tests/azure: Deactivate NTP in prepare-build

In CentOS 8 and also Fedora the configuration and start of chrony fails with Fatal error : adjtimex(0x8001) failed : Operation not permitted For more information: https://bugzilla.redhat.com/show_bug.cgi?id=1772053 NTP will not be needed before a separate namespace is used for clocks.
tests/azure: Set ANSIBLE_LIBRARY to fix unknown interpreter issue
2026-05-13 21:12:02 +00:00 · 2021-05-03 13:28:25 +02:00 · 2021-04-30 16:29:53 +02:00 · 2021-04-07 21:38:05 -03:00 · 2021-04-07 13:03:52 -03:00 · 2021-04-07 17:13:26 +02:00
67 changed files with 458 additions and 223 deletions
--- a/molecule/centos-8-build/molecule.yml
+++ b/molecule/centos-8-build/molecule.yml
@@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: centos-8-build
-    image: centos:8
+    image: "centos:centos8"
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
--- a/molecule/fedora-latest-build/molecule.yml
+++ b/molecule/fedora-latest-build/molecule.yml
@@ -3,7 +3,7 @@ driver:
  name: docker
 platforms:
  - name: fedora-latest-build
-    image: fedora-latest
+    image: "fedora:latest"
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
--- a/molecule/resources/playbooks/prepare-build.yml
+++ b/molecule/resources/playbooks/prepare-build.yml
@@ -25,3 +25,4 @@
      ipadm_password: SomeDMpassword
      ipaserver_domain: test.local
      ipaserver_realm: TEST.LOCAL
+      ipaclient_no_ntp: yes
--- a/playbooks/permission/permission-absent.yml
+++ b/playbooks/permission/permission-absent.yml
@@ -4,8 +4,8 @@
  become: true

  tasks:
-  - name: Ensure permission TestPerm1 is absent
+  - name: Ensure permission is absent
    ipapermission:
+      ipaadmin_password: SomeADMINpassword
      name: TestPerm1
      state: absent
-
--- a/playbooks/permission/permission-allow-read-employeenum.yml
+++ b/playbooks/permission/permission-allow-read-employeenum.yml
@@ -4,11 +4,12 @@
  become: true

  tasks:
-  - name: Ensure permission TestPerm2 is present with Read rights to employeenumber
+  - name: Ensure permission is present with set of rights to attribute employeenumber
    ipapermission:
-      name: TestPerm2
+      ipaadmin_password: SomeADMINpassword
+      name: TestPerm1
      object_type: user
-      perm_rights: 
+      right:
        - read
        - search
        - compare
--- a/playbooks/permission/permission-member-absent.yml
+++ b/playbooks/permission/permission-member-absent.yml
@@ -4,8 +4,9 @@
  become: true

  tasks:
-  - name: Ensure privilege User Administrators privilege is absent on Permission TestPerm1
+  - name: Ensure permission privilege, "User Administrators", is absent
    ipapermission:
+      ipaadmin_password: SomeADMINpassword
      name: TestPerm1
      privilege: "User Administrators"
      action: member
--- a/playbooks/permission/permission-member-present.yml
+++ b/playbooks/permission/permission-member-present.yml
@@ -4,8 +4,9 @@
  become: true

  tasks:
-  - name: Ensure permission TestPerm1 is present with the User Administrators privilege present
+  - name: Ensure permission is present with "User Administrators" privilege
    ipapermission:
+      ipaadmin_password: SomeADMINpassword
      name: TestPerm1
      privilege: "User Administrators"
      action: member
--- a/playbooks/permission/permission-present.yml
+++ b/playbooks/permission/permission-present.yml
@@ -4,8 +4,9 @@
  become: true

  tasks:
-  - name: Ensure permission TestPerm1 is present
+  - name: Ensure permission is present
    ipapermission:
+      ipaadmin_password: SomeADMINpassword
      name: TestPerm1
      object_type: host
-      perm_rights: all
+      right: all
--- a/playbooks/permission/permission-renamed.yml
+++ b/playbooks/permission/permission-renamed.yml
@@ -4,8 +4,9 @@
  become: true

  tasks:
-  - name: Ensure permission TestPerm1 is present
+  - name: Ensure permission TestPerm1 is renamed to TestPermRenamed
    ipapermission:
+      ipaadmin_password: SomeADMINpassword
      name: TestPerm1
      rename: TestPermRenamed
      state: renamed
--- a/playbooks/selfservice/selfservice-absent.yml
+++ b/playbooks/selfservice/selfservice-absent.yml
@@ -1,11 +1,11 @@
 ---
- name: Delegation absent
+- name: Selfservice absent
  hosts: ipaserver
  become: true

  tasks:
-  - name: Ensure delegation "basic manager attributes" is absent
-    ipadelegation:
+  - name: Ensure selfservice "basic manager attributes" is absent
+    ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
--- a/playbooks/selfservice/selfservice-member-absent.yml
+++ b/playbooks/selfservice/selfservice-member-absent.yml
@@ -1,15 +1,15 @@
 ---
- name: Delegation member absent
+- name: Selfservice member absent
  hosts: ipaserver
  become: true

  tasks:
-  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
-    ipadelegation:
+  - name: Ensure selfservice "basic manager attributes" member attributes employeenumber and employeetype are absent
+    ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
-      - employeenumber
-      - employeetype
+      - businesscategory
+      - departmentnumber
      action: member
      state: absent
--- a/playbooks/selfservice/selfservice-member-present.yml
+++ b/playbooks/selfservice/selfservice-member-present.yml
@@ -1,11 +1,11 @@
 ---
- name: Delegation member present
+- name: Selfservice member present
  hosts: ipaserver
  become: true

  tasks:
-  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
-    ipadelegation:
+  - name: Ensure selfservice "basic manager attributes" member attribute departmentnumber is present
+    ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
--- a/playbooks/selfservice/selfservice-present.yml
+++ b/playbooks/selfservice/selfservice-present.yml
@@ -1,11 +1,11 @@
 ---
- name: Delegation present
+- name: Selfservice present
  hosts: ipaserver
  become: true

  tasks:
-  - name: Ensure delegation "basic manager attributes" is present
-    ipadelegation:
+  - name: Ensure selfservice "basic manager attributes" is present
+    ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
--- a/playbooks/vault/vault-is-present-with-password-file.yml
+++ b/playbooks/vault/vault-is-present-with-password-file.yml
@@ -7,7 +7,7 @@
  tasks:
  - copy:
      src: "{{ playbook_dir }}/password.txt"
-      dest: "{{ ansible_env.HOME }}/password.txt"
+      dest: "{{ ansible_facts['env'].HOME }}/password.txt"
      owner: "{{ ansible_user }}"
      group: "{{ ansible_user }}"
      mode: 0600
@@ -16,7 +16,7 @@
      name: symvault
      username: admin
      vault_type: symmetric
-      vault_password_file: "{{ ansible_env.HOME }}/password.txt"
+      vault_password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
  - file:
-      path: "{{ ansible_env.HOME }}/password.txt"
+      path: "{{ ansible_facts['env'].HOME }}/password.txt"
      state: absent
--- a/playbooks/vault/vault-is-present-with-public-key-file.yml
+++ b/playbooks/vault/vault-is-present-with-public-key-file.yml
@@ -12,7 +12,7 @@
  tasks:
  - copy:
      src: "{{ playbook_dir }}/public.pem"
-      dest: "{{ ansible_env.HOME }}/public.pem"
+      dest: "{{ ansible_facts['env'].HOME }}/public.pem"
      owner: "{{ ansible_user }}"
      group: "{{ ansible_user }}"
      mode: 0600
@@ -21,7 +21,7 @@
      name: asymvault
      username: admin
      vault_type: asymmetric
-      vault_public_key_file: "{{ ansible_env.HOME }}/public.pem"
+      vault_public_key_file: "{{ ansible_facts['env'].HOME }}/public.pem"
  - file:
-      path: "{{ ansible_env.HOME }}/public.pem"
+      path: "{{ ansible_facts['env'].HOME }}/public.pem"
      state: absent
--- a/plugins/modules/ipadnsrecord.py
+++ b/plugins/modules/ipadnsrecord.py
@@ -1350,8 +1350,6 @@ def define_commands_for_present_state(module, zone_name, entry, res_find):
                    module, zone_name, name, args[record])
                _commands.extend(cmds)
                del args['%s_extra_create_reverse' % ipv]
-                if '%s_ip_address' not in args:
-                    del args[record]
        for record, fields in _RECORD_PARTS.items():
            part_fields = [f for f in fields if f in args]
            if part_fields:
--- a/plugins/modules/ipapermission.py
+++ b/plugins/modules/ipapermission.py
@@ -277,10 +277,8 @@ def main():
            ansible_module.fail_json(
                msg="Only one permission can be added at a time.")
        if action == "member":
-            invalid = ["right", "bindtype", "subtree",
-                       "extra_target_filter", "rawfilter", "target",
-                       "targetto", "targetfrom", "memberof", "targetgroup",
-                       "object_type", "rename"]
+            invalid = ["bindtype", "target", "targetto", "targetfrom",
+                       "subtree", "targetgroup", "object_type", "rename"]
        else:
            invalid = ["rename"]

@@ -299,13 +297,12 @@ def main():
    if state == "absent":
        if len(names) < 1:
            ansible_module.fail_json(msg="No name given.")
-        invalid = ["right",
-                   "bindtype", "subtree",
-                   "extra_target_filter", "rawfilter", "target", "targetto",
-                   "targetfrom", "memberof", "targetgroup", "object_type",
+        invalid = ["bindtype", "subtree", "target", "targetto",
+                   "targetfrom", "targetgroup", "object_type",
                   "no_members", "rename"]
        if action != "member":
-            invalid += ["attrs"]
+            invalid += ["right", "attrs", "memberof",
+                        "extra_target_filter", "rawfilter"]

    for x in invalid:
        if vars()[x] is not None:
@@ -317,6 +314,11 @@ def main():
        ansible_module.fail_json(
            msg="Bindtype 'self' is not supported by your IPA version.")

+    if all([extra_target_filter, rawfilter]):
+        ansible_module.fail_json(
+            msg="Cannot specify target filter and extra target filter "
+                "simultaneously.")
+
    # Init

    changed = False
@@ -359,16 +361,31 @@ def main():
                        ansible_module.fail_json(
                            msg="No permission '%s'" % name)

-                    # attrs
-                    if attrs is not None:
-                        _attrs = list(set(list(res_find["attrs"]) + attrs))
-                        if len(_attrs) > len(res_find["attrs"]):
-                            commands.append([name, "permission_mod",
-                                             {"attrs": _attrs}])
+                    member_attrs = {}
+                    check_members = {
+                        "attrs": attrs,
+                        "memberof": memberof,
+                        "ipapermright": right,
+                        "ipapermtargetfilter": rawfilter,
+                        "extratargetfilter": extra_target_filter,
+                        # subtree member management is currently disabled.
+                        # "ipapermlocation": subtree,
+                    }
+
+                    for _member, _member_change in check_members.items():
+                        if _member_change is not None:
+                            _res_list = res_find[_member]
+                            _new_set = set(_res_list + _member_change)
+                            if _new_set != set(_res_list):
+                                member_attrs[_member] = list(_new_set)
+
+                    if member_attrs:
+                        commands.append([name, "permission_mod", member_attrs])

                else:
                    ansible_module.fail_json(
                        msg="Unknown action '%s'" % action)
+
            elif state == "renamed":
                if action == "permission":
                    # Generate args
@@ -393,6 +410,7 @@ def main():
                else:
                    ansible_module.fail_json(
                        msg="Unknown action '%s'" % action)
+
            elif state == "absent":
                if action == "permission":
                    if res_find is not None:
@@ -403,20 +421,26 @@ def main():
                        ansible_module.fail_json(
                            msg="No permission '%s'" % name)

-                    # attrs
-                    if attrs is not None:
-                        # New attribute list (remove given ones from find
-                        # result)
-                        # Make list with unique entries
-                        _attrs = list(set(res_find["attrs"]) - set(attrs))
-                        if len(_attrs) < 1:
-                            ansible_module.fail_json(
-                                msg="At minimum one attribute is needed.")
+                    member_attrs = {}
+                    check_members = {
+                        "attrs": attrs,
+                        "memberof": memberof,
+                        "ipapermright": right,
+                        "ipapermtargetfilter": rawfilter,
+                        "extratargetfilter": extra_target_filter,
+                        # subtree member management is currently disabled.
+                        # "ipapermlocation": subtree,
+                    }

-                        # Entries New number of attributes is smaller
-                        if len(_attrs) < len(res_find["attrs"]):
-                            commands.append([name, "permission_mod",
-                                             {"attrs": _attrs}])
+                    for _member, _member_change in check_members.items():
+                        if _member_change is not None:
+                            _res_set = set(res_find[_member])
+                            _new_set = _res_set - set(_member_change)
+                            if _new_set != _res_set:
+                                member_attrs[_member] = list(_new_set)
+
+                    if member_attrs:
+                        commands.append([name, "permission_mod", member_attrs])

            else:
                ansible_module.fail_json(msg="Unknown state '%s'" % state)
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -429,16 +429,16 @@ def main():

                    # Generate addition and removal lists
                    host_add, host_del = gen_add_del_lists(
-                        host, res_find.get('member_host', []))
+                        host, res_find.get('memberhost_host', []))

                    hostgroup_add, hostgroup_del = gen_add_del_lists(
-                        hostgroup, res_find.get('member_hostgroup', []))
+                        hostgroup, res_find.get('memberhost_hostgroup', []))

                    user_add, user_del = gen_add_del_lists(
-                        user, res_find.get('member_user', []))
+                        user, res_find.get('memberuser_user', []))

                    group_add, group_del = gen_add_del_lists(
-                        group, res_find.get('member_group', []))
+                        group, res_find.get('memberuser_group', []))

                    allow_cmd_add, allow_cmd_del = gen_add_del_lists(
                        allow_sudocmd,
--- a/roles/ipabackup/tasks/copy_backup_from_server.yml
+++ b/roles/ipabackup/tasks/copy_backup_from_server.yml
@@ -10,7 +10,7 @@
  set_fact:
    ipabackup_controller_dir:
        "{{ ipabackup_controller_path | default(lookup('env','PWD')) }}/{{
-         ipabackup_name_prefix | default(ansible_fqdn) }}_{{
+         ipabackup_name_prefix | default(ansible_facts['fqdn']) }}_{{
         ipabackup_item }}/"

 - name: Stat backup on server
--- a/roles/ipabackup/tasks/get_ipabackup_dir.yml
+++ b/roles/ipabackup/tasks/get_ipabackup_dir.yml
@@ -1,6 +1,6 @@
 ---
 - name: Get IPA_BACKUP_DIR dir from ipaplatform
-  command: "{{ ansible_playbook_python }}"
+  command: "{{ ansible_python_interpreter | default('/usr/bin/python') }}"
  args:
    stdin: |
      from ipaplatform.paths import paths
--- a/roles/ipabackup/tasks/restore.yml
+++ b/roles/ipabackup/tasks/restore.yml
@@ -6,9 +6,9 @@
 - name: Import variables specific to distribution
  include_vars: "{{ item }}"
  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}.yml"
    - "{{ role_path }}/vars/default.yml"

 ### GET SERVICES FROM BACKUP
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -33,7 +33,7 @@
    domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
    servers: "{{ ipaclient_servers | default(omit) }}"
    realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
-    hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipaclient_hostname | default(ansible_facts['fqdn']) }}"
    ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
    ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
    no_ntp: "{{ ipaclient_no_ntp }}"
@@ -181,8 +181,12 @@
    # Do not fail on error codes 3 and 5:
    #   3 - Unable to open keytab
    #   5 - Principal name or realm not found in keytab
+    #   7 - Failed to set cursor, typically when errcode
+    #       would be issued in past
    failed_when: result_ipa_rmkeytab.rc != 0 and
-                 result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
+                 result_ipa_rmkeytab.rc != 3 and
+                 result_ipa_rmkeytab.rc != 5 and
+                 result_ipa_rmkeytab.rc != 7
    when: (ipaclient_use_otp | bool or ipaclient_force_join | bool) and not ipaclient_on_master | bool

  - name: Install - Backup and set hostname
--- a/roles/ipaclient/tasks/main.yml
+++ b/roles/ipaclient/tasks/main.yml
@@ -4,9 +4,9 @@
 - name: Import variables specific to distribution
  include_vars: "{{ item }}"
  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_facts['distribution'] }}.yml"
    - "{{ role_path }}/vars/default.yml"

 - name: Install IPA client
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -72,7 +72,7 @@
            default(omit) }}"
    servers: "{{ ipareplica_servers | default(omit) }}"
    realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}"
-    hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipareplica_hostname | default(ansible_facts['fqdn']) }}"
    ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
    hidden_replica: "{{ ipareplica_hidden_replica }}"
    skip_mem_check: "{{ not ipareplica_mem_check }}"
--- a/roles/ipareplica/tasks/main.yml
+++ b/roles/ipareplica/tasks/main.yml
@@ -4,9 +4,9 @@
 - name: Import variables specific to distribution
  include_vars: "{{ item }}"
  with_first_found:
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "vars/{{ ansible_distribution }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}.yml"
    - "vars/default.yml"

 - name: Install IPA replica
--- a/roles/ipareplica/tasks/uninstall.yml
+++ b/roles/ipareplica/tasks/uninstall.yml
@@ -25,7 +25,7 @@
 #  command: >
 #    /usr/sbin/ipa-replica-manage
 #    del
-#    {{ ipareplica_hostname | default(ansible_fqdn) }}
+#    {{ ipareplica_hostname | default(ansible_facts['fqdn']) }}
 #    --force
 #    --password={{ ipadm_password }}
 #  failed_when: False
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -65,7 +65,7 @@
    master_password: "{{ ipaserver_master_password | default(omit) }}"
    domain: "{{ ipaserver_domain | default(omit) }}"
    realm: "{{ ipaserver_realm | default(omit) }}"
-    hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
+    hostname: "{{ ipaserver_hostname | default(ansible_facts['fqdn']) }}"
    ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
    no_host_dns: "{{ ipaserver_no_host_dns }}"
    pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"
--- a/roles/ipaserver/tasks/main.yml
+++ b/roles/ipaserver/tasks/main.yml
@@ -4,9 +4,9 @@
 - name: Import variables specific to distribution
  include_vars: "{{ item }}"
  with_first_found:
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
-    - "vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "vars/{{ ansible_distribution }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_version'] }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.yml"
+    - "vars/{{ ansible_facts['distribution'] }}.yml"
    - "vars/default.yml"

 - name: Install IPA server
--- a/tests/ansible.cfg
+++ b/tests/ansible.cfg
@@ -3,3 +3,4 @@ roles_path = ../roles:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/rol
 library = ../plugins/modules:~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
 module_utils = ../plugins/module_utils:~/.ansible/plugins/module_utils:/usr/share/ansible/plugins/module_utils
 host_key_checking = false
+inject_facts_as_vars = false
--- a/tests/azure/azure-pipelines.yml
+++ b/tests/azure/azure-pipelines.yml
@@ -15,7 +15,7 @@ trigger:
 - master

 pool:
-  vmImage: 'ubuntu-18.04'
+  vmImage: 'ubuntu-20.04'

 stages:
 - stage: Centos7
--- a/tests/azure/build-containers.yml
+++ b/tests/azure/build-containers.yml
@@ -11,7 +11,7 @@ schedules:
 trigger: none

 pool:
-  vmImage: 'ubuntu-18.04'
+  vmImage: 'ubuntu-20.04'

 jobs:

--- a/tests/azure/templates/build_container.yml
+++ b/tests/azure/templates/build_container.yml
@@ -15,7 +15,7 @@ jobs:
    inputs:
      versionSpec: '3.6'

-  - script: python -m pip install --upgrade pip setuptools wheel
+  - script: python -m pip install --upgrade pip setuptools wheel ansible
    displayName: Install tools

  - script: pip install molecule[docker]
@@ -23,6 +23,8 @@ jobs:

  - script: molecule create -s ${{ parameters.build_scenario_name }}
    displayName: Create test container
+    env:
+      ANSIBLE_LIBRARY: ./molecule

  - script: |
      docker stop ${{ parameters.build_scenario_name }}
--- a/tests/azure/templates/playbook_tests.yml
+++ b/tests/azure/templates/playbook_tests.yml
@@ -44,6 +44,8 @@ jobs:
      cp -a plugins/module_utils/* ~/.ansible/module_utils
      molecule create -s ${{ parameters.scenario }}
    displayName: Setup test container
+    env:
+      ANSIBLE_LIBRARY: ./molecule

  - script: |
      pytest \
--- a/tests/azure/templates/pytest_tests.yml
+++ b/tests/azure/templates/pytest_tests.yml
@@ -36,6 +36,8 @@ jobs:
      cp -a plugins/module_utils/* ~/.ansible/module_utils
      molecule create -s ${{ parameters.scenario }}
    displayName: Setup test container
+    env:
+      ANSIBLE_LIBRARY: ./molecule

  - script: |
      pytest \
--- a/tests/dnsrecord/env_vars.yml
+++ b/tests/dnsrecord/env_vars.yml
@@ -2,9 +2,9 @@
 # Set common vars and facts for test.
 - name: Set IPv4 address prefix.
  set_fact:
-    ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+    ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                     join('.') }}"
-    ipv4_reverse_sufix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+    ipv4_reverse_sufix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                            reverse |
                            join('.') }}"

--- a/tests/dnsrecord/test_compatibility_with_ansible_module.yml
+++ b/tests/dnsrecord/test_compatibility_with_ansible_module.yml
@@ -29,26 +29,32 @@
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: testzone.local
-      record_type: 'AAAA'
-      record_value: '::1'
+      del_all: yes
      state: absent

-  - name: Ensure that dns record 'vm-001' is absent
+  - name: Ensure that dns records for 'vm-001' are absent
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: vm-001
      zone_name: testzone.local
-      record_type: 'AAAA'
-      record_value: '::1'
+      del_all: yes
+      state: absent
+
+  - name: Ensure a PTR record is absent for 'vm-001'
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: '1'
+      record_type: 'PTR'
+      record_value: 'vm-001'
+      zone_name: 2.168.192.in-addr.arpa
      state: absent

  - name: Ensure a PTR record is absent
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
-      name: 5
-      record_type: 'PTR'
-      record_value: 'internal.ipa.testzone.local'
      zone_name: 2.168.192.in-addr.arpa
+      name: "5"
+      del_all: yes
      state: absent

  - name: Ensure a TXT record is absent
@@ -79,7 +85,7 @@
      state: absent

  # tests
-  - name: Ensure dns record is present
+  - name: Ensure AAAA  dns record is present
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: vm-001
@@ -88,9 +94,9 @@
      zone_name: testzone.local
      state: present
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

-  - name: Ensure that dns record exists with a TTL
+  - name: Ensure that AAAA dns record exists with a TTL
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
@@ -100,18 +106,52 @@
      zone_name: testzone.local
      state: present
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure a PTR record is present
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
-      name: 5
+      name: '5'
      record_type: 'PTR'
      record_value: 'internal.ipa.testzone.local'
      zone_name: 2.168.192.in-addr.arpa
      state: present
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure A record is present, with reverse
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: vm-001
+      record_type: 'A'
+      record_value: '192.168.2.1'
+      create_reverse: yes
+      zone_name: testzone.local
+      state: present
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure A record is present
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: vm-001
+      record_type: 'A'
+      record_value: '192.168.2.1'
+      zone_name: testzone.local
+      state: present
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure PTR record is present
+    ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
+      name: '1'
+      record_type: 'PTR'
+      record_value: vm-001.testzone.local
+      zone_name: 2.168.192.in-addr.arpa
+      state: present
+    register: result
+    failed_when: result.changed or result.failed

  - name: Ensure a TXT record is present
    ipadnsrecord:
@@ -122,7 +162,7 @@
      zone_name: testzone.local
      state: present
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure a SRV record is present
    ipadnsrecord:
@@ -133,7 +173,7 @@
      zone_name: testzone.local
      state: present
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure an MX record is present
    ipadnsrecord:
@@ -144,7 +184,7 @@
      zone_name: testzone.local
      state: present
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure that dns record is removed
    ipadnsrecord:
@@ -155,7 +195,7 @@
      record_value: '::1'
      state: absent
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

   # cleanup
  - name: Ensure that dns record 'host01' is absent
@@ -167,7 +207,7 @@
      record_value: '::1'
      state: absent
    register: result
-    failed_when: result.changed
+    failed_when: result.changed or result.failed

  - name: Ensure that dns record 'vm-001' is absent
    ipadnsrecord:
@@ -178,7 +218,7 @@
      record_value: '::1'
      state: absent
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure a PTR record is absent
    ipadnsrecord:
@@ -189,7 +229,7 @@
      zone_name: 2.168.192.in-addr.arpa
      state: absent
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure a TXT record is absent
    ipadnsrecord:
@@ -200,7 +240,7 @@
      zone_name: testzone.local
      state: absent
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure a SRV record is absent
    ipadnsrecord:
@@ -211,7 +251,7 @@
      zone_name: testzone.local
      state: absent
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure an MX record is absent
    ipadnsrecord:
@@ -222,7 +262,7 @@
      zone_name: testzone.local
      state: absent
    register: result
-    failed_when: not result.changed
+    failed_when: not result.changed or result.failed

  - name: Ensure DNS zones to be used are absent.
    ipadnszone:
--- a/tests/dnsrecord/test_dnsrecord.yml
+++ b/tests/dnsrecord/test_dnsrecord.yml
@@ -564,7 +564,7 @@
      ipaadmin_password: SomeADMINpassword
      name: iron01
      zone_name: "{{ safezone }}"
-      ip_address: "{{ ansible_default_ipv4.address }}"
+      ip_address: "{{ ansible_facts['default_ipv4'].address }}"
    register: result
    failed_when: not result.changed

--- a/tests/hbacrule/test_hbacrule.yml
+++ b/tests/hbacrule/test_hbacrule.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  # CLEANUP TEST ITEMS
--- a/tests/host/certificate/test_host_certificate.yml
+++ b/tests/host/certificate/test_host_certificate.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Generate self-signed certificates.
--- a/tests/host/certificate/test_hosts_certificate.yml
+++ b/tests/host/certificate/test_hosts_certificate.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Host test absent
--- a/tests/host/test_host.yml
+++ b/tests/host/test_host.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn .. host6_fqdn
@@ -33,7 +33,7 @@

  - name: Get IPv4 address prefix from server node
    set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                       join('.') }}"

  - name: Host "{{ host1_fqdn }}" present
--- a/tests/host/test_host_allow_create_keytab.yml
+++ b/tests/host/test_host_allow_create_keytab.yml
@@ -6,12 +6,12 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Get Realm from server name
    set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
    when: ipaserver_realm is not defined

  - name: Set host1_fqdn .. host3_fqdn
--- a/tests/host/test_host_allow_retrieve_keytab.yml
+++ b/tests/host/test_host_allow_retrieve_keytab.yml
@@ -6,12 +6,12 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Get Realm from server name
    set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
    when: ipaserver_realm is not defined

  - name: Set host1_fqdn .. host3_fqdn
--- a/tests/host/test_host_bool_params.yml
+++ b/tests/host/test_host_bool_params.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn .. host6_fqdn
--- a/tests/host/test_host_ipaddresses.yml
+++ b/tests/host/test_host_ipaddresses.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn .. host6_fqdn
@@ -17,7 +17,7 @@

  - name: Get IPv4 address prefix from server node
    set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                       join('.') }}"

  - name: Host absent
--- a/tests/host/test_host_managedby_host.yml
+++ b/tests/host/test_host_managedby_host.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn .. host2_fqdn
@@ -55,39 +55,39 @@
    register: result
    failed_when: result.changed

-  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_fqdn }}"
+  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_facts['fqdn'] }}"
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: not result.changed

-  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_fqdn }}" again
+  - name: Host "{{ host1_fqdn }}" managed by "{{ ansible_facts['fqdn'] }}" again
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: result.changed

-  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_fqdn }}"
+  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_facts['fqdn'] }}"
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
      action: member
      state: absent
    register: result
    failed_when: not result.changed

-  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_fqdn }}" again
+  - name: Host "{{ host1_fqdn }}" not managed by "{{ ansible_facts['fqdn'] }}" again
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: "{{ host1_fqdn }}"
-      managedby_host: "{{ ansible_fqdn }}"
+      managedby_host: "{{ ansible_facts['fqdn'] }}"
      action: member
      state: absent
    register: result
--- a/tests/host/test_host_principal.yml
+++ b/tests/host/test_host_principal.yml
@@ -6,12 +6,12 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Get Realm from server name
    set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
    when: ipaserver_realm is not defined

  - name: Set host1_fqdn
--- a/tests/host/test_host_random.yml
+++ b/tests/host/test_host_random.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn and host2_fqdn
@@ -77,11 +77,11 @@
    debug:
      var: ipahost.host["{{host2_fqdn }}"].randompassword

-  - name: Enrolled host "{{ ansible_fqdn }}" fails to set random password with update_password always
+  - name: Enrolled host "{{ ansible_facts['fqdn'] }}" fails to set random password with update_password always
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
-      - name: "{{ ansible_fqdn }}"
+      - name: "{{ ansible_facts['fqdn'] }}"
        random: yes
      update_password: always
    register: ipahost
@@ -89,7 +89,7 @@

  - assert:
      that:
-      - ipahost.host["{{ ansible_fqdn }}"].randompassword is
+      - ipahost.host["{{ ansible_facts['fqdn'] }}"].randompassword is
        not defined
      - "'Password cannot be set on enrolled host' in ipahost.msg"

--- a/tests/host/test_host_reverse.yml
+++ b/tests/host/test_host_reverse.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn
@@ -23,7 +23,7 @@

  - name: Get IPv4 address prefix from server node
    set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                       join('.') }}"

  - name: Set zone prefixes.
--- a/tests/host/test_hosts.yml
+++ b/tests/host/test_hosts.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn .. host6_fqdn
--- a/tests/host/test_hosts_managedby_host.yml
+++ b/tests/host/test_hosts_managedby_host.yml
@@ -6,7 +6,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Set host1_fqdn .. host5_fqdn
--- a/tests/host/test_hosts_principal.yml
+++ b/tests/host/test_hosts_principal.yml
@@ -6,12 +6,12 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Get Realm from server name
    set_fact:
-      ipaserver_realm: "{{ ansible_fqdn.split('.')[1:] | join ('.') | upper }}"
+      ipaserver_realm: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') | upper }}"
    when: ipaserver_realm is not defined

  - name: Set host1_fqdn .. host2_fqdn
--- a/tests/hostgroup/test_hostgroup.yml
+++ b/tests/hostgroup/test_hostgroup.yml
@@ -7,7 +7,7 @@
  tasks:
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Ensure host-group databases, mysql-server and oracle-server are absent
--- a/tests/permission/test_permission.yml
+++ b/tests/permission/test_permission.yml
@@ -6,6 +6,15 @@
  tasks:
  - include_tasks: ../env_freeipa_facts.yml

+  - name: Ensure testing groups are present.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{ item }}"
+      state: present
+    with_items:
+      - rbacgroup1
+      - rbacgroup2
+
  # CLEANUP TEST ITEMS

  - name: Ensure permission perm-test-1 is absent
@@ -24,6 +33,8 @@
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      object_type: host
+      memberof: rbacgroup1
+      filter: '(cn=*.ipa.*)'
      right: all
    register: result
    failed_when: not result.changed or result.failed
@@ -33,10 +44,106 @@
      ipaadmin_password: SomeADMINpassword
      name: perm-test-1
      object_type: host
+      memberof: rbacgroup1
+      filter: '(cn=*.ipa.*)'
      right: all
    register: result
    failed_when: result.changed or result.failed

+  - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)'
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      filter: '(cn=*.internal.*)'
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 has an extra filter '(cn=*.internal.*)', again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      filter: '(cn=*.internal.*)'
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has `write`
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has `write`, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has no `write`
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `right` has no `write`, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      right: write
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup2
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` has `rbackgroup2`, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup2
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup1
+      action: member
+      state: absent
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 `memberof` item `rbackgroup1` is absent, again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      memberof: rbacgroup1
+      action: member
+      state: absent
+    register: result
+    failed_when: result.changed or result.failed
+
  - name: Ensure permission perm-test-1 is present with attr carlicense
    ipapermission:
      ipaadmin_password: SomeADMINpassword
@@ -163,6 +270,34 @@
    register: result
    failed_when: result.changed or result.failed

+  - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)'
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      rawfilter: '(objectclass=ipagroup)'
+      action: member
+    register: result
+    failed_when: not result.changed or result.failed
+
+  - name: Ensure permission perm-test-1 has rawfilter '(objectclass=ipagroup)', again
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      rawfilter: '(objectclass=ipagroup)'
+      action: member
+    register: result
+    failed_when: result.changed or result.failed
+
+  - name: Ensure filter and rawfilter cannot be used together.
+    ipapermission:
+      ipaadmin_password: SomeADMINpassword
+      name: perm-test-1
+      rawfilter: '(objectclass=ipagroup)'
+      filter: '(cn=*.internal.*)'
+      action: member
+    register: result
+    failed_when: not result.failed or "Cannot specify target filter and extra target filter simultaneously" not in result.msg
+
  - name: Rename permission perm-test-1 to perm-test-renamed
    ipapermission:
      ipaadmin_password: SomeADMINpassword
@@ -213,7 +348,7 @@

  # CLEANUP TEST ITEMS

-  - name: Ensure permission perm-test-1 is absent
+  - name: Ensure testing permissions are absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name:
@@ -221,3 +356,12 @@
      - perm-test-bindtype-test
      - perm-test-renamed
      state: absent
+
+  - name: Ensure testing groups are absent.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      name: "{{ item }}"
+      state: absent
+    with_items:
+      - rbacgroup1
+      - rbacgroup2
--- a/tests/role/env_facts.yml
+++ b/tests/role/env_facts.yml
@@ -1,7 +1,7 @@
 ---
 - name: Get Domain from server name
  set_fact:
-    ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+    ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
  when: ipaserver_domain is not defined

 - name: Set fact for realm name
--- a/tests/service/certificate/test_service_certificate.yml
+++ b/tests/service/certificate/test_service_certificate.yml
@@ -29,12 +29,12 @@
  # setup
  - name: Get Domain from server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"
    when: ipaserver_domain is not defined

  - name: Get IPv4 address prefix from server node
    set_fact:
-      ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+      ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] |
                       join('.') }}"

  - name: Set test host FQDN
--- a/tests/service/env_vars.yml
+++ b/tests/service/env_vars.yml
@@ -1,7 +1,7 @@
 ---
    - name: Get Domain from server name
      set_fact:
-        test_domain: "{{ ansible_fqdn.split('.')[1:] | join('.') }}"
+        test_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join('.') }}"

    - name: Set host1, host2 and svc hosts fqdn
      set_fact:
@@ -12,4 +12,4 @@

    - name: Get IPv4 address prefix from server node
      set_fact:
-        ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | join('.') }}"
+        ipv4_prefix: "{{ ansible_facts['default_ipv4'].address.split('.')[:-1] | join('.') }}"
--- a/tests/service/test_service_disable.yml
+++ b/tests/service/test_service_disable.yml
@@ -19,13 +19,13 @@
  - name: Ensure service is absent
    ipaservice:
      ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
      state: absent

  - name: Ensure service is present
    ipaservice:
      ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
      certificate:
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      force: no
@@ -33,51 +33,51 @@
    failed_when: not result.changed

  - name: Obtain keytab
-    shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
+    shell: ipa-getkeytab -s "{{ ansible_facts['fqdn'] }}" -p "mysvc1/{{ ansible_facts['fqdn'] }}" -k mysvc1.keytab

  - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
    register: result
    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")

  - name: Ensure service is disabled
    ipaservice:
      ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
      state: disabled
    register: result
    failed_when: not result.changed

  - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
    register: result
    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")

  - name: Obtain keytab
-    shell: ipa-getkeytab -s "{{ ansible_fqdn }}" -p "mysvc1/{{ ansible_fqdn }}" -k mysvc1.keytab
+    shell: ipa-getkeytab -s "{{ ansible_facts['fqdn'] }}" -p "mysvc1/{{ ansible_facts['fqdn'] }}" -k mysvc1.keytab

  - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
    register: result
    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")

  - name: Ensure service is disabled
    ipaservice:
      ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
      state: disabled
    register: result
    failed_when: not result.changed

  - name: Verify keytab
-    shell: ipa service-find "mysvc1/{{ ansible_fqdn }}"
+    shell: ipa service-find "mysvc1/{{ ansible_facts['fqdn'] }}"
    register: result
    failed_when: result.failed or result.stdout | regex_search(" Keytab. true")

  - name: Ensure service is disabled, with no keytab.
    ipaservice:
      ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"
      state: disabled
    register: result
    failed_when: result.changed
@@ -85,7 +85,7 @@
  - name: Ensure service is absent
    ipaservice:
      ipaadmin_password: SomeADMINpassword
-      name: "mysvc1/{{ ansible_fqdn }}"
+      name: "mysvc1/{{ ansible_facts['fqdn'] }}"

  - name: Destroy Kerberos tickets.
    shell: kdestroy -A -q -c ${KRB5CCNAME}
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -43,7 +43,7 @@
    ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: cluster
-      host: "{{ ansible_fqdn }}"
+      host: "{{ ansible_facts['fqdn'] }}"

  - name: Ensure some sudocmds are available
    ipasudocmd:
@@ -500,20 +500,20 @@
    register: result
    failed_when: result.changed

-  - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule.
+  - name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
-      host: "{{ ansible_fqdn }}"
+      host: "{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: not result.changed

-  - name: Ensure host "{{ ansible_fqdn }}" is present in sudorule, again.
+  - name: Ensure host "{{ ansible_facts['fqdn'] }}" is present in sudorule, again.
    ipasudorule:
      ipaadmin_password: SomeADMINpassword
      name: testrule1
-      host: "{{ ansible_fqdn }}"
+      host: "{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: result.changed
--- a/tests/sudorule/test_sudorule_categories.yml
+++ b/tests/sudorule/test_sudorule_categories.yml
@@ -7,7 +7,7 @@
  tasks:
  - name: Get Domain from the server name
    set_fact:
-      ipaserver_domain: "{{ ansible_fqdn.split('.')[1:] | join ('.') }}"
+      ipaserver_domain: "{{ ansible_facts['fqdn'].split('.')[1:] | join ('.') }}"

  - name: Ensure sudorules are absent
    ipasudorule:
--- a/tests/vault/env_cleanup.yml
+++ b/tests/vault/env_cleanup.yml
@@ -40,7 +40,7 @@

  - name: Remove files from target host.
    file:
-      path: "{{ ansible_env.HOME }}/{{ item }}"
+      path: "{{ ansible_facts['env'].HOME }}/{{ item }}"
      state: absent
    with_items:
    - A_private.pem
--- a/tests/vault/env_setup.yml
+++ b/tests/vault/env_setup.yml
@@ -19,7 +19,7 @@
  - name: Copy files to target host.
    copy:
      src: "{{ playbook_dir }}/{{ item }}"
-      dest: "{{ ansible_env.HOME }}/{{ item }}"
+      dest: "{{ ansible_facts['env'].HOME }}/{{ item }}"
    with_items:
    - A_private.pem
    - A_public.pem
--- a/tests/vault/tasks_vault_members.yml
+++ b/tests/vault/tasks_vault_members.yml
@@ -151,7 +151,7 @@
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
      action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
    register: result
    failed_when: not result.changed

@@ -160,7 +160,7 @@
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
      action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
    register: result
    failed_when: result.changed

@@ -169,7 +169,7 @@
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
      action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
      state: absent
    register: result
    failed_when: not result.changed
@@ -179,7 +179,7 @@
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
      action: member
-      services: "HTTP/{{ ansible_fqdn }}"
+      services: "HTTP/{{ ansible_facts['fqdn'] }}"
      state: absent
    register: result
    failed_when: result.changed
@@ -264,7 +264,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: not result.changed
@@ -273,7 +273,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
      action: member
    register: result
    failed_when: result.changed
@@ -282,7 +282,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
      state: absent
      action: member
    register: result
@@ -292,7 +292,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: "{{vault.name}}"
-      ownerservices: "HTTP/{{ ansible_fqdn }}"
+      ownerservices: "HTTP/{{ ansible_facts['fqdn'] }}"
      state: absent
      action: member
    register: result
--- a/tests/vault/test_vault_asymmetric.yml
+++ b/tests/vault/test_vault_asymmetric.yml
@@ -68,7 +68,7 @@
      ipaadmin_password: SomeADMINpassword
      name: asymvault
      vault_type: asymmetric
-      public_key_file: "{{ ansible_env.HOME }}/A_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/A_public.pem"
      private_key: "{{ lookup('file', 'B_private.b64') }}"
    register: result
    failed_when: result.failed or not result.changed
@@ -77,7 +77,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: asymvault
-      private_key_file: "{{ ansible_env.HOME }}/A_private.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/A_private.pem"
      state: retrieved
    register: result
    failed_when: result.failed or result.changed or result.vault.data != 'SomeValue'
@@ -87,8 +87,8 @@
      ipaadmin_password: SomeADMINpassword
      name: asymvault
      vault_type: asymmetric
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
-      private_key_file: "{{ ansible_env.HOME }}/A_private.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/A_private.pem"
    register: result
    failed_when: result.failed or not result.changed

@@ -115,8 +115,8 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: asymvault
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
-      private_key_file: "{{ ansible_env.HOME }}/A_private.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/A_private.pem"
    register: result
    failed_when: result.failed or not result.changed

@@ -154,11 +154,11 @@
    register: result
    failed_when: result.vault.data != 'Hello World.' or result.changed

-  - name: Retrieve data from asymmetric vault into file {{ ansible_env.HOME }}/data.txt.
+  - name: Retrieve data from asymmetric vault into file {{ ansible_facts['env'].HOME }}/data.txt.
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: asymvault
-      out: "{{ ansible_env.HOME }}/data.txt"
+      out: "{{ ansible_facts['env'].HOME }}/data.txt"
      private_key: "{{ lookup('file', 'B_private.b64') }}"
      state: retrieved
    register: result
@@ -166,7 +166,7 @@

  - name: Verify retrieved data.
    slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
+      src: "{{ ansible_facts['env'].HOME }}/data.txt"
    register: slurpfile
    failed_when: slurpfile['content'] | b64decode != 'Hello World.'

@@ -192,7 +192,7 @@
      ipaadmin_password: SomeADMINpassword
      name: asymvault
      vault_type: asymmetric
-      in: "{{ ansible_env.HOME }}/in.txt"
+      in: "{{ ansible_facts['env'].HOME }}/in.txt"
    register: result
    failed_when: not result.changed

@@ -242,7 +242,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: asymvault
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
      vault_type: asymmetric
    register: result
    failed_when: not result.changed
@@ -251,7 +251,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: asymvault
-      public_key_file: "{{ ansible_env.HOME }}/B_public.pem"
+      public_key_file: "{{ ansible_facts['env'].HOME }}/B_public.pem"
      vault_type: asymmetric
    register: result
    failed_when: result.changed
@@ -277,7 +277,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: asymvault
-      private_key_file: "{{ ansible_env.HOME }}/B_private.pem"
+      private_key_file: "{{ ansible_facts['env'].HOME }}/B_private.pem"
      state: retrieved
    register: result
    failed_when: result.vault.data != 'Hello World.' or result.changed
--- a/tests/vault/test_vault_standard.yml
+++ b/tests/vault/test_vault_standard.yml
@@ -57,18 +57,18 @@
    register: result
    failed_when: result.vault.data != 'Hello World.' or result.changed

-  - name: Retrieve data from standard vault into file {{ ansible_env.HOME }}/data.txt.
+  - name: Retrieve data from standard vault into file {{ ansible_facts['env'].HOME }}/data.txt.
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: stdvault
-      out: "{{ ansible_env.HOME }}/data.txt"
+      out: "{{ ansible_facts['env'].HOME }}/data.txt"
      state: retrieved
    register: result
    failed_when: result.changed or result.failed or (result.vault.data | default(false))

  - name: Verify retrieved data.
    slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
+      src: "{{ ansible_facts['env'].HOME }}/data.txt"
    register: slurpfile
    failed_when: slurpfile['content'] | b64decode != 'Hello World.'

@@ -93,7 +93,7 @@
      ipaadmin_password: SomeADMINpassword
      name: stdvault
      vault_type: standard
-      in: "{{ ansible_env.HOME }}/in.txt"
+      in: "{{ ansible_facts['env'].HOME }}/in.txt"
    register: result
    failed_when: not result.changed

--- a/tests/vault/test_vault_symmetric.yml
+++ b/tests/vault/test_vault_symmetric.yml
@@ -63,19 +63,19 @@
    register: result
    failed_when: result.changed or result.failed or result.vault.data != 'Hello World.'

-  - name: Retrieve data from symmetric vault into file {{ ansible_env.HOME }}/data.txt.
+  - name: Retrieve data from symmetric vault into file {{ ansible_facts['env'].HOME }}/data.txt.
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      password: SomeVAULTpassword
-      out: "{{ ansible_env.HOME }}/data.txt"
+      out: "{{ ansible_facts['env'].HOME }}/data.txt"
      state: retrieved
    register: result
    failed_when: result.changed or result.failed or (result.vault.data | default(false))

  - name: Verify retrieved data.
    slurp:
-      src: "{{ ansible_env.HOME }}/data.txt"
+      src: "{{ ansible_facts['env'].HOME }}/data.txt"
    register: slurpfile
    failed_when: slurpfile['content'] | b64decode != 'Hello World.'

@@ -101,7 +101,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
-      in: "{{ ansible_env.HOME }}/in.txt"
+      in: "{{ ansible_facts['env'].HOME }}/in.txt"
      password: SomeVAULTpassword
    register: result
    failed_when: result.failed or not result.changed
@@ -154,7 +154,7 @@
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: user01
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
      vault_type: symmetric
    register: result
    failed_when: result.failed or not result.changed
@@ -164,7 +164,7 @@
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: user01
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
      vault_type: symmetric
    register: result
    failed_when: result.failed or result.changed
@@ -191,7 +191,7 @@
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
-      password_file: "{{ ansible_env.HOME }}/password.txt"
+      password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
      state: retrieved
    register: result
    failed_when: result.failed or result.changed or result.vault.data != 'Hello World.'
@@ -328,7 +328,7 @@
      ipaadmin_password: SomeADMINpassword
      name: symvault
      password: APasswordToChange
-      new_password_file: "{{ ansible_env.HOME }}/password.txt"
+      new_password_file: "{{ ansible_facts['env'].HOME }}/password.txt"
      vault_type: symmetric
    register: result
    failed_when: not result.changed or result.failed
--- a/utils/build-galaxy-release.sh
+++ b/utils/build-galaxy-release.sh
@@ -15,49 +15,61 @@ find . -name "*~" -exec rm {} \;
 sed -i -e "s/ansible.module_utils.ansible_freeipa_module/ansible_collections.${collection_prefix}.plugins.module_utils.ansible_freeipa_module/" plugins/modules/*.py

 (cd plugins/module_utils && {
-    ln -s ../../roles/*/module_utils/*.py .
+    ln -sf ../../roles/*/module_utils/*.py .
 })

 (cd plugins/modules && {
    sed -i -e "s/ansible.module_utils.ansible_ipa_/ansible_collections.${collection_prefix}.plugins.module_utils.ansible_ipa_/" ../../roles/*/library/*.py
-    ln -s ../../roles/*/library/*.py .
+    ln -sf ../../roles/*/library/*.py .
 })

 [ ! -x plugins/action_plugins ] && mkdir plugins/action_plugins
 (cd plugins/action_plugins && {
-    ln -s ../../roles/*/action_plugins/*.py .
+    ln -sf ../../roles/*/action_plugins/*.py .
 })

+echo "Fixing examples in plugins/modules..."
 find plugins/modules -name "*.py" -print0 |
-    while IFS= read -d -r '' line; do
-        python utils/galaxyfy-module-EXAMPLES.py "$x" \
+    while IFS= read -d '' -r line; do
+        python utils/galaxyfy-module-EXAMPLES.py "$line" \
               "ipa" "$collection_prefix"
    done
+echo -e "\033[AFixing examples in plugins/modules... \033[32;1mDONE\033[0m"

+echo "Fixing examples in roles/*/library..."
 find roles/*/library -name "*.py" -print0 |
-    while IFS= read -d -r '' line; do
-        python utils/galaxyfy-module-EXAMPLES.py "$x" \
+    while IFS= read -d '' -r line; do
+        python utils/galaxyfy-module-EXAMPLES.py "$line" \
               "ipa" "$collection_prefix"
    done
+echo -e "\033[AFixing examples in roles/*/library... \033[32;1mDONE\033[0m"

-for x in roles/*/tasks/*.yml; do
-    python utils/galaxyfy-playbook.py "$x" "ipa" "$collection_prefix"
+echo "Fixing playbooks in roles/*/tasks..."
+for line in roles/*/tasks/*.yml; do
+    python utils/galaxyfy-playbook.py "$line" "ipa" "$collection_prefix"
 done
+echo -e "\033[AFixing playbooks in roles/*tasks... \033[32;1mDONE\033[0m"

+echo "Fixing playbooks in playbooks..."
 find playbooks -name "*.yml" -print0 |
-    while IFS= read -d -r '' line; do
-        python utils/galaxyfy-playbook.py "$x" "ipa" "$collection_prefix"
+    while IFS= read -d '' -r line; do
+        python utils/galaxyfy-playbook.py "$line" "ipa" "$collection_prefix"
    done
+echo -e "\033[AFixing playbooks in playbooks... \033[32;1mDONE\033[0m"

+echo "Fixing README(s)..."
 find . -name "README*.md" -print0 |
-    while IFS= read -d -r '' line; do
-        python utils/galaxyfy-README.py "$x" "ipa" "$collection_prefix"
+    while IFS= read -d '' -r line; do
+        python utils/galaxyfy-README.py "$line" "ipa" "$collection_prefix"
    done
+echo -e "\033[AFixing examples in plugins/modules... \033[32;1mDONE\033[0m"

+echo "Fixing playbbooks in tests..."
 find tests -name "*.yml" -print0 |
-    while IFS= read -d -r '' line; do
-        python utils/galaxyfy-playbook.py "$x" "ipa" "$collection_prefix"
+    while IFS= read -d '' -r line; do
+        python utils/galaxyfy-playbook.py "$line" "ipa" "$collection_prefix"
    done
+echo -e "\033[AFixing playbooks in tests... \033[32;1mDONE\033[0m"

 #git diff
Author	SHA1	Message	Date
Thomas Woerner	408aa69ab0	tests/azure: Deactivate NTP in prepare-build In CentOS 8 and also Fedora the configuration and start of chrony fails with Fatal error : adjtimex(0x8001) failed : Operation not permitted For more information: https://bugzilla.redhat.com/show_bug.cgi?id=1772053 NTP will not be needed before a separate namespace is used for clocks.	2021-05-03 13:28:25 +02:00
Thomas Woerner	f24390473b	tests/azure: Set ANSIBLE_LIBRARY to fix unknown interpreter issue The ANSIBLE_LIBRARY environment variable needs to be set.	2021-04-30 16:29:53 +02:00
Rafael Guterres Jeffman	b598470c2b	Merge pull request #517 from xek/master Use ansible_facts variable	2021-04-07 21:38:05 -03:00
Rafael Guterres Jeffman	2e5a826ddb	Merge pull request #514 from FollowKenny/fix_ipabackup_var change variable in get_ipabackup_dir.yml and update README.md	2021-04-07 13:03:52 -03:00
Ivan PANICO	0e7f4e2b1b	change variable in get_ipabackup_dir.yml	2021-04-07 17:13:26 +02:00
Grzegorz Grasza	7a23531047	Use ansible_facts variable Without this change the "Import variables specific to distribution" tasks fail with "Could not find file on the Ansible Controller..." on environments with inject facts disabled. This changes the tests to run with ansible with inject_facts_as_vars = false and fixes other roles and playbooks.	2021-03-19 13:55:44 +01:00
Varun Mylaraiah	3c666ccdaa	Merge pull request #511 from t-woerner/ipaclient_otp_rmkeytab_error#7 ipaclient: Do not fail on rmkeytab error #7	2021-02-22 20:27:53 +05:30
Thomas Woerner	976cd1baa7	ipaclient: Do not fail on rmkeytab error #7 Due to commit f3f9672d527008dc741ac90aa465bac842eea08d (ipa-rmkeytab: Check return value of krb5_kt_(start\|end)_seq_get) in IPA 4.9.2 there is a new error reported for ipa-rmkeytab in case of a non existing keytab file. Using ipa-rmkeytab now results in the error #7 in this case. The client role is using ipa-rmkeytab and needs to ignore error #7 also. Fixes: #510 (ipa-client installation with OTP is failed with error code 7 (keytab: /usr/sbin/ipa-rmkeytab returned 7))	2021-02-22 13:28:04 +01:00
Varun Mylaraiah	5bed0d627b	Merge pull request #505 from rjeffman/fix_ipaselfservice_example_playbooks example playbooks: ipaselfservice examples mentioned ipadelegation.	2021-02-04 17:06:23 +05:30
Varun Mylaraiah	630c378ab1	Merge pull request #504 from rjeffman/fix_ipapermission_example_playbooks Fix ipapermission example playbooks	2021-02-04 17:03:59 +05:30
Rafael Guterres Jeffman	0447143047	example playbooks: ipaselfservice examples mentioned ipadelegation. The example playbooks for ipaselfservice were using the wrong module, ipadelegation. This patch changes the references from ipadelegation to ipaselfservice on these example playbooks. Also, the attributes were changed, so the same attributes are used throughout the examples.	2021-02-04 08:30:37 -03:00
Rafael Guterres Jeffman	6e45d1ea06	example playbooks: use only one permission name. By using only one permission name, examples are easier to follow.	2021-02-01 18:02:52 -03:00
Rafael Guterres Jeffman	be27a615d0	example playbooks: removed permission names from task names.	2021-02-01 18:02:33 -03:00
Rafael Guterres Jeffman	e2c6480fe0	example playbooks: Use default password in ipapermission examples. Example playbooks for ipapermission didn't have default password set.	2021-02-01 17:58:03 -03:00
Rafael Guterres Jeffman	873b69107e	example playbooks: Fix invalid variable in ipapermission playbooks. ipapremission playbooks were using the invalid attribute `perm_right`. The attribute was changed to `right`.	2021-02-01 17:55:32 -03:00
Rafael Guterres Jeffman	e2cb68de54	Merge pull request #495 from rjeffman/molecule_fix_image_build Fix container build.	2021-01-26 19:18:27 -03:00
Rafael Guterres Jeffman	be1720e9ea	Merge pull request #501 from enothen/500-Sudorule-fix-false-positive-changes Fixed names of member objects of sudorule	2021-01-26 19:17:26 -03:00
Rafael Guterres Jeffman	90779ed7ab	upstream CI: change name of base image for CentOS and Fedora. Building containers for CentOS and Fedora were failing due to image download failure. The container build process was fixed by changing the base images.	2021-01-26 16:25:57 -03:00
Rafael Guterres Jeffman	141554bd3d	upstream CI: Explicitly install Ansible. Without explicit installation, Ansible was failing to run on Azure pipelines. This change explicitly install the latest Ansible version available through `pip`.	2021-01-26 16:25:49 -03:00
Rafael Guterres Jeffman	dff921039d	upstream CI: update Azure vmImage to 'ubuntu-20.04'. In the near future, Github will use Ubuntu 20.04, for workflows, and this change will keep the upstream CI environment consistent between Github and Azure.	2021-01-26 16:25:36 -03:00
Eric Nothen	2cc4c27fa3	ipasudorule: Fix names of member objects. Fixed names of sudorule member objects, as they did not match the names provided by IdM. From: To: member_host memberhost_host member_hostgroup memberhost_hostgroup member_user memberuser_user member_group memberuser_group Fixes: #500	2021-01-26 18:55:26 +01:00
Thomas Woerner	38b3e817ad	Merge pull request #499 from rjeffman/utils_fix_covscan_findings_lint_check Fix build-galaxy.sh execution and add running info.	2021-01-18 15:04:49 +01:00
Rafael Guterres Jeffman	a292645a01	Fix build-galaxy.sh execution and add running info. This patch adds a missing argument to `read` and adds information on which step is being executed.	2021-01-18 10:46:19 -03:00
Thomas Woerner	6ffc51a75f	utils/build-galaxy-release.sh: Use proper variable for galaxify A wrong variable was used inside of the while IFS read loops. This prevented that the modules, playbooks, tasks, example playbooks and also tests have been adapted for the galaxy release naming scheme.	2021-01-18 14:19:41 +01:00
Varun Mylaraiah	b738085ba4	Merge pull request #493 from rjeffman/fix_dnsrecord_reverse_compatibility_mode Fix adding A/AAAA records with reverse in compatibility mode.	2021-01-18 16:58:22 +05:30
Varun Mylaraiah	9e912d2bd9	Merge pull request #492 from rjeffman/fix_ipa_permission_members Improve ipapermission member management.	2021-01-18 15:39:21 +05:30
Rafael Guterres Jeffman	71c0972b69	Improve ipapermission member management. In `ipapermission` plugin, Some attributtes were not being managed when `action: member` was enabled. This patch enable member management for `right`, `rawfilter`, `filter, and fixes management of `memberof`. Fix issue #489	2021-01-12 11:38:40 -03:00
Rafael Guterres Jeffman	5537492f7f	Fix adding A/AAAA records with reverse in compatibility mode. When adding A or AAAA records using the compatibility mode with Ansible's community general plugin, the reverse (PTR) record was added, but the A/AAAA record was not. This patch fixes the behavior. Fix issue #491	2021-01-11 17:09:36 -03:00
Rafael Guterres Jeffman	0cfd07a709	Merge pull request #490 from freeipa/t-woerner-permission-typo1 Fix typo in README-permission.md	2021-01-11 09:50:34 -03:00