                # enabled or disabled?
-                is_enabled = "IGNORE"
-            elif existing_resource is not None and operation == "del":
-                # exists but should be absent
-                # set command
-                command = "dnsforwardzone_del"
-                args = {}
-                # enabled or disabled?
-                is_enabled = "IGNORE"
-            elif forwarders is None:
-                # forwarders are not defined its not a delete, update state?
-                # enabled or disabled?
+                if operation == "add":
+                    # exists and should be present, has it changed?
+                    # determine args
+                    args = gen_args(
+                        forwarders, forwardpolicy, skip_overlap_check)
+                    if 'skip_overlap_check' in args:
+                        del args['skip_overlap_check']
+
+                    # set command
+                    if not compare_args_ipa(
+                            ansible_module, args, existing_resource):
+                        command = "dnsforwardzone_mod"
+
+                elif operation == "del":
+                    # exists but should be absent
+                    # set command
+                    command = "dnsforwardzone_del"
+                    args = {}
+
+                elif operation == "update":
+                    # exists and is updating
+                    # calculate the new forwarders and mod
+                    args = gen_args(
+                        forwarders, forwardpolicy, skip_overlap_check)
+                    if "skip_overlap_check" in args:
+                        del args['skip_overlap_check']
+
+                    # command
+                    if not compare_args_ipa(
+                            ansible_module, args, existing_resource):
+                        command = "dnsforwardzone_mod"
+
+            if state in ['enabled', 'disabled']:
                 if existing_resource is not None:
                     is_enabled = existing_resource["idnszoneactive"][0]
                 else:
-                    is_enabled = "IGNORE"
-            elif existing_resource is not None and operation == "update":
-                # exists and is updating
-                # calculate the new forwarders and mod
-                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
-                if "skip_overlap_check" in args:
-                    del args['skip_overlap_check']
-
-                # command
-                if not compare_args_ipa(ansible_module, args, existing_resource):
-                    command = "dnsforwardzone_mod"
-
-                # enabled or disabled?
-                is_enabled = existing_resource["idnszoneactive"][0]
-
-            elif existing_resource is None and operation == "add":
-                # does not exist but should be present
-                # determine args
-                args = gen_args(forwarders, forwardpolicy,
-                                skip_overlap_check)
-                # set command
-                command = "dnsforwardzone_add"
-                # enabled or disabled?
-                is_enabled = "TRUE"
-
-            elif existing_resource is not None and operation == "add":
-                # exists and should be present, has it changed?
-                # determine args
-                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
-                if 'skip_overlap_check' in args:
-                    del args['skip_overlap_check']
-
-                # set command
-                if not compare_args_ipa(ansible_module, args, existing_resource):
-                    command = "dnsforwardzone_mod"
-
-                # enabled or disabled?
-                is_enabled = existing_resource["idnszoneactive"][0]
+                    ansible_module.fail_json(
+                        msg="dnsforwardzone '%s' not found." % (name))
+
+            # does the enabled state match what we want (if we care)
+            if is_enabled != "IGNORE":
+                if wants_enable and is_enabled != "TRUE":
+                    commands.append([name, "dnsforwardzone_enable", {}])
+                elif not wants_enable and is_enabled != "FALSE":
+                    commands.append([name, "dnsforwardzone_disable", {}])
 
             # if command is set...
             if command is not None:
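Review bot: The `operation == "add"` and `operation == "update"` branches for an existing zone are line-for-line the same apart from their comments, so any later fix has to be made in both places. They can share one branch, `if operation in ("add", "update"):`, followed by the existing `elif operation == "del":`. The key removal is shorter as `args.pop("skip_overlap_check", None)`. The enclosing loop begins outside this hunk.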
@@ -354,20 +369,9 @@ def main():
                     )
 
             for name, command, args in commands:
-                result = api_command(ansible_module, command, name, args)
+                api_command(ansible_module, command, name, args)
                 changed = True
 
-            # does the enabled state match what we want (if we care)
-            if is_enabled != "IGNORE":
-                if wants_enable and is_enabled != "TRUE":
-                    api_command(ansible_module, "dnsforwardzone_enable",
-                                name, {})
-                    changed = True
-                elif not wants_enable and is_enabled != "FALSE":
-                    api_command(ansible_module, "dnsforwardzone_disable",
-                                name, {})
-                    changed = True
-
     except Exception as e:
         ansible_module.fail_json(msg=str(e))
 
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
index 0386bd48..223cf3d0 100644
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -106,6 +106,22 @@
     register: result
     failed_when: not result.changed
 
+  - name: change zone forward policy
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwardpolicy: first
+    register: result
+    failed_when: not result.changed
+
+  - name: change zone forward policy, again
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwardpolicy: first
+    register: result
+    failed_when: result.changed
+
   - name: ensure forwardzone example.com is absent.
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
@@ -256,27 +272,15 @@
       action: member
       skip_overlap_check: true
     register: result
-    failed_when: result.changed
+    failed_when: not result.failed or "not found" not in result.msg
 
   - name: try to create a new forwarder with disabled state
-    ipadnsforwardzone:
-      ipaadmin_password: SomeADMINpassword
-      state: disabled
-      name: example.com
-      forwarders:
-        - ip_address: 4.4.4.4
-          port: 8053
-      skip_overlap_check: yes
-    register: result
-    failed_when: not result.changed
-
-  - name: ensure it stays disabled
     ipadnsforwardzone:
       ipaadmin_password: SomeADMINpassword
       name: example.com
       state: disabled
     register: result
-    failed_when: result.changed
+    failed_when: not result.failed or "not found" not in result.msg
 
   - name: Ensure forwardzone is not added without forwarders, with correct message.
     ipadnsforwardzone:
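Review bot: The task name `try to create a new forwarder with disabled state` no longer describes the task. After this change it passes no `forwarders` and asserts that the module fails with "not found" in the message. A name that matches the assertion, such as `- name: disabling a missing forwardzone must fail`, keeps test output readable when this step breaks. The task presumably relies on the zone having been removed by an earlier task outside this hunk; a one-line comment stating that precondition would make the expectation explicit.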
From 8da6a6937919d0c390b870113fb557649c39c815 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 26 Jun 2020 11:28:15 -0300
Subject: [PATCH] Change password values in README to keep consistency with
 other modules.

---
 README-dnsforwardzone.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
index 175e6f8b..32de7bfe 100644
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -49,7 +49,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
   tasks:
   - name: ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -59,13 +59,13 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 
   - name: ensure the forward zone is disabled
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: disabled
 
   - name: ensure presence of multiple upstream DNS servers for example.com
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -74,7 +74,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 
   - name: ensure presence of another forwarder to any existing ones for example.com
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -83,7 +83,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 
   - name: ensure the forwarder for example.com does not exists (delete it if needed)
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
 ```