mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
dc9b0ce4e8
There is a new sysaccount management module placed in the plugins folder:
plugins/modules/ipasysaccount.py
The sysaccount module allows to ensure presence or absence of system
accounts.
Here is the documentation for the module:
README-sysaccount.md
New sysaccount example playbooks:
playbooks/sysaccount/sysaccount-absent.yml
playbooks/sysaccount/sysaccount-disabled.yml
playbooks/sysaccount/sysaccount-enabled.yml
playbooks/sysaccount/sysaccount-present.yml
playbooks/sysaccount/sysaccount-privileged.yml
playbooks/sysaccount/sysaccount-unprivileged.yml
New tests for the module:
tests/sysaccount/test_sysaccount.yml
tests/sysaccount/test_sysaccount_client_context.yml
151 lines
4.3 KiB
YAML
151 lines
4.3 KiB
YAML
---
|
|
- name: Test sysaccount
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
# It is normally not needed to set "become" to "true" for a module test.
|
|
# Only set it to true if it is needed to execute commands as root.
|
|
become: false
|
|
# Enable "gather_facts" only if "ansible_facts" variable needs to be used.
|
|
gather_facts: false
|
|
module_defaults:
|
|
ipasysaccount:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
|
tasks:
|
|
|
|
- name: Verify sysaccount tests are possible
|
|
ansible.builtin.shell:
|
|
cmd: |
|
|
echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin > /dev/null
|
|
RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa sysaccount-add --help)
|
|
kdestroy -A -c {{ krb5ccname }} > /dev/null
|
|
echo $RESULT
|
|
vars:
|
|
krb5ccname: "__check_ipa_sysaccount_add__"
|
|
register: check_sysaccount_add
|
|
|
|
- name: Execute tests
|
|
when: '"ipa: ERROR: unknown command" not in check_sysaccount_add.stderr'
|
|
block:
|
|
|
|
# CLEANUP TEST ITEMS
|
|
|
|
- name: Ensure sysaccount my-app is absent
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: absent
|
|
|
|
# CREATE TEST ITEMS
|
|
|
|
# TESTS
|
|
|
|
- name: Ensure sysaccount my-app is present with random password
|
|
ipasysaccount:
|
|
name: my-app
|
|
random: true
|
|
register: result
|
|
failed_when: not result.changed or
|
|
result.sysaccount.randompassword is not defined or
|
|
result.failed
|
|
|
|
- name: Ensure sysaccount my-app is present, again with updated random password and update_password always
|
|
ipasysaccount:
|
|
name: my-app
|
|
random: true
|
|
register: result2
|
|
failed_when: not result2.changed or
|
|
result2.sysaccount.randompassword is not defined or
|
|
result2.sysaccount.randompassword == result.sysaccount.randompassword or
|
|
result2.failed
|
|
|
|
- name: Ensure sysaccount my-app is present, again with random password and update_password on_create
|
|
ipasysaccount:
|
|
name: my-app
|
|
random: true
|
|
update_password: on_create
|
|
register: result
|
|
failed_when: not result2.changed or
|
|
result.sysaccount.randompassword is defined or
|
|
result.failed
|
|
|
|
# more tests here
|
|
|
|
- name: Ensure sysaccount my-app is disabled
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: disabled
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is disabled, again
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: disabled
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is enabled
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: enabled
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is enabled, again
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: enabled
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is privileged
|
|
ipasysaccount:
|
|
name: my-app
|
|
privileged: true
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is privileged, again
|
|
ipasysaccount:
|
|
name: my-app
|
|
privileged: true
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
# ADDITIONAL TEST HERE?
|
|
|
|
- name: Ensure sysaccount my-app is not privileged
|
|
ipasysaccount:
|
|
name: my-app
|
|
privileged: false
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is not privileged, again
|
|
ipasysaccount:
|
|
name: my-app
|
|
privileged: false
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is absent
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: absent
|
|
register: result
|
|
failed_when: not result.changed or result.failed
|
|
|
|
- name: Ensure sysaccount my-app is absent again
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: absent
|
|
register: result
|
|
failed_when: result.changed or result.failed
|
|
|
|
# CLEANUP TEST ITEMS
|
|
|
|
- name: Ensure sysaccount my-app is absent
|
|
ipasysaccount:
|
|
name: my-app
|
|
state: absent
|