Merge pull request #499 from rjeffman/utils_fix_covscan_findings_lint_check

Fix build-galaxy.sh execution and add running info.
2026-05-13 21:12:02 +00:00 · 2021-01-18 15:04:49 +01:00 · 2021-01-18 10:46:19 -03:00 · 2021-01-18 14:19:41 +01:00 · 2021-01-18 16:58:22 +05:30 · 2021-01-18 15:39:21 +05:30
357 changed files with 15870 additions and 10871 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,23 @@
 exclude_paths:
  - roles
  - .tox
  - .venv
 parseable: true
 quiet: false
 skip_list:
  - '201'  # Trailing whitespace
  - '204'  # Lines should be no longer than 160 chars
  - '206'  # Variables should have spaces before and after: {{ var_name }}'
  - '208'  # File permissions not mentioned
  - '301'  # Commands should not change things if nothing needs doing'
  - '305'  # Use shell only when shell functionality is required'
  - '306'  # Shells that use pipes should set the pipefail option'
  - '502'  # All tasks should be named
  - '505'  # Referenced missing file
 use_default_rules: true
 verbosity: 1
--- a/.copr/Makefile
+++ b/.copr/Makefile
@@ -0,0 +1,9 @@
 srpm:
 	# Setup development environment
 	echo "Installing base development environment"
 	dnf install -y dnf-plugins-core git-all
 	echo "Call SRPM build Script"
 	./utils/build-srpm.sh
 	if [[ "${outdir}" != "" ]]; then \
 		mv /builddir/build/SRPMS/* ${outdir}; \
 	fi
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,16 @@
 ---
 name: Verify Ansible documentation.
 on:
  - push
  - pull_request
 jobs:
  check_docs:
    name: Check Ansible Documentation.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Run ansible-doc-test
        run: ANSIBLE_LIBRARY="." python utils/ansible-doc-test roles plugins
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,33 @@
 ---
 name: Run Linters
 on:
  - push
  - pull_request
 jobs:
  linters:
    name: Run Linters
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.6"
      - name: Run ansible-lint
        uses: ansible/ansible-lint-action@master
        with:
          targets: |
            tests/*.yml
            tests/*/*.yml
            tests/*/*/*.yml
            playbooks/*.yml
            playbooks/*/*.yml
        env:
          ANSIBLE_MODULE_UTILS: plugins/module_utils
          ANSIBLE_LIBRARY: plugins/modules
      - name: Run yaml-lint
        uses: ibiqlik/action-yamllint@v1
      - name: Run Python linters
        uses: rjeffman/python-lint-action@v2
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
 *.pyc
 *.retry
 # ignore virtual environments
 /.tox/
 /.venv/
 tests/logs/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,31 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
  rev: v4.3.5
  hooks:
  - id: ansible-lint
    always_run: false
    pass_filenames: true
    files: \.(yaml|yml)$
    entry: env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ansible-lint --force-color
 - repo: https://github.com/adrienverge/yamllint.git
  rev: v1.25.0
  hooks:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://gitlab.com/pycqa/flake8
  rev: 3.8.4
  hooks:
  - id: flake8
 - repo: https://gitlab.com/pycqa/pydocstyle
  rev: 5.1.1
  hooks:
  - id: pydocstyle
 - repo: local
  hooks:
  - id: ansible-doc-test
    name: Verify Ansible roles and module documentation.
    language: script
    entry: utils/ansible-doc-test
    # args: ['-v', 'roles', 'plugins']
    files: ^.*.py$
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,28 @@
 ---
 ignore: |
  /.tox/
  /.venv/
  /.github/
 extends: default
 rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  truthy:
    allowed-values: ["yes", "no", "true", "false", "True", "False"]
    level: error
  # Disabled rules
  document-start: disable
  indentation: disable
  line-length: disable
  colons: disable
  empty-lines: disable
  comments: disable
  comments-indentation: disable
  trailing-spaces: disable
  new-line-at-end-of-file: disable
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,121 @@
 Contributing to ansible-freeipa
 ===============================
 As part of the [FreeIPA] project, ansible-freeipa follows
 [FreeIPA's Code of Conduct].
 Reporting bugs or Features
 --------------------------
 ansible-freeipa uses [Github issues] for the upstream development, so all RFEs
 and bug reports should be added there.
 If you have questions about the usage of ansible-freeipa modules and roles,
 you should also submit an issue, so that anyone that knows an answer can help.
 Development
 -----------
 Contribute code by submitting a [pull request]. All pull requests should be
 created against the `master` branch. If your PR fixes an open issue, please,
 add this information to the commit message, like _"Fix issue #num"_.
 Every PR will have to pass some automatic checks and be reviewed by another
 developer(s). Once they are approved, they will be merged.
 In your commits, use clear messages that include intent, summary of changes,
 and expected result. Use a template commit message [for modules] and
 [for roles].
 Upon review, it is fine to `force push` the changes.
 **Preparing the development environment**
 There are some useful tools that will help you develop for ansible-freeipa,
 and you should install, at least, the modules in `requirements.txt`. You
 can install the modules with your distribution package manager, or use pip,
 as in the example:
 ```
 python3 -m pip install --user -r requirements-dev.txt
 ```
 We recommend using [pre-commit] so that the basic checks that will be executed
 for your PR are executed locally, on your commits. To setup the pre-commit
 hooks, issue the command:
 ```
 pre-commit install
 ```
 **Developing new modules**
 When developing new modules use the script `utils/new_module`. If the module
 should have `action: member` support, use the flag `-m`.
 This script will create the basic structure for the module, the required files
 for tests, playbooks, documentation and source code, all at the appropriate
 places.
 **Other helpfull tools**
 Under directory `utils`, you will find other useful tools, like
 **lint-check.sh**, which will run the Python and YAML linters on your code,
 and **ansible-doc-test** which will verify if the documentation added to the
 roles and modules source code has the right format.
 Testing
 -------
 When testing ansible-freeipa's roles and modules, we aim to check if they
 do what they intend to do, report the results correctly, and if they are
 idempotent (although, sometimes the operation performed is not, like when
 renaming items). To achieve this, we use Ansible playbooks.
 The Ansible playbooks test can be found under the [tests] directory. They
 should test the behavior of the module or role, and, if possible, provide
 test cases for all attributes.
 There might be some limitation on the testing environment, as some attributes
 or operations are only available in some circumstances, like specific FreeIPA
 versions, or some more elaborate scenarios (for example, requiring a
 configured trust to an AD domain). For these cases, there are some `facts`
 available that will only enable the tests if the testing environment is
 enabled.
 The tests run automatically on every pull request, using Fedora, CentOS 7,
 and CentOS 8 environments.
 See the document [Running the tests] and also the section `Preparing the
 development environment`, to prepare your environment.
 Documentation
 -------------
 We do our best to provide a correct and complete documentation for the modules
 and roles we provide, but we sometimes miss something that users find it
 important to be documented.
 If you think something could be made easier to understand, or found an error
 or omission in the documentation, fixing it will help other users and make
 the experience on using the project much better.
 Also, the [playbooks] can be seen as part of the documentation, as they are
 examples of commonly performed tasks.
 ---
 [FreeIPA]: https://freeipa.org
 [FreeIPA's Code of Conduct]: https://github.com/freeipa/freeipa/blob/master/CODE_OF_CONDUCT.md
 [for modules]: https://github.com/freeipa/ansible-freeipa/pull/357
 [for roles]: https://github.com/freeipa/ansible-freeipa/pull/430
 [Github issues]: https://github.com/freeipa/ansible-freeipa/issues
 [pull request]: https://github.com/freeipa/ansible-freeipa/pulls
 [playbooks]: playbooks
 [pre-commit]: https://pre-commit.com
 [Running the tests]: tests/README.md
 [tests]: tests/
--- a/README-config.md
+++ b/README-config.md
@@ -19,6 +19,7 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
@@ -91,7 +92,7 @@ Variable | Description | Required
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | no
-`maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255 | no
+`maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
 `homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | no
 `defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | no
 `defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | no
--- a/README-delegation.md
+++ b/README-delegation.md
@@ -0,0 +1,157 @@
 Delegation module
 =================
 Description
 -----------
 The delegation module allows to ensure presence, absence of delegations and delegation attributes.
 Features
 --------
 * Delegation management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure delegation "basic manager attributes" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
      - employeetype
      group: managers
      membergroup: employees
 ```
 Example playbook to make sure delegation "basic manager attributes" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
 ```
 Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
 ```
 Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
 ```
 Example playbook to make sure delegation "basic manager attributes" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
 ```
 Variables
 ---------
 ipadelegation
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `aciname` | The list of delegation name strings. | yes
 `permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
 `attribute` \| `attrs` | The attribute list to which the delegation applies. | no
 `membergroup` \| `memberof` | The user group to apply delegation to. | no
 `group` | User group ACI grants access to. | no
 `action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -47,43 +47,52 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
  become: true
  tasks:
-  - name: ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8
+  - name: ensure presence of forwardzone with a single forwarder DNS server
    ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
      forwardpolicy: first
      skip_overlap_check: true
  - name: ensure the forward zone is disabled
    ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: disabled
-  - name: ensure presence of multiple upstream DNS servers for example.com
+  - name: ensure presence of forwardzone with multiple forwarder DNS server
    ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
-        - 8.8.8.8
+        - ip_address: 8.8.8.8
-        - 4.4.4.4
+        - ip_address: 4.4.4.4
  - name: ensure presence of another forwarder to any existing ones for example.com
    ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
-        - 1.1.1.1
+        - ip_address: 1.1.1.1
      action: member
-  - name: ensure the forwarder for example.com does not exists (delete it if needed)
+  - name: ensure presence of forwardzone with single forwarder DNS server on non-stardard port
    ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 4.4.4.4
          port: 8053
  - name: ensure the forward zone is absent
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: absent
 ```
@@ -99,9 +108,12 @@ Variable | Description | Required
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
-`forwarders` \| `idnsforwarders` |  Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`) | no
+`forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
-`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
+&nbsp; | `ip_address`: The forwarder IP address. | yes
 &nbsp; | `port`: The forwarder IP port. | no
 `forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
 `permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
--- a/README-dnszone.md
+++ b/README-dnszone.md
@@ -152,6 +152,46 @@ Example playbook to remove a zone:
 ```
 Example playbook to create a zone for reverse DNS lookup, from an IP address:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2
      state: present
 ```
 Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
 Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2/24
      state: present
    register: result
  - name: Display inferred zone name.
    debug:
      msg: "Zone name: {{ result.dnszone.name }}"
 ```
 Variables
 =========
@@ -163,7 +203,8 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` \| `zone_name` | The zone name string. | yes
+`name` \| `zone_name` | The zone name string or list of strings. | no
 `name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
 &nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
 &nbsp; | `port` - The custom port that should be used on this server. | no
@@ -189,6 +230,17 @@ Variable | Description | Required
 `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
 Return Values
 =============
 ipadnszone
 ----------
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: |  If `state` is `present`, `name_from_ip` is used, and a zone was created.
 &nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always
 Authors
 =======
--- a/README-group.md
+++ b/README-group.md
@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
@@ -107,6 +109,24 @@ Example playbook to add group members to a group:
      - appops
 ```
 Example playbook to add members from a trusted realm to an external group:
 ```yaml
 --
 - name: Playbook to handle groups.
  hosts: ipaserver
  became: true
  - name: Create an external group and add members from a trust to it.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: extgroup
      external: yes
      externalmember:
      - WINIPA\\Web Users
      - WINIPA\\Developers
 ```
 Example playbook to remove groups:
 ```yaml
@@ -137,6 +157,7 @@ Variable | Description | Required
 `name` \| `cn` | The list of group name strings. | no
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
 `posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
 `nonposix` | Create as a non-POSIX group. (bool) | no
 `external` | Allow adding external non-IPA members from trusted domains. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -145,6 +166,7 @@ Variable | Description | Required
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
--- a/README-host.md
+++ b/README-host.md
@@ -355,7 +355,7 @@ Variable | Description | Required
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
@@ -105,6 +107,23 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
      state: absent
 ```
 Example playbook to rename an existing playbook:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host-group databases is absent
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      rename: datalake
      state: renamed
 ```
 Example playbook to make sure host-group databases is absent:
 ```yaml
@@ -121,7 +140,6 @@ Example playbook to make sure host-group databases is absent:
      state: absent
 ```
 Variables
 =========
@@ -139,8 +157,9 @@ Variable | Description | Required
 `hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
 `membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
 `action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 Authors
--- a/README-location.md
+++ b/README-location.md
@@ -0,0 +1,92 @@
 Location module
 ===============
 Description
 -----------
 The location module allows to ensure presence and absence of locations.
 Features
 --------
 * Location management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure location "my_location1" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA location.
  hosts: ipaserver
  become: yes
  tasks:
  - ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      description: My Location 1
 ```
 Example playbook to make sure location "my_location1" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA location.
  hosts: ipaserver
  become: yes
  tasks:
  - ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      state: absent
 ```
 Variables
 ---------
 ipalocation
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `idnsname` | The list of location name strings. | yes
 `description` | The IPA location string | false
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-permission.md
+++ b/README-permission.md
@@ -0,0 +1,188 @@
 Permission module
 ============
 Description
 -----------
 The permission module allows to ensure presence and absence of permissions and permission members.
 Features
 --------
 * Permission management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure permission "MyPermission" is present:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission MyPermission is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
 ```
 Example playbook to ensure permission "MyPermission" is present with attr carlicense:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is present with attr carlicense
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
      attrs:
      - carlicense
 ```
 Example playbook to ensure attr gecos is present in permission "MyPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
 ```
 Example playbook to ensure attr gecos is absent in permission "MyPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
      state: absent
 ```
 Example playbook to make sure permission "MyPermission" is absent:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      state: absent
 ```
 Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is renamed to "MyNewPermission
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      rename: MyNewPermission
      state: renamed
 ```
 Variables
 ---------
 ipapermission
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The permission name string. | yes
 `right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
 `attrs` | All attributes to which the permission applies. | no
 `bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
 `subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
 `filter` \| `extratargetfilter` | Extra target filter | no
 `rawfilter` \| `ipapermtargetfilter` | All target filters | no
 `target` \| `ipapermtarget` | Optional DN to apply the permission to | no
 `targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
 `targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
 `memberof` | Target members of a group (sets memberOf targetfilter) | no
 `targetgroup` | User group to apply permissions to (sets target) | no
 `object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
 `no_members` | Suppress processing of membership | no
 `rename` | Rename the permission object | no
 `action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
 The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
 Authors
 =======
 Seth Kress
--- a/README-privilege.md
+++ b/README-privilege.md
@@ -0,0 +1,147 @@
 Privilege module
 ================
 Description
 -----------
 The privilege module allows to ensure presence and absence of privileges and privilege members.
 Features
 --------
 * Privilege management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure privilege "Broad Privilege" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      description: Broad Privilege
 ```
 Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege permission member.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "Write IPA Configuration"
      - "System: Write DNS Configuration"
      - "System: Update DNS Entries"
      action: member
 ```
 Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege permission member.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "Write IPA Configuration"
      action: member
      state: absent
 ```
 Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      rename: DNS Special Privilege
      state: renamed
 ```
 Example playbook to make sure privilege "DNS Special Privilege" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  - name: Ensure privilege Broad Privilege is absent
      ipaadmin_password: SomeADMINpassword
      name: DNS Special Privilege
      state: absent
 ```
 Variables
 ---------
 ipaprivilege
 ------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
 `name` \| `cn` | The list of privilege name strings. | yes
 `description` | Privilege description. | no
 `rename` \| `new_name` | Rename the privilege object. | no
 `permission` | Permissions to be added to the privilege. | no
 `action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-role.md
+++ b/README-role.md
@@ -0,0 +1,264 @@
 Role module
 ===========
 Description
 -----------
 The role module allows to ensure presence, absence of roles and members of roles.
 The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
 Features
 --------
 * Role management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the iparole module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure role is present with all members:
 ```yaml
 ---
 - name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
 ```
 Example playbook to rename a role:
 ```yaml
 - iparole:
    ipaadmin_password: SomeADMINpassword
    name: somerole
    rename: anotherrole
 ```
 Example playbook to make sure role is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA role.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      state: absent
 ```
 Example playbook to ensure a user is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      action: member
 ```
 Example playbook to ensure a group is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
 ```
 Example playbook to ensure a host is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
 ```
 Example playbook to ensure a hostgroup is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      hostgroup:
      - hostgroup01
      action: member
 ```
 Example playbook to ensure a service is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      service:
      - service01
      action: member
 ```
 Example playbook to ensure a privilege is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      privilege:
      - Group Administrators
      - User Administrators
      action: member
 ```
 Example playbook to ensure that different members are not associated with a role.
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
      action: member
      state: absent
 ```
 Variables
 ---------
 iparole
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of role name strings. | yes
 `description` | A description for the role. | no
 `rename` | Rename the role object. | no
 `privilege` | Privileges associated to this role. | no
 `user` | List of users to be assigned or not assigned to the role. | no
 `group` | List of groups to be assigned or not assigned to the role. | no
 `host` | List of hosts to be assigned or not assigned to the role. | no
 `hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
 `service` | List of services to be assigned or not assigned to the role. | no
 `action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Rafael Jeffman
--- a/README-selfservice.md
+++ b/README-selfservice.md
@@ -0,0 +1,151 @@
 Selfservice module
 =================
 Description
 -----------
 The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
 Features
 --------
 * Selfservice management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      permission: read
      attribute:
      - title
      - initials
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      state: absent
 ```
 Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      attribute:
      - initials
      action: member
 ```
 Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      attribute:
      - initials
      action: member
      state: absent
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      state: absent
 ```
 Variables
 ---------
 ipaselfservice
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `aciname` | The list of selfservice name strings. | yes
 `permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
 `attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
 `action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-service.md
+++ b/README-service.md
@@ -18,7 +18,7 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
-Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
@@ -56,7 +56,7 @@ Example playbook to make sure service is present:
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
-      certificate:
+      certificate: |
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -77,7 +77,7 @@ Example playbook to make sure service is present:
      requires_pre_auth: false
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
-      skip-host-check: true
+      skip_host_check: true
      force: true
 ```
@@ -167,7 +167,7 @@ Example playbook to ensure service has a certificate:
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
-      certificate:
+      certificate: |
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -294,11 +294,11 @@ Variable | Description | Required
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
-`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
 `force` | Force principal name even if host not in DNS. Default to false. (bool) | no
 `host` \| `managedby_host`| Hosts that can manage the service. | no
 `principal` \| `krbprincipalname` | List of principal aliases for the service. | no
--- a/README-trust.md
+++ b/README-trust.md
@@ -0,0 +1,119 @@
 Trust module
 ============
 Description
 -----------
 The trust module allows to ensure presence and absence of a domain trust.
 Features
 --------
 * Trust management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 * samba-4
 * ipa-server-trust-ad
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure a one-way trust is present:
 Omitting the two_way option implies the default of one-way
 ```yaml
 ---
 - name: Playbook to ensure a one-way trust is present
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the one-way trust present
    ipatrust:
      realm: ad.example.test
      admin: Administrator
      password: secret_password
      state: present
 ```
 Example playbook to ensure a two-way trust is present using a shared-secret:
 ```yaml
 ---
 - name: Playbook to ensure a two-way trust is present
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the two-way trust is present
    ipatrust:
      realm: ad.example.test
      trust_secret: my_share_Secret
      two_way: True
      state: present
 ```
 Example playbook to ensure a trust is absent:
 ```yaml
 ---
 - name: Playbook to ensure a trust is absent
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the trust is absent
    ipatrust:
      realm: ad.example.test
      state: absent
 ```
 This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
 Variables
 =========
 ipatrust
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `realm` | The realm name string. | yes
 `admin` | Active Directory domain administrator string. | no
 `password` | Active Directory domain administrator's password string. | no
 `server` | Domain controller for the Active Directory domain string. | no
 `trust_secret` | Shared secret for the trust string. | no
 `base_id` | First posix id for the trusted domain integer. | no
 `range_size` | Size of the ID range reserved for the trusted domain integer. | no
 `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
 `two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
 `external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 Authors
 =======
 Rob Verduijn
--- a/README-user.md
+++ b/README-user.md
@@ -437,7 +437,7 @@ There are only return values if one or more random passwords have been generated
 Variable | Description | Returned When
 -------- | ----------- | -------------
-`host` | Host dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
+`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
 &nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
 &nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
--- a/README-vault.md
+++ b/README-vault.md
@@ -130,7 +130,7 @@ Example playbook to make sure vault data is present in a symmetric vault:
      action: member
 ```
-Example playbook to retrieve vault data from a symmetric vault:
+When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
 ```yaml
 ---
@@ -139,12 +139,19 @@ Example playbook to retrieve vault data from a symmetric vault:
  become: true
  tasks:
-  - ipavault:
+  - name: Retrieve data from vault and register it in 'ipavault'
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      state: retrieved
    no_log: yes
    register: ipavault
  - name: Print retrieved data from vault
    debug:
      var: ipavault.vault.data
 ```
 Example playbook to make sure vault data is absent in a symmetric vault:
@@ -165,6 +172,22 @@ Example playbook to make sure vault data is absent in a symmetric vault:
      state: absent
 ```
 Example playbook to change the password of a symmetric:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      old_password: SomeVAULTpassword
      new_password: SomeNEWpassword
 ```
 Example playbook to make sure vault is absent:
 ```yaml
@@ -181,7 +204,7 @@ Example playbook to make sure vault is absent:
      state: absent
    register: result
  - debug:
-      msg: "{{ result.data }}"
+      msg: "{{ result.vault.data }}"
 ```
 Variables
@@ -197,8 +220,11 @@ Variable | Description | Required
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
-`password ` \| `vault_password` \| `ipavaultpassword` | Vault password. | no
+`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
-`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
+`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
 `new_password` | Vault new password. | no
 `new_password_file` | File containing Base64 encoded new Vault password. | no
 `public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
 `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
 `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
@@ -227,7 +253,8 @@ There is only a return value if `state` is `retrieved`.
 Variable | Description | Returned When
 -------- | ----------- | -------------
-`data` | The data stored in the vault. | If `state` is `retrieved`.
+`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
 &nbsp; | `data` - The vault data. | Always
 Notes
--- a/README.md
+++ b/README.md
@@ -11,6 +11,10 @@ Features
 * Cluster deployments: Server, replicas and clients in one playbook
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
 * Backup and restore, also to and from controller
 * Modules for config management
 * Modules for delegation management
 * Modules for dns config management
 * Modules for dns forwarder management
 * Modules for dns record management
 * Modules for dns zone management
@@ -20,12 +24,18 @@ Features
 * Modules for hbacsvcgroup management
 * Modules for host management
 * Modules for hostgroup management
 * Modules for location management
 * Modules for permission management
 * Modules for privilege management
 * Modules for pwpolicy management
 * Modules for role management
 * Modules for self service management
 * Modules for service management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
 * Modules for topology management
 * Modules fot trust management
 * Modules for user management
 * Modules for vault management
@@ -144,7 +154,7 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```
-The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
+The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
 You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
 ```yaml
@@ -406,10 +416,13 @@ Roles
 * [Server](roles/ipaserver/README.md)
 * [Replica](roles/ipareplica/README.md)
 * [Client](roles/ipaclient/README.md)
 * [Backup](roles/ipabackup/README.md)
 Modules in plugin/modules
 =========================
 * [ipaconfig](README-config.md)
 * [ipadelegation](README-delegation.md)
 * [ipadnsconfig](README-dnsconfig.md)
 * [ipadnsforwardzone](README-dnsforwardzone.md)
 * [ipadnsrecord](README-dnsrecord.md)
@@ -420,13 +433,19 @@ Modules in plugin/modules
 * [ipahbacsvcgroup](README-hbacsvc.md)
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [ipalocation](README-ipalocation.md)
 * [ipapermission](README-ipapermission.md)
 * [ipaprivilege](README-ipaprivilege.md)
 * [ipapwpolicy](README-pwpolicy.md)
 * [iparole](README-role.md)
 * [ipaselfservice](README-ipaselfservice.md)
 * [ipaservice](README-service.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
 * [ipatrust](README-trust.md)
 * [ipauser](README-user.md)
 * [ipavault](README-vault.md)
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -1,22 +0,0 @@
 trigger:
 - master
 pool:
  vmImage: 'ubuntu-18.04'
 steps:
 - task: UsePythonVersion@0
  inputs:
    versionSpec: '3.6'
 - script: python -m pip install --upgrade pip setuptools wheel
  displayName: Install tools
 - script: pip install pydocstyle flake8
  displayName: Install dependencies
 - script: flake8 .
  displayName: Run flake8 checks
 - script: pydocstyle .
  displayName: Verify docstings
--- a/molecule/centos-7-build/molecule.yml
+++ b/molecule/centos-7-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7-build
    image: centos/systemd
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/centos-7/molecule.yml
+++ b/molecule/centos-7/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7
    image: quay.io/ansible-freeipa/upstream-tests:centos-7
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/centos-8-build/molecule.yml
+++ b/molecule/centos-8-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-8-build
    image: centos:8
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/centos-8/molecule.yml
+++ b/molecule/centos-8/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-8
    image: quay.io/ansible-freeipa/upstream-tests:centos-8
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/default
+++ b/molecule/default
@@ -0,0 +1 @@
 centos-8
--- a/molecule/fedora-latest-build/Dockerfile
+++ b/molecule/fedora-latest-build/Dockerfile
@@ -0,0 +1,30 @@
 FROM fedora:latest
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-latest-build/molecule.yml
+++ b/molecule/fedora-latest-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest-build
    image: fedora-latest
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/fedora-latest/molecule.yml
+++ b/molecule/fedora-latest/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest
    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/resources/playbooks/library
+++ b/molecule/resources/playbooks/library
@@ -0,0 +1 @@
 ../../../plugins/modules/
--- a/molecule/resources/playbooks/module_utils
+++ b/molecule/resources/playbooks/module_utils
@@ -0,0 +1 @@
 ../../../plugins/module_utils/
--- a/molecule/resources/playbooks/prepare-build.yml
+++ b/molecule/resources/playbooks/prepare-build.yml
@@ -0,0 +1,27 @@
 ---
 - name: Converge
  hosts: all
  tasks:
  - include_tasks: prepare-common.yml
  - name: Ensure sudo package is installed
    package:
      name: sudo
  - name: Ensure nss package is updated
    package:
      name: nss
      state: latest  # noqa 403
  - include_role:
      name: ipaserver
    vars:
      ipaserver_setup_dns: yes
      ipaserver_setup_kra: yes
      ipaserver_auto_forwarders: yes
      ipaserver_no_dnssec_validation: yes
      ipaserver_auto_reverse: yes
      ipaadmin_password: SomeADMINpassword
      ipadm_password: SomeDMpassword
      ipaserver_domain: test.local
      ipaserver_realm: TEST.LOCAL
--- a/molecule/resources/playbooks/prepare-common.yml
+++ b/molecule/resources/playbooks/prepare-common.yml
@@ -0,0 +1,33 @@
 # IPA depends on IPv6 and without it dirsrv service won't start.
 - name: Ensure IPv6 is ENABLED
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: yes
    state: present
    reload: yes
  with_items :
    - name: net.ipv6.conf.all.disable_ipv6
      value: 0
    - name: net.ipv6.conf.lo.disable_ipv6
      value: 0
    - name: net.ipv6.conf.eth0.disable_ipv6
      value: 1
 # Set fs.protected_regular to 0
 #   This is needed in some IPA versions in order to get KRA enabled.
 #   See https://pagure.io/freeipa/issue/7906 for more information.
 - name: stat protected_regular
  stat:
    path: /proc/sys/fs/protected_regular
  register: result
 - name: Ensure fs.protected_regular is disabled
  sysctl:
    name: fs.protected_regular
    value: 0
    sysctl_set: yes
    state: present
    reload: yes
  when: result.stat.exists
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -0,0 +1,26 @@
 ---
 - name: Converge
  hosts: all
  tasks:
  - include_tasks: prepare-common.yml
  # In some distros DS won't start up after reboot
  #   This is due to a problem in 389-ds. See tickets:
  #   * https://pagure.io/389-ds-base/issue/47429
  #   * https://pagure.io/389-ds-base/issue/51039
  #
  # To avoid this problem we create the directories before starting IPA.
  - name: Ensure lock dirs for DS exists
    file:
      state: directory
      owner: dirsrv
      group: dirsrv
      path: "{{ item }}"
    loop:
      - /var/lock/dirsrv/
      - /var/lock/dirsrv/slapd-TEST-LOCAL/
  - name: Ensure IPA server is up an running
    service:
      name: ipa
      state: started
--- a/molecule/resources/playbooks/roles
+++ b/molecule/resources/playbooks/roles
@@ -0,0 +1 @@
 ../../../roles/
--- a/playbooks/backup-server-to-controller.yml
+++ b/playbooks/backup-server-to-controller.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to backup IPA server to controller
  hosts: ipaserver
  become: true
  vars:
    ipabackup_to_controller: yes
    # ipabackup_keep_on_server: yes
  roles:
  - role: ipabackup
    state: present
--- a/playbooks/backup-server.yml
+++ b/playbooks/backup-server.yml
@@ -0,0 +1,8 @@
 ---
 - name: Playbook to backup IPA server
  hosts: ipaserver
  become: true
  roles:
  - role: ipabackup
    state: present
--- a/playbooks/copy-all-backups-from-server.yml
+++ b/playbooks/copy-all-backups-from-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy all backups from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: all
    ipabackup_to_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/copy-backup-from-controller.yml
+++ b/playbooks/copy-backup-from-controller.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy a backup from controller to the IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipaserver.test.local_ipa-full-2020-10-22-11-11-44
    ipabackup_from_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/copy-backup-from-server.yml
+++ b/playbooks/copy-backup-from-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy backup from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipa-full-2020-10-22-11-11-44
    ipabackup_to_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/delegation/delegation-absent.yml
+++ b/playbooks/delegation/delegation-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Delegation absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
--- a/playbooks/delegation/delegation-member-absent.yml
+++ b/playbooks/delegation/delegation-member-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation member absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
--- a/playbooks/delegation/delegation-member-present.yml
+++ b/playbooks/delegation/delegation-member-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Delegation member present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - departmentnumber
      action: member
--- a/playbooks/delegation/delegation-present.yml
+++ b/playbooks/delegation/delegation-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
      group: managers
      membergroup: employees
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: absent
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
      forwardpolicy: first
      skip_overlap_check: true
      permission: yes
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      forwarders:
        - ip_address: 192.168.100.123
          port: 8063
--- a/playbooks/dnszone/dnszone-reverse-from-ip.yml
+++ b/playbooks/dnszone/dnszone-reverse-from-ip.yml
@@ -0,0 +1,15 @@
 ---
 - name: Playbook to ensure DNS zone exist
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone exist, finding zone name from IP address.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 10.1.2.3/24
    register: result
  - name: Zone name inferred from `name_from_ip`
    debug:
      msg: "Zone created: {{ result.dnszone.name }}"
--- a/playbooks/host/host-member-managedby_host-absent.yml
+++ b/playbooks/host/host-member-managedby_host-absent.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.exmaple.com
      managedby_host: server.exmaple.com
--- a/playbooks/host/host-member-managedby_host-present.yml
+++ b/playbooks/host/host-member-managedby_host-present.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.exmaple.com
      managedby_host: server.exmaple.com
--- a/playbooks/host/host-present-with-managedby_host.yml
+++ b/playbooks/host/host-present-with-managedby_host.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.exmaple.com
      managedby_host: server.exmaple.com
--- a/playbooks/host/hosts-member-managedby_host-absent.yml
+++ b/playbooks/host/hosts-member-managedby_host-absent.yml
@@ -4,6 +4,7 @@
  become: true
  tasks:
  - name: Ensure hosts manadegby_host is absent.
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
--- a/playbooks/host/hosts-member-managedby_host-present.yml
+++ b/playbooks/host/hosts-member-managedby_host-present.yml
@@ -4,6 +4,7 @@
  become: true
  tasks:
  - name: Ensure hosts manadegby_host is absent.
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
--- a/playbooks/host/hosts-present-with-managedby_host.yml
+++ b/playbooks/host/hosts-present-with-managedby_host.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
      - name: host01.exmaple.com
--- a/playbooks/host/hosts-present-with-randompasswords.yml
+++ b/playbooks/host/hosts-present-with-randompasswords.yml
@@ -23,4 +23,3 @@
  - name: Print generated random password for host02.example.com
    debug:
      var: ipahost.host["host02.example.com"].randompassword
--- a/playbooks/hostgroup/rename-hostgroup.yml
+++ b/playbooks/hostgroup/rename-hostgroup.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: yes
  tasks:
  - name : Rename host-group from `databases` to `datalake`
    ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      rename: datalake
      state: renamed
--- a/playbooks/location/location-absent.yml
+++ b/playbooks/location/location-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Location absent test
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure location my_location1 is absent
    ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      state: absent
--- a/playbooks/location/location-present.yml
+++ b/playbooks/location/location-present.yml
@@ -0,0 +1,10 @@
 ---
 - name: Location present test
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure location my_location1 is present
    ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
--- a/playbooks/permission/permission-absent.yml
+++ b/playbooks/permission/permission-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is absent
    ipapermission:
      name: TestPerm1
      state: absent
--- a/playbooks/permission/permission-allow-read-employeenum.yml
+++ b/playbooks/permission/permission-allow-read-employeenum.yml
@@ -0,0 +1,15 @@
 ---
 - name: Permission Allow Read Employee Number Example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm2 is present with Read rights to employeenumber
    ipapermission:
      name: TestPerm2
      object_type: user
      perm_rights: 
        - read
        - search
        - compare
      attrs: employeenumber
--- a/playbooks/permission/permission-member-absent.yml
+++ b/playbooks/permission/permission-member-absent.yml
@@ -0,0 +1,12 @@
 ---
 - name: Permission absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege User Administrators privilege is absent on Permission TestPerm1
    ipapermission:
      name: TestPerm1
      privilege: "User Administrators"
      action: member
      state: absent
--- a/playbooks/permission/permission-member-present.yml
+++ b/playbooks/permission/permission-member-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission member present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is present with the User Administrators privilege present
    ipapermission:
      name: TestPerm1
      privilege: "User Administrators"
      action: member
--- a/playbooks/permission/permission-present.yml
+++ b/playbooks/permission/permission-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is present
    ipapermission:
      name: TestPerm1
      object_type: host
      perm_rights: all
--- a/playbooks/permission/permission-renamed.yml
+++ b/playbooks/permission/permission-renamed.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is present
    ipapermission:
      name: TestPerm1
      rename: TestPermRenamed
      state: renamed
--- a/playbooks/privilege/privilege-absent.yml
+++ b/playbooks/privilege/privilege-absent.yml
@@ -0,0 +1,10 @@
 ---
 - name: Privilege absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege "Broad Privilege" is absent
    ipaprivilege:
      name: Broad Privilege
      state: absent
--- a/playbooks/privilege/privilege-member-absent.yml
+++ b/playbooks/privilege/privilege-member-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Privilege absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege "Broad Privilege" permission is absent
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "System: Write IPA Configuration"
      action: member
      state: absent
--- a/playbooks/privilege/privilege-member-present.yml
+++ b/playbooks/privilege/privilege-member-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Privilege member present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege "Broad Privilege" permissions are present
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "System: Write IPA Configuration"
      - "System: Write DNS Configuration"
      - "System: Update DNS Entries"
      action: member
--- a/playbooks/privilege/privilege-present.yml
+++ b/playbooks/privilege/privilege-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Privilege present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege Broad Privilege is present
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      description: Broad Privilege
--- a/playbooks/remove-all-backups-from-server.yml
+++ b/playbooks/remove-all-backups-from-server.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to remove all backups from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: all
  roles:
  - role: ipabackup
    state: absent
--- a/playbooks/remove-backup-from-server.yml
+++ b/playbooks/remove-backup-from-server.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to remove backup from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipa-full-2020-10-22-11-11-44
  roles:
  - role: ipabackup
    state: absent
--- a/playbooks/restore-server-from-controller.yml
+++ b/playbooks/restore-server-from-controller.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to restore IPA server from controller
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipaserver.el83.local_ipa-full-2020-10-22-11-11-44
    ipabackup_password: SomeDMpassword
    ipabackup_from_controller: yes
  roles:
  - role: ipabackup
    state: restored
--- a/playbooks/restore-server.yml
+++ b/playbooks/restore-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to restore an IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipa-full-2020-10-22-11-11-44
    ipabackup_password: SomeDMpassword
  roles:
  - role: ipabackup
    state: restored
--- a/playbooks/role/role-is-absent.yml
+++ b/playbooks/role/role-is-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to manage IPA role.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      state: absent
--- a/playbooks/role/role-is-present.yml
+++ b/playbooks/role/role-is-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to manage IPA role.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      description: A role in IPA.
--- a/playbooks/role/role-member-group-absent.yml
+++ b/playbooks/role/role-member-group-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      group:
      - group01
      action: member
      state: absent
--- a/playbooks/role/role-member-group-present.yml
+++ b/playbooks/role/role-member-group-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      group:
      - group01
      action: member
--- a/playbooks/role/role-member-host-absent.yml
+++ b/playbooks/role/role-member-host-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
      state: absent
--- a/playbooks/role/role-member-host-present.yml
+++ b/playbooks/role/role-member-host-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
--- a/playbooks/role/role-member-hostgroup-absent.yml
+++ b/playbooks/role/role-member-hostgroup-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      hostgroup:
      - hostgroup01
      action: member
      state: absent
--- a/playbooks/role/role-member-hostgroup-present.yml
+++ b/playbooks/role/role-member-hostgroup-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      hostgroup:
      - hostgroup01
      action: member
--- a/playbooks/role/role-member-privilege-absent.yml
+++ b/playbooks/role/role-member-privilege-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      privilege:
      - Group Administrators
      - User Administrators
      action: member
      state: absent
--- a/playbooks/role/role-member-privilege-present.yml
+++ b/playbooks/role/role-member-privilege-present.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      privilege:
      - Group Administrators
      - User Administrators
      action: member
--- a/playbooks/role/role-member-service-absent.yml
+++ b/playbooks/role/role-member-service-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: testrole
      service:
      - http/www.example.com
      action: member
      state: absent
--- a/playbooks/role/role-member-service-present.yml
+++ b/playbooks/role/role-member-service-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      service:
      - service01
      action: member
--- a/playbooks/role/role-member-user-absent.yml
+++ b/playbooks/role/role-member-user-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      action: member
      state: absent
--- a/playbooks/role/role-member-user-present.yml
+++ b/playbooks/role/role-member-user-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      action: member
--- a/playbooks/role/role-members-absent.yml
+++ b/playbooks/role/role-members-absent.yml
@@ -0,0 +1,25 @@
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
      action: member
      state: absent
--- a/playbooks/role/role-members-present.yml
+++ b/playbooks/role/role-members-present.yml
@@ -0,0 +1,23 @@
 ---
 - name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
--- a/playbooks/role/role-rename.yml
+++ b/playbooks/role/role-rename.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to manage IPA role.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      rename: anotherrole
--- a/playbooks/selfservice/selfservice-absent.yml
+++ b/playbooks/selfservice/selfservice-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Delegation absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
--- a/playbooks/selfservice/selfservice-member-absent.yml
+++ b/playbooks/selfservice/selfservice-member-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation member absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
--- a/playbooks/selfservice/selfservice-member-present.yml
+++ b/playbooks/selfservice/selfservice-member-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Delegation member present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - departmentnumber
      action: member
--- a/playbooks/selfservice/selfservice-present.yml
+++ b/playbooks/selfservice/selfservice-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Delegation present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
--- a/playbooks/service/service-host-is-absent.yml
+++ b/playbooks/service/service-host-is-absent.yml
@@ -7,7 +7,7 @@
  tasks:
  # Ensure management host is absent.
  - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      host: "{{ groups.ipaserver[0] }}"
      action: member
--- a/playbooks/service/service-host-is-present.yml
+++ b/playbooks/service/service-host-is-present.yml
@@ -7,7 +7,7 @@
  tasks:
  # Ensure management host is present.
  - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      host: "{{ groups.ipaserver[0] }}"
      action: member
--- a/Show More
+++ b/Show More