Merge pull request #709 from t-woerner/automationhub_fixes2

More Automation Hub fixes

README-config.md

@@ -56,12 +56,12 @@ Example playbook to read config options:
       register: result
     - name: display default login shell
       debug:
-        msg: '{{ result.config.defaultlogin }}'
+        msg: '{{ result.config.defaultshell }}'
 
     - name: ensure defaultloginshell and maxusernamelength are set as required
       ipaconfig:
         ipaadmin_password: password
-        defaultlogin: /bin/bash
+        defaultshell: /bin/bash
         maxusername: 64
 ```
 

README-pwpolicy.md

@@ -81,7 +81,7 @@ Example playbook to ensure maxlife is set to 49 in global policy:
   become: true
 
   tasks:
-  # Ensure absence of pwpolicies for group ops
+  # Ensure maxlife is set to 49 in global policy
   - ipapwpolicy:
       ipaadmin_password: SomeADMINpassword
       maxlife: 49

molecule/centos-9-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM quay.io/centos/centos:stream9
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/centos-9-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-9-build
+    image: "quay.io/centos/centos:stream9"
+    dockerfile: Dockerfile
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

plugins/module_utils/ansible_freeipa_module.py

@@ -566,10 +566,76 @@ else:
         print(jsonify(kwargs))
         sys.exit(0)
 
-    class AnsibleFreeIPAParams(Mapping):
-        def __init__(self, ansible_module):
+    class IPAParamMapping(Mapping):
+        """
+        Provides IPA API mapping to playbook parameters or computed values.
+
+        It can be used to define a mapping of playbook parameters
+        or methods that provide computed values to IPA API arguments.
+
+        Playbook parameters can be retrieved as properties,
+        and the set of IPA arguments for a command can be
+        retrived with ``get_ipa_command_args()``. The keys for
+        ``param_mapping`` are also the keys of the argument set.
+
+        The values of ``param_mapping`` can be either:
+            * a str representing a key of ``AnsibleModule.params``.
+            * a callable.
+
+        In case of an ``AnsibleModule.param`` the value of the playbook
+        param will be used for that argument. If it is a ``callable``,
+        the value returned by the execution of it will be used.
+
+        Example:
+        -------
+            def check_params(ipa_params):
+                # Module parameters can be accessed as properties.
+                if len(ipa_params.name) == 0:
+                    ipa_params.ansible_module.fail_json(msg="No given name.")
+
+
+            def define_ipa_commands(self):
+                # Create the argument dict from the defined mapping.
+                args = self.get_ipa_command_args()
+
+                _commands = [("obj-name", "some_ipa_command", args)]
+                return _commands
+
+
+            def a_method_for_a_computed_param():
+                return "Some computed value"
+
+
+            def main():
+                ansible_module = SomeIPAModule(argument_spec=dict(
+                    name=dict(type="list", aliases=["cn"], required=True),
+                    state=dict(type="str", default="present",
+                               choices=["present", "absent"]),
+                    module_param=(type="str", required=False),
+                    )
+                )
+
+                # Define the playbook to IPA API mapping
+                ipa_param_mapping = {
+                    "arg_to_be_passed_to_ipa_command": "module_param",
+                    "another_arg": a_method_for_a_computed_param,
+                }
+                ipa_params = IPAParamMapping(
+                    ansible_module,
+                    param_mapping=ipa_param_mapping
+                )
+
+                check_params(ipa_params)
+                comands = define_ipa_commands(ipa_params)
+
+                ansible_module.execute_ipa_commands(commands)
+
+        """
+
+        def __init__(self, ansible_module, param_mapping=None):
             self.mapping = ansible_module.params
             self.ansible_module = ansible_module
+            self.param_mapping = param_mapping or {}
 
         def __getitem__(self, key):
             param = self.mapping[key]
@@ -590,6 +656,36 @@ else:
         def __getattr__(self, name):
             return self.get(name)
 
+        def get_ipa_command_args(self, **kwargs):
+            """Return a dict to be passed to an IPA command."""
+            args = {}
+            for ipa_param_name, param_name in self.param_mapping.items():
+
+                # Check if param_name is actually a param
+                if param_name in self.ansible_module.params:
+                    value = self.ansible_module.params_get(param_name)
+                    if isinstance(value, bool):
+                        value = "TRUE" if value else "FALSE"
+
+                # Since param wasn't a param check if it's a method name
+                elif callable(param_name):
+                    value = param_name(**kwargs)
+
+                # We don't have a way to guess the value so fail.
+                else:
+                    self.ansible_module.fail_json(
+                        msg=(
+                            "Couldn't get a value for '%s'. Option '%s' is "
+                            "not a module argument neither a defined method."
+                        )
+                        % (ipa_param_name, param_name)
+                    )
+
+                if value is not None:
+                    args[ipa_param_name] = value
+
+            return args
+
     class IPAAnsibleModule(AnsibleModule):
         """
         IPA Ansible Module.
@@ -1034,6 +1130,11 @@ else:
             # pylint: disable=super-with-arguments
             super(FreeIPABaseModule, self).__init__(*args, **kwargs)
 
+            self.deprecate(
+                msg="FreeIPABaseModule is deprecated. Use IPAAnsibleModule.",
+                version="1.5.0"
+            )
+
             # Status of an execution. Will be changed to True
             #   if something is actually peformed.
             self.changed = False
@@ -1049,11 +1150,6 @@ else:
             # Module exit arguments.
             self.exit_args = {}
 
-            # Wrapper around the AnsibleModule.params.
-            # Return the actual params but performing transformations
-            #   when needed.
-            self.ipa_params = AnsibleFreeIPAParams(self)
-
         def get_ipa_command_args(self, **kwargs):
             """
             Return a dict to be passed to an IPA command.
@@ -1074,97 +1170,77 @@ else:
             server).
 
             """
-            args = {}
-            for ipa_param_name, param_name in self.ipa_param_mapping.items():
-
-                # Check if param_name is actually a param
-                if param_name in self.ipa_params:
-                    value = self.ipa_params.get(param_name)
-                    if isinstance(value, bool):
-                        value = "TRUE" if value else "FALSE"
-
-                # Since param wasn't a param check if it's a method name
-                elif hasattr(self, param_name):
-                    method = getattr(self, param_name)
-                    if callable(method):
-                        value = method(**kwargs)
-
-                # We don't have a way to guess the value so fail.
-                else:
-                    self.fail_json(
-                        msg=(
-                            "Couldn't get a value for '%s'. Option '%s' is "
-                            "not a module argument neither a defined method."
-                        )
-                        % (ipa_param_name, param_name)
-                    )
-
-                if value is not None:
-                    args[ipa_param_name] = value
-
-            return args
+            self.deprecate(
+                msg=(
+                    "FreeIPABaseModule is deprecated. Use IPAAnsibleModule. "
+                    "Use 'AnsibleFreeIPAParams.get_ipa_command_args()', "
+                    "Instantiate it using the class 'ipa_params_mapping'."
+                ),
+                version="1.5.0"
+            )
+            mapping = IPAParamMapping(self, self.ipa_param_mapping)
+            return mapping.get_ipa_command_args(**kwargs)
 
         def check_ipa_params(self):
             """Validate ipa_params before command is called."""
+            self.deprecate(
+                msg=(
+                    "FreeIPABaseModule is deprecated. Use IPAAnsibleModule. "
+                ),
+                version="1.5.0"
+            )
             pass  # pylint: disable=unnecessary-pass
 
         def define_ipa_commands(self):
             """Define commands that will be run in IPA server."""
             raise NotImplementedError
 
-        def get_command_errors(self, command, result):
-            """Look for erros into command results."""
-            # Get all errors
-            # All "already a member" and "not a member" failures in the
-            # result are ignored. All others are reported.
-            errors = []
-            for item in result.get("failed", tuple()):
-                failed_item = result["failed"][item]
-                for member_type in failed_item:
-                    for member, failure in failed_item[member_type]:
-                        if (
-                            "already a member" in failure
-                            or "not a member" in failure
-                        ):
-                            continue
-                        errors.append(
-                            "%s: %s %s: %s"
-                            % (command, member_type, member, failure)
-                        )
-
-            if len(errors) > 0:
-                self.fail_json(", ".join("errors"))  # pylint: disable=E1121
-
         def add_ipa_command(self, command, name=None, args=None):
             """Add a command to the list of commands to be executed."""
             self.ipa_commands.append((name, command, args or {}))
 
         def _run_ipa_commands(self):
             """Execute commands in self.ipa_commands."""
-            if self.check_mode:
-                self.changed = len(self.ipa_commands) > 0
-                return
+            self.changed = self.execute_ipa_commands(
+                self.ipa_commands,
+                result_handler=self.process_results.__func__,
+                exit_args=self.exit_args
+            )
 
-            result = None
+        def process_results(
+            self, result, command, name, args, exit_args
+        ):  # pylint: disable=unused-argument
+            """
+            Process an API command result.
 
-            for name, command, args in self.ipa_commands:
-                try:
-                    result = self.ipa_command(command, name, args)
-                except Exception as excpt:
-                    self.fail_json(msg="%s: %s: %s" % (command, name,
-                                                       str(excpt)))
-                else:
-                    self.process_command_result(name, command, args, result)
-                self.get_command_errors(command, result)
+            This method must be overriden in subclasses if 'exit_args'
+            is to be modified.
+            """
+            self.deprecate(
+                msg=(
+                    "FreeIPABaseModule is deprecated. Use IPAAnsibleModule. "
+                ),
+                version="1.5.0"
+            )
+            self.process_command_result(name, command, args, result)
 
         def process_command_result(self, _name, _command, _args, result):
             """
             Process an API command result.
 
             This method can be overriden in subclasses, and
-            change self.exit_values
-            to return data in the result for the controller.
+            change self.exit_values to return data in the
+            result for the controller.
             """
+            self.deprecate(
+                msg=(
+                    "FreeIPABaseModule is deprecated. Use IPAAnsibleModule. "
+                    "To aid in porting to IPAAnsibleModule, change to "
+                    "'FreeIPABaseModule.process_results'."
+                ),
+                version="1.5.0"
+            )
+
             if "completed" in result:
                 if result["completed"] > 0:
                     self.changed = True
@@ -1178,12 +1254,26 @@ else:
             Returns True in case current IPA object attributes differ from
             args passed to the module.
             """
+            self.deprecate(
+                msg=(
+                    "FreeIPABaseModule is deprecated. Use IPAAnsibleModule. "
+                    "FreeIPABaseModule require_ipa_attrs_change() is "
+                    "deprecated. Use ansible_freeipa_module.compare_args()."
+                ),
+                version="1.5.0"
+            )
             equal = compare_args_ipa(self, command_args, ipa_attrs)
             return not equal
 
         def ipa_run(self):
             """Execute module actions."""
-            ipaapi_context = self.ipa_params.get("ipaapi_context")
+            self.deprecate(
+                msg=(
+                    "FreeIPABaseModule is deprecated. Use IPAAnsibleModule."
+                ),
+                version="1.5.0"
+            )
+            ipaapi_context = self.params_get("ipaapi_context")
             with self.ipa_connect(context=ipaapi_context):
                 self.check_ipa_params()
                 self.define_ipa_commands()

plugins/modules/README.md

@@ -1,6 +1,5 @@
 # Writing a new Ansible FreeIPA module
 
-## Minimum requirements
 A ansible-freeipa module should have:
 
 * Code:
@@ -13,68 +12,4 @@ A ansible-freeipa module should have:
 * Tests:
   * Test cases (also playbooks) defined in `tests/<module_name>/test_<something>.yml`. It's ok to have multiple files in this directory.
 
-## Code
-
-The module file have to start with the python shebang line, license header and definition of the constants `ANSIBLE_METADATA`, `DOCUMENTATION`, `EXAMPLES` and `RETURNS`. Those constants need to be defined before the code (even imports). See https://docs.ansible.com/ansible/latest/dev_guide/developing_modules_general.html#starting-a-new-module for more information.
-
-
-Although it's use is not yet required, ansible-freeipa provides `FreeIPABaseModule` as a helper class for the implementation of new modules. See the example bellow:
-
-```python
-
-from ansible.module_utils.ansible_freeipa_module import FreeIPABaseModule
-
-
-class SomeIPAModule(FreeIPABaseModule):
-    ipa_param_mapping = {
-        "arg_to_be_passed_to_ipa_command": "module_param",
-        "another_arg": "get_another_module_param",
-    }
-
-    def get_another_module_param(self):
-        another_module_param = self.ipa_params.another_module_param
-
-        # Validate or modify another_module_param ...
-
-        return another_module_param
-
-    def check_ipa_params(self):
-
-        # Validate your params here ...
-
-        # Example:
-        if not self.ipa_params.module_param in VALID_OPTIONS:
-            self.fail_json(msg="Invalid value for argument module_param")
-
-    def define_ipa_commands(self):
-        args = self.get_ipa_command_args()
-
-        self.add_ipa_command("some_ipa_command", name="obj-name", args=args)
-
-
-def main():
-    ipa_module = SomeIPAModule(argument_spec=dict(
-        module_param=dict(type="str", default=None, required=False),
-        another_module_param=dict(type="str", default=None, required=False),
-    ))
-    ipa_module.ipa_run()
-
-
-if __name__ == "__main__":
-    main()
-```
-
-In the example above, the module will call the command `some_ipa_command`, using "obj-name" as name and, `arg_to_be_passed_to_ipa_command` and `another_arg` as arguments.
-
-The values of the arguments will be determined by the class attribute `ipa_param_mapping`.
-
-In the case of `arg_to_be_passed_to_ipa_command` the key (`module_param`) is defined in the module `argument_specs` so the value of the argument is actually used.
-
-On the other hand, `another_arg` as mapped to something else: a callable method. In this case the method will be called and it's result used as value for `another_arg`.
-
-**NOTE**: Keep mind that to take advantage of the parameters mapping defined in `ipa_param_mapping` you will have to call `args = self.get_ipa_command_args()` and use `args` in your command. There is no implicit call of this method.
-
-
-## Disclaimer
-
-The `FreeIPABaseModule` is new and might not be suitable to all cases and every module yet. In case you need to extend it's functionality for a new module please open an issue or PR and we'll be happy to discuss it.
+Use the script `utils/new_module` to create the stub files for a new module.

plugins/modules/ipaautomember.py

@@ -194,19 +194,23 @@ def main():
         argument_spec=dict(
             # general
             inclusive=dict(type="list",
-                           aliases=["automemberinclusiveregex"], default=None,
+                           aliases=["automemberinclusiveregex"],
+                           default=None,
                            options=dict(
                                key=dict(type="str", required=True),
                                expression=dict(type="str", required=True)
                            ),
-                           elements="dict", required=False),
-            exclusive=dict(type="list", aliases=[
-                           "automemberexclusiveregex"], default=None,
+                           elements="dict",
+                           required=False),
+            exclusive=dict(type="list",
+                           aliases=["automemberexclusiveregex"],
+                           default=None,
                            options=dict(
                                key=dict(type="str", required=True),
                                expression=dict(type="str", required=True)
                            ),
-                           elements="dict", required=False),
+                           elements="dict",
+                           required=False),
             name=dict(type="list", aliases=["cn"],
                       default=None, required=True),
             description=dict(type="str", default=None),

plugins/modules/ipaautomountlocation.py

@@ -68,13 +68,16 @@ RETURN = '''
 '''
 
 from ansible.module_utils.ansible_freeipa_module import (
-    FreeIPABaseModule, ipalib_errors
+    IPAAnsibleModule, ipalib_errors
 )
 
 
-class AutomountLocation(FreeIPABaseModule):
+class AutomountLocation(IPAAnsibleModule):
 
-    ipa_param_mapping = {}
+    def __init__(self, *args, **kwargs):
+        # pylint: disable=super-with-arguments
+        super(AutomountLocation, self).__init__(*args, **kwargs)
+        self.commands = []
 
     def get_location(self, location):
         try:
@@ -87,40 +90,28 @@ class AutomountLocation(FreeIPABaseModule):
             return response.get("result", None)
 
     def check_ipa_params(self):
-        if len(self.ipa_params.name) == 0:
+        if len(self.params_get("name")) == 0:
             self.fail_json(msg="At least one location must be provided.")
 
     def define_ipa_commands(self):
+        state = self.params_get("state")
 
-        for location_name in self.ipa_params.name:
+        for location_name in self.params_get("name"):
             location = self.get_location(location_name)
 
-            if not location and self.ipa_params.state == "present":
+            if not location and state == "present":
                 # does not exist and is wanted
-                self.add_ipa_command(
-                    "automountlocation_add",
-                    name=location_name,
-                    args=None,
-                )
-            elif location and self.ipa_params.state == "absent":
+                self.commands.append(
+                    (location_name, "automountlocation_add", {}))
+            elif location and state == "absent":
                 # exists and is not wanted
-                self.add_ipa_command(
-                    "automountlocation_del",
-                    name=location_name,
-                    args=None,
-                )
+                self.commands.append(
+                    (location_name, "automountlocation_del", {}))
 
 
 def main():
     ipa_module = AutomountLocation(
         argument_spec=dict(
-            ipaadmin_principal=dict(type="str",
-                                    default="admin"
-                                    ),
-            ipaadmin_password=dict(type="str",
-                                   required=False,
-                                   no_log=True
-                                   ),
             state=dict(type='str',
                        default='present',
                        choices=['present', 'absent']
@@ -132,7 +123,12 @@ def main():
                       ),
         ),
     )
-    ipa_module.ipa_run()
+    ipaapi_context = ipa_module.params_get("ipaapi_context")
+    with ipa_module.ipa_connect(context=ipaapi_context):
+        ipa_module.check_ipa_params()
+        ipa_module.define_ipa_commands()
+        changed = ipa_module.execute_ipa_commands(ipa_module.commands)
+    ipa_module.exit_json(changed=changed)
 
 
 if __name__ == "__main__":

plugins/modules/ipaconfig.py

@@ -299,7 +299,7 @@ def main():
                                        "KDC:Disable Last Success",
                                        "KDC:Disable Lockout",
                                        "KDC:Disable Default Preauth for SPNs",
-                                       ""]), # noqa E128
+                                       ""]),  # noqa E128
             selinuxusermaporder=dict(type="list", required=False,
                                      aliases=['ipaselinuxusermaporder']),
             selinuxusermapdefault=dict(type="str", required=False,
@@ -365,15 +365,15 @@ def main():
 
     if params.get("ipadomainresolutionorder", None):
         params["ipadomainresolutionorder"] = \
-             ":".join(params["ipadomainresolutionorder"])
+            ":".join(params["ipadomainresolutionorder"])
 
     if params.get("ipausersearchfields", None):
         params["ipausersearchfields"] = \
-             ",".join(params["ipausersearchfields"])
+            ",".join(params["ipausersearchfields"])
 
     if params.get("ipagroupsearchfields", None):
         params["ipagroupsearchfields"] = \
-             ",".join(params["ipagroupsearchfields"])
+            ",".join(params["ipagroupsearchfields"])
 
     # verify limits on INT values.
     args_with_limits = [
@@ -418,12 +418,12 @@ def main():
                 if ansible_module.argument_spec.get(k):
                     arg_type = ansible_module.argument_spec[k]['type']
                     if k in (
-                           'ipaselinuxusermaporder', 'domain_resolution_order'
-                       ):
+                        'ipaselinuxusermaporder', 'domain_resolution_order'
+                    ):
                         exit_args[k] = result.get(key)[0].split('$')
                     elif k in (
-                           'usersearch', 'groupsearch'
-                       ):
+                        'usersearch', 'groupsearch'
+                    ):
                         exit_args[k] = result.get(key)[0].split(',')
                     elif isinstance(value, str) and arg_type == "list":
                         exit_args[k] = [value]

plugins/modules/ipadnsconfig.py

@@ -165,24 +165,23 @@ def gen_args(module, state, dnsconfig, forwarders, forward_policy,
 
 def main():
     forwarder_spec = dict(
-       ip_address=dict(type=str, required=True),
-       port=dict(type=int, required=False, default=None)
+        ip_address=dict(type=str, required=True),
+        port=dict(type=int, required=False, default=None)
     )
 
     ansible_module = IPAAnsibleModule(
-       argument_spec=dict(
-           # dnsconfig
-           forwarders=dict(type='list', default=None, required=False,
-                           options=dict(**forwarder_spec)),
-           forward_policy=dict(type='str', required=False, default=None,
-                               choices=['only', 'first', 'none']),
-           allow_sync_ptr=dict(type='bool', required=False, default=None),
+        argument_spec=dict(
+            # dnsconfig
+            forwarders=dict(type='list', default=None, required=False,
+                            options=dict(**forwarder_spec)),
+            forward_policy=dict(type='str', required=False, default=None,
+                                choices=['only', 'first', 'none']),
+            allow_sync_ptr=dict(type='bool', required=False, default=None),
 
-           # general
-           state=dict(type="str", default="present",
-                      choices=["present", "absent"]),
-
-       )
+            # general
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        )
     )
 
     ansible_module._ansible_debug = True

plugins/modules/ipadnsrecord.py

@@ -1108,12 +1108,13 @@ def configure_module():
             name=dict(type="list", aliases=["record_name"], default=None,
                       required=False),
 
-            records=dict(type="list", default=None,
+            records=dict(type="list",
+                         default=None,
                          options=dict(
-                            # Here name is a simple string
-                            name=dict(type='str', required=True,
-                                      aliases=['record_name']),
-                            **record_spec),
+                             # Here name is a simple string
+                             name=dict(type='str', required=True,
+                                       aliases=['record_name']),
+                             **record_spec),
                          ),
 
             # general

plugins/modules/ipadnszone.py

@@ -203,11 +203,13 @@ dnszone:
 
 from ipapython.dnsutil import DNSName  # noqa: E402
 from ansible.module_utils.ansible_freeipa_module import (
-    FreeIPABaseModule,
+    IPAAnsibleModule,
     is_ip_address,
     is_ip_network_address,
     is_valid_port,
-    ipalib_errors
+    ipalib_errors,
+    compare_args_ipa,
+    IPAParamMapping,
 )  # noqa: E402
 import netaddr
 from ansible.module_utils import six
@@ -217,31 +219,39 @@ if six.PY3:
     unicode = str
 
 
-class DNSZoneModule(FreeIPABaseModule):
+class DNSZoneModule(IPAAnsibleModule):
 
-    ipa_param_mapping = {
-        # Direct Mapping
-        "idnsforwardpolicy": "forward_policy",
-        "idnssoarefresh": "refresh",
-        "idnssoaretry": "retry",
-        "idnssoaexpire": "expire",
-        "idnssoaminimum": "minimum",
-        "dnsttl": "ttl",
-        "dnsdefaultttl": "default_ttl",
-        "idnsallowsyncptr": "allow_sync_ptr",
-        "idnsallowdynupdate": "dynamic_update",
-        "idnssecinlinesigning": "dnssec",
-        "idnsupdatepolicy": "update_policy",
-        # Mapping by method
-        "idnsforwarders": "get_ipa_idnsforwarders",
-        "idnsallowtransfer": "get_ipa_idnsallowtransfer",
-        "idnsallowquery": "get_ipa_idnsallowquery",
-        "idnssoamname": "get_ipa_idnssoamname",
-        "idnssoarname": "get_ipa_idnssoarname",
-        "skip_nameserver_check": "get_ipa_skip_nameserver_check",
-        "skip_overlap_check": "get_ipa_skip_overlap_check",
-        "nsec3paramrecord": "get_ipa_nsec3paramrecord",
-    }
+    def __init__(self, *args, **kwargs):
+        # pylint: disable=super-with-arguments
+        super(DNSZoneModule, self).__init__(*args, **kwargs)
+
+        ipa_param_mapping = {
+            # Direct Mapping
+            "idnsforwardpolicy": "forward_policy",
+            "idnssoarefresh": "refresh",
+            "idnssoaretry": "retry",
+            "idnssoaexpire": "expire",
+            "idnssoaminimum": "minimum",
+            "dnsttl": "ttl",
+            "dnsdefaultttl": "default_ttl",
+            "idnsallowsyncptr": "allow_sync_ptr",
+            "idnsallowdynupdate": "dynamic_update",
+            "idnssecinlinesigning": "dnssec",
+            "idnsupdatepolicy": "update_policy",
+            # Mapping by method
+            "idnsforwarders": self.get_ipa_idnsforwarders,
+            "idnsallowtransfer": self.get_ipa_idnsallowtransfer,
+            "idnsallowquery": self.get_ipa_idnsallowquery,
+            "idnssoamname": self.get_ipa_idnssoamname,
+            "idnssoarname": self.get_ipa_idnssoarname,
+            "skip_nameserver_check": self.get_ipa_skip_nameserver_check,
+            "skip_overlap_check": self.get_ipa_skip_overlap_check,
+            "nsec3paramrecord": self.get_ipa_nsec3paramrecord,
+        }
+
+        self.commands = []
+        self.ipa_params = IPAParamMapping(self, ipa_param_mapping)
+        self.exit_args = {}
 
     def validate_ips(self, ips, error_msg):
         invalid_ips = [
@@ -441,39 +451,34 @@ class DNSZoneModule(FreeIPABaseModule):
         for zone_name in self.get_zone_names():
             # Look for existing zone in IPA
             zone, is_zone_active = self.get_zone(zone_name)
-            args = self.get_ipa_command_args(zone=zone)
+            args = self.ipa_params.get_ipa_command_args(zone=zone)
 
             if self.ipa_params.state in ["present", "enabled", "disabled"]:
                 if not zone:
                     # Since the zone doesn't exist we just create it
                     #   with given args
-                    self.add_ipa_command("dnszone_add", zone_name, args)
+                    self.commands.append((zone_name, "dnszone_add", args))
                     is_zone_active = True
                     # just_added = True
 
                 else:
                     # Zone already exist so we need to verify if given args
                     #   matches the current config. If not we updated it.
-                    if self.require_ipa_attrs_change(args, zone):
-                        self.add_ipa_command("dnszone_mod", zone_name, args)
+                    if not compare_args_ipa(self, args, zone):
+                        self.commands.append((zone_name, "dnszone_mod", args))
 
             if self.ipa_params.state == "enabled" and not is_zone_active:
-                self.add_ipa_command("dnszone_enable", zone_name)
+                self.commands.append((zone_name, "dnszone_enable", {}))
 
             if self.ipa_params.state == "disabled" and is_zone_active:
-                self.add_ipa_command("dnszone_disable", zone_name)
+                self.commands.append((zone_name, "dnszone_disable", {}))
 
             if self.ipa_params.state == "absent" and zone is not None:
-                self.add_ipa_command("dnszone_del", zone_name)
+                self.commands.append((zone_name, "dnszone_del", {}))
 
-    def process_command_result(self, name, command, args, result):
-        # pylint: disable=super-with-arguments
-        super(DNSZoneModule, self).process_command_result(
-            name, command, args, result
-        )
+    def process_results(self, _result, command, name, _args, exit_args):
         if command == "dnszone_add" and self.ipa_params.name_from_ip:
-            dnszone_exit_args = self.exit_args.setdefault('dnszone', {})
-            dnszone_exit_args['name'] = name
+            exit_args.setdefault('dnszone', {})["name"] = name
 
 
 def get_argument_spec():
@@ -532,12 +537,24 @@ def get_argument_spec():
 
 
 def main():
-    DNSZoneModule(
+    ansible_module = DNSZoneModule(
         argument_spec=get_argument_spec(),
         mutually_exclusive=[["name", "name_from_ip"]],
         required_one_of=[["name", "name_from_ip"]],
         supports_check_mode=True,
-    ).ipa_run()
+    )
+
+    exit_args = {}
+    ipaapi_context = ansible_module.params_get("ipaapi_context")
+    with ansible_module.ipa_connect(context=ipaapi_context):
+        ansible_module.check_ipa_params()
+        ansible_module.define_ipa_commands()
+        changed = ansible_module.execute_ipa_commands(
+            ansible_module.commands,
+            result_handler=DNSZoneModule.process_results,
+            exit_args=exit_args
+        )
+    ansible_module.exit_json(changed=changed, **exit_args)
 
 
 if __name__ == "__main__":

plugins/modules/ipagroup.py

@@ -393,13 +393,13 @@ def main():
                         # If yes: modify
                         # Also if it is a modification from nonposix to posix
                         # or nonposix to external.
-                        if not compare_args_ipa(ansible_module, args,
-                                                res_find) or \
-                           (
-                               not is_posix_group(res_find) and
-                               not is_external_group(res_find) and
-                               (posix or external)
-                           ):
+                        if not compare_args_ipa(
+                            ansible_module, args, res_find
+                        ) or (
+                            not is_posix_group(res_find) and
+                            not is_external_group(res_find) and
+                            (posix or external)
+                        ):
                             if posix:
                                 args['posix'] = True
                             if external:

plugins/modules/iparole.py

@@ -199,7 +199,7 @@ def ensure_absent_state(module, name, action, res_find):
         member_args = {}
         for key in ['user', 'group', 'host', 'hostgroup']:
             items = member_intersect(
-                        module, key, 'member_%s' % key, res_find)
+                module, key, 'member_%s' % key, res_find)
             if items:
                 member_args[key] = items
 
@@ -298,7 +298,7 @@ def ensure_members_are_present(module, name, res_find):
     member_args = {}
     for key in ['user', 'group', 'host', 'hostgroup']:
         items = member_difference(
-                    module, key, 'member_%s' % key, res_find)
+            module, key, 'member_%s' % key, res_find)
         if items:
             member_args[key] = items
 

plugins/modules/ipaservice.py

@@ -577,7 +577,7 @@ def main():
                                 args.get("krbprincipalauthind", [""]) ==
                                 res_find.get("krbprincipalauthind", [""])
                             )
-                          ):
+                        ):
                             del args["krbprincipalauthind"]
 
                         if not compare_args_ipa(ansible_module, args,

plugins/modules/ipauser.py

@@ -824,14 +824,17 @@ def main():
             # general
             name=dict(type="list", aliases=["login"], default=None,
                       required=False),
-            users=dict(type="list", aliases=["login"], default=None,
+            users=dict(type="list",
+                       aliases=["login"],
+                       default=None,
                        options=dict(
                            # Here name is a simple string
                            name=dict(type="str", required=True),
                            # Add user specific parameters
                            **user_spec
                        ),
-                       elements='dict', required=False),
+                       elements='dict',
+                       required=False),
 
             # deleted
             preserve=dict(required=False, type='bool', default=None),

plugins/modules/ipavault.py

@@ -634,7 +634,7 @@ def main():
             vault_password_file=dict(type="str", required=False, default=None,
                                      no_log=False,
                                      aliases=[
-                                        'password_file', "old_password_file"
+                                         'password_file', "old_password_file"
                                      ]),
             new_password=dict(type="str", required=False, default=None,
                               no_log=True),

roles/ipabackup/library/ipabackup_get_backup_dir.py

@@ -45,7 +45,7 @@ EXAMPLES = '''
 # Get IPA_BACKUP_DIR from ipaplatform
 - name: Get IPA_BACKUP_DIR from ipaplatform
   ipabackup_get_backup_dir:
-  register result
+  register: result
 '''
 
 RETURN = '''

roles/ipabackup/vars/Ubuntu-18.04.yml

@@ -0,0 +1,10 @@
+# vars/Ubuntu.yml
+---
+ipaserver_packages: [ "freeipa-server" ]
+ipaserver_packages_dns: [ "freeipa-server-dns" ]
+ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
+# Ubuntu Bionic Beaver must use python2 as Python interpreter due
+# to the way python-ipalib package is defined.
+# Package python2.7 must be installed before executing this role.
+ansible_python_interpreter: '/usr/bin/python2.7'

roles/ipaclient/vars/Debian-10.yml

@@ -0,0 +1,7 @@
+---
+# vars/Debian.yml
+ipaclient_packages: [ "freeipa-client" ]
+# Debian Buster must use python2 as Python interpreter due
+# to the way freeipa-client package is defined.
+# You must install package python2.7 before executing this role.
+ansible_python_interpreter: '/usr/bin/python2'

roles/ipaclient/vars/Ubuntu-18.04.yml

@@ -0,0 +1,7 @@
+# vars/Ubuntu-18.04.yml
+---
+ipaclient_packages: [ "freeipa-client" ]
+# Ubuntu Bionic Beaver must use python2 as Python interpreter due
+# to the way python-ipalib package is defined.
+# Package python2.7 must be installed before executing this role.
+ansible_python_interpreter: '/usr/bin/python2.7'

roles/ipareplica/vars/Ubuntu-18.04.yml

@@ -0,0 +1,10 @@
+# vars/Ubuntu.yml
+---
+ipareplica_packages: [ "freeipa-server" ]
+ipareplica_packages_dns: [ "freeipa-server-dns" ]
+ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
+# Ubuntu Bionic Beaver must use python2 as Python interpreter due
+# to the way python-ipalib package is defined.
+# Package python2.7 must be installed before executing this role.
+ansible_python_interpreter: '/usr/bin/python2.7'

roles/ipaserver/vars/Ubuntu-18.04.yml

@@ -0,0 +1,10 @@
+# vars/Ubuntu.yml
+---
+ipaserver_packages: [ "freeipa-server" ]
+ipaserver_packages_dns: [ "freeipa-server-dns" ]
+ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
+# Ubuntu Bionic Beaver must use python2 as Python interpreter due
+# to the way python-ipalib package is defined.
+# Package python2.7 must be installed before executing this role.
+ansible_python_interpreter: '/usr/bin/python2.7'

tests/azure/build-containers.yml

@@ -27,6 +27,12 @@ jobs:
     container_name: centos-8
     build_scenario_name: centos-8-build
 
+- template: templates/build_container.yml
+  parameters:
+    job_name_suffix: Centos9
+    container_name: centos-9
+    build_scenario_name: centos-9-build
+
 - template: templates/build_container.yml
   parameters:
     job_name_suffix: FedoraLatest

tests/sanity/ignore-2.12.txt

@@ -0,0 +1,55 @@
+plugins/module_utils/ansible_freeipa_module.py compile-2.6!skip
+plugins/module_utils/ansible_freeipa_module.py import-2.6!skip
+plugins/module_utils/ansible_freeipa_module.py pylint:ansible-bad-import-from
+plugins/module_utils/ansible_freeipa_module.py pylint:ansible-bad-function
+plugins/module_utils/ansible_freeipa_module.py pylint:ansible-format-automatic-specification
+plugins/module_utils/ansible_freeipa_module.py pylint:ansible-deprecated-no-collection-name
+plugins/modules/ipaclient_get_facts.py compile-2.6!skip
+plugins/modules/ipaclient_get_facts.py import-2.6!skip
+plugins/modules/ipaclient_api.py pylint:ansible-format-automatic-specification
+plugins/modules/ipaclient_join.py pylint:ansible-format-automatic-specification
+plugins/modules/ipaclient_test.py pylint:ansible-format-automatic-specification
+plugins/modules/ipaconfig.py compile-2.6!skip
+plugins/modules/ipaconfig.py import-2.6!skip
+plugins/modules/ipadnsrecord.py compile-2.6!skip
+plugins/modules/ipadnsrecord.py import-2.6!skip
+plugins/modules/ipadnsrecord.py pylint:ansible-format-automatic-specification
+plugins/modules/ipadnsrecord.py pylint:use-maxsplit-arg
+plugins/modules/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
+plugins/modules/ipareplica_prepare.py pylint:ansible-format-automatic-specification
+plugins/modules/ipareplica_test.py pylint:ansible-format-automatic-specification
+plugins/modules/ipaserver_setup_ca.py compile-2.6!skip
+plugins/modules/ipaserver_setup_ca.py import-2.6!skip
+plugins/modules/ipaserver_test.py pylint:ansible-format-automatic-specification
+plugins/modules/ipaservice.py compile-2.6!skip
+plugins/modules/ipaservice.py import-2.6!skip
+plugins/modules/ipavault.py compile-2.6!skip
+plugins/modules/ipavault.py import-2.6!skip
+roles/ipaclient/library/ipaclient_api.py pylint:ansible-format-automatic-specification
+roles/ipaclient/library/ipaclient_join.py pylint:ansible-format-automatic-specification
+roles/ipaclient/library/ipaclient_test.py pylint:ansible-format-automatic-specification
+roles/ipareplica/library/ipareplica_enable_ipa.py pylint:ansible-format-automatic-specification
+roles/ipareplica/library/ipareplica_prepare.py pylint:ansible-format-automatic-specification
+roles/ipareplica/library/ipareplica_test.py pylint:ansible-format-automatic-specification
+roles/ipaserver/library/ipaserver_test.py pylint:ansible-format-automatic-specification
+roles/ipareplica/module_utils/ansible_ipa_replica.py pylint:ansible-format-automatic-specification
+tests/external-signed-ca-with-automatic-copy/external-ca.sh shebang!skip
+tests/pytests/conftest.py pylint:ansible-format-automatic-specification
+tests/user/users.sh shebang!skip
+tests/user/users_absent.sh shebang!skip
+tests/utils.py pylint:ansible-format-automatic-specification
+tests/utils.py pylint:subprocess-run-check
+utils/ansible-doc-test shebang!skip
+utils/ansible-ipa-client-install shebang!skip
+utils/ansible-ipa-replica-install shebang!skip
+utils/ansible-ipa-server-install shebang!skip
+utils/build-galaxy-release.sh shebang!skip
+utils/build-srpm.sh shebang!skip
+utils/changelog shebang!skip
+utils/galaxyfy-README.py shebang!skip
+utils/galaxyfy-module-EXAMPLES.py shebang!skip
+utils/galaxyfy-playbook.py shebang!skip
+utils/galaxyfy.py shebang!skip
+utils/gen_modules_docs.sh shebang!skip
+utils/lint_check.sh shebang!skip
+utils/new_module shebang!skip

utils/build-galaxy-release.sh

@@ -84,7 +84,7 @@ rm plugins/module_utils/ansible_ipa_*
 rm plugins/modules/ipaserver_*
 rm plugins/modules/ipareplica_*
 rm plugins/modules/ipaclient_*
+rm plugins/modules/ipabackup_*
 rm plugins/action/ipaclient_*
-rm plugins/action/ipabackup_*
 rmdir plugins/action
 git reset --hard

utils/gen_module_docs.py

@@ -26,7 +26,7 @@ param_docs = {
     "sssd": "The installer sssd setting",
     "dnsok": "The installer dnsok setting",
 
-    "dm_password":  "Directory Manager password",
+    "dm_password": "Directory Manager password",
     "password": "Admin user kerberos password",
     "ip_addresses": "List of Master Server IP Addresses",
     "domain": "Primary DNS domain of the IPA deployment",
@@ -55,10 +55,9 @@ param_docs = {
     "no_pkinit": "Disable pkinit setup steps",
     "no_ui_redirect": "Do not automatically redirect to the Web UI",
     "external_ca": "External ca setting",
-    "setup_adtrust": "Configure AD trust capability",
     "external_cert_files": [
-      "File containing the IPA CA certificate and the external CA certificate",
-      "chain"
+        "File containing the IPA CA certificate and the external CA "
+        "certificate chain"
     ],
     "reverse_zones": "The reverse DNS zones to use",
     "no_reverse": "Do not create new reverse DNS zone",
@@ -132,8 +131,8 @@ param_docs = {
     "debug": "Turn on extra debugging",
     "basedn": "The basedn of the IPA server (of the form dc=example,dc=com)",
     "allow_repair": [
-      "Allow repair of already joined hosts. Contrary to ipaclient_force_join",
-      "the host entry will not be changed on the server"
+        "Allow repair of already joined hosts. Contrary to "
+        "ipaclient_force_join the host entry will not be changed on the server"
     ],
     "backup": "File to backup",
     "fqdn": [