diff --git a/README-vault.md b/README-vault.md
index 9c0c833c4a9e5454cadcc778e2d8c6c5a84a0bd1..5ea3d8f259779effdd41a82e09cae4fddd25fffe 100644
--- a/README-vault.md
+++ b/README-vault.md
@@ -186,6 +186,7 @@ Variable | Description | Required
 `shared` | Vault is shared. Default to false. (bool) | no
 `users` | Users that are members of the vault. | no
 `groups` | Groups that are member of the vault. | no
+`services` | Services that are member of the vault. | no
 `vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
 `action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
index d102202e8195e00cb7a081de6b9429ae9c3d72c2..d3d6db0f76ccceab846dcdbe9d57f5089a4a3456 100644
--- a/plugins/modules/ipavault.py
+++ b/plugins/modules/ipavault.py
@@ -96,6 +96,10 @@ options:
 description: Groups that are member of the container.
 required: false
 type: list
+ services:
+ description: Services that are member of the container.
+ required: false
+ type: list
 action:
 description: Work on vault or member level.
 default: vault
@@ -284,7 +288,7 @@ def gen_args(description, username, service, shared, vault_type, salt,
 return _args
-def gen_member_args(args, users, groups):
+def gen_member_args(args, users, groups, services):
 _args = args.copy()
 for arg in ['ipavaulttype', 'description', 'ipavaultpublickey',
@@ -292,8 +296,12 @@ def gen_member_args(args, users, groups):
 if arg in _args:
 del _args[arg]
- _args['user'] = users
- _args['group'] = groups
+ if users is not None:
+ _args['user'] = users
+ if groups is not None:
+ _args['group'] = groups
+ if services is not None:
+ _args['services'] = services
 return _args
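Review bot: The DOCUMENTATION block gains a `services` entry, but `ownerservices` and the `ownerusers` alias on `owners`, both introduced in this commit's argument spec, get no entry here, and the README hunk likewise adds only a `services` row; unless they are covered in a part of the DOCUMENTATION block outside this hunk, both are invisible to users. The `services` description should also set it apart from the singular `service` parameter, which from the `username, service, shared` signature appears to select a service vault rather than name members, since a one-letter slip silently changes which vault is addressed: `description: Services that are members of the container (not the singular 'service', which selects a service vault).` An `ownerservices` entry mirroring this one, with `description: Services that are owners of the container.`, belongs next to the `ownergroups` entry outside this hunk.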
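Review bot: `gen_member_args` now sends `services` (plural) as the API key while `users`/`groups` map to the singular `user`/`group`, and later in this patch the find result is read under the singular `member_service`; if that asymmetry is FreeIPA's own naming it deserves a why-comment, because as written it reads like a typo waiting to be "fixed": `# NOTE: the vault member/owner API option is 'services' (plural), unlike 'user'/'group'`. The function also has no docstring; a one-liner such as `"""Return a copy of *args* for a member/owner call: vault-definition keys are dropped and only the member lists that were given (not None) are added."""` would document the new None-gating, under which an explicit empty list is still sent. The strip list inside the loop lies between the two hunks and is outside this view.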
@@ -317,8 +325,9 @@ def data_storage_args(args, data, password):
 def check_parameters(module, state, action, description, username, service,
- shared, users, groups, owners, ownergroups, vault_type,
- salt, password, public_key, vault_data):
+ shared, users, groups, services, owners, ownergroups,
+ ownerservices, vault_type, salt, password, public_key,
+ vault_data):
 invalid = []
 if state == "present":
 if action == "member":
@@ -334,8 +343,9 @@ def check_parameters(module, state, action, description, username, service,
 invalid = ['description', 'salt']
 if action == "vault":
- invalid.extend(['users', 'groups', 'owners', 'ownergroups',
- 'password', 'public_key'])
+ invalid.extend(['users', 'groups', 'services', 'owners',
+ 'ownergroups', 'ownerservices', 'password',
+ 'public_key'])
 for arg in invalid:
 if vars()[arg] is not None:
@@ -386,9 +396,11 @@ def main():
 users=dict(required=False, type='list', default=None),
 groups=dict(required=False, type='list', default=None),
- owners=dict(required=False, type='list', default=None),
+ services=dict(required=False, type='list', default=None),
+ owners=dict(required=False, type='list', default=None,
+ aliases=['ownerusers']),
 ownergroups=dict(required=False, type='list', default=None),
-
+ ownerservices=dict(required=False, type='list', default=None),
 vault_data=dict(type="str", required=False, default=None,
 aliases=['ipavaultdata']),
 vault_password=dict(type="str", required=False, default=None,
@@ -422,8 +434,10 @@ def main():
 users = module_params_get(ansible_module, "users")
 groups = module_params_get(ansible_module, "groups")
+ services = module_params_get(ansible_module, "services")
 owners = module_params_get(ansible_module, "owners")
 ownergroups = module_params_get(ansible_module, "ownergroups")
+ ownerservices = module_params_get(ansible_module, "ownerservices")
 vault_type = module_params_get(ansible_module, "vault_type")
 salt = module_params_get(ansible_module, "vault_salt")
@@ -451,8 +465,9 @@ def main():
 ansible_module.fail_json(msg="Invalid state '%s'" % state)
 check_parameters(ansible_module, state, action, description, username,
- service, shared, users, groups, owners, ownergroups,
- vault_type, salt, password, public_key, vault_data)
+ service, shared, users, groups, services, owners,
+ ownergroups, ownerservices, vault_type, salt, password,
+ public_key, vault_data)
 # Init
 changed = False
@@ -520,48 +535,54 @@ def main(): group_add, group_del = \ gen_add_del_lists(groups, res_find.get('member_group', [])) + service_add, service_del = \ + gen_add_del_lists(services, + res_find.get('member_service', [])) + owner_add, owner_del = \ gen_add_del_lists(owners, res_find.get('owner_user', [])) + ownergroups_add, ownergroups_del = \ gen_add_del_lists(ownergroups, res_find.get('owner_group', [])) + ownerservice_add, ownerservice_del = \ + gen_add_del_lists(ownerservices, + res_find.get('owner_service', [])) + # Add users and groups - if len(user_add) > 0 or len(group_add) > 0: - user_add_args = gen_member_args(args, user_add, - group_add) - commands.append([name, 'vault_add_member', - user_add_args]) + user_add_args = gen_member_args(args, user_add, + group_add, service_add) + commands.append([name, 'vault_add_member', user_add_args]) # Remove users and groups - if len(user_del) > 0 or len(group_del) > 0: - user_del_args = gen_member_args(args, user_del, - group_del) - commands.append([name, 'vault_remove_member', - user_del_args]) + user_del_args = gen_member_args(args, user_del, + group_del, service_del) + commands.append( + [name, 'vault_remove_member', user_del_args]) # Add owner users and groups - if len(user_add) > 0 or len(group_add) > 0: - owner_add_args = gen_member_args(args, owner_add, - ownergroups_add) - commands.append([name, 'vault_add_owner', - owner_add_args]) + owner_add_args = gen_member_args( + args, owner_add, ownergroups_add, ownerservice_add) + commands.append( + [name, 'vault_add_owner', owner_add_args]) # Remove owner users and groups - if len(user_del) > 0 or len(group_del) > 0: - owner_del_args = gen_member_args(args, owner_del, - ownergroups_del) - commands.append([name, 'vault_remove_owner', - owner_del_args]) + owner_del_args = gen_member_args( + args, owner_del, ownergroups_del, ownerservice_del) + commands.append( + [name, 'vault_remove_owner', owner_del_args]) elif action in "member": # Add users and groups - if users is not 
None or groups is not None: - user_args = gen_member_args(args, users, groups) + if any([users, groups, services]): + user_args = gen_member_args(args, users, groups, + services) commands.append([name, 'vault_add_member', user_args]) - if owners is not None or ownergroups is not None: - owner_args = gen_member_args(args, owners, ownergroups) + if any([owners, ownergroups, ownerservices]): + owner_args = gen_member_args(args, owners, ownergroups, + ownerservices) commands.append([name, 'vault_add_owner', owner_args]) if vault_data is not None: @@ -579,15 +600,17 @@ def main(): elif action == "member": # remove users and groups - if users is not None or groups is not None: - user_args = gen_member_args(args, users, groups) - commands.append([name, 'vault_remove_member', - user_args]) - - if owners is not None or ownergroups is not None: - owner_args = gen_member_args(args, owners, ownergroups) - commands.append([name, 'vault_remove_owner', - owner_args]) + if any([users, groups, services]): + user_args = gen_member_args( + args, users, groups, services) + commands.append( + [name, 'vault_remove_member', user_args]) + + if any([owners, ownergroups, ownerservices]): + owner_args = gen_member_args( + args, owners, ownergroups, ownerservices) + commands.append( + [name, 'vault_remove_owner', owner_args]) else: ansible_module.fail_json( msg="Invalid action '%s' for state '%s'" % diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml index 5b467f61f9e10069563ad9297f3341fb59757eca..86e6e6d013630d0341892410b6b1b44939184818 100644 --- a/tests/vault/test_vault.yml +++ b/tests/vault/test_vault.yml 
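Review bot: The four `commands.append(...)` calls in the `action == "vault"` branch are now unconditional, so every run against an existing vault queues `vault_add_member`, `vault_remove_member`, `vault_add_owner` and `vault_remove_owner` even when every add/del list is empty (the removed `len(user_add) > 0` guards show `gen_add_del_lists` returns sized lists, so `gen_member_args` will send `user=[]` and friends). Whether that stays idempotent depends on how the command loop outside this hunk derives `changed` from a call that modified nothing; at minimum it is four extra privileged API round-trips per run, and the removed owner guards tested `user_add`/`group_add` instead of the owner lists, which looks like the bug that motivated dropping them rather than a reason to. Re-adding the guards keyed on each call's own lists fixes both; the rewritten branch is below. `main()` continues on both sides of this hunk.

```python
# … unchanged: gen_add_del_lists() calls for users, groups, services, owners, ownergroups, ownerservices …

# Only queue a member/owner call when its own add/del lists are non-empty;
# the old guards gated the owner calls on the *member* lists by mistake.
if user_add or group_add or service_add:
    user_add_args = gen_member_args(args, user_add,
                                    group_add, service_add)
    commands.append([name, 'vault_add_member', user_add_args])

if user_del or group_del or service_del:
    user_del_args = gen_member_args(args, user_del,
                                    group_del, service_del)
    commands.append([name, 'vault_remove_member', user_del_args])

if owner_add or ownergroups_add or ownerservice_add:
    owner_add_args = gen_member_args(
        args, owner_add, ownergroups_add, ownerservice_add)
    commands.append([name, 'vault_add_owner', owner_add_args])

if owner_del or ownergroups_del or ownerservice_del:
    owner_del_args = gen_member_args(
        args, owner_del, ownergroups_del, ownerservice_del)
    commands.append([name, 'vault_remove_owner', owner_del_args])

# … unchanged: elif action in "member": branch …
```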
@@ -348,6 +348,48 @@ register: result failed_when: result.changed + - name: Ensure vault member service is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: not result.changed + + - name: Ensure vault member service is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: result.changed + + - name: Ensure vault member service is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member service is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + services: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: result.changed + - name: Ensure vault is absent. ipavault: ipaadmin_password: SomeADMINpassword 
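Review bot: The new cases reach `services` only through `action: member`, so the `action: vault` branch of the module, which diffs the requested list against `member_service` in the find result and removes members no longer listed, has no coverage here; a wrong result key on that path would pass these four tasks unnoticed. Adding, after the first present case, a task without `action:` that sets `services:` to a list omitting the HTTP principal and asserts `result.changed`, followed by the same task asserting `not result.changed`, would pin both the key and the removal path. The value is also given as a scalar string; Ansible coerces it for a `type: list` option, but writing it as a one-element YAML list matches the documented type.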
@@ -514,6 +556,90 @@ register: result failed_when: result.changed + - name: Ensure vaultgroup is owner of stdvault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownergroups: vaultgroup + action: member + register: result + failed_when: not result.changed + + - name: Ensure vaultgroup is owner of stdvault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownergroups: vaultgroup + action: member + register: result + failed_when: result.changed + + - name: Ensure vaultgroup is not owner of stdvault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownergroups: vaultgroup + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure vaultgroup is not owner of stdvault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownergroups: vaultgroup + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure vault is owned by HTTP service. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + action: member + register: result + failed_when: not result.changed + + - name: Ensure vault is owned by HTTP service, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + action: member + register: result + failed_when: result.changed + + - name: Ensure vault is not owned by HTTP service. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure vault is not owned by HTTP service, again. 
+ ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + ownerservices: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + action: member + register: result + failed_when: result.changed + - name: Ensure vault is absent. ipavault: ipaadmin_password: SomeADMINpassword
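Review bot: All `ownerservices` cases run against the user vault `stdvault` (`username: user01`), so the path where the vault is itself a service vault, selected by the singular `service:` and then also carrying `ownerservices:` or `services:` in the same call, is not exercised; given how easily those two names are confused in a playbook, one case on a service vault would be worth adding. The ownership assertions in this hunk rely solely on `result.changed`; nothing here reads the owner list back, so a call that reports a change without actually recording the owner would still pass. Both points apply equally to the `ownergroups` cases at the top of this hunk, which begins on the previous line.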