Allows modification of forward policy in existing DNS Forward Zone.

This patch allows the modification of the forward zone policy in an existing DNS Forward Zone, and fixes some issues with `enable` and `disable` state that prevented correct behavior of `forwardpolicy`.

Allows modification of forward policy in existing DNS Forward Zone.
857fb82e · Rafael Guterres Jeffman · bf864469 · 857fb82e · 857fb82e
Commit 857fb82e authored 5 years ago by Rafael Guterres Jeffman
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -217,10 +217,20 @@ def main():
    else:
        operation = "add"
-    if state == "disabled":
+    if state in ["enabled", "disabled"]:
-        wants_enable = False
+        if action == "member":
-    else:
+            ansible_module.fail_json(
-        wants_enable = True
+                msg="Action `member` cannot be used with state `%s`"
+                    % (state))
+        invalid = [
+            "forwarders", "forwardpolicy", "skip_overlap_check", "permission"
+        ]
+        for x in invalid:
+            if vars()[x] is not None:
+                ansible_module.fail_json(
+                    msg="Argument '%s' can not be used with action "
+                    "'%s', state `%s`" % (x, action, state))
+        wants_enable = (state == "enabled")
    if operation == "del":
        invalid = [
@@ -230,7 +240,7 @@ def main():
            if vars()[x] is not None:
                ansible_module.fail_json(
                    msg="Argument '%s' can not be used with action "
-                    "'%s'" % (x, action))
+                    "'%s', state `%s`" % (x, action, state))
    changed = False
    exit_args = {}
@@ -262,7 +272,27 @@ def main():
                if existing_resource is None and not forwarders:
                    ansible_module.fail_json(msg='No forwarders specified.')
-            if existing_resource is not None:
+            if existing_resource is None:
+                if operation == "add":
+                    # does not exist but should be present
+                    # determine args
+                    args = gen_args(forwarders, forwardpolicy,
+                                    skip_overlap_check)
+                    # set command
+                    command = "dnsforwardzone_add"
+                    # enabled or disabled?
+                elif operation == "update":
+                    # does not exist and is updating
+                    # trying to update something that doesn't exist, so error
+                    ansible_module.fail_json(
+                        msg="dnsforwardzone '%s' not found." % (name))
+                elif operation == "del":
+                    # there's nothnig to do.
+                    continue
+            else:   # existing_resource is not None
                if state != "absent":
                    if forwarders:
                        forwarders = list(
@@ -274,66 +304,51 @@ def main():
                            set(existing_resource["idnsforwarders"])
                            - set(forwarders))
-            if existing_resource is None and operation == "update":
+                if operation == "add":
-                # does not exist and is updating
+                    # exists and should be present, has it changed?
-                # trying to update something that doesn't exist, so error
+                    # determine args
-                ansible_module.fail_json(msg="""dnsforwardzone '%s' is not
+                    args = gen_args(
-                                                         valid""" % (name))
+                        forwarders, forwardpolicy, skip_overlap_check)
-            elif existing_resource is None and operation == "del":
+                    if 'skip_overlap_check' in args:
-                # does not exists and should be absent
+                        del args['skip_overlap_check']
-                # enabled or disabled?
-                is_enabled = "IGNORE"
+                    # set command
-            elif existing_resource is not None and operation == "del":
+                    if not compare_args_ipa(
+                            ansible_module, args, existing_resource):
+                        command = "dnsforwardzone_mod"
+                elif operation == "del":
                    # exists but should be absent
                    # set command
                    command = "dnsforwardzone_del"
                    args = {}
-                # enabled or disabled?
-                is_enabled = "IGNORE"
+                elif operation == "update":
-            elif forwarders is None:
-                # forwarders are not defined its not a delete, update state?
-                # enabled or disabled?
-                if existing_resource is not None:
-                    is_enabled = existing_resource["idnszoneactive"][0]
-                else:
-                    is_enabled = "IGNORE"
-            elif existing_resource is not None and operation == "update":
                    # exists and is updating
                    # calculate the new forwarders and mod
-                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
+                    args = gen_args(
+                        forwarders, forwardpolicy, skip_overlap_check)
                    if "skip_overlap_check" in args:
                        del args['skip_overlap_check']
                    # command
-                if not compare_args_ipa(ansible_module, args, existing_resource):
+                    if not compare_args_ipa(
+                            ansible_module, args, existing_resource):
                        command = "dnsforwardzone_mod"
-                # enabled or disabled?
+            if state in ['enabled', 'disabled']:
+                if existing_resource is not None:
                    is_enabled = existing_resource["idnszoneactive"][0]
+                else:
+                    ansible_module.fail_json(
+                        msg="dnsforwardzone '%s' not found." % (name))
-            elif existing_resource is None and operation == "add":
+            # does the enabled state match what we want (if we care)
-                # does not exist but should be present
+            if is_enabled != "IGNORE":
-                # determine args
+                if wants_enable and is_enabled != "TRUE":
-                args = gen_args(forwarders, forwardpolicy,
+                    commands.append([name, "dnsforwardzone_enable", {}])
-                                skip_overlap_check)
+                elif not wants_enable and is_enabled != "FALSE":
-                # set command
+                    commands.append([name, "dnsforwardzone_disable", {}])
-                command = "dnsforwardzone_add"
-                # enabled or disabled?
-                is_enabled = "TRUE"
-            elif existing_resource is not None and operation == "add":
-                # exists and should be present, has it changed?
-                # determine args
-                args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
-                if 'skip_overlap_check' in args:
-                    del args['skip_overlap_check']
-                # set command
-                if not compare_args_ipa(ansible_module, args, existing_resource):
-                    command = "dnsforwardzone_mod"
-                # enabled or disabled?
-                is_enabled = existing_resource["idnszoneactive"][0]
            # if command is set...
            if command is not None:
@@ -354,18 +369,7 @@ def main():
                    )
            for name, command, args in commands:
-                result = api_command(ansible_module, command, name, args)
+                api_command(ansible_module, command, name, args)
-                changed = True
-            # does the enabled state match what we want (if we care)
-            if is_enabled != "IGNORE":
-                if wants_enable and is_enabled != "TRUE":
-                    api_command(ansible_module, "dnsforwardzone_enable",
-                                name, {})
-                    changed = True
-                elif not wants_enable and is_enabled != "FALSE":
-                    api_command(ansible_module, "dnsforwardzone_disable",
-                                name, {})
                changed = True
    except Exception as e:

--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -106,6 +106,22 @@
    register: result
    failed_when: not result.changed
+  - name: change zone forward policy
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwardpolicy: first
+    register: result
+    failed_when: not result.changed
+  - name: change zone forward policy, again
+    ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwardpolicy: first
+    register: result
+    failed_when: result.changed
  - name: ensure forwardzone example.com is absent.
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
@@ -256,27 +272,15 @@
      action: member
      skip_overlap_check: true
    register: result
-    failed_when: result.changed
+    failed_when: not result.failed or "not found" not in result.msg
  - name: try to create a new forwarder with disabled state
-    ipadnsforwardzone:
-      ipaadmin_password: SomeADMINpassword
-      state: disabled
-      name: example.com
-      forwarders:
-        - ip_address: 4.4.4.4
-          port: 8053
-      skip_overlap_check: yes
-    register: result
-    failed_when: not result.changed
-  - name: ensure it stays disabled
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: disabled
    register: result
-    failed_when: result.changed
+    failed_when: not result.failed or "not found" not in result.msg
  - name: Ensure forwardzone is not added without forwarders, with correct message.
    ipadnsforwardzone: