ipadnszone: Fix modification o SOA serial with other attributes.

Due to an issue with FreeIPA, when modifying the SOA serial attribute
along with other attributes, the value is ignored. In order to have
the value provided, the attribute is set is a later call to dnszone-mod
allowing it to retain the desired value.

Ref: https://pagure.io/freeipa/issue/8489

plugins/modules/ipadnszone.py

@@ -214,6 +214,7 @@ from ansible.module_utils.ansible_freeipa_module import (
     is_ipv6_addr,
     is_valid_port,
 )  # noqa: E402
+import ipalib.errors
 import netaddr
 import six
 
@@ -404,13 +405,14 @@ class DNSZoneModule(FreeIPABaseModule):
 
     def get_zone(self, zone_name):
         get_zone_args = {"idnsname": zone_name, "all": True}
-        response = self.api_command("dnszone_find", args=get_zone_args)
 
+        try:
+            response = self.api_command("dnszone_show", args=get_zone_args)
+        except ipalib.errors.NotFound:
             zone = None
             is_zone_active = False
-
-        if response["count"] == 1:
-            zone = response["result"][0]
+        else:
+            zone = response["result"]
             is_zone_active = zone.get("idnszoneactive") == ["TRUE"]
 
         return zone, is_zone_active
@@ -448,7 +450,10 @@ class DNSZoneModule(FreeIPABaseModule):
             # Look for existing zone in IPA
             zone, is_zone_active = self.get_zone(zone_name)
             args = self.get_ipa_command_args(zone=zone)
-            just_added = False
+            set_serial = self.ipa_params.serial is not None
+
+            if set_serial:
+                del args["idnssoaserial"]
 
             if self.ipa_params.state in ["present", "enabled", "disabled"]:
                 if not zone:
@@ -456,7 +461,7 @@ class DNSZoneModule(FreeIPABaseModule):
                     #   with given args
                     self.add_ipa_command("dnszone_add", zone_name, args)
                     is_zone_active = True
-                    just_added = True
+                    # just_added = True
 
                 else:
                     # Zone already exist so we need to verify if given args
@@ -470,16 +475,18 @@ class DNSZoneModule(FreeIPABaseModule):
             if self.ipa_params.state == "disabled" and is_zone_active:
                 self.add_ipa_command("dnszone_disable", zone_name)
 
-            if self.ipa_params.state == "absent":
-                if zone:
+            if self.ipa_params.state == "absent" and zone is not None:
                 self.add_ipa_command("dnszone_del", zone_name)
 
             # Due to a bug in FreeIPA dnszone-add won't set
-            #   SOA Serial. The good news is that dnszone-mod does the job.
-            # See: https://pagure.io/freeipa/issue/8227
-            # Because of that, if the zone was just added with a given serial
-            #   we run mod just after to workaround the bug
-            if just_added and self.ipa_params.serial is not None:
+            # SOA Serial in the creation of a zone, or if
+            # another field is modified along with it.
+            # As a workaround, we set only the SOA serial,
+            # with dnszone-mod, after other changes.
+            # See:
+            #   - https://pagure.io/freeipa/issue/8227
+            #   - https://pagure.io/freeipa/issue/8489
+            if set_serial:
                 args = {
                     "idnssoaserial": self.ipa_params.serial,
                 }

tests/dnszone/test_dnszone_mod.yml

@@ -11,6 +11,80 @@
     include_tasks: env_setup.yml
 
   # Tests
+  - name: Verify if zone can be created with a specific SOA serial.
+    block:
+    - name: Create zone with serial, refresh, retry and expire.
+      ipadnszone:
+        ipaadmin_password: SomeADMINpassword
+        name: testzone.local
+        serial: 4567
+        refresh: 70
+        retry: 89
+        expire: 200
+
+    - name: Verify zone was created with correct values.
+      shell: |
+         echo SomeADMINpassword | kinit -c {{ KRB5CCNAME }} admin
+         KRB5CCNAME={{ KRB5CCNAME }} ipa dnszone-show testzone.local
+         kdestroy -A -q -c {{ KRB5CCNAME }}
+      register: result
+      failed_when: |
+        result.failed or not (
+          "serial: 4567" in result.stdout
+          and "refresh: 70" in result.stdout
+          and "retry: 89" in result.stdout
+          and "expire: 200" in result.stdout
+        )
+
+    - name: Remove test zone.
+      ipadnszone:
+        ipaadmin_password: SomeADMINpassword
+        name: testzone.local
+        state: absent
+
+    vars:
+      KRB5CCNAME: verify_bz_1876896
+
+  - name: Verify if a zone can have the the SOA serial modified to a specific value.
+    block:
+    - name: Create zone.
+      ipadnszone:
+        ipaadmin_password: SomeADMINpassword
+        name: testzone.local
+        state: present
+
+    - name: Modify zone with serial, refresh, retry and expire.
+      ipadnszone:
+        ipaadmin_password: SomeADMINpassword
+        name: testzone.local
+        serial: 4567
+        refresh: 70
+        retry: 89
+        expire: 200
+
+    - name: Verify zone was modified to the correct values
+      shell: |
+         echo SomeADMINpassword | kinit -c {{ KRB5CCNAME }} admin
+         KRB5CCNAME={{ KRB5CCNAME }} ipa dnszone-show testzone.local
+         kdestroy -A -q -c {{ KRB5CCNAME }}
+      register: result
+      failed_when: |
+        result.failed or not (
+          "serial: 4567" in result.stdout
+          and "refresh: 70" in result.stdout
+          and "retry: 89" in result.stdout
+          and "expire: 200" in result.stdout
+        )
+
+    - name: Remove test zone.
+      ipadnszone:
+        ipaadmin_password: SomeADMINpassword
+        name: testzone.local
+        state: absent
+
+    vars:
+      KRB5CCNAME: verify_bz_1876896
+
   - name: Ensure zone is present.
     ipadnszone:
       ipaadmin_password: SomeADMINpassword