# -*- coding: utf-8 -*- # Authors: # $author <$email> # # Copyright (C) $year Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . from __future__ import (absolute_import, division, print_function) __metaclass__ = type ANSIBLE_METADATA = { "metadata_version": "1.0", "supported_by": "community", "status": ["preview"], } DOCUMENTATION = """ --- module: ipa$name short_description: Manage FreeIPA $name description: Manage FreeIPA $name and $name members extends_documentation_fragment: - ipamodule_base_docs - ipamoudle_base_docs.delete_continue options: name: description: The list of $name name strings. required: true type: list elements: str aliases: ["API_PARAMETER_NAME"] PARAMETER1: description: DESCRIPTION required: false default: None type: TYPE aliases: ["API_PARAMETER_NAME"] PARAMETER2: description: member DESCRIPTION required: false type: list elements: str default: None type: TYPE aliases: ["API_PARAMETER_NAME"] action: description: Work on $name or member level. choices: ["$name", "member"] default: $name type: str state: description: The state to ensure. choices: ["present", "absent"] default: present type: str author: - $author (@$github) """ EXAMPLES = """ # Ensure $name NAME is present - ipa$name: ipaadmin_password: SomeADMINpassword name: NAME PARAMETERS # Ensure $name "NAME" member PARAMETER2 VALUE is present - ipa$name: ipaadmin_password: SomeADMINpassword name: NAME PARAMETER2: VALUE action: member # Ensure $name "NAME" member PARAMETER2 VALUE is absent - ipa$name: ipaadmin_password: SomeADMINpassword name: NAME PARAMETER2: VALUE action: member state: absent # Ensure $name NAME is absent - ipa$name: ipaadmin_password: SomeADMINpassword name: NAME state: absent # Ensure $name NAME ... - ipa$name: ipaadmin_password: SomeADMINpassword name: NAME CHANGE PARAMETERS """ RETURN = """ """ from ansible.module_utils.ansible_freeipa_module import \ IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \ gen_intersection_list, ipalib_errors from ansible.module_utils import six if six.PY3: unicode = str def find_$name(module, name): """Find if a $name with the given name already exist.""" try: _result = module.ipa_command("$name_show", name, {"all": True}) except ipalib_errors.NotFound: # An exception is raised if $name name is not found. return None return _result["result"] def gen_args(PARAMETER1): _args = {} if PARAMETER1 is not None: _args["API_PARAMETER1_NAME"] = PARAMETER1 return _args def gen_member_args(PARAMETER2): _args = {} if PARAMETER2 is not None: _args["API_PARAMETER2_NAME"] = PARAMETER2 return _args def main(): ansible_module = IPAAnsibleModule( argument_spec=dict( # general name=dict(type="list", elements="str", required=True aliases=["API_PARAMETER_NAME"]), # present PARAMETER1=dict(required=False, type="str", default=None, aliases=["API_PARAMETER_NAME"]), PARAMETER2=dict(required=False, type='list', elements='str', default=None, aliases=["API_PARAMETER_NAME"]), # action action=dict(type="str", default="$name", choices=["member", "$name"]), # state state=dict(type="str", default="present", choices=["present", "absent"]), ), supports_check_mode=True, ipa_module_options=["delete_continue"] ) ansible_module._ansible_debug = True # Get parameters # general names = ansible_module.params_get("name") # present PARAMETER1 = ansible_module.params_get("PARAMETER1") # Note: some parameters must be compared in a case insensitive way, # or are transliterated into its lowercase version by IPA API. For # these parameters, use IPAAnsibleModule.params_get_lowercase. PARAMETER2 = ansible_module.params_get_lowercase("PARAMETER2") action = ansible_module.params_get("action") delete_continue = ansible_module.params_get("delete_continue") # state state = ansible_module.params_get("state") # Check parameters invalid = [] if state == "present": if len(names) != 1: ansible_module.fail_json( msg="Only one $name can be added at a time.") if action == "member": invalid = ["PARAMETER1"] if state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["PARAMETER1"] if action == "$name": invalid.append("PARAMETER2") ansible_module.params_fail_used_invalid(invalid, state, action) # Init changed = False exit_args = {} # Connect to IPA API with ansible_module.ipa_connect(): commands = [] for name in names: # Make sure $name exists res_find = find_$name(ansible_module, name) # add/del lists PARAMETER2_add, PARAMETER2_del = [], [] # Create command if state == "present": # Generate args args = gen_args(PARAMETER1) if action == "$name": # Found the $name if res_find is not None: # For all settings is args, check if there are # different settings in the find result. # If yes: modify if not compare_args_ipa(ansible_module, args, res_find): commands.append([name, "$name_mod", args]) else: commands.append([name, "$name_add", args]) member_args = gen_member_args(PARAMETER2) if not compare_args_ipa(ansible_module, member_args, res_find): # Generate addition and removal lists PARAMETER2_add, PARAMETER2_del = gen_add_del_lists( PARAMETER2, res_find.get("member_PARAMETER2")) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No $name '%s'" % name) # Reduce add lists for PARAMETER2 # to new entries only that are not in res_find. if PARAMETER2 is not None: PARAMETER2_add = gen_add_list( PARAMETER2, res_find.get("member_PARAMETER2")) elif state == "absent": if action == "$name": if res_find is not None: commands.append( [name, "$name_del", {"continue": delete_continue}] ) elif action == "member": if res_find is None: ansible_module.fail_json( msg="No $name '%s'" % name) # Reduce del lists of member_host and member_hostgroup, # to the entries only that are in res_find. if PARAMETER2 is not None: PARAMETER2_del = gen_intersection_list( PARAMETER2, res_find.get("member_PARAMETER2")) else: ansible_module.fail_json(msg="Unkown state '%s'" % state) # Member management # Add members if PARAMETER2_add: commands.append([name, "$name_add_member", { "PARAMETER2": PARAMETER2_add, }]) # Remove members if PARAMETER2_del: commands.append([name, "$name_remove_member", { "PARAMETER2": PARAMETER2_del, "continue": delete_continue, }]) # Execute commands # # To handle default member errors there is a static method # IPAAnsibleModule.handle_member_errors. It can be enabled with # fail_on_member_failures=True for execute_ipa_commands. # There might be cases in which this needs to be either done # manually or extended. # # Example: # # pylint: disable=unused-argument # def result_handler(module, result, command, name, args, errors): # # Get all errors # IPAAnsibleModule.handle_member_errors(module, result, command, # name, args, errors) # if "MY ERROR" in result.get("failed",[]): # errors.append("My error") # # # Execute commands # # changed = ansible_module.execute_ipa_commands(commands, # result_handler) # changed = ansible_module.execute_ipa_commands( commands, fail_on_member_failures=True) # Done ansible_module.exit_json(changed=changed, **exit_args) if __name__ == "__main__": main()