From bf864469a1da81c6b23e9726562b21408764ac8f Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 15 Jun 2020 20:42:23 -0300
Subject: [PATCH] Add support for attribute `permission` on dnsforwardzone
module.
Adds missing attribute `permission to dnsforwardzone module, that
enable setting `manageby` for the DNS Forwar Zone.
---
README-dnsforwardzone.md | 1 +
plugins/modules/ipadnsforwardzone.py | 71 ++++++++----
tests/dnsforwardzone/test_dnsforwardzone.yml | 110 +++++++++++++++----
3 files changed, 136 insertions(+), 46 deletions(-)
diff --git a/README-dnsforwardzone.md b/README-dnsforwardzone.md
index 15b2b574..175e6f8b 100644
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -104,6 +104,7 @@ Variable | Description | Required
| `port`: The forwarder IP port. | no
`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
`skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
+`permission` | Allow DNS Forward Zone to be managed. (bool) | no
`action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
diff --git a/plugins/modules/ipadnsforwardzone.py b/plugins/modules/ipadnsforwardzone.py
index 8e5c3464..a729197b 100644
--- a/plugins/modules/ipadnsforwardzone.py
+++ b/plugins/modules/ipadnsforwardzone.py
@@ -75,6 +75,11 @@ options:
- Force DNS zone creation even if it will overlap with an existing zone.
required: false
default: false
+ permission:
+ description:
+ - Allow DNS Forward Zone to be managed.
+ required: false
+ type: bool
'''
EXAMPLES = '''
@@ -168,6 +173,8 @@ def main():
required=False,
choices=['only', 'first', 'none']),
skip_overlap_check=dict(type='bool', required=False),
+ permission=dict(type='bool', required=False,
+ aliases=['managedby']),
action=dict(type="str", default="dnsforwardzone",
choices=["member", "dnsforwardzone"]),
# state
@@ -191,6 +198,7 @@ def main():
forwardpolicy = module_params_get(ansible_module, "forwardpolicy")
skip_overlap_check = module_params_get(ansible_module,
"skip_overlap_check")
+ permission = module_params_get(ansible_module, "permission")
state = module_params_get(ansible_module, "state")
if state == 'present' and len(names) != 1:
@@ -215,7 +223,9 @@ def main():
wants_enable = True
if operation == "del":
- invalid = ["forwarders", "forwardpolicy", "skip_overlap_check"]
+ invalid = [
+ "forwarders", "forwardpolicy", "skip_overlap_check", "permission"
+ ]
for x in invalid:
if vars()[x] is not None:
ansible_module.fail_json(
@@ -241,6 +251,9 @@ def main():
api_connect()
for name in names:
+ commands = []
+ command = None
+
# Make sure forwardzone exists
existing_resource = find_dnsforwardzone(ansible_module, name)
@@ -249,6 +262,18 @@ def main():
if existing_resource is None and not forwarders:
ansible_module.fail_json(msg='No forwarders specified.')
+ if existing_resource is not None:
+ if state != "absent":
+ if forwarders:
+ forwarders = list(
+ set(existing_resource["idnsforwarders"]
+ + forwarders))
+ else:
+ if forwarders:
+ forwarders = list(
+ set(existing_resource["idnsforwarders"])
+ - set(forwarders))
+
if existing_resource is None and operation == "update":
# does not exist and is updating
# trying to update something that doesn't exist, so error
@@ -256,20 +281,17 @@ def main():
valid""" % (name))
elif existing_resource is None and operation == "del":
# does not exists and should be absent
- # set command
- command = None
# enabled or disabled?
is_enabled = "IGNORE"
elif existing_resource is not None and operation == "del":
# exists but should be absent
# set command
command = "dnsforwardzone_del"
+ args = {}
# enabled or disabled?
is_enabled = "IGNORE"
elif forwarders is None:
# forwarders are not defined its not a delete, update state?
- # set command
- command = None
# enabled or disabled?
if existing_resource is not None:
is_enabled = existing_resource["idnszoneactive"][0]
@@ -278,23 +300,13 @@ def main():
elif existing_resource is not None and operation == "update":
# exists and is updating
# calculate the new forwarders and mod
- # determine args
- if state != "absent":
- forwarders = list(set(existing_resource["idnsforwarders"]
- + forwarders))
- else:
- forwarders = list(set(existing_resource["idnsforwarders"])
- - set(forwarders))
- args = gen_args(forwarders, forwardpolicy,
- skip_overlap_check)
- if skip_overlap_check is not None:
+ args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
+ if "skip_overlap_check" in args:
del args['skip_overlap_check']
# command
if not compare_args_ipa(ansible_module, args, existing_resource):
command = "dnsforwardzone_mod"
- else:
- command = None
# enabled or disabled?
is_enabled = existing_resource["idnszoneactive"][0]
@@ -313,21 +325,36 @@ def main():
# exists and should be present, has it changed?
# determine args
args = gen_args(forwarders, forwardpolicy, skip_overlap_check)
- if skip_overlap_check is not None:
+ if 'skip_overlap_check' in args:
del args['skip_overlap_check']
# set command
if not compare_args_ipa(ansible_module, args, existing_resource):
command = "dnsforwardzone_mod"
- else:
- command = None
# enabled or disabled?
is_enabled = existing_resource["idnszoneactive"][0]
- # if command is set then run it with the args
+ # if command is set...
if command is not None:
- api_command(ansible_module, command, name, args)
+ commands.append([name, command, args])
+
+ if permission is not None:
+ if existing_resource is None:
+ managedby = None
+ else:
+ managedby = existing_resource.get('managedby', None)
+ if permission and managedby is None:
+ commands.append(
+ [name, 'dnsforwardzone_add_permission', {}]
+ )
+ elif not permission and managedby is not None:
+ commands.append(
+ [name, 'dnsforwardzone_remove_permission', {}]
+ )
+
+ for name, command, args in commands:
+ result = api_command(ansible_module, command, name, args)
changed = True
# does the enabled state match what we want (if we care)
diff --git a/tests/dnsforwardzone/test_dnsforwardzone.yml b/tests/dnsforwardzone/test_dnsforwardzone.yml
index 468cd4ce..0386bd48 100644
--- a/tests/dnsforwardzone/test_dnsforwardzone.yml
+++ b/tests/dnsforwardzone/test_dnsforwardzone.yml
@@ -51,8 +51,6 @@
register: result
failed_when: not result.changed
- - pause:
-
- name: ensure forwardzone example.com has one forwarder again
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
@@ -63,7 +61,7 @@
skip_overlap_check: true
state: present
register: result
- failed_when: not result.changed
+ failed_when: result.changed
- name: skip_overlap_check can only be set on creation so change nothing
ipadnsforwardzone:
@@ -77,6 +75,22 @@
register: result
failed_when: result.changed
+ - name: ensure forwardzone example.com is absent.
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ name: example.com
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: ensure forwardzone example.com is absent, again.
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ name: example.com
+ state: absent
+ register: result
+ failed_when: result.changed
+
- name: change all the things at once
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
@@ -87,11 +101,12 @@
- ip_address: 4.4.4.4
port: 8053
forwardpolicy: only
- skip_overlap_check: false
+ skip_overlap_check: true
+ permission: yes
register: result
failed_when: not result.changed
- - name: ensure forwardzone example.com is absent for next testset
+ - name: ensure forwardzone example.com is absent.
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
name: example.com
@@ -156,43 +171,58 @@
register: result
failed_when: result.changed
- - name: ensure forwardzone example.com is absent again
+ - name: Add a permission for per-forward zone access delegation.
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
name: example.com
- state: absent
+ permission: yes
+ action: member
+ register: result
+ failed_when: not result.changed
- - name: try to create a new forwarder with action=member
+ - name: Add a permission for per-forward zone access delegation, again.
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
- state: present
name: example.com
- forwarders:
- - ip_address: 4.4.4.4
- port: 8053
+ permission: yes
action: member
- skip_overlap_check: true
register: result
failed_when: result.changed
- - name: ensure forwardzone example.com is absent - tidy up
+ - name: Remove a permission for per-forward zone access delegation.
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
name: example.com
- state: absent
+ permission: no
+ action: member
+ register: result
+ failed_when: not result.changed
- - name: try to create a new forwarder is disabled state
+ - name: Remove a permission for per-forward zone access delegation, again.
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
- state: disabled
name: example.com
- forwarders:
- - ip_address: 4.4.4.4
- port: 8053
- skip_overlap_check: true
+ permission: no
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: disable the forwarder
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ name: example.com
+ state: disabled
register: result
failed_when: not result.changed
+ - name: disable the forwarder again
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ name: example.com
+ state: disabled
+ register: result
+ failed_when: result.changed
+
- name: enable the forwarder
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
@@ -201,12 +231,42 @@
register: result
failed_when: not result.changed
- - name: disable the forwarder again
+ - name: enable the forwarder, again
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
name: example.com
- state: disabled
+ state: enabled
+ register: result
+ failed_when: result.changed
+
+ - name: ensure forwardzone example.com is absent again
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ name: example.com
+ state: absent
+
+ - name: try to create a new forwarder with action=member
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ state: present
+ name: example.com
+ forwarders:
+ - ip_address: 4.4.4.4
+ port: 8053
action: member
+ skip_overlap_check: true
+ register: result
+ failed_when: result.changed
+
+ - name: try to create a new forwarder with disabled state
+ ipadnsforwardzone:
+ ipaadmin_password: SomeADMINpassword
+ state: disabled
+ name: example.com
+ forwarders:
+ - ip_address: 4.4.4.4
+ port: 8053
+ skip_overlap_check: yes
register: result
failed_when: not result.changed
@@ -228,5 +288,7 @@
- name: ensure forwardzone example.com is absent - tidy up
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
- name: example.com
+ name:
+ - example.com
+ - newfailzone.com
state: absent
--
GitLab