Release 7.1.0.

Keycloak: Authentication required actions management (#6732)

* feat: keycloak required actions

* Update plugins/modules/keycloak_authentication_required_actions.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/modules/keycloak_authentication_required_actions.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* fix: dedent

* fix: unnecessary defaults

* fix: sanity checks

* Update plugins/modules/keycloak_authentication_required_actions.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* fix: ident

---------

Co-authored-by: Skrekulko <Skrekulko@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit cd48e818ae)

Co-authored-by: Skrekulko <111891715+Skrekulko@users.noreply.github.com>

.azure-pipelines/azure-pipelines.yml

@@ -112,19 +112,6 @@ stages:
             - test: 2
             - test: 3
             - test: 4
-  - stage: Sanity_2_12
-    displayName: Sanity 2.12
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          nameFormat: Test {0}
-          testFormat: 2.12/sanity/{0}
-          targets:
-            - test: 1
-            - test: 2
-            - test: 3
-            - test: 4
 ### Units
   - stage: Units_devel
     displayName: Units devel
@@ -136,7 +123,6 @@ stages:
           testFormat: devel/units/{0}/1
           targets:
             - test: 2.7
-            - test: 3.5
             - test: 3.6
             - test: 3.7
             - test: 3.8
@@ -152,6 +138,7 @@ stages:
           nameFormat: Python {0}
           testFormat: 2.15/units/{0}/1
           targets:
+            - test: 3.5
             - test: "3.10"
   - stage: Units_2_14
     displayName: Units 2.14
@@ -174,17 +161,6 @@ stages:
           targets:
             - test: 2.7
             - test: 3.8
-  - stage: Units_2_12
-    displayName: Units 2.12
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          nameFormat: Python {0}
-          testFormat: 2.12/units/{0}/1
-          targets:
-            - test: 2.6
-            - test: 3.8
 
 ## Remote
   - stage: Remote_devel_extra_vms
@@ -199,8 +175,6 @@ stages:
               test: alpine/3.17
             # - name: Fedora 37
             #   test: fedora/37
-            # - name: Ubuntu 20.04
-            #   test: ubuntu/20.04
             - name: Ubuntu 22.04
               test: ubuntu/22.04
           groups:
@@ -215,8 +189,10 @@ stages:
           targets:
             - name: macOS 13.2
               test: macos/13.2
-            - name: RHEL 9.1
-              test: rhel/9.1
+            - name: RHEL 9.2
+              test: rhel/9.2
+            - name: RHEL 8.8
+              test: rhel/8.8
             - name: FreeBSD 13.2
               test: freebsd/13.2
             - name: FreeBSD 12.4
@@ -233,6 +209,10 @@ stages:
         parameters:
           testFormat: 2.15/{0}
           targets:
+            - name: RHEL 9.1
+              test: rhel/9.1
+            - name: RHEL 8.7
+              test: rhel/8.7
             - name: RHEL 7.9
               test: rhel/7.9
             - name: FreeBSD 13.1
@@ -269,22 +249,6 @@ stages:
               test: macos/12.0
             - name: RHEL 8.5
               test: rhel/8.5
-          groups:
-            - 1
-            - 2
-            - 3
-  - stage: Remote_2_12
-    displayName: Remote 2.12
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          testFormat: 2.12/{0}
-          targets:
-            - name: macOS 11.1
-              test: macos/11.1
-            - name: RHEL 8.4
-              test: rhel/8.4
             - name: FreeBSD 13.0
               test: freebsd/13.0
           groups:
@@ -361,24 +325,6 @@ stages:
             - 1
             - 2
             - 3
-  - stage: Docker_2_12
-    displayName: Docker 2.12
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          testFormat: 2.12/linux/{0}
-          targets:
-            - name: CentOS 6
-              test: centos6
-            - name: Fedora 34
-              test: fedora34
-            - name: Ubuntu 18.04
-              test: ubuntu1804
-          groups:
-            - 1
-            - 2
-            - 3
 
 ### Community Docker
   - stage: Docker_community_devel
@@ -442,45 +388,30 @@ stages:
           testFormat: 2.13/generic/{0}/1
           targets:
             - test: 3.9
-  - stage: Generic_2_12
-    displayName: Generic 2.12
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          nameFormat: Python {0}
-          testFormat: 2.12/generic/{0}/1
-          targets:
-            - test: 3.8
 
   - stage: Summary
     condition: succeededOrFailed()
     dependsOn:
       - Sanity_devel
-      - Sanity_2_12
       - Sanity_2_13
       - Sanity_2_14
       - Sanity_2_15
       - Units_devel
-      - Units_2_12
       - Units_2_13
       - Units_2_14
       - Units_2_15
       - Remote_devel_extra_vms
       - Remote_devel
-      - Remote_2_12
       - Remote_2_13
       - Remote_2_14
       - Remote_2_15
       - Docker_devel
-      - Docker_2_12
       - Docker_2_13
       - Docker_2_14
       - Docker_2_15
       - Docker_community_devel
 # Right now all generic tests are disabled. Uncomment when at least one of them is re-enabled.
 #      - Generic_devel
-#      - Generic_2_12
 #      - Generic_2_13
 #      - Generic_2_14
 #      - Generic_2_15

.github/BOTMETA.yml

@@ -333,6 +333,9 @@ files:
   $module_utils/utm_utils.py:
     labels: utm_utils
     maintainers: $team_e_spirit
+  $module_utils/vardict.py:
+    labels: vardict
+    maintainers: russoz
   $module_utils/wdc_redfish_utils.py:
     labels: wdc_redfish_utils
     maintainers: $team_wdc
@@ -529,8 +532,12 @@ files:
     notify: jlozadad
   $modules/gitlab_branch.py:
     maintainers: paytroff
+  $modules/gitlab_merge_request.py:
+    maintainers: zvaraondrej
   $modules/gitlab_project_variable.py:
     maintainers: markuman
+  $modules/gitlab_instance_variable.py:
+    maintainers: benibr
   $modules/gitlab_runner.py:
     maintainers: SamyCoenen
   $modules/gitlab_user.py:
@@ -680,6 +687,8 @@ files:
     maintainers: $team_keycloak
   $modules/keycloak_authentication.py:
     maintainers: elfelip Gaetan2907
+  $modules/keycloak_authentication_required_actions.py:
+    maintainers: Skrekulko
   $modules/keycloak_authz_authorization_scope.py:
     maintainers: mattock
   $modules/keycloak_client_rolemapping.py:
@@ -702,6 +711,8 @@ files:
     maintainers: fynncfchen
   $modules/keycloak_role.py:
     maintainers: laurpaum
+  $modules/keycloak_user.py:
+    maintainers: elfelip
   $modules/keycloak_user_federation.py:
     maintainers: laurpaum
   $modules/keycloak_user_rolemapping.py:
@@ -748,6 +759,8 @@ files:
     maintainers: nerzhul
   $modules/lvg.py:
     maintainers: abulimov
+  $modules/lvg_rename.py:
+    maintainers: lszomor
   $modules/lvol.py:
     maintainers: abulimov jhoekx zigaSRC unkaputtbar112
   $modules/lxc_container.py:
@@ -929,7 +942,7 @@ files:
   $modules/pamd.py:
     maintainers: kevensen
   $modules/parted.py:
-    maintainers: ColOfAbRiX rosowiecki jake2184
+    maintainers: ColOfAbRiX jake2184
   $modules/pear.py:
     ignore: jle64
     labels: pear
@@ -976,7 +989,7 @@ files:
   $modules/proxmox:
     keywords: kvm libvirt proxmox qemu
     labels: proxmox virt
-    maintainers: $team_virt
+    maintainers: $team_virt UnderGreen
   $modules/proxmox.py:
     ignore: skvidal
     maintainers: UnderGreen

.github/workflows/ansible-test.yml

@@ -14,9 +14,9 @@ on:
       - main
       - stable-*
   pull_request:
-  # Run EOL CI once per day (at 08:00 UTC)
+  # Run EOL CI once per day (at 10:00 UTC)
   schedule:
-    - cron: '0 8 * * *'
+    - cron: '0 10 * * *'
 
 concurrency:
   # Make sure there is at most one active run per PR, but do not cancel any non-PR runs
@@ -30,6 +30,7 @@ jobs:
       matrix:
         ansible:
           - '2.11'
+          - '2.12'
     # Ansible-test on various stable branches does not yet work well with cgroups v2.
     # Since ubuntu-latest now uses Ubuntu 22.04, we need to fall back to the ubuntu-20.04
     # image for these stable branches. The list of branches where this is necessary will
@@ -43,7 +44,7 @@ jobs:
       - name: Perform sanity testing
         uses: felixfontein/ansible-test-gh-action@main
         with:
-          ansible-core-github-repository-slug: felixfontein/ansible
+          ansible-core-github-repository-slug: ${{ contains(fromJson('["2.10", "2.11"]'), matrix.ansible) && 'felixfontein/ansible' || 'ansible/ansible' }}
           ansible-core-version: stable-${{ matrix.ansible }}
           coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
           pull-request-change-detection: 'true'
@@ -75,6 +76,10 @@ jobs:
             python: '2.7'
           - ansible: '2.11'
             python: '3.5'
+          - ansible: '2.12'
+            python: '2.6'
+          - ansible: '2.12'
+            python: '3.8'
 
     steps:
       - name: >-
@@ -82,7 +87,7 @@ jobs:
           Ansible version ${{ matrix.ansible }}
         uses: felixfontein/ansible-test-gh-action@main
         with:
-          ansible-core-github-repository-slug: felixfontein/ansible
+          ansible-core-github-repository-slug: ${{ contains(fromJson('["2.10", "2.11"]'), matrix.ansible) && 'felixfontein/ansible' || 'ansible/ansible' }}
           ansible-core-version: stable-${{ matrix.ansible }}
           coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
           pre-test-cmd: >-
@@ -163,7 +168,49 @@ jobs:
           # - ansible: '2.11'
           #   docker: default
           #   python: '3.5'
-          #   target: azp/generic/2/
+          #   target: azp/generic/1/
+          # 2.12
+          - ansible: '2.12'
+            docker: centos6
+            python: ''
+            target: azp/posix/1/
+          - ansible: '2.12'
+            docker: centos6
+            python: ''
+            target: azp/posix/2/
+          - ansible: '2.12'
+            docker: centos6
+            python: ''
+            target: azp/posix/3/
+          - ansible: '2.12'
+            docker: fedora34
+            python: ''
+            target: azp/posix/1/
+          - ansible: '2.12'
+            docker: fedora34
+            python: ''
+            target: azp/posix/2/
+          - ansible: '2.12'
+            docker: fedora34
+            python: ''
+            target: azp/posix/3/
+          - ansible: '2.12'
+            docker: ubuntu1804
+            python: ''
+            target: azp/posix/1/
+          - ansible: '2.12'
+            docker: ubuntu1804
+            python: ''
+            target: azp/posix/2/
+          - ansible: '2.12'
+            docker: ubuntu1804
+            python: ''
+            target: azp/posix/3/
+          # Right now all generic tests are disabled. Uncomment when at least one of them is re-enabled.
+          # - ansible: '2.12'
+          #   docker: default
+          #   python: '3.8'
+          #   target: azp/generic/1/
 
     steps:
       - name: >-
@@ -172,7 +219,7 @@ jobs:
           under Python ${{ matrix.python }}
         uses: felixfontein/ansible-test-gh-action@main
         with:
-          ansible-core-github-repository-slug: felixfontein/ansible
+          ansible-core-github-repository-slug: ${{ contains(fromJson('["2.10", "2.11"]'), matrix.ansible) && 'felixfontein/ansible' || 'ansible/ansible' }}
           ansible-core-version: stable-${{ matrix.ansible }}
           coverage: ${{ github.event_name == 'schedule' && 'always' || 'never' }}
           docker-image: ${{ matrix.docker }}

CHANGELOG.rst

@@ -6,6 +6,143 @@ Community General Release Notes
 
 This changelog describes changes after version 6.0.0.
 
+v7.1.0
+======
+
+Release Summary
+---------------
+
+Regular bugfix and feature release.
+
+From this version on, community.general is using the new `Ansible semantic markup
+<https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation>`__
+in its documentation. If you look at documentation with the ansible-doc CLI tool
+from ansible-core before 2.15, please note that it does not render the markup
+correctly. You should be still able to read it in most cases, but you need
+ansible-core 2.15 or later to see it as it is intended. Alternatively you can
+look at `the devel docsite <https://docs.ansible.com/ansible/devel/collections/community/general/>__`
+for the rendered HTML version of the documentation of the latest release.
+
+
+Minor Changes
+-------------
+
+- The collection will start using semantic markup (https://github.com/ansible-collections/community.general/pull/6539).
+- VarDict module utils - add method ``VarDict.as_dict()`` to convert to a plain ``dict`` object (https://github.com/ansible-collections/community.general/pull/6602).
+- cobbler inventory plugin - add ``inventory_hostname`` option to allow using the system name for the inventory hostname (https://github.com/ansible-collections/community.general/pull/6502).
+- cobbler inventory plugin - add ``want_ip_addresses`` option to collect all interface DNS name to IP address mapping (https://github.com/ansible-collections/community.general/pull/6711).
+- cobbler inventory plugin - add primary IP addess to ``cobbler_ipv4_address`` and IPv6 address to ``cobbler_ipv6_address`` host variable (https://github.com/ansible-collections/community.general/pull/6711).
+- cobbler inventory plugin - add warning for systems with empty profiles (https://github.com/ansible-collections/community.general/pull/6502).
+- copr - respawn module to use the system python interpreter when the ``dnf`` python module is not available in ``ansible_python_interpreter`` (https://github.com/ansible-collections/community.general/pull/6522).
+- datadog_monitor - adds ``notification_preset_name``, ``renotify_occurrences`` and ``renotify_statuses`` parameters (https://github.com/ansible-collections/community.general/issues/6521,https://github.com/ansible-collections/community.general/issues/5823).
+- filesystem - add ``uuid`` parameter for UUID change feature (https://github.com/ansible-collections/community.general/pull/6680).
+- keycloak_client_rolemapping - adds support for subgroups with additional parameter ``parents`` (https://github.com/ansible-collections/community.general/pull/6687).
+- keycloak_role - add composite roles support for realm and client roles (https://github.com/ansible-collections/community.general/pull/6469).
+- ldap_* - add new arguments ``client_cert`` and ``client_key`` to the LDAP modules in order to allow certificate authentication (https://github.com/ansible-collections/community.general/pull/6668).
+- ldap_search - add a new ``page_size`` option to enable paged searches (https://github.com/ansible-collections/community.general/pull/6648).
+- lvg - add ``active`` and ``inactive`` values to the ``state`` option for active state management feature (https://github.com/ansible-collections/community.general/pull/6682).
+- lvg - add ``reset_vg_uuid``, ``reset_pv_uuid`` options for UUID reset feature (https://github.com/ansible-collections/community.general/pull/6682).
+- mas - disable sign-in check for macOS 12+ as ``mas account`` is non-functional (https://github.com/ansible-collections/community.general/pull/6520).
+- onepassword lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635, https://github.com/ansible-collections/community.general/pull/6660).
+- onepassword_raw lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635, https://github.com/ansible-collections/community.general/pull/6660).
+- opentelemetry callback plugin - add span attributes in the span event (https://github.com/ansible-collections/community.general/pull/6531).
+- opkg - remove default value ``""`` for parameter ``force`` as it causes the same behaviour of not having that parameter (https://github.com/ansible-collections/community.general/pull/6513).
+- proxmox - support ``timezone`` parameter at container creation (https://github.com/ansible-collections/community.general/pull/6510).
+- proxmox inventory plugin - add composite variables support for Proxmox nodes (https://github.com/ansible-collections/community.general/issues/6640).
+- proxmox_kvm - added support for ``tpmstate0`` parameter to configure TPM (Trusted Platform Module) disk. TPM is required for Windows 11 installations (https://github.com/ansible-collections/community.general/pull/6533).
+- proxmox_kvm - re-use ``timeout`` module param to forcefully shutdown a virtual machine when ``state`` is ``stopped`` (https://github.com/ansible-collections/community.general/issues/6257).
+- proxmox_snap - add ``retention`` parameter to delete old snapshots (https://github.com/ansible-collections/community.general/pull/6576).
+- redfish_command - add ``MultipartHTTPPushUpdate`` command (https://github.com/ansible-collections/community.general/issues/6471, https://github.com/ansible-collections/community.general/pull/6612).
+- redhat_subscription - the internal ``RegistrationBase`` class was folded
+  into the other internal ``Rhsm`` class, as the separation had no purpose
+  anymore
+  (https://github.com/ansible-collections/community.general/pull/6658).
+- rhsm_release - improve/harden the way ``subscription-manager`` is run;
+  no behaviour change is expected
+  (https://github.com/ansible-collections/community.general/pull/6669).
+- snap - module is now aware of channel when deciding whether to install or refresh the snap (https://github.com/ansible-collections/community.general/pull/6435, https://github.com/ansible-collections/community.general/issues/1606).
+- sorcery - minor refactor (https://github.com/ansible-collections/community.general/pull/6525).
+- tss lookup plugin - allow to fetch secret IDs which are in a folder based on folder ID. Previously, we could not fetch secrets based on folder ID but now use ``fetch_secret_ids_from_folder`` option to indicate to fetch secret IDs based on folder ID (https://github.com/ansible-collections/community.general/issues/6223).
+
+Deprecated Features
+-------------------
+
+- CmdRunner module utils - deprecate ``cmd_runner_fmt.as_default_type()`` formatter (https://github.com/ansible-collections/community.general/pull/6601).
+- MH VarsMixin module utils - deprecates ``VarsMixin`` and supporting classes in favor of plain ``vardict`` module util (https://github.com/ansible-collections/community.general/pull/6649).
+- cpanm - value ``compatibility`` is deprecated as default for parameter ``mode`` (https://github.com/ansible-collections/community.general/pull/6512).
+- redhat module utils - the ``module_utils.redhat`` module is deprecated, as
+  effectively unused: the ``Rhsm``, ``RhsmPool``, and ``RhsmPools`` classes
+  will be removed in community.general 9.0.0; the ``RegistrationBase`` class
+  will be removed in community.general 10.0.0 together with the
+  ``rhn_register`` module, as it is the only user of this class; this means
+  that the whole ``module_utils.redhat`` module will be dropped in
+  community.general 10.0.0, so importing it without even using anything of it
+  will fail
+  (https://github.com/ansible-collections/community.general/pull/6663).
+- redhat_subscription - the ``autosubscribe`` alias for the ``auto_attach`` option has been
+  deprecated for many years, although only in the documentation. Officially mark this alias
+  as deprecated, and it will be removed in community.general 9.0.0
+  (https://github.com/ansible-collections/community.general/pull/6646).
+- redhat_subscription - the ``pool`` option is deprecated in favour of the
+  more precise and flexible ``pool_ids`` option
+  (https://github.com/ansible-collections/community.general/pull/6650).
+- rhsm_repository - ``state=present`` has not been working as expected for many years,
+  and it seems it was not noticed so far; also, "presence" is not really a valid concept
+  for subscription repositories, which can only be enabled or disabled. Hence, mark the
+  ``present`` and ``absent`` values of the ``state`` option as deprecated, slating them
+  for removal in community.general 10.0.0
+  (https://github.com/ansible-collections/community.general/pull/6673).
+
+Bugfixes
+--------
+
+- MH DependencyMixin module utils - deprecation notice was popping up for modules not using dependencies (https://github.com/ansible-collections/community.general/pull/6644, https://github.com/ansible-collections/community.general/issues/6639).
+- csv module utils - detects and remove unicode BOM markers from incoming CSV content (https://github.com/ansible-collections/community.general/pull/6662).
+- gitlab_group - the module passed parameters to the API call even when not set. The module is now filtering out ``None`` values to remediate this (https://github.com/ansible-collections/community.general/pull/6712).
+- icinga2_host - fix a key error when updating an existing host (https://github.com/ansible-collections/community.general/pull/6748).
+- ini_file - add the ``follow`` paramter to follow the symlinks instead of replacing them (https://github.com/ansible-collections/community.general/pull/6546).
+- ini_file - fix a bug where the inactive options were not used when possible (https://github.com/ansible-collections/community.general/pull/6575).
+- keycloak module utils - fix ``is_struct_included`` handling of lists of lists/dictionaries (https://github.com/ansible-collections/community.general/pull/6688).
+- keycloak module utils - the function ``get_user_by_username`` now return the user representation or ``None`` as stated in the documentation (https://github.com/ansible-collections/community.general/pull/6758).
+- proxmox_kvm - allow creation of VM with existing name but new vmid (https://github.com/ansible-collections/community.general/issues/6155, https://github.com/ansible-collections/community.general/pull/6709).
+- rhsm_repository - when using the ``purge`` option, the ``repositories``
+  dictionary element in the returned JSON is now properly updated according
+  to the pruning operation
+  (https://github.com/ansible-collections/community.general/pull/6676).
+- tss lookup plugin - fix multiple issues when using ``fetch_attachments=true`` (https://github.com/ansible-collections/community.general/pull/6720).
+
+Known Issues
+------------
+
+- Ansible markup will show up in raw form on ansible-doc text output for ansible-core before 2.15. If you have trouble deciphering the documentation markup, please upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on https://docs.ansible.com/ansible/devel/collections/community/general/ (https://github.com/ansible-collections/community.general/pull/6539).
+
+New Modules
+-----------
+
+- gitlab_instance_variable - Creates, updates, or deletes GitLab instance variables
+- gitlab_merge_request - Create, update, or delete GitLab merge requests
+- keycloak_authentication_required_actions - Allows administration of Keycloak authentication required actions
+- keycloak_user - Create and configure a user in Keycloak
+- lvg_rename - Renames LVM volume groups
+- proxmox_pool - Pool management for Proxmox VE cluster
+- proxmox_pool_member - Add or delete members from Proxmox VE cluster pools
+
+v7.0.1
+======
+
+Release Summary
+---------------
+
+Bugfix release for Ansible 8.0.0rc1.
+
+Bugfixes
+--------
+
+- nmcli - fix bond option ``xmit_hash_policy`` (https://github.com/ansible-collections/community.general/pull/6527).
+- portage - fix ``changed_use`` and ``newuse`` not triggering rebuilds (https://github.com/ansible-collections/community.general/issues/6008, https://github.com/ansible-collections/community.general/pull/6548).
+- proxmox_tasks_info - remove ``api_user`` + ``api_password`` constraint from ``required_together`` as it causes to require ``api_password`` even when API token param is used (https://github.com/ansible-collections/community.general/issues/6201).
+- zypper - added handling of zypper exitcode 102. Changed state is set correctly now and rc 102 is still preserved to be evaluated by the playbook (https://github.com/ansible-collections/community.general/pull/6534).
+
 v7.0.0
 ======
 

README.md

@@ -24,7 +24,7 @@ If you encounter abusive behavior violating the [Ansible Code of Conduct](https:
 
 ## Tested with Ansible
 
-Tested with the current ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14 releases and the current development version of ansible-core. Ansible-core versions before 2.11.0 are not supported. This includes all ansible-base 2.10 and Ansible 2.9 releases.
+Tested with the current ansible-core 2.11, ansible-core 2.12, ansible-core 2.13, ansible-core 2.14, ansible-core 2.15 releases and the current development version of ansible-core. Ansible-core versions before 2.11.0 are not supported. This includes all ansible-base 2.10 and Ansible 2.9 releases.
 
 Parts of this collection will not work with ansible-core 2.11 on Python 3.12+.
 

changelogs/changelog.yaml

@@ -803,3 +803,282 @@ releases:
         name: merge_variables
         namespace: null
     release_date: '2023-05-09'
+  7.0.1:
+    changes:
+      bugfixes:
+      - nmcli - fix bond option ``xmit_hash_policy`` (https://github.com/ansible-collections/community.general/pull/6527).
+      - portage - fix ``changed_use`` and ``newuse`` not triggering rebuilds (https://github.com/ansible-collections/community.general/issues/6008,
+        https://github.com/ansible-collections/community.general/pull/6548).
+      - proxmox_tasks_info - remove ``api_user`` + ``api_password`` constraint from
+        ``required_together`` as it causes to require ``api_password`` even when API
+        token param is used (https://github.com/ansible-collections/community.general/issues/6201).
+      - zypper - added handling of zypper exitcode 102. Changed state is set correctly
+        now and rc 102 is still preserved to be evaluated by the playbook (https://github.com/ansible-collections/community.general/pull/6534).
+      release_summary: Bugfix release for Ansible 8.0.0rc1.
+    fragments:
+    - 6527-nmcli-bond-fix-xmit_hash_policy.yml
+    - 6534-zypper-exitcode-102-handled.yaml
+    - 6548-portage-changed_use-newuse.yml
+    - 6554-proxmox-tasks-info-fix-required-password.yaml
+    - 7.0.1.yml
+    release_date: '2023-05-22'
+  7.1.0:
+    changes:
+      bugfixes:
+      - MH DependencyMixin module utils - deprecation notice was popping up for modules
+        not using dependencies (https://github.com/ansible-collections/community.general/pull/6644,
+        https://github.com/ansible-collections/community.general/issues/6639).
+      - csv module utils - detects and remove unicode BOM markers from incoming CSV
+        content (https://github.com/ansible-collections/community.general/pull/6662).
+      - gitlab_group - the module passed parameters to the API call even when not
+        set. The module is now filtering out ``None`` values to remediate this (https://github.com/ansible-collections/community.general/pull/6712).
+      - icinga2_host - fix a key error when updating an existing host (https://github.com/ansible-collections/community.general/pull/6748).
+      - ini_file - add the ``follow`` paramter to follow the symlinks instead of replacing
+        them (https://github.com/ansible-collections/community.general/pull/6546).
+      - ini_file - fix a bug where the inactive options were not used when possible
+        (https://github.com/ansible-collections/community.general/pull/6575).
+      - keycloak module utils - fix ``is_struct_included`` handling of lists of lists/dictionaries
+        (https://github.com/ansible-collections/community.general/pull/6688).
+      - keycloak module utils - the function ``get_user_by_username`` now return the
+        user representation or ``None`` as stated in the documentation (https://github.com/ansible-collections/community.general/pull/6758).
+      - proxmox_kvm - allow creation of VM with existing name but new vmid (https://github.com/ansible-collections/community.general/issues/6155,
+        https://github.com/ansible-collections/community.general/pull/6709).
+      - 'rhsm_repository - when using the ``purge`` option, the ``repositories``
+
+        dictionary element in the returned JSON is now properly updated according
+
+        to the pruning operation
+
+        (https://github.com/ansible-collections/community.general/pull/6676).
+
+        '
+      - tss lookup plugin - fix multiple issues when using ``fetch_attachments=true``
+        (https://github.com/ansible-collections/community.general/pull/6720).
+      deprecated_features:
+      - CmdRunner module utils - deprecate ``cmd_runner_fmt.as_default_type()`` formatter
+        (https://github.com/ansible-collections/community.general/pull/6601).
+      - MH VarsMixin module utils - deprecates ``VarsMixin`` and supporting classes
+        in favor of plain ``vardict`` module util (https://github.com/ansible-collections/community.general/pull/6649).
+      - cpanm - value ``compatibility`` is deprecated as default for parameter ``mode``
+        (https://github.com/ansible-collections/community.general/pull/6512).
+      - 'redhat module utils - the ``module_utils.redhat`` module is deprecated, as
+
+        effectively unused: the ``Rhsm``, ``RhsmPool``, and ``RhsmPools`` classes
+
+        will be removed in community.general 9.0.0; the ``RegistrationBase`` class
+
+        will be removed in community.general 10.0.0 together with the
+
+        ``rhn_register`` module, as it is the only user of this class; this means
+
+        that the whole ``module_utils.redhat`` module will be dropped in
+
+        community.general 10.0.0, so importing it without even using anything of it
+
+        will fail
+
+        (https://github.com/ansible-collections/community.general/pull/6663).
+
+        '
+      - 'redhat_subscription - the ``autosubscribe`` alias for the ``auto_attach``
+        option has been
+
+        deprecated for many years, although only in the documentation. Officially
+        mark this alias
+
+        as deprecated, and it will be removed in community.general 9.0.0
+
+        (https://github.com/ansible-collections/community.general/pull/6646).
+
+        '
+      - 'redhat_subscription - the ``pool`` option is deprecated in favour of the
+
+        more precise and flexible ``pool_ids`` option
+
+        (https://github.com/ansible-collections/community.general/pull/6650).
+
+        '
+      - 'rhsm_repository - ``state=present`` has not been working as expected for
+        many years,
+
+        and it seems it was not noticed so far; also, "presence" is not really a valid
+        concept
+
+        for subscription repositories, which can only be enabled or disabled. Hence,
+        mark the
+
+        ``present`` and ``absent`` values of the ``state`` option as deprecated, slating
+        them
+
+        for removal in community.general 10.0.0
+
+        (https://github.com/ansible-collections/community.general/pull/6673).
+
+        '
+      known_issues:
+      - Ansible markup will show up in raw form on ansible-doc text output for ansible-core
+        before 2.15. If you have trouble deciphering the documentation markup, please
+        upgrade to ansible-core 2.15 (or newer), or read the HTML documentation on
+        https://docs.ansible.com/ansible/devel/collections/community/general/ (https://github.com/ansible-collections/community.general/pull/6539).
+      minor_changes:
+      - The collection will start using semantic markup (https://github.com/ansible-collections/community.general/pull/6539).
+      - VarDict module utils - add method ``VarDict.as_dict()`` to convert to a plain
+        ``dict`` object (https://github.com/ansible-collections/community.general/pull/6602).
+      - cobbler inventory plugin - add ``inventory_hostname`` option to allow using
+        the system name for the inventory hostname (https://github.com/ansible-collections/community.general/pull/6502).
+      - cobbler inventory plugin - add ``want_ip_addresses`` option to collect all
+        interface DNS name to IP address mapping (https://github.com/ansible-collections/community.general/pull/6711).
+      - cobbler inventory plugin - add primary IP addess to ``cobbler_ipv4_address``
+        and IPv6 address to ``cobbler_ipv6_address`` host variable (https://github.com/ansible-collections/community.general/pull/6711).
+      - cobbler inventory plugin - add warning for systems with empty profiles (https://github.com/ansible-collections/community.general/pull/6502).
+      - copr - respawn module to use the system python interpreter when the ``dnf``
+        python module is not available in ``ansible_python_interpreter`` (https://github.com/ansible-collections/community.general/pull/6522).
+      - datadog_monitor - adds ``notification_preset_name``, ``renotify_occurrences``
+        and ``renotify_statuses`` parameters (https://github.com/ansible-collections/community.general/issues/6521,https://github.com/ansible-collections/community.general/issues/5823).
+      - filesystem - add ``uuid`` parameter for UUID change feature (https://github.com/ansible-collections/community.general/pull/6680).
+      - keycloak_client_rolemapping - adds support for subgroups with additional parameter
+        ``parents`` (https://github.com/ansible-collections/community.general/pull/6687).
+      - keycloak_role - add composite roles support for realm and client roles (https://github.com/ansible-collections/community.general/pull/6469).
+      - ldap_* - add new arguments ``client_cert`` and ``client_key`` to the LDAP
+        modules in order to allow certificate authentication (https://github.com/ansible-collections/community.general/pull/6668).
+      - ldap_search - add a new ``page_size`` option to enable paged searches (https://github.com/ansible-collections/community.general/pull/6648).
+      - lvg - add ``active`` and ``inactive`` values to the ``state`` option for active
+        state management feature (https://github.com/ansible-collections/community.general/pull/6682).
+      - lvg - add ``reset_vg_uuid``, ``reset_pv_uuid`` options for UUID reset feature
+        (https://github.com/ansible-collections/community.general/pull/6682).
+      - mas - disable sign-in check for macOS 12+ as ``mas account`` is non-functional
+        (https://github.com/ansible-collections/community.general/pull/6520).
+      - onepassword lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635,
+        https://github.com/ansible-collections/community.general/pull/6660).
+      - onepassword_raw lookup plugin - add service account support (https://github.com/ansible-collections/community.general/issues/6635,
+        https://github.com/ansible-collections/community.general/pull/6660).
+      - opentelemetry callback plugin - add span attributes in the span event (https://github.com/ansible-collections/community.general/pull/6531).
+      - opkg - remove default value ``""`` for parameter ``force`` as it causes the
+        same behaviour of not having that parameter (https://github.com/ansible-collections/community.general/pull/6513).
+      - proxmox - support ``timezone`` parameter at container creation (https://github.com/ansible-collections/community.general/pull/6510).
+      - proxmox inventory plugin - add composite variables support for Proxmox nodes
+        (https://github.com/ansible-collections/community.general/issues/6640).
+      - proxmox_kvm - added support for ``tpmstate0`` parameter to configure TPM (Trusted
+        Platform Module) disk. TPM is required for Windows 11 installations (https://github.com/ansible-collections/community.general/pull/6533).
+      - proxmox_kvm - re-use ``timeout`` module param to forcefully shutdown a virtual
+        machine when ``state`` is ``stopped`` (https://github.com/ansible-collections/community.general/issues/6257).
+      - proxmox_snap - add ``retention`` parameter to delete old snapshots (https://github.com/ansible-collections/community.general/pull/6576).
+      - redfish_command - add ``MultipartHTTPPushUpdate`` command (https://github.com/ansible-collections/community.general/issues/6471,
+        https://github.com/ansible-collections/community.general/pull/6612).
+      - 'redhat_subscription - the internal ``RegistrationBase`` class was folded
+
+        into the other internal ``Rhsm`` class, as the separation had no purpose
+
+        anymore
+
+        (https://github.com/ansible-collections/community.general/pull/6658).
+
+        '
+      - 'rhsm_release - improve/harden the way ``subscription-manager`` is run;
+
+        no behaviour change is expected
+
+        (https://github.com/ansible-collections/community.general/pull/6669).
+
+        '
+      - snap - module is now aware of channel when deciding whether to install or
+        refresh the snap (https://github.com/ansible-collections/community.general/pull/6435,
+        https://github.com/ansible-collections/community.general/issues/1606).
+      - sorcery - minor refactor (https://github.com/ansible-collections/community.general/pull/6525).
+      - tss lookup plugin - allow to fetch secret IDs which are in a folder based
+        on folder ID. Previously, we could not fetch secrets based on folder ID but
+        now use ``fetch_secret_ids_from_folder`` option to indicate to fetch secret
+        IDs based on folder ID (https://github.com/ansible-collections/community.general/issues/6223).
+      release_summary: 'Regular bugfix and feature release.
+
+
+        From this version on, community.general is using the new `Ansible semantic
+        markup
+
+        <https://docs.ansible.com/ansible/devel/dev_guide/developing_modules_documenting.html#semantic-markup-within-module-documentation>`__
+
+        in its documentation. If you look at documentation with the ansible-doc CLI
+        tool
+
+        from ansible-core before 2.15, please note that it does not render the markup
+
+        correctly. You should be still able to read it in most cases, but you need
+
+        ansible-core 2.15 or later to see it as it is intended. Alternatively you
+        can
+
+        look at `the devel docsite <https://docs.ansible.com/ansible/devel/collections/community/general/>__`
+
+        for the rendered HTML version of the documentation of the latest release.
+
+        '
+    fragments:
+    - 6223-get-secret-ids-by-folderid.yml
+    - 6435-snap-channel-aware.yml
+    - 6469-add-composites-support-for-keycloak-role.yml
+    - 6471-redfish-add-multipart-http-push-command.yml
+    - 6502-cobbler-inventory_hostname.yml
+    - 6510-proxmox-create-support_timezone.yaml
+    - 6512-cpanm-default-mode.yml
+    - 6513-opkg-default-force.yml
+    - 6520-mas-disable-signin.yaml
+    - 6522-copr-respawn.yaml
+    - 6523-datadog-monitor-notification-preset-name-and-renotify.yaml
+    - 6525-sorcery-import.yaml
+    - 6531-opentelemetry-add-event-attributes.yml
+    - 6533-proxmox_kvm-tpmstate0-support.yaml
+    - 6539-semantic-markup.yml
+    - 6568-fix-get-user-by-username-in-keycloak-module-utils.yml
+    - 6570-handle-shutdown-timeout.yaml
+    - 6576-proxmox-snap-allow-to-remove-old-snapshots.yml
+    - 6601-cmdrunner-deprecate-default-type.yml
+    - 6602-vardict-as-dict.yml
+    - 6640-proxmox-composite-variables-support.yml
+    - 6644-dependencymixin-fix.yml
+    - 6646-redhat_subscription-deprecate-autosubscribe.yml
+    - 6648_ldap_search_page_size.yml
+    - 6649-varsmixin-deprecation.yml
+    - 6650-redhat_subscription-deprecate-pool.yml
+    - 6658-redhat_subscription-internal-rhsm-refactor.yml
+    - 6660-onepassword-lookup-service-account.yaml
+    - 6662-csv-bom.yml
+    - 6663-deprecate-module_utils-redhat.yml
+    - 6668-ldap-client-cert.yml
+    - 6669-rhsm_release-internal-sub-man-exec.yml
+    - 6673-rhsm_repository-deprecate-present-absent.yml
+    - 6676-rhsm_repository-fix-returned-repositories-with-purge.yml
+    - 6680-filesystem-uuid-change.yml
+    - 6682-lvg-clonesupport.yml
+    - 6687-support-subgroups-for-keycloak-client-rolemapping.yml
+    - 6688-is-struct-included-bug-in-keycloak-py.yml
+    - 6709-proxmox-create-vm-with-existing-name.yml
+    - 6711-cobbler-ip-address.yml
+    - 6712-gitlab_group-filtered-for-none-values.yml
+    - 6720-tss-fix-fetch-attachments.yml
+    - 6748-icinga2_host-datafix.yml
+    - 7.1.0.yml
+    - ini_file-preserve-symlink.yml
+    - ini_file-use-inactive-options-when-possible.yml
+    modules:
+    - description: Creates, updates, or deletes GitLab instance variables
+      name: gitlab_instance_variable
+      namespace: ''
+    - description: Create, update, or delete GitLab merge requests
+      name: gitlab_merge_request
+      namespace: ''
+    - description: Allows administration of Keycloak authentication required actions
+      name: keycloak_authentication_required_actions
+      namespace: ''
+    - description: Create and configure a user in Keycloak
+      name: keycloak_user
+      namespace: ''
+    - description: Renames LVM volume groups
+      name: lvg_rename
+      namespace: ''
+    - description: Pool management for Proxmox VE cluster
+      name: proxmox_pool
+      namespace: ''
+    - description: Add or delete members from Proxmox VE cluster pools
+      name: proxmox_pool_member
+      namespace: ''
+    release_date: '2023-06-20'

galaxy.yml

@@ -5,7 +5,7 @@
 
 namespace: community
 name: general
-version: 7.0.0
+version: 7.1.0
 readme: README.md
 authors:
   - Ansible (https://github.com/ansible)

plugins/become/machinectl.py

@@ -68,7 +68,7 @@ DOCUMENTATION = '''
               - section: machinectl_become_plugin
                 key: password
     notes:
-      - When not using this plugin with user C(root), it only works correctly with a polkit rule which will alter
+      - When not using this plugin with user V(root), it only works correctly with a polkit rule which will alter
         the behaviour of machinectl. This rule must alter the prompt behaviour to ask directly for the user credentials,
         if the user is allowed to perform the action (take a look at the examples section).
         If such a rule is not present the plugin only work if it is used in context with the root user,

plugins/become/pfexec.py

@@ -82,7 +82,7 @@ DOCUMENTATION = '''
             env:
               - name: ANSIBLE_PFEXEC_WRAP_EXECUTION
     notes:
-      - This plugin ignores I(become_user) as pfexec uses it's own C(exec_attr) to figure this out.
+      - This plugin ignores O(become_user) as pfexec uses it's own C(exec_attr) to figure this out.
 '''
 
 from ansible.plugins.become import BecomeBase

plugins/cache/redis.py

@@ -18,9 +18,9 @@ DOCUMENTATION = '''
       _uri:
         description:
           - A colon separated string of connection information for Redis.
-          - The format is C(host:port:db:password), for example C(localhost:6379:0:changeme).
-          - To use encryption in transit, prefix the connection with C(tls://), as in C(tls://localhost:6379:0:changeme).
-          - To use redis sentinel, use separator C(;), for example C(localhost:26379;localhost:26379;0:changeme). Requires redis>=2.9.0.
+          - The format is V(host:port:db:password), for example V(localhost:6379:0:changeme).
+          - To use encryption in transit, prefix the connection with V(tls://), as in V(tls://localhost:6379:0:changeme).
+          - To use redis sentinel, use separator V(;), for example V(localhost:26379;localhost:26379;0:changeme). Requires redis>=2.9.0.
         required: true
         env:
           - name: ANSIBLE_CACHE_PLUGIN_CONNECTION

plugins/callback/cgroup_memory_recap.py

@@ -24,7 +24,7 @@ DOCUMENTATION = '''
     options:
       max_mem_file:
         required: true
-        description: Path to cgroups C(memory.max_usage_in_bytes) file. Example C(/sys/fs/cgroup/memory/ansible_profile/memory.max_usage_in_bytes).
+        description: Path to cgroups C(memory.max_usage_in_bytes) file. Example V(/sys/fs/cgroup/memory/ansible_profile/memory.max_usage_in_bytes).
         env:
           - name: CGROUP_MAX_MEM_FILE
         ini:
@@ -32,7 +32,7 @@ DOCUMENTATION = '''
             key: max_mem_file
       cur_mem_file:
         required: true
-        description: Path to C(memory.usage_in_bytes) file. Example C(/sys/fs/cgroup/memory/ansible_profile/memory.usage_in_bytes).
+        description: Path to C(memory.usage_in_bytes) file. Example V(/sys/fs/cgroup/memory/ansible_profile/memory.usage_in_bytes).
         env:
           - name: CGROUP_CUR_MEM_FILE
         ini:

plugins/callback/diy.py

@@ -18,7 +18,7 @@ DOCUMENTATION = r'''
   extends_documentation_fragment:
     - default_callback
   notes:
-    - Uses the C(default) callback plugin output when a custom callback message(C(msg)) is not provided.
+    - Uses the P(ansible.builtin.default#callback) callback plugin output when a custom callback V(message(msg\)) is not provided.
     - Makes the callback event data available via the C(ansible_callback_diy) dictionary, which can be used in the templating context for the options.
       The dictionary is only available in the templating context for the options. It is not a variable that is available via the other
       various execution contexts, such as playbook, play, task etc.
@@ -40,8 +40,8 @@ DOCUMENTATION = r'''
                     if value C(is not None and not omit and length is greater than 0),
                     then the option is being used with output.
        **Effect**: render value as template and output"
-    - "Valid color values: C(black), C(bright gray), C(blue), C(white), C(green), C(bright blue), C(cyan), C(bright green), C(red), C(bright cyan),
-      C(purple), C(bright red), C(yellow), C(bright purple), C(dark gray), C(bright yellow), C(magenta), C(bright magenta), C(normal)"
+    - "Valid color values: V(black), V(bright gray), V(blue), V(white), V(green), V(bright blue), V(cyan), V(bright green), V(red), V(bright cyan),
+      V(purple), V(bright red), V(yellow), V(bright purple), V(dark gray), V(bright yellow), V(magenta), V(bright magenta), V(normal)"
   seealso:
     - name: default – default Ansible screen output
       description: The official documentation on the B(default) callback plugin.
@@ -62,7 +62,7 @@ DOCUMENTATION = r'''
 
     on_any_msg_color:
       description:
-        - Output color to be used for I(on_any_msg).
+        - Output color to be used for O(on_any_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -86,7 +86,7 @@ DOCUMENTATION = r'''
 
     runner_on_failed_msg_color:
       description:
-        - Output color to be used for I(runner_on_failed_msg).
+        - Output color to be used for O(runner_on_failed_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -110,7 +110,7 @@ DOCUMENTATION = r'''
 
     runner_on_ok_msg_color:
       description:
-        - Output color to be used for I(runner_on_ok_msg).
+        - Output color to be used for O(runner_on_ok_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -134,7 +134,7 @@ DOCUMENTATION = r'''
 
     runner_on_skipped_msg_color:
       description:
-        - Output color to be used for I(runner_on_skipped_msg).
+        - Output color to be used for O(runner_on_skipped_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -158,7 +158,7 @@ DOCUMENTATION = r'''
 
     runner_on_unreachable_msg_color:
       description:
-        - Output color to be used for I(runner_on_unreachable_msg).
+        - Output color to be used for O(runner_on_unreachable_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -182,7 +182,7 @@ DOCUMENTATION = r'''
 
     playbook_on_start_msg_color:
       description:
-        - Output color to be used for I(playbook_on_start_msg).
+        - Output color to be used for O(playbook_on_start_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -206,7 +206,7 @@ DOCUMENTATION = r'''
 
     playbook_on_notify_msg_color:
       description:
-        - Output color to be used for I(playbook_on_notify_msg).
+        - Output color to be used for O(playbook_on_notify_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -230,7 +230,7 @@ DOCUMENTATION = r'''
 
     playbook_on_no_hosts_matched_msg_color:
       description:
-        - Output color to be used for I(playbook_on_no_hosts_matched_msg).
+        - Output color to be used for O(playbook_on_no_hosts_matched_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -254,7 +254,7 @@ DOCUMENTATION = r'''
 
     playbook_on_no_hosts_remaining_msg_color:
       description:
-        - Output color to be used for I(playbook_on_no_hosts_remaining_msg).
+        - Output color to be used for O(playbook_on_no_hosts_remaining_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -278,7 +278,7 @@ DOCUMENTATION = r'''
 
     playbook_on_task_start_msg_color:
       description:
-        - Output color to be used for I(playbook_on_task_start_msg).
+        - Output color to be used for O(playbook_on_task_start_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -302,7 +302,7 @@ DOCUMENTATION = r'''
 
     playbook_on_handler_task_start_msg_color:
       description:
-        - Output color to be used for I(playbook_on_handler_task_start_msg).
+        - Output color to be used for O(playbook_on_handler_task_start_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -326,7 +326,7 @@ DOCUMENTATION = r'''
 
     playbook_on_vars_prompt_msg_color:
       description:
-        - Output color to be used for I(playbook_on_vars_prompt_msg).
+        - Output color to be used for O(playbook_on_vars_prompt_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -350,7 +350,7 @@ DOCUMENTATION = r'''
 
     playbook_on_play_start_msg_color:
       description:
-        - Output color to be used for I(playbook_on_play_start_msg).
+        - Output color to be used for O(playbook_on_play_start_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -374,7 +374,7 @@ DOCUMENTATION = r'''
 
     playbook_on_stats_msg_color:
       description:
-        - Output color to be used for I(playbook_on_stats_msg).
+        - Output color to be used for O(playbook_on_stats_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -398,7 +398,7 @@ DOCUMENTATION = r'''
 
     on_file_diff_msg_color:
       description:
-        - Output color to be used for I(on_file_diff_msg).
+        - Output color to be used for O(on_file_diff_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -422,7 +422,7 @@ DOCUMENTATION = r'''
 
     playbook_on_include_msg_color:
       description:
-        - Output color to be used for I(playbook_on_include_msg).
+        - Output color to be used for O(playbook_on_include_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -446,7 +446,7 @@ DOCUMENTATION = r'''
 
     runner_item_on_ok_msg_color:
       description:
-        - Output color to be used for I(runner_item_on_ok_msg).
+        - Output color to be used for O(runner_item_on_ok_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -470,7 +470,7 @@ DOCUMENTATION = r'''
 
     runner_item_on_failed_msg_color:
       description:
-        - Output color to be used for I(runner_item_on_failed_msg).
+        - Output color to be used for O(runner_item_on_failed_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -494,7 +494,7 @@ DOCUMENTATION = r'''
 
     runner_item_on_skipped_msg_color:
       description:
-        - Output color to be used for I(runner_item_on_skipped_msg).
+        - Output color to be used for O(runner_item_on_skipped_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -518,7 +518,7 @@ DOCUMENTATION = r'''
 
     runner_retry_msg_color:
       description:
-        - Output color to be used for I(runner_retry_msg).
+        - Output color to be used for O(runner_retry_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -542,7 +542,7 @@ DOCUMENTATION = r'''
 
     runner_on_start_msg_color:
       description:
-        - Output color to be used for I(runner_on_start_msg).
+        - Output color to be used for O(runner_on_start_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -566,7 +566,7 @@ DOCUMENTATION = r'''
 
     runner_on_no_hosts_msg_color:
       description:
-        - Output color to be used for I(runner_on_no_hosts_msg).
+        - Output color to be used for O(runner_on_no_hosts_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy
@@ -590,7 +590,7 @@ DOCUMENTATION = r'''
 
     playbook_on_setup_msg_color:
       description:
-        - Output color to be used for I(playbook_on_setup_msg).
+        - Output color to be used for O(playbook_on_setup_msg).
         - Template should render a L(valid color value,#notes).
       ini:
         - section: callback_diy

plugins/callback/opentelemetry.py

@@ -32,10 +32,10 @@ DOCUMENTATION = '''
       enable_from_environment:
         type: str
         description:
-          - Whether to enable this callback only if the given environment variable exists and it is set to C(true).
+          - Whether to enable this callback only if the given environment variable exists and it is set to V(true).
           - This is handy when you use Configuration as Code and want to send distributed traces
             if running in the CI rather when running Ansible locally.
-          - For such, it evaluates the given I(enable_from_environment) value as environment variable
+          - For such, it evaluates the given O(enable_from_environment) value as environment variable
             and if set to true this plugin will be enabled.
         env:
           - name: ANSIBLE_OPENTELEMETRY_ENABLE_FROM_ENVIRONMENT
@@ -73,6 +73,17 @@ DOCUMENTATION = '''
           - section: callback_opentelemetry
             key: disable_logs
         version_added: 5.8.0
+      disable_attributes_in_logs:
+        default: false
+        type: bool
+        description:
+          - Disable populating span attributes to the logs.
+        env:
+          - name: ANSIBLE_OPENTELEMETRY_DISABLE_ATTRIBUTES_IN_LOGS
+        ini:
+          - section: callback_opentelemetry
+            key: disable_attributes_in_logs
+        version_added: 7.1.0
     requirements:
       - opentelemetry-api (Python library)
       - opentelemetry-exporter-otlp (Python library)
@@ -244,7 +255,7 @@ class OpenTelemetrySource(object):
         task.dump = dump
         task.add_host(HostData(host_uuid, host_name, status, result))
 
-    def generate_distributed_traces(self, otel_service_name, ansible_playbook, tasks_data, status, traceparent, disable_logs):
+    def generate_distributed_traces(self, otel_service_name, ansible_playbook, tasks_data, status, traceparent, disable_logs, disable_attributes_in_logs):
         """ generate distributed traces from the collected TaskData and HostData """
 
         tasks = []
@@ -280,9 +291,9 @@ class OpenTelemetrySource(object):
             for task in tasks:
                 for host_uuid, host_data in task.host_data.items():
                     with tracer.start_as_current_span(task.name, start_time=task.start, end_on_exit=False) as span:
-                        self.update_span_data(task, host_data, span, disable_logs)
+                        self.update_span_data(task, host_data, span, disable_logs, disable_attributes_in_logs)
 
-    def update_span_data(self, task_data, host_data, span, disable_logs):
+    def update_span_data(self, task_data, host_data, span, disable_logs, disable_attributes_in_logs):
         """ update the span with the given TaskData and HostData """
 
         name = '[%s] %s: %s' % (host_data.name, task_data.play, task_data.name)
@@ -315,39 +326,47 @@ class OpenTelemetrySource(object):
                 status = Status(status_code=StatusCode.UNSET)
 
         span.set_status(status)
+
+        # Create the span and log attributes
+        attributes = {
+            "ansible.task.module": task_data.action,
+            "ansible.task.message": message,
+            "ansible.task.name": name,
+            "ansible.task.result": rc,
+            "ansible.task.host.name": host_data.name,
+            "ansible.task.host.status": host_data.status
+        }
         if isinstance(task_data.args, dict) and "gather_facts" not in task_data.action:
             names = tuple(self.transform_ansible_unicode_to_str(k) for k in task_data.args.keys())
             values = tuple(self.transform_ansible_unicode_to_str(k) for k in task_data.args.values())
-            self.set_span_attribute(span, ("ansible.task.args.name"), names)
-            self.set_span_attribute(span, ("ansible.task.args.value"), values)
-        self.set_span_attribute(span, "ansible.task.module", task_data.action)
-        self.set_span_attribute(span, "ansible.task.message", message)
-        self.set_span_attribute(span, "ansible.task.name", name)
-        self.set_span_attribute(span, "ansible.task.result", rc)
-        self.set_span_attribute(span, "ansible.task.host.name", host_data.name)
-        self.set_span_attribute(span, "ansible.task.host.status", host_data.status)
+            attributes[("ansible.task.args.name")] = names
+            attributes[("ansible.task.args.value")] = values
+
+        self.set_span_attributes(span, attributes)
+
         # This will allow to enrich the service map
         self.add_attributes_for_service_map_if_possible(span, task_data)
         # Send logs
         if not disable_logs:
-            span.add_event(task_data.dump)
-        span.end(end_time=host_data.finish)
+            # This will avoid populating span attributes to the logs
+            span.add_event(task_data.dump, attributes={} if disable_attributes_in_logs else attributes)
+            span.end(end_time=host_data.finish)
 
-    def set_span_attribute(self, span, attributeName, attributeValue):
-        """ update the span attribute with the given attribute and value if not None """
+    def set_span_attributes(self, span, attributes):
+        """ update the span attributes with the given attributes if not None """
 
         if span is None and self._display is not None:
             self._display.warning('span object is None. Please double check if that is expected.')
         else:
-            if attributeValue is not None:
-                span.set_attribute(attributeName, attributeValue)
+            if attributes is not None:
+                span.set_attributes(attributes)
 
     def add_attributes_for_service_map_if_possible(self, span, task_data):
         """Update the span attributes with the service that the task interacted with, if possible."""
 
         redacted_url = self.parse_and_redact_url_if_possible(task_data.args)
         if redacted_url:
-            self.set_span_attribute(span, "http.url", redacted_url.geturl())
+            span.set_attribute("http.url", redacted_url.geturl())
 
     @staticmethod
     def parse_and_redact_url_if_possible(args):
@@ -434,6 +453,7 @@ class CallbackModule(CallbackBase):
     def __init__(self, display=None):
         super(CallbackModule, self).__init__(display=display)
         self.hide_task_arguments = None
+        self.disable_attributes_in_logs = None
         self.disable_logs = None
         self.otel_service_name = None
         self.ansible_playbook = None
@@ -465,6 +485,8 @@ class CallbackModule(CallbackBase):
 
         self.hide_task_arguments = self.get_option('hide_task_arguments')
 
+        self.disable_attributes_in_logs = self.get_option('disable_attributes_in_logs')
+
         self.disable_logs = self.get_option('disable_logs')
 
         self.otel_service_name = self.get_option('otel_service_name')
@@ -562,7 +584,8 @@ class CallbackModule(CallbackBase):
             self.tasks_data,
             status,
             self.traceparent,
-            self.disable_logs
+            self.disable_logs,
+            self.disable_attributes_in_logs
         )
 
     def v2_runner_on_async_failed(self, result, **kwargs):

plugins/callback/splunk.py

@@ -36,8 +36,8 @@ DOCUMENTATION = '''
             key: authtoken
       validate_certs:
         description: Whether to validate certificates for connections to HEC. It is not recommended to set to
-                     C(false) except when you are sure that nobody can intercept the connection
-                     between this plugin and HEC, as setting it to C(false) allows man-in-the-middle attacks!
+                     V(false) except when you are sure that nobody can intercept the connection
+                     between this plugin and HEC, as setting it to V(false) allows man-in-the-middle attacks!
         env:
           - name: SPLUNK_VALIDATE_CERTS
         ini:

plugins/callback/sumologic.py

@@ -6,7 +6,7 @@
 from __future__ import (absolute_import, division, print_function)
 __metaclass__ = type
 
-DOCUMENTATION = '''
+DOCUMENTATION = r'''
 name: sumologic
 type: notification
 short_description: Sends task result events to Sumologic
@@ -15,8 +15,8 @@ description:
   - This callback plugin will send task results as JSON formatted events to a Sumologic HTTP collector source.
 requirements:
   - Whitelisting this callback plugin
-  - 'Create a HTTP collector source in Sumologic and specify a custom timestamp format of C(yyyy-MM-dd HH:mm:ss ZZZZ) and a custom timestamp locator
-    of C("timestamp": "(.*)")'
+  - 'Create a HTTP collector source in Sumologic and specify a custom timestamp format of V(yyyy-MM-dd HH:mm:ss ZZZZ) and a custom timestamp locator
+    of V("timestamp": "(.*\)")'
 options:
   url:
     description: URL to the Sumologic HTTP collector source.

plugins/doc_fragments/alicloud.py

@@ -15,40 +15,40 @@ class ModuleDocFragment(object):
 options:
   alicloud_access_key:
     description:
-      - Alibaba Cloud access key. If not set then the value of environment variable C(ALICLOUD_ACCESS_KEY),
-        C(ALICLOUD_ACCESS_KEY_ID) will be used instead.
+      - Alibaba Cloud access key. If not set then the value of environment variable E(ALICLOUD_ACCESS_KEY),
+        E(ALICLOUD_ACCESS_KEY_ID) will be used instead.
     aliases: ['access_key_id', 'access_key']
     type: str
   alicloud_secret_key:
     description:
-      - Alibaba Cloud secret key. If not set then the value of environment variable C(ALICLOUD_SECRET_KEY),
-        C(ALICLOUD_SECRET_ACCESS_KEY) will be used instead.
+      - Alibaba Cloud secret key. If not set then the value of environment variable E(ALICLOUD_SECRET_KEY),
+        E(ALICLOUD_SECRET_ACCESS_KEY) will be used instead.
     aliases: ['secret_access_key', 'secret_key']
     type: str
   alicloud_region:
     description:
       - The Alibaba Cloud region to use. If not specified then the value of environment variable
-        C(ALICLOUD_REGION), C(ALICLOUD_REGION_ID) will be used instead.
+        E(ALICLOUD_REGION), E(ALICLOUD_REGION_ID) will be used instead.
     aliases: ['region', 'region_id']
     required: true
     type: str
   alicloud_security_token:
     description:
       - The Alibaba Cloud security token. If not specified then the value of environment variable
-        C(ALICLOUD_SECURITY_TOKEN) will be used instead.
+        E(ALICLOUD_SECURITY_TOKEN) will be used instead.
     aliases: ['security_token']
     type: str
   alicloud_assume_role:
     description:
       - If provided with a role ARN, Ansible will attempt to assume this role using the supplied credentials.
-      - The nested assume_role block supports I(alicloud_assume_role_arn), I(alicloud_assume_role_session_name),
-        I(alicloud_assume_role_session_expiration) and I(alicloud_assume_role_policy)
+      - The nested assume_role block supports C(alicloud_assume_role_arn), C(alicloud_assume_role_session_name),
+        C(alicloud_assume_role_session_expiration) and C(alicloud_assume_role_policy).
     type: dict
     aliases: ['assume_role']
   alicloud_assume_role_arn:
     description:
       - The Alibaba Cloud role_arn. The ARN of the role to assume. If ARN is set to an empty string,
-        it does not perform role switching. It supports environment variable ALICLOUD_ASSUME_ROLE_ARN.
+        it does not perform role switching. It supports environment variable E(ALICLOUD_ASSUME_ROLE_ARN).
         ansible will execute with provided credentials.
     aliases: ['assume_role_arn']
     type: str
@@ -56,14 +56,14 @@ options:
     description:
       - The Alibaba Cloud session_name. The session name to use when assuming the role. If omitted,
         'ansible' is passed to the AssumeRole call as session name. It supports environment variable
-        ALICLOUD_ASSUME_ROLE_SESSION_NAME
+        E(ALICLOUD_ASSUME_ROLE_SESSION_NAME).
     aliases: ['assume_role_session_name']
     type: str
   alicloud_assume_role_session_expiration:
     description:
       - The Alibaba Cloud session_expiration. The time after which the established session for assuming
         role expires. Valid value range 900-3600 seconds. Default to 3600 (in this case Alicloud use own default
-        value). It supports environment variable ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION
+        value). It supports environment variable E(ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION).
     aliases: ['assume_role_session_expiration']
     type: int
   ecs_role_name:
@@ -79,11 +79,11 @@ options:
   profile:
     description:
       - This is the Alicloud profile name as set in the shared credentials file. It can also be sourced from the
-        ALICLOUD_PROFILE environment variable.
+        E(ALICLOUD_PROFILE) environment variable.
     type: str
   shared_credentials_file:
     description:
-      - This is the path to the shared credentials file. It can also be sourced from the ALICLOUD_SHARED_CREDENTIALS_FILE
+      - This is the path to the shared credentials file. It can also be sourced from the E(ALICLOUD_SHARED_CREDENTIALS_FILE)
         environment variable.
       - If this is not set and a profile is specified,  ~/.aliyun/config.json will be used.
     type: str
@@ -94,16 +94,16 @@ requirements:
 notes:
   - If parameters are not set within the module, the following
     environment variables can be used in decreasing order of precedence
-    C(ALICLOUD_ACCESS_KEY) or C(ALICLOUD_ACCESS_KEY_ID),
-    C(ALICLOUD_SECRET_KEY) or C(ALICLOUD_SECRET_ACCESS_KEY),
-    C(ALICLOUD_REGION) or C(ALICLOUD_REGION_ID),
-    C(ALICLOUD_SECURITY_TOKEN),
-    C(ALICLOUD_ECS_ROLE_NAME),
-    C(ALICLOUD_SHARED_CREDENTIALS_FILE),
-    C(ALICLOUD_PROFILE),
-    C(ALICLOUD_ASSUME_ROLE_ARN),
-    C(ALICLOUD_ASSUME_ROLE_SESSION_NAME),
-    C(ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION),
-  - C(ALICLOUD_REGION) or C(ALICLOUD_REGION_ID) can be typically be used to specify the
+    E(ALICLOUD_ACCESS_KEY) or E(ALICLOUD_ACCESS_KEY_ID),
+    E(ALICLOUD_SECRET_KEY) or E(ALICLOUD_SECRET_ACCESS_KEY),
+    E(ALICLOUD_REGION) or E(ALICLOUD_REGION_ID),
+    E(ALICLOUD_SECURITY_TOKEN),
+    E(ALICLOUD_ECS_ROLE_NAME),
+    E(ALICLOUD_SHARED_CREDENTIALS_FILE),
+    E(ALICLOUD_PROFILE),
+    E(ALICLOUD_ASSUME_ROLE_ARN),
+    E(ALICLOUD_ASSUME_ROLE_SESSION_NAME),
+    E(ALICLOUD_ASSUME_ROLE_SESSION_EXPIRATION),
+  - E(ALICLOUD_REGION) or E(ALICLOUD_REGION_ID) can be typically be used to specify the
     ALICLOUD region, when required, but this can also be configured in the footmark config file
 '''

plugins/doc_fragments/bitbucket.py

@@ -16,25 +16,25 @@ options:
   client_id:
     description:
       - The OAuth consumer key.
-      - If not set the environment variable C(BITBUCKET_CLIENT_ID) will be used.
+      - If not set the environment variable E(BITBUCKET_CLIENT_ID) will be used.
     type: str
   client_secret:
     description:
       - The OAuth consumer secret.
-      - If not set the environment variable C(BITBUCKET_CLIENT_SECRET) will be used.
+      - If not set the environment variable E(BITBUCKET_CLIENT_SECRET) will be used.
     type: str
   user:
     description:
       - The username.
-      - If not set the environment variable C(BITBUCKET_USERNAME) will be used.
-      - I(username) is an alias of I(user) since community.genreal 6.0.0. It was an alias of I(workspace) before.
+      - If not set the environment variable E(BITBUCKET_USERNAME) will be used.
+      - O(ignore:username) is an alias of O(user) since community.general 6.0.0. It was an alias of O(workspace) before.
     type: str
     version_added: 4.0.0
     aliases: [ username ]
   password:
     description:
       - The App password.
-      - If not set the environment variable C(BITBUCKET_PASSWORD) will be used.
+      - If not set the environment variable E(BITBUCKET_PASSWORD) will be used.
     type: str
     version_added: 4.0.0
 notes:

plugins/doc_fragments/dimensiondata.py

@@ -29,13 +29,13 @@ options:
   mcp_user:
     description:
       - The username used to authenticate to the CloudControl API.
-      - If not specified, will fall back to C(MCP_USER) from environment variable or C(~/.dimensiondata).
+      - If not specified, will fall back to E(MCP_USER) from environment variable or C(~/.dimensiondata).
     type: str
   mcp_password:
     description:
       - The password used to authenticate to the CloudControl API.
-      - If not specified, will fall back to C(MCP_PASSWORD) from environment variable or C(~/.dimensiondata).
-      - Required if I(mcp_user) is specified.
+      - If not specified, will fall back to E(MCP_PASSWORD) from environment variable or C(~/.dimensiondata).
+      - Required if O(mcp_user) is specified.
     type: str
   location:
     description:
@@ -44,7 +44,7 @@ options:
     required: true
   validate_certs:
     description:
-      - If C(false), SSL certificates will not be validated.
+      - If V(false), SSL certificates will not be validated.
       - This should only be used on private instances of the CloudControl API that use self-signed certificates.
     type: bool
     default: true

plugins/doc_fragments/dimensiondata_wait.py

@@ -25,13 +25,13 @@ options:
   wait_time:
     description:
       - The maximum amount of time (in seconds) to wait for the task to complete.
-      - Only applicable if I(wait=true).
+      - Only applicable if O(wait=true).
     type: int
     default: 600
   wait_poll_interval:
     description:
       - The amount of time (in seconds) to wait between checks for task completion.
-      - Only applicable if I(wait=true).
+      - Only applicable if O(wait=true).
     type: int
     default: 2
     '''

plugins/doc_fragments/hwc.py

@@ -51,16 +51,16 @@ options:
         type: str
 notes:
   - For authentication, you can set identity_endpoint using the
-    C(ANSIBLE_HWC_IDENTITY_ENDPOINT) env variable.
+    E(ANSIBLE_HWC_IDENTITY_ENDPOINT) env variable.
   - For authentication, you can set user using the
-    C(ANSIBLE_HWC_USER) env variable.
-  - For authentication, you can set password using the C(ANSIBLE_HWC_PASSWORD) env
+    E(ANSIBLE_HWC_USER) env variable.
+  - For authentication, you can set password using the E(ANSIBLE_HWC_PASSWORD) env
     variable.
-  - For authentication, you can set domain using the C(ANSIBLE_HWC_DOMAIN) env
+  - For authentication, you can set domain using the E(ANSIBLE_HWC_DOMAIN) env
     variable.
-  - For authentication, you can set project using the C(ANSIBLE_HWC_PROJECT) env
+  - For authentication, you can set project using the E(ANSIBLE_HWC_PROJECT) env
     variable.
-  - For authentication, you can set region using the C(ANSIBLE_HWC_REGION) env variable.
+  - For authentication, you can set region using the E(ANSIBLE_HWC_REGION) env variable.
   - Environment variables values will only be used if the playbook values are
     not set.
 '''

plugins/doc_fragments/influxdb.py

@@ -22,14 +22,14 @@ options:
   username:
     description:
     - Username that will be used to authenticate against InfluxDB server.
-    - Alias C(login_username) added in Ansible 2.5.
+    - Alias O(login_username) added in Ansible 2.5.
     type: str
     default: root
     aliases: [ login_username ]
   password:
     description:
     - Password that will be used to authenticate against InfluxDB server.
-    - Alias C(login_password) added in Ansible 2.5.
+    - Alias O(login_password) added in Ansible 2.5.
     type: str
     default: root
     aliases: [ login_password ]
@@ -47,8 +47,8 @@ options:
     version_added: '0.2.0'
   validate_certs:
     description:
-    - If set to C(false), the SSL certificates will not be validated.
-    - This should only set to C(false) used on personally controlled sites using self-signed certificates.
+    - If set to V(false), the SSL certificates will not be validated.
+    - This should only set to V(false) used on personally controlled sites using self-signed certificates.
     type: bool
     default: true
   ssl:
@@ -63,7 +63,7 @@ options:
   retries:
     description:
     - Number of retries client will try before aborting.
-    - C(0) indicates try until success.
+    - V(0) indicates try until success.
     - Only available when using python-influxdb >= 4.1.0
     type: int
     default: 3

plugins/doc_fragments/ipa.py

@@ -16,61 +16,61 @@ options:
   ipa_port:
     description:
     - Port of FreeIPA / IPA server.
-    - If the value is not specified in the task, the value of environment variable C(IPA_PORT) will be used instead.
-    - If both the environment variable C(IPA_PORT) and the value are not specified in the task, then default value is set.
+    - If the value is not specified in the task, the value of environment variable E(IPA_PORT) will be used instead.
+    - If both the environment variable E(IPA_PORT) and the value are not specified in the task, then default value is set.
     - Environment variable fallback mechanism is added in Ansible 2.5.
     type: int
     default: 443
   ipa_host:
     description:
     - IP or hostname of IPA server.
-    - If the value is not specified in the task, the value of environment variable C(IPA_HOST) will be used instead.
-    - If both the environment variable C(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server.
+    - If the value is not specified in the task, the value of environment variable E(IPA_HOST) will be used instead.
+    - If both the environment variable E(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server.
     - The relevant entry needed in FreeIPA is the 'ipa-ca' entry.
-    - If neither the DNS entry, nor the environment C(IPA_HOST), nor the value are available in the task, then the default value will be used.
+    - If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available in the task, then the default value will be used.
     - Environment variable fallback mechanism is added in Ansible 2.5.
     type: str
     default: ipa.example.com
   ipa_user:
     description:
     - Administrative account used on IPA server.
-    - If the value is not specified in the task, the value of environment variable C(IPA_USER) will be used instead.
-    - If both the environment variable C(IPA_USER) and the value are not specified in the task, then default value is set.
+    - If the value is not specified in the task, the value of environment variable E(IPA_USER) will be used instead.
+    - If both the environment variable E(IPA_USER) and the value are not specified in the task, then default value is set.
     - Environment variable fallback mechanism is added in Ansible 2.5.
     type: str
     default: admin
   ipa_pass:
     description:
     - Password of administrative user.
-    - If the value is not specified in the task, the value of environment variable C(IPA_PASS) will be used instead.
-    - Note that if the 'urllib_gssapi' library is available, it is possible to use GSSAPI to authenticate to FreeIPA.
-    - If the environment variable C(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server.
-    - If the environment variable C(KRB5_CLIENT_KTNAME) is available, and C(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate.
-    - If GSSAPI is not available, the usage of 'ipa_pass' is required.
+    - If the value is not specified in the task, the value of environment variable E(IPA_PASS) will be used instead.
+    - Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI to authenticate to FreeIPA.
+    - If the environment variable E(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server.
+    - If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate.
+    - If GSSAPI is not available, the usage of O(ipa_pass) is required.
     - Environment variable fallback mechanism is added in Ansible 2.5.
     type: str
   ipa_prot:
     description:
     - Protocol used by IPA server.
-    - If the value is not specified in the task, the value of environment variable C(IPA_PROT) will be used instead.
-    - If both the environment variable C(IPA_PROT) and the value are not specified in the task, then default value is set.
+    - If the value is not specified in the task, the value of environment variable E(IPA_PROT) will be used instead.
+    - If both the environment variable E(IPA_PROT) and the value are not specified in the task, then default value is set.
     - Environment variable fallback mechanism is added in Ansible 2.5.
     type: str
     choices: [ http, https ]
     default: https
   validate_certs:
     description:
-    - This only applies if C(ipa_prot) is I(https).
-    - If set to C(false), the SSL certificates will not be validated.
-    - This should only set to C(false) used on personally controlled sites using self-signed certificates.
+    - This only applies if O(ipa_prot) is V(https).
+    - If set to V(false), the SSL certificates will not be validated.
+    - This should only set to V(false) used on personally controlled sites using self-signed certificates.
     type: bool
     default: true
   ipa_timeout:
     description:
     - Specifies idle timeout (in seconds) for the connection.
     - For bulk operations, you may want to increase this in order to avoid timeout from IPA server.
-    - If the value is not specified in the task, the value of environment variable C(IPA_TIMEOUT) will be used instead.
-    - If both the environment variable C(IPA_TIMEOUT) and the value are not specified in the task, then default value is set.
+    - If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT) will be used instead.
+    - If both the environment variable E(IPA_TIMEOUT) and the value are not specified in the task, then default value is set.
     type: int
     default: 10
 '''

plugins/doc_fragments/keycloak.py

@@ -23,7 +23,7 @@ options:
 
     auth_client_id:
         description:
-            - OpenID Connect I(client_id) to authenticate to the API with.
+            - OpenID Connect C(client_id) to authenticate to the API with.
         type: str
         default: admin-cli
 
@@ -34,7 +34,7 @@ options:
 
     auth_client_secret:
         description:
-            - Client Secret to use in conjunction with I(auth_client_id) (if required).
+            - Client Secret to use in conjunction with O(auth_client_id) (if required).
         type: str
 
     auth_username:

plugins/doc_fragments/ldap.py

@@ -21,7 +21,7 @@ options:
     type: str
   bind_pw:
     description:
-      - The password to use with I(bind_dn).
+      - The password to use with O(bind_dn).
     type: str
     default: ''
   ca_path:
@@ -29,6 +29,18 @@ options:
       - Set the path to PEM file with CA certs.
     type: path
     version_added: "6.5.0"
+  client_cert:
+    type: path
+    description:
+      - PEM formatted certificate chain file to be used for SSL client authentication.
+      - Required if O(client_key) is defined.
+    version_added: "7.1.0"
+  client_key:
+    type: path
+    description:
+      - PEM formatted file that contains your private key to be used for SSL client authentication.
+      - Required if O(client_cert) is defined.
+    version_added: "7.1.0"
   dn:
     required: true
     description:
@@ -40,12 +52,12 @@ options:
     type: str
     description:
       - Set the referrals chasing behavior.
-      - C(anonymous) follow referrals anonymously. This is the default behavior.
-      - C(disabled) disable referrals chasing. This sets C(OPT_REFERRALS) to off.
+      - V(anonymous) follow referrals anonymously. This is the default behavior.
+      - V(disabled) disable referrals chasing. This sets C(OPT_REFERRALS) to off.
     version_added: 2.0.0
   server_uri:
     description:
-      - The I(server_uri) parameter may be a comma- or whitespace-separated list of URIs containing only the schema, the host, and the port fields.
+      - The O(server_uri) parameter may be a comma- or whitespace-separated list of URIs containing only the schema, the host, and the port fields.
       - The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
       - Note that when using multiple URIs you cannot determine to which URI your client gets connected.
       - For URIs containing additional fields, particularly when using commas, behavior is undefined.
@@ -58,14 +70,13 @@ options:
     default: false
   validate_certs:
     description:
-      - If set to C(false), SSL certificates will not be validated.
+      - If set to V(false), SSL certificates will not be validated.
       - This should only be used on sites using self-signed certificates.
     type: bool
     default: true
   sasl_class:
     description:
       - The class to use for SASL authentication.
-      - Possible choices are C(external), C(gssapi).
     type: str
     choices: ['external', 'gssapi']
     default: external
@@ -73,10 +84,9 @@ options:
   xorder_discovery:
     description:
       - Set the behavior on how to process Xordered DNs.
-      - C(enable) will perform a C(ONELEVEL) search below the superior RDN to find the matching DN.
-      - C(disable) will always use the DN unmodified (as passed by the I(dn) parameter).
-      - C(auto) will only perform a search if the first RDN does not contain an index number (C({x})).
-      - Possible choices are C(enable), C(auto), C(disable).
+      - V(enable) will perform a C(ONELEVEL) search below the superior RDN to find the matching DN.
+      - V(disable) will always use the DN unmodified (as passed by the O(dn) parameter).
+      - V(auto) will only perform a search if the first RDN does not contain an index number (C({x})).
     type: str
     choices: ['enable', 'auto', 'disable']
     default: auto

plugins/doc_fragments/manageiq.py

@@ -21,30 +21,30 @@ options:
     suboptions:
       url:
         description:
-          - ManageIQ environment url. C(MIQ_URL) env var if set. otherwise, it is required to pass it.
+          - ManageIQ environment URL. E(MIQ_URL) environment variable if set. Otherwise, it is required to pass it.
         type: str
         required: false
       username:
         description:
-          - ManageIQ username. C(MIQ_USERNAME) env var if set. otherwise, required if no token is passed in.
+          - ManageIQ username. E(MIQ_USERNAME) environment variable if set. Otherwise, required if no token is passed in.
         type: str
       password:
         description:
-          - ManageIQ password. C(MIQ_PASSWORD) env var if set. otherwise, required if no token is passed in.
+          - ManageIQ password. E(MIQ_PASSWORD) environment variable if set. Otherwise, required if no token is passed in.
         type: str
       token:
         description:
-          - ManageIQ token. C(MIQ_TOKEN) env var if set. otherwise, required if no username or password is passed in.
+          - ManageIQ token. E(MIQ_TOKEN) environment variable if set. Otherwise, required if no username or password is passed in.
         type: str
       validate_certs:
         description:
-          - Whether SSL certificates should be verified for HTTPS requests. defaults to True.
+          - Whether SSL certificates should be verified for HTTPS requests.
         type: bool
         default: true
         aliases: [ verify_ssl ]
       ca_cert:
         description:
-          - The path to a CA bundle file or directory with certificates. defaults to None.
+          - The path to a CA bundle file or directory with certificates.
         type: str
         aliases: [ ca_bundle_path ]
 

plugins/doc_fragments/online.py

@@ -37,9 +37,9 @@ options:
     default: true
 notes:
   - Also see the API documentation on U(https://console.online.net/en/api/)
-  - If C(api_token) is not set within the module, the following
+  - If O(api_token) is not set within the module, the following
     environment variables can be used in decreasing order of precedence
-    C(ONLINE_TOKEN), C(ONLINE_API_KEY), C(ONLINE_OAUTH_TOKEN), C(ONLINE_API_TOKEN)
-  - If one wants to use a different C(api_url) one can also set the C(ONLINE_API_URL)
+    E(ONLINE_TOKEN), E(ONLINE_API_KEY), E(ONLINE_OAUTH_TOKEN), E(ONLINE_API_TOKEN).
+  - If one wants to use a different O(api_url) one can also set the E(ONLINE_API_URL)
     environment variable.
 '''

plugins/doc_fragments/opennebula.py

@@ -15,26 +15,26 @@ options:
     api_url:
         description:
             - The ENDPOINT URL of the XMLRPC server.
-            - If not specified then the value of the ONE_URL environment variable, if any, is used.
+            - If not specified then the value of the E(ONE_URL) environment variable, if any, is used.
         type: str
         aliases:
             - api_endpoint
     api_username:
         description:
             - The name of the user for XMLRPC authentication.
-            - If not specified then the value of the ONE_USERNAME environment variable, if any, is used.
+            - If not specified then the value of the E(ONE_USERNAME) environment variable, if any, is used.
         type: str
     api_password:
         description:
             - The password or token for XMLRPC authentication.
-            - If not specified then the value of the ONE_PASSWORD environment variable, if any, is used.
+            - If not specified then the value of the E(ONE_PASSWORD) environment variable, if any, is used.
         type: str
         aliases:
             - api_token
     validate_certs:
         description:
-            - Whether to validate the SSL certificates or not.
-            - This parameter is ignored if PYTHONHTTPSVERIFY environment variable is used.
+            - Whether to validate the TLS/SSL certificates or not.
+            - This parameter is ignored if E(PYTHONHTTPSVERIFY) environment variable is used.
         type: bool
         default: true
     wait_timeout:

plugins/doc_fragments/openswitch.py

@@ -23,7 +23,7 @@ options:
   port:
     description:
       - Specifies the port to use when building the connection to the remote
-        device.  This value applies to either I(cli) or I(rest).  The port
+        device.  This value applies to either O(transport=cli) or O(transport=rest).  The port
         value will default to the appropriate transport common port if
         none is provided in the task.  (cli=22, http=80, https=443).  Note
         this argument does not affect the SSH transport.
@@ -36,15 +36,15 @@ options:
         either the CLI login or the eAPI authentication depending on which
         transport is used. Note this argument does not affect the SSH
         transport. If the value is not specified in the task, the value of
-        environment variable C(ANSIBLE_NET_USERNAME) will be used instead.
+        environment variable E(ANSIBLE_NET_USERNAME) will be used instead.
     type: str
   password:
     description:
       - Specifies the password to use to authenticate the connection to
-        the remote device.  This is a common argument used for either I(cli)
-        or I(rest) transports.  Note this argument does not affect the SSH
+        the remote device.  This is a common argument used for either O(transport=cli)
+        or O(transport=rest).  Note this argument does not affect the SSH
         transport. If the value is not specified in the task, the value of
-        environment variable C(ANSIBLE_NET_PASSWORD) will be used instead.
+        environment variable E(ANSIBLE_NET_PASSWORD) will be used instead.
     type: str
   timeout:
     description:
@@ -56,9 +56,9 @@ options:
   ssh_keyfile:
     description:
       - Specifies the SSH key to use to authenticate the connection to
-        the remote device.  This argument is only used for the I(cli)
-        transports. If the value is not specified in the task, the value of
-        environment variable C(ANSIBLE_NET_SSH_KEYFILE) will be used instead.
+        the remote device.  This argument is only used for O(transport=cli).
+        If the value is not specified in the task, the value of
+        environment variable E(ANSIBLE_NET_SSH_KEYFILE) will be used instead.
     type: path
   transport:
     description:
@@ -71,14 +71,14 @@ options:
     default: ssh
   use_ssl:
     description:
-      - Configures the I(transport) to use SSL if set to C(true) only when the
-        I(transport) argument is configured as rest.  If the transport
-        argument is not I(rest), this value is ignored.
+      - Configures the O(transport) to use SSL if set to V(true) only when the
+        O(transport) argument is configured as rest.  If the transport
+        argument is not V(rest), this value is ignored.
     type: bool
     default: true
   provider:
     description:
-      - Convenience method that allows all I(openswitch) arguments to be passed as
+      - Convenience method that allows all C(openswitch) arguments to be passed as
         a dict object.  All constraints (required, choices, etc) must be
         met either by individual arguments or values in this dict.
     type: dict

plugins/doc_fragments/oracle.py

@@ -18,28 +18,28 @@ class ModuleDocFragment(object):
     options:
         config_file_location:
             description:
-                - Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable,
+                - Path to configuration file. If not set then the value of the E(OCI_CONFIG_FILE) environment variable,
                   if any, is used. Otherwise, defaults to ~/.oci/config.
             type: str
         config_profile_name:
             description:
-                - The profile to load from the config file referenced by C(config_file_location). If not set, then the
-                  value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the
-                  "DEFAULT" profile in C(config_file_location).
+                - The profile to load from the config file referenced by O(config_file_location). If not set, then the
+                  value of the E(OCI_CONFIG_PROFILE) environment variable, if any, is used. Otherwise, defaults to the
+                  "DEFAULT" profile in O(config_file_location).
             default: "DEFAULT"
             type: str
         api_user:
             description:
                 - The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the
-                  value of the OCI_USER_OCID environment variable, if any, is used. This option is required if the user
-                  is not specified through a configuration file (See C(config_file_location)). To get the user's OCID,
+                  value of the E(OCI_USER_OCID) environment variable, if any, is used. This option is required if the user
+                  is not specified through a configuration file (See O(config_file_location)). To get the user's OCID,
                   please refer U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm).
             type: str
         api_user_fingerprint:
             description:
-                - Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT
+                - Fingerprint for the key pair being used. If not set, then the value of the E(OCI_USER_FINGERPRINT)
                   environment variable, if any, is used. This option is required if the key fingerprint is not
-                  specified through a configuration file (See C(config_file_location)). To get the key pair's
+                  specified through a configuration file (See O(config_file_location)). To get the key pair's
                   fingerprint value please refer
                   U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm).
             type: str
@@ -47,21 +47,21 @@ class ModuleDocFragment(object):
             description:
                 - Full path and filename of the private key (in PEM format). If not set, then the value of the
                   OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is
-                  not specified through a configuration file (See C(config_file_location)). If the key is encrypted
-                  with a pass-phrase, the C(api_user_key_pass_phrase) option must also be provided.
+                  not specified through a configuration file (See O(config_file_location)). If the key is encrypted
+                  with a pass-phrase, the O(api_user_key_pass_phrase) option must also be provided.
             type: path
         api_user_key_pass_phrase:
             description:
-                - Passphrase used by the key referenced in C(api_user_key_file), if it is encrypted. If not set, then
+                - Passphrase used by the key referenced in O(api_user_key_file), if it is encrypted. If not set, then
                   the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the
-                  key passphrase is not specified through a configuration file (See C(config_file_location)).
+                  key passphrase is not specified through a configuration file (See O(config_file_location)).
             type: str
         auth_type:
             description:
-                - The type of authentication to use for making API requests. By default C(auth_type="api_key") based
-                  authentication is performed and the API key (see I(api_user_key_file)) in your config file will be
+                - The type of authentication to use for making API requests. By default O(auth_type=api_key) based
+                  authentication is performed and the API key (see O(api_user_key_file)) in your config file will be
                   used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE,
-                  if any, is used. Use C(auth_type="instance_principal") to use instance principal based authentication
+                  if any, is used. Use O(auth_type=instance_principal) to use instance principal based authentication
                   when running ansible playbooks within an OCI compute instance.
             choices: ['api_key', 'instance_principal']
             default: 'api_key'
@@ -70,14 +70,14 @@ class ModuleDocFragment(object):
             description:
                 - OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is
                   used. This option is required if the tenancy OCID is not specified through a configuration file
-                  (See C(config_file_location)). To get the tenancy OCID, please refer
+                  (See O(config_file_location)). To get the tenancy OCID, please refer
                   U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm)
             type: str
         region:
             description:
                 - The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the
                   value of the OCI_REGION variable, if any, is used. This option is required if the region is
-                  not specified through a configuration file (See C(config_file_location)). Please refer to
+                  not specified through a configuration file (See O(config_file_location)). Please refer to
                   U(https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm) for more information
                   on OCI regions.
             type: str

plugins/doc_fragments/oracle_creatable_resource.py

@@ -14,13 +14,13 @@ class ModuleDocFragment(object):
             description: Whether to attempt non-idempotent creation of a resource. By default, create resource is an
                          idempotent operation, and doesn't create the resource if it already exists. Setting this option
                          to true, forcefully creates a copy of the resource, even if it already exists.This option is
-                         mutually exclusive with I(key_by).
+                         mutually exclusive with O(key_by).
             default: false
             type: bool
         key_by:
             description: The list of comma-separated attributes of this resource which should be used to uniquely
                          identify an instance of the resource. By default, all the attributes of a resource except
-                         I(freeform_tags) are used to uniquely identify a resource.
+                         O(freeform_tags) are used to uniquely identify a resource.
             type: list
             elements: str
     """

plugins/doc_fragments/oracle_display_name_option.py

@@ -11,7 +11,7 @@ class ModuleDocFragment(object):
     DOCUMENTATION = """
     options:
         display_name:
-            description: Use I(display_name) along with the other options to return only resources that match the given
+            description: Use O(display_name) along with the other options to return only resources that match the given
                          display name exactly.
             type: str
     """

plugins/doc_fragments/oracle_name_option.py

@@ -11,7 +11,7 @@ class ModuleDocFragment(object):
     DOCUMENTATION = """
     options:
         name:
-            description: Use I(name) along with the other options to return only resources that match the given name
+            description: Use O(name) along with the other options to return only resources that match the given name
                          exactly.
             type: str
     """

plugins/doc_fragments/oracle_wait_options.py

@@ -15,12 +15,12 @@ class ModuleDocFragment(object):
             default: true
             type: bool
         wait_timeout:
-            description: Time, in seconds, to wait when I(wait=true).
+            description: Time, in seconds, to wait when O(wait=true).
             default: 1200
             type: int
         wait_until:
-            description: The lifecycle state to wait for the resource to transition into when I(wait=true). By default,
-                         when I(wait=true), we wait for the resource to get into ACTIVE/ATTACHED/AVAILABLE/PROVISIONED/
+            description: The lifecycle state to wait for the resource to transition into when O(wait=true). By default,
+                         when O(wait=true), we wait for the resource to get into ACTIVE/ATTACHED/AVAILABLE/PROVISIONED/
                          RUNNING applicable lifecycle state during create operation & to get into DELETED/DETACHED/
                          TERMINATED lifecycle state during delete operation.
             type: str

plugins/doc_fragments/pritunl.py

@@ -38,7 +38,7 @@ options:
         default: true
         description:
         - If certificates should be validated or not.
-        - This should never be set to C(false), except if you are very sure that
+        - This should never be set to V(false), except if you are very sure that
           your connection to the server can not be subject to a Man In The Middle
           attack.
 """

plugins/doc_fragments/proxmox.py

@@ -24,7 +24,7 @@ options:
   api_password:
     description:
       - Specify the password to authenticate with.
-      - You can use C(PROXMOX_PASSWORD) environment variable.
+      - You can use E(PROXMOX_PASSWORD) environment variable.
     type: str
   api_token_id:
     description:
@@ -38,7 +38,7 @@ options:
     version_added: 1.3.0
   validate_certs:
     description:
-      - If C(false), SSL certificates will not be validated.
+      - If V(false), SSL certificates will not be validated.
       - This should only be used on personally controlled sites using self-signed certificates.
     type: bool
     default: false
@@ -55,7 +55,7 @@ options:
   node:
     description:
       - Proxmox VE node on which to operate.
-      - Only required for I(state=present).
+      - Only required for O(state=present).
       - For every other states it will be autodiscovered.
     type: str
   pool:

plugins/doc_fragments/purestorage.py

@@ -33,8 +33,8 @@ options:
     type: str
 notes:
   - This module requires the C(purity_fb) Python library
-  - You must set C(PUREFB_URL) and C(PUREFB_API) environment variables
-    if I(fb_url) and I(api_token) arguments are not passed to the module directly
+  - You must set E(PUREFB_URL) and E(PUREFB_API) environment variables
+    if O(fb_url) and O(api_token) arguments are not passed to the module directly
 requirements:
   - python >= 2.7
   - purity_fb >= 1.1
@@ -55,8 +55,8 @@ options:
     required: true
 notes:
   - This module requires the C(purestorage) Python library
-  - You must set C(PUREFA_URL) and C(PUREFA_API) environment variables
-    if I(fa_url) and I(api_token) arguments are not passed to the module directly
+  - You must set E(PUREFA_URL) and E(PUREFA_API) environment variables
+    if O(fa_url) and O(api_token) arguments are not passed to the module directly
 requirements:
   - python >= 2.7
   - purestorage

plugins/doc_fragments/rackspace.py

@@ -15,18 +15,18 @@ class ModuleDocFragment(object):
 options:
   api_key:
     description:
-      - Rackspace API key, overrides I(credentials).
+      - Rackspace API key, overrides O(credentials).
     type: str
     aliases: [ password ]
   credentials:
     description:
-      - File to find the Rackspace credentials in. Ignored if I(api_key) and
-        I(username) are provided.
+      - File to find the Rackspace credentials in. Ignored if O(api_key) and
+        O(username) are provided.
     type: path
     aliases: [ creds_file ]
   env:
     description:
-      - Environment as configured in I(~/.pyrax.cfg),
+      - Environment as configured in C(~/.pyrax.cfg),
         see U(https://github.com/rackspace/pyrax/blob/master/docs/getting_started.md#pyrax-configuration).
     type: str
   region:
@@ -35,7 +35,7 @@ options:
     type: str
   username:
     description:
-      - Rackspace username, overrides I(credentials).
+      - Rackspace username, overrides O(credentials).
     type: str
   validate_certs:
     description:
@@ -46,12 +46,12 @@ requirements:
   - python >= 2.6
   - pyrax
 notes:
-  - The following environment variables can be used, C(RAX_USERNAME),
-    C(RAX_API_KEY), C(RAX_CREDS_FILE), C(RAX_CREDENTIALS), C(RAX_REGION).
-  - C(RAX_CREDENTIALS) and C(RAX_CREDS_FILE) points to a credentials file
+  - The following environment variables can be used, E(RAX_USERNAME),
+    E(RAX_API_KEY), E(RAX_CREDS_FILE), E(RAX_CREDENTIALS), E(RAX_REGION).
+  - E(RAX_CREDENTIALS) and E(RAX_CREDS_FILE) point to a credentials file
     appropriate for pyrax. See U(https://github.com/rackspace/pyrax/blob/master/docs/getting_started.md#authenticating)
-  - C(RAX_USERNAME) and C(RAX_API_KEY) obviate the use of a credentials file
-  - C(RAX_REGION) defines a Rackspace Public Cloud region (DFW, ORD, LON, ...)
+  - E(RAX_USERNAME) and E(RAX_API_KEY) obviate the use of a credentials file
+  - E(RAX_REGION) defines a Rackspace Public Cloud region (DFW, ORD, LON, ...)
 '''
 
     # Documentation fragment including attributes to enable communication
@@ -61,7 +61,7 @@ options:
   api_key:
     type: str
     description:
-      - Rackspace API key, overrides I(credentials).
+      - Rackspace API key, overrides O(credentials).
     aliases: [ password ]
   auth_endpoint:
     type: str
@@ -71,13 +71,13 @@ options:
   credentials:
     type: path
     description:
-      - File to find the Rackspace credentials in. Ignored if I(api_key) and
-        I(username) are provided.
+      - File to find the Rackspace credentials in. Ignored if O(api_key) and
+        O(username) are provided.
     aliases: [ creds_file ]
   env:
     type: str
     description:
-      - Environment as configured in I(~/.pyrax.cfg),
+      - Environment as configured in C(~/.pyrax.cfg),
         see U(https://github.com/rackspace/pyrax/blob/master/docs/getting_started.md#pyrax-configuration).
   identity_type:
     type: str
@@ -99,7 +99,7 @@ options:
   username:
     type: str
     description:
-      - Rackspace username, overrides I(credentials).
+      - Rackspace username, overrides O(credentials).
   validate_certs:
     description:
       - Whether or not to require SSL validation of API endpoints.
@@ -113,10 +113,10 @@ requirements:
   - python >= 2.6
   - pyrax
 notes:
-  - The following environment variables can be used, C(RAX_USERNAME),
-    C(RAX_API_KEY), C(RAX_CREDS_FILE), C(RAX_CREDENTIALS), C(RAX_REGION).
-  - C(RAX_CREDENTIALS) and C(RAX_CREDS_FILE) points to a credentials file
+  - The following environment variables can be used, E(RAX_USERNAME),
+    E(RAX_API_KEY), E(RAX_CREDS_FILE), E(RAX_CREDENTIALS), E(RAX_REGION).
+  - E(RAX_CREDENTIALS) and E(RAX_CREDS_FILE) points to a credentials file
     appropriate for pyrax. See U(https://github.com/rackspace/pyrax/blob/master/docs/getting_started.md#authenticating)
-  - C(RAX_USERNAME) and C(RAX_API_KEY) obviate the use of a credentials file
-  - C(RAX_REGION) defines a Rackspace Public Cloud region (DFW, ORD, LON, ...)
+  - E(RAX_USERNAME) and E(RAX_API_KEY) obviate the use of a credentials file
+  - E(RAX_REGION) defines a Rackspace Public Cloud region (DFW, ORD, LON, ...)
 '''

plugins/doc_fragments/redis.py

@@ -46,8 +46,8 @@ options:
     default: true
   ca_certs:
     description:
-      - Path to root certificates file. If not set and I(tls) is
-        set to C(true), certifi ca-certificates will be used.
+      - Path to root certificates file. If not set and O(tls) is
+        set to V(true), certifi ca-certificates will be used.
     type: str
 requirements: [ "redis", "certifi" ]
 

plugins/doc_fragments/scaleway.py

@@ -43,9 +43,9 @@ options:
     default: true
 notes:
   - Also see the API documentation on U(https://developer.scaleway.com/)
-  - If C(api_token) is not set within the module, the following
+  - If O(api_token) is not set within the module, the following
     environment variables can be used in decreasing order of precedence
-    C(SCW_TOKEN), C(SCW_API_KEY), C(SCW_OAUTH_TOKEN) or C(SCW_API_TOKEN).
-  - If one wants to use a different C(api_url) one can also set the C(SCW_API_URL)
+    E(SCW_TOKEN), E(SCW_API_KEY), E(SCW_OAUTH_TOKEN) or E(SCW_API_TOKEN).
+  - If one wants to use a different O(api_url) one can also set the E(SCW_API_URL)
     environment variable.
 '''

plugins/doc_fragments/utm.py

@@ -48,8 +48,8 @@ options:
     state:
         description:
           - The desired state of the object.
-          - C(present) will create or update an object
-          - C(absent) will delete an object if it was present
+          - V(present) will create or update an object
+          - V(absent) will delete an object if it was present
         type: str
         choices: [ absent, present ]
         default: present

plugins/doc_fragments/vexata.py

@@ -39,8 +39,8 @@ options:
     type: str
   validate_certs:
     description:
-      - Allows connection when SSL certificates are not valid. Set to C(false) when certificates are not trusted.
-      - If set to C(true), please make sure Python >= 2.7.9 is installed on the given machine.
+      - Allows connection when SSL certificates are not valid. Set to V(false) when certificates are not trusted.
+      - If set to V(true), please make sure Python >= 2.7.9 is installed on the given machine.
     required: false
     type: bool
     default: false

plugins/doc_fragments/xenserver.py

@@ -15,27 +15,27 @@ options:
   hostname:
     description:
     - The hostname or IP address of the XenServer host or XenServer pool master.
-    - If the value is not specified in the task, the value of environment variable C(XENSERVER_HOST) will be used instead.
+    - If the value is not specified in the task, the value of environment variable E(XENSERVER_HOST) will be used instead.
     type: str
     default: localhost
     aliases: [ host, pool ]
   username:
     description:
     - The username to use for connecting to XenServer.
-    - If the value is not specified in the task, the value of environment variable C(XENSERVER_USER) will be used instead.
+    - If the value is not specified in the task, the value of environment variable E(XENSERVER_USER) will be used instead.
     type: str
     default: root
     aliases: [ admin, user ]
   password:
     description:
     - The password to use for connecting to XenServer.
-    - If the value is not specified in the task, the value of environment variable C(XENSERVER_PASSWORD) will be used instead.
+    - If the value is not specified in the task, the value of environment variable E(XENSERVER_PASSWORD) will be used instead.
     type: str
     aliases: [ pass, pwd ]
   validate_certs:
     description:
-    - Allows connection when SSL certificates are not valid. Set to C(false) when certificates are not trusted.
-    - If the value is not specified in the task, the value of environment variable C(XENSERVER_VALIDATE_CERTS) will be used instead.
+    - Allows connection when SSL certificates are not valid. Set to V(false) when certificates are not trusted.
+    - If the value is not specified in the task, the value of environment variable E(XENSERVER_VALIDATE_CERTS) will be used instead.
     type: bool
     default: true
 '''

plugins/filter/from_csv.py

@@ -23,7 +23,7 @@ DOCUMENTATION = '''
     dialect:
       description:
         - The CSV dialect to use when parsing the CSV file.
-        - Possible values include C(excel), C(excel-tab) or C(unix).
+        - Possible values include V(excel), V(excel-tab) or V(unix).
       type: str
       default: excel
     fieldnames:
@@ -35,19 +35,19 @@ DOCUMENTATION = '''
     delimiter:
       description:
         - A one-character string used to separate fields.
-        - When using this parameter, you change the default value used by I(dialect).
+        - When using this parameter, you change the default value used by O(dialect).
         - The default value depends on the dialect used.
       type: str
     skipinitialspace:
       description:
         - Whether to ignore any whitespaces immediately following the delimiter.
-        - When using this parameter, you change the default value used by I(dialect).
+        - When using this parameter, you change the default value used by O(dialect).
         - The default value depends on the dialect used.
       type: bool
     strict:
       description:
         - Whether to raise an exception on bad CSV input.
-        - When using this parameter, you change the default value used by I(dialect).
+        - When using this parameter, you change the default value used by O(dialect).
         - The default value depends on the dialect used.
       type: bool
 '''

plugins/filter/jc.py

@@ -25,17 +25,17 @@ DOCUMENTATION = '''
     parser:
       description:
         - The correct parser for the input data.
-        - For example C(ifconfig).
+        - For example V(ifconfig).
         - "Note: use underscores instead of dashes (if any) in the parser module name."
         - See U(https://github.com/kellyjonbrazil/jc#parsers) for the latest list of parsers.
       type: string
       required: true
     quiet:
-      description: Set to C(false) to not suppress warnings.
+      description: Set to V(false) to not suppress warnings.
       type: boolean
       default: true
     raw:
-      description: Set to C(true) to return pre-processed JSON.
+      description: Set to V(true) to return pre-processed JSON.
       type: boolean
       default: false
   requirements:

plugins/filter/lists_mergeby.py

@@ -12,9 +12,9 @@ DOCUMENTATION = '''
   version_added: 2.0.0
   author: Vladimir Botka (@vbotka)
   description:
-    - Merge two or more lists by attribute I(index). Optional parameters 'recursive' and 'list_merge'
+    - Merge two or more lists by attribute O(index). Optional parameters O(recursive) and O(list_merge)
       control the merging of the lists in values. The function merge_hash from ansible.utils.vars
-      is used. To learn details on how to use the parameters 'recursive' and 'list_merge' see
+      is used. To learn details on how to use the parameters O(recursive) and O(list_merge) see
       Ansible User's Guide chapter "Using filters to manipulate data" section "Combining
       hashes/dictionaries".
   positional: another_list, index

plugins/filter/to_days.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_hours.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_milliseconds.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_minutes.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_months.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_seconds.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_time_unit.yml

@@ -14,12 +14,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     unit:

plugins/filter/to_weeks.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/filter/to_years.yml

@@ -13,12 +13,12 @@ DOCUMENTATION:
     _input:
       description:
         - The time string to convert.
-        - Can use the units C(y) and C(year) for a year, C(mo) and C(month) for a month, C(w) and C(week) for a week,
-          C(d) and C(day) for a day, C(h) and C(hour) for a hour, C(m), C(min) and C(minute) for minutes, C(s), C(sec)
-          and C(second) for seconds, C(ms), C(msec), C(msecond) and C(millisecond) for milliseconds. The suffix C(s)
-          can be added to a unit as well, so C(seconds) is the same as C(second).
+        - Can use the units V(y) and V(year) for a year, V(mo) and V(month) for a month, V(w) and V(week) for a week,
+          V(d) and V(day) for a day, V(h) and V(hour) for a hour, V(m), V(min) and V(minute) for minutes, V(s), V(sec)
+          and V(second) for seconds, V(ms), V(msec), V(msecond) and V(millisecond) for milliseconds. The suffix V(s)
+          can be added to a unit as well, so V(seconds) is the same as V(second).
         - Valid strings are space separated combinations of an integer with an optional minus sign and a unit.
-        - Examples are C(1h), C(-5m), and C(3h -5m 6s).
+        - Examples are V(1h), V(-5m), and V(3h -5m 6s).
       type: string
       required: true
     year:

plugins/inventory/cobbler.py

@@ -13,12 +13,14 @@ DOCUMENTATION = '''
     version_added: 1.0.0
     description:
         - Get inventory hosts from the cobbler service.
-        - "Uses a configuration file as an inventory source, it must end in C(.cobbler.yml) or C(.cobbler.yaml) and has a C(plugin: cobbler) entry."
+        - "Uses a configuration file as an inventory source, it must end in C(.cobbler.yml) or C(.cobbler.yaml) and have a C(plugin: cobbler) entry."
+        - Adds the primary IP addresses to C(cobbler_ipv4_address) and C(cobbler_ipv6_address) host variables if defined in Cobbler.  The primary IP address is
+          defined as the management interface if defined, or the interface who's DNS name matches the hostname of the system, or else the first interface found.
     extends_documentation_fragment:
         - inventory_cache
     options:
       plugin:
-        description: The name of this plugin, it should always be set to C(community.general.cobbler) for this plugin to recognize it as it's own.
+        description: The name of this plugin, it should always be set to V(community.general.cobbler) for this plugin to recognize it as it's own.
         required: true
         choices: [ 'cobbler', 'community.general.cobbler' ]
       url:
@@ -32,18 +34,18 @@ DOCUMENTATION = '''
         env:
             - name: COBBLER_USER
       password:
-        description: Cobbler authentication password
+        description: Cobbler authentication password.
         required: false
         env:
             - name: COBBLER_PASSWORD
       cache_fallback:
-        description: Fallback to cached results if connection to cobbler fails
+        description: Fallback to cached results if connection to cobbler fails.
         type: boolean
         default: false
       exclude_profiles:
         description:
           - Profiles to exclude from inventory.
-          - Ignored if I(include_profiles) is specified.
+          - Ignored if O(include_profiles) is specified.
         type: list
         default: []
         elements: str
@@ -51,26 +53,42 @@ DOCUMENTATION = '''
         description:
           - Profiles to include from inventory.
           - If specified, all other profiles will be excluded.
-          - I(exclude_profiles) is ignored if I(include_profiles) is specified.
+          - O(exclude_profiles) is ignored if O(include_profiles) is specified.
         type: list
         default: []
         elements: str
         version_added: 4.4.0
+      inventory_hostname:
+        description:
+          - What to use for the ansible inventory hostname.
+          - By default the networking hostname is used if defined, otherwise the DNS name of the management or first non-static interface.
+          - If set to V(system), the cobbler system name is used.
+        type: str
+        choices: [ 'hostname', 'system' ]
+        default: hostname
+        version_added: 7.1.0
       group_by:
-        description: Keys to group hosts by
+        description: Keys to group hosts by.
         type: list
         elements: string
         default: [ 'mgmt_classes', 'owners', 'status' ]
       group:
-        description: Group to place all hosts into
+        description: Group to place all hosts into.
         default: cobbler
       group_prefix:
-        description: Prefix to apply to cobbler groups
+        description: Prefix to apply to cobbler groups.
         default: cobbler_
       want_facts:
-        description: Toggle, if C(true) the plugin will retrieve host facts from the server
+        description: Toggle, if V(true) the plugin will retrieve host facts from the server.
         type: boolean
         default: true
+      want_ip_addresses:
+        description:
+          - Toggle, if V(true) the plugin will add a C(cobbler_ipv4_addresses) and C(cobbleer_ipv6_addresses) dictionary to the defined O(group) mapping
+            interface DNS names to IP addresses.
+        type: boolean
+        default: true
+        version_added: 7.1.0
 '''
 
 EXAMPLES = '''
@@ -85,7 +103,6 @@ import socket
 
 from ansible.errors import AnsibleError
 from ansible.module_utils.common.text.converters import to_text
-from ansible.module_utils.six import iteritems
 from ansible.plugins.inventory import BaseInventoryPlugin, Cacheable, to_safe_group_name
 
 # xmlrpc
@@ -201,6 +218,7 @@ class InventoryModule(BaseInventoryPlugin, Cacheable):
         self.exclude_profiles = self.get_option('exclude_profiles')
         self.include_profiles = self.get_option('include_profiles')
         self.group_by = self.get_option('group_by')
+        self.inventory_hostname = self.get_option('inventory_hostname')
 
         for profile in self._get_profiles():
             if profile['parent']:
@@ -236,9 +254,14 @@ class InventoryModule(BaseInventoryPlugin, Cacheable):
             self.inventory.add_group(self.group)
             self.display.vvvv('Added site group %s\n' % self.group)
 
+        ip_addresses = {}
+        ipv6_addresses = {}
         for host in self._get_systems():
             # Get the FQDN for the host and add it to the right groups
-            hostname = host['hostname']  # None
+            if self.inventory_hostname == 'system':
+                hostname = host['name']  # None
+            else:
+                hostname = host['hostname']  # None
             interfaces = host['interfaces']
 
             if self._exclude_profile(host['profile']):
@@ -247,7 +270,7 @@ class InventoryModule(BaseInventoryPlugin, Cacheable):
 
             # hostname is often empty for non-static IP hosts
             if hostname == '':
-                for (iname, ivalue) in iteritems(interfaces):
+                for iname, ivalue in interfaces.items():
                     if ivalue['management'] or not ivalue['static']:
                         this_dns_name = ivalue.get('dns_name', None)
                         if this_dns_name is not None and this_dns_name != "":
@@ -262,8 +285,11 @@ class InventoryModule(BaseInventoryPlugin, Cacheable):
             self.display.vvvv('Added host %s hostname %s\n' % (host['name'], hostname))
 
             # Add host to profile group
-            group_name = self._add_safe_group_name(host['profile'], child=hostname)
-            self.display.vvvv('Added host %s to profile group %s\n' % (hostname, group_name))
+            if host['profile'] != '':
+                group_name = self._add_safe_group_name(host['profile'], child=hostname)
+                self.display.vvvv('Added host %s to profile group %s\n' % (hostname, group_name))
+            else:
+                self.display.warning('Host %s has an empty profile\n' % (hostname))
 
             # Add host to groups specified by group_by fields
             for group_by in self.group_by:
@@ -280,8 +306,45 @@ class InventoryModule(BaseInventoryPlugin, Cacheable):
                 self.inventory.add_child(self.group, hostname)
 
             # Add host variables
+            ip_address = None
+            ipv6_address = None
+            for iname, ivalue in interfaces.items():
+                # Set to first interface or management interface if defined or hostname matches dns_name
+                if ivalue['ip_address'] != "":
+                    if ip_address is None:
+                        ip_address = ivalue['ip_address']
+                    elif ivalue['management']:
+                        ip_address = ivalue['ip_address']
+                    elif ivalue['dns_name'] == hostname and ip_address is None:
+                        ip_address = ivalue['ip_address']
+                if ivalue['ipv6_address'] != "":
+                    if ipv6_address is None:
+                        ipv6_address = ivalue['ipv6_address']
+                    elif ivalue['management']:
+                        ipv6_address = ivalue['ipv6_address']
+                    elif ivalue['dns_name'] == hostname and ipv6_address is None:
+                        ipv6_address = ivalue['ipv6_address']
+
+                # Collect all interface name mappings for adding to group vars
+                if self.get_option('want_ip_addresses'):
+                    if ivalue['dns_name'] != "":
+                        if ivalue['ip_address'] != "":
+                            ip_addresses[ivalue['dns_name']] = ivalue['ip_address']
+                        if ivalue['ipv6_address'] != "":
+                            ip_addresses[ivalue['dns_name']] = ivalue['ipv6_address']
+
+            # Add ip_address to host if defined
+            if ip_address is not None:
+                self.inventory.set_variable(hostname, 'cobbler_ipv4_address', ip_address)
+            if ipv6_address is not None:
+                self.inventory.set_variable(hostname, 'cobbler_ipv6_address', ipv6_address)
+
             if self.get_option('want_facts'):
                 try:
                     self.inventory.set_variable(hostname, 'cobbler', host)
                 except ValueError as e:
                     self.display.warning("Could not set host info for %s: %s" % (hostname, to_text(e)))
+
+        if self.get_option('want_ip_addresses'):
+            self.inventory.set_variable(self.group, 'cobbler_ipv4_addresses', ip_addresses)
+            self.inventory.set_variable(self.group, 'cobbler_ipv6_addresses', ipv6_addresses)

plugins/inventory/icinga2.py

@@ -58,7 +58,7 @@ DOCUMENTATION = '''
         description:
           - Allows the override of the inventory name based on different attributes.
           - This allows for changing the way limits are used.
-          - The current default, C(address), is sometimes not unique or present. We recommend to use C(name) instead.
+          - The current default, V(address), is sometimes not unique or present. We recommend to use V(name) instead.
         type: string
         default: address
         choices: ['name', 'display_name', 'address']

plugins/inventory/lxd.py

@@ -48,7 +48,7 @@ DOCUMENTATION = r'''
                 running this module using the following command
                 C(lxc config set core.trust_password <some random password>)
                 See U(https://www.stgraber.org/2016/04/18/lxd-api-direct-interaction/).
-            - If I(trust_password) is set, this module send a request for authentication before sending any requests.
+            - If O(trust_password) is set, this module send a request for authentication before sending any requests.
             type: str
         state:
             description: Filter the instance according to the current status.
@@ -62,7 +62,7 @@ DOCUMENTATION = r'''
             version_added: 6.2.0
         type_filter:
             description:
-            - Filter the instances by type C(virtual-machine), C(container) or C(both).
+            - Filter the instances by type V(virtual-machine), V(container) or V(both).
             - The first version of the inventory only supported containers.
             type: str
             default: container
@@ -72,8 +72,8 @@ DOCUMENTATION = r'''
             description:
             - If an instance has multiple network interfaces, select which one is the prefered as pattern.
             - Combined with the first number that can be found e.g. 'eth' + 0.
-            - The option has been renamed from I(prefered_container_network_interface) to I(prefered_instance_network_interface) in community.general 3.8.0.
-              The old name still works as an alias.
+            - The option has been renamed from O(prefered_container_network_interface) to O(prefered_instance_network_interface)
+              in community.general 3.8.0. The old name still works as an alias.
             type: str
             default: eth
             aliases:
@@ -81,7 +81,7 @@ DOCUMENTATION = r'''
         prefered_instance_network_family:
             description:
             - If an instance has multiple network interfaces, which one is the prefered by family.
-            - Specify C(inet) for IPv4 and C(inet6) for IPv6.
+            - Specify V(inet) for IPv4 and V(inet6) for IPv6.
             type: str
             default: inet
             choices: [ 'inet', 'inet6' ]

plugins/inventory/nmap.py

@@ -23,7 +23,7 @@ DOCUMENTATION = '''
             required: true
             choices: ['nmap', 'community.general.nmap']
         sudo:
-            description: Set to C(true) to execute a C(sudo nmap) plugin scan.
+            description: Set to V(true) to execute a C(sudo nmap) plugin scan.
             version_added: 4.8.0
             default: false
             type: boolean
@@ -36,7 +36,7 @@ DOCUMENTATION = '''
         exclude:
             description:
               - List of addresses to exclude.
-              - For example C(10.2.2.15-25) or C(10.2.2.15,10.2.2.16).
+              - For example V(10.2.2.15-25) or V(10.2.2.15,10.2.2.16).
             type: list
             elements: string
             env:
@@ -45,8 +45,8 @@ DOCUMENTATION = '''
         port:
             description:
                 - Only scan specific port or port range (C(-p)).
-                - For example, you could pass C(22) for a single port, C(1-65535) for a range of ports,
-                  or C(U:53,137,T:21-25,139,8080,S:9) to check port 53 with UDP, ports 21-25 with TCP, port 9 with SCTP, and ports 137, 139, and 8080 with all.
+                - For example, you could pass V(22) for a single port, V(1-65535) for a range of ports,
+                  or V(U:53,137,T:21-25,139,8080,S:9) to check port 53 with UDP, ports 21-25 with TCP, port 9 with SCTP, and ports 137, 139, and 8080 with all.
             type: string
             version_added: 6.5.0
         ports:
@@ -64,14 +64,14 @@ DOCUMENTATION = '''
         udp_scan:
             description:
                 - Scan via UDP.
-                - Depending on your system you might need I(sudo=true) for this to work.
+                - Depending on your system you might need O(sudo=true) for this to work.
             type: boolean
             default: false
             version_added: 6.1.0
         icmp_timestamp:
             description:
                 - Scan via ICMP Timestamp (C(-PP)).
-                - Depending on your system you might need I(sudo=true) for this to work.
+                - Depending on your system you might need O(sudo=true) for this to work.
             type: boolean
             default: false
             version_added: 6.1.0
@@ -81,7 +81,7 @@ DOCUMENTATION = '''
             default: false
             version_added: 6.5.0
         dns_resolve:
-            description: Whether to always (C(true)) or never (C(false)) do DNS resolution.
+            description: Whether to always (V(true)) or never (V(false)) do DNS resolution.
             type: boolean
             default: false
             version_added: 6.1.0

plugins/inventory/opennebula.py

@@ -17,9 +17,9 @@ DOCUMENTATION = r'''
         - constructed
     description:
         - Get inventory hosts from OpenNebula cloud.
-        - Uses an YAML configuration file ending with either I(opennebula.yml) or I(opennebula.yaml)
+        - Uses an YAML configuration file ending with either C(opennebula.yml) or C(opennebula.yaml)
           to set parameter values.
-        - Uses I(api_authfile), C(~/.one/one_auth), or C(ONE_AUTH) pointing to a OpenNebula credentials file.
+        - Uses O(api_authfile), C(~/.one/one_auth), or E(ONE_AUTH) pointing to a OpenNebula credentials file.
     options:
         plugin:
             description: Token that ensures this is a source file for the 'opennebula' plugin.
@@ -31,7 +31,7 @@ DOCUMENTATION = r'''
               - URL of the OpenNebula RPC server.
               - It is recommended to use HTTPS so that the username/password are not
                 transferred over the network unencrypted.
-              - If not set then the value of the C(ONE_URL) environment variable is used.
+              - If not set then the value of the E(ONE_URL) environment variable is used.
             env:
               - name: ONE_URL
             required: true
@@ -39,29 +39,29 @@ DOCUMENTATION = r'''
         api_username:
             description:
               - Name of the user to login into the OpenNebula RPC server. If not set
-                then the value of the C(ONE_USERNAME) environment variable is used.
+                then the value of the E(ONE_USERNAME) environment variable is used.
             env:
               - name: ONE_USERNAME
             type: string
         api_password:
             description:
               - Password or a token of the user to login into OpenNebula RPC server.
-              - If not set, the value of the C(ONE_PASSWORD) environment variable is used.
+              - If not set, the value of the E(ONE_PASSWORD) environment variable is used.
             env:
               - name: ONE_PASSWORD
             required: false
             type: string
         api_authfile:
             description:
-              - If both I(api_username) or I(api_password) are not set, then it will try
+              - If both O(api_username) or O(api_password) are not set, then it will try
                 authenticate with ONE auth file. Default path is C(~/.one/one_auth).
-              - Set environment variable C(ONE_AUTH) to override this path.
+              - Set environment variable E(ONE_AUTH) to override this path.
             env:
               - name: ONE_AUTH
             required: false
             type: string
         hostname:
-            description: Field to match the hostname. Note C(v4_first_ip) corresponds to the first IPv4 found on VM.
+            description: Field to match the hostname. Note V(v4_first_ip) corresponds to the first IPv4 found on VM.
             type: string
             default: v4_first_ip
             choices:

plugins/inventory/proxmox.py

@@ -25,15 +25,15 @@ DOCUMENTATION = '''
         - inventory_cache
     options:
       plugin:
-        description: The name of this plugin, it should always be set to C(community.general.proxmox) for this plugin to recognize it as it's own.
+        description: The name of this plugin, it should always be set to V(community.general.proxmox) for this plugin to recognize it as it's own.
         required: true
         choices: ['community.general.proxmox']
         type: str
       url:
         description:
           - URL to Proxmox cluster.
-          - If the value is not specified in the inventory configuration, the value of environment variable C(PROXMOX_URL) will be used instead.
-          - Since community.general 4.7.0 you can also use templating to specify the value of the I(url).
+          - If the value is not specified in the inventory configuration, the value of environment variable E(PROXMOX_URL) will be used instead.
+          - Since community.general 4.7.0 you can also use templating to specify the value of the O(url).
         default: 'http://localhost:8006'
         type: str
         env:
@@ -42,8 +42,8 @@ DOCUMENTATION = '''
       user:
         description:
           - Proxmox authentication user.
-          - If the value is not specified in the inventory configuration, the value of environment variable C(PROXMOX_USER) will be used instead.
-          - Since community.general 4.7.0 you can also use templating to specify the value of the I(user).
+          - If the value is not specified in the inventory configuration, the value of environment variable E(PROXMOX_USER) will be used instead.
+          - Since community.general 4.7.0 you can also use templating to specify the value of the O(user).
         required: true
         type: str
         env:
@@ -52,9 +52,9 @@ DOCUMENTATION = '''
       password:
         description:
           - Proxmox authentication password.
-          - If the value is not specified in the inventory configuration, the value of environment variable C(PROXMOX_PASSWORD) will be used instead.
-          - Since community.general 4.7.0 you can also use templating to specify the value of the I(password).
-          - If you do not specify a password, you must set I(token_id) and I(token_secret) instead.
+          - If the value is not specified in the inventory configuration, the value of environment variable E(PROXMOX_PASSWORD) will be used instead.
+          - Since community.general 4.7.0 you can also use templating to specify the value of the O(password).
+          - If you do not specify a password, you must set O(token_id) and O(token_secret) instead.
         type: str
         env:
           - name: PROXMOX_PASSWORD
@@ -62,8 +62,8 @@ DOCUMENTATION = '''
       token_id:
         description:
           - Proxmox authentication token ID.
-          - If the value is not specified in the inventory configuration, the value of environment variable C(PROXMOX_TOKEN_ID) will be used instead.
-          - To use token authentication, you must also specify I(token_secret). If you do not specify I(token_id) and I(token_secret),
+          - If the value is not specified in the inventory configuration, the value of environment variable E(PROXMOX_TOKEN_ID) will be used instead.
+          - To use token authentication, you must also specify O(token_secret). If you do not specify O(token_id) and O(token_secret),
             you must set a password instead.
           - Make sure to grant explicit pve permissions to the token or disable 'privilege separation' to use the users' privileges instead.
         version_added: 4.8.0
@@ -73,8 +73,8 @@ DOCUMENTATION = '''
       token_secret:
         description:
           - Proxmox authentication token secret.
-          - If the value is not specified in the inventory configuration, the value of environment variable C(PROXMOX_TOKEN_SECRET) will be used instead.
-          - To use token authentication, you must also specify I(token_id). If you do not specify I(token_id) and I(token_secret),
+          - If the value is not specified in the inventory configuration, the value of environment variable E(PROXMOX_TOKEN_SECRET) will be used instead.
+          - To use token authentication, you must also specify O(token_id). If you do not specify O(token_id) and O(token_secret),
             you must set a password instead.
         version_added: 4.8.0
         type: str
@@ -95,25 +95,25 @@ DOCUMENTATION = '''
       want_facts:
         description:
           - Gather LXC/QEMU configuration facts.
-          - When I(want_facts) is set to C(true) more details about QEMU VM status are possible, besides the running and stopped states.
+          - When O(want_facts) is set to V(true) more details about QEMU VM status are possible, besides the running and stopped states.
             Currently if the VM is running and it is suspended, the status will be running and the machine will be in C(running) group,
-            but its actual state will be paused. See I(qemu_extended_statuses) for how to retrieve the real status.
+            but its actual state will be paused. See O(qemu_extended_statuses) for how to retrieve the real status.
         default: false
         type: bool
       qemu_extended_statuses:
         description:
-          - Requires I(want_facts) to be set to C(true) to function. This will allow you to differentiate betweend C(paused) and C(prelaunch)
+          - Requires O(want_facts) to be set to V(true) to function. This will allow you to differentiate betweend C(paused) and C(prelaunch)
             statuses of the QEMU VMs.
-          - This introduces multiple groups [prefixed with I(group_prefix)] C(prelaunch) and C(paused).
+          - This introduces multiple groups [prefixed with O(group_prefix)] C(prelaunch) and C(paused).
         default: false
         type: bool
         version_added: 5.1.0
       want_proxmox_nodes_ansible_host:
         version_added: 3.0.0
         description:
-          - Whether to set C(ansbile_host) for proxmox nodes.
-          - When set to C(true) (default), will use the first available interface. This can be different from what you expect.
-          - The default of this option changed from C(true) to C(false) in community.general 6.0.0.
+          - Whether to set C(ansible_host) for proxmox nodes.
+          - When set to V(true) (default), will use the first available interface. This can be different from what you expect.
+          - The default of this option changed from V(true) to V(false) in community.general 6.0.0.
         type: bool
         default: false
       filters:
@@ -590,6 +590,10 @@ class InventoryModule(BaseInventoryPlugin, Constructable, Cacheable):
                 ip = self._get_node_ip(node['node'])
                 self.inventory.set_variable(node['node'], 'ansible_host', ip)
 
+            # Setting composite variables
+            variables = self.inventory.get_host(node['node']).get_vars()
+            self._set_composite_vars(self.get_option('compose'), variables, node['node'], strict=self.strict)
+
             # add LXC/Qemu groups for the node
             for ittype in ('lxc', 'qemu'):
                 node_type_group = self._group('%s_%s' % (node['node'], ittype))

plugins/inventory/scaleway.py

@@ -37,7 +37,7 @@ DOCUMENTATION = r'''
         scw_profile:
             description:
             - The config profile to use in config file.
-            - By default uses the one specified as C(active_profile) in the config file, or falls back to C(default) if that is not defined.
+            - By default uses the one specified as C(active_profile) in the config file, or falls back to V(default) if that is not defined.
             type: string
             version_added: 4.4.0
         oauth_token:

plugins/inventory/xen_orchestra.py

@@ -23,21 +23,21 @@ DOCUMENTATION = '''
         - inventory_cache
     options:
         plugin:
-            description: The name of this plugin, it should always be set to C(community.general.xen_orchestra) for this plugin to recognize it as its own.
+            description: The name of this plugin, it should always be set to V(community.general.xen_orchestra) for this plugin to recognize it as its own.
             required: true
             choices: ['community.general.xen_orchestra']
             type: str
         api_host:
             description:
                 - API host to XOA API.
-                - If the value is not specified in the inventory configuration, the value of environment variable C(ANSIBLE_XO_HOST) will be used instead.
+                - If the value is not specified in the inventory configuration, the value of environment variable E(ANSIBLE_XO_HOST) will be used instead.
             type: str
             env:
                 - name: ANSIBLE_XO_HOST
         user:
             description:
                 - Xen Orchestra user.
-                - If the value is not specified in the inventory configuration, the value of environment variable C(ANSIBLE_XO_USER) will be used instead.
+                - If the value is not specified in the inventory configuration, the value of environment variable E(ANSIBLE_XO_USER) will be used instead.
             required: true
             type: str
             env:
@@ -45,7 +45,7 @@ DOCUMENTATION = '''
         password:
             description:
                 - Xen Orchestra password.
-                - If the value is not specified in the inventory configuration, the value of environment variable C(ANSIBLE_XO_PASSWORD) will be used instead.
+                - If the value is not specified in the inventory configuration, the value of environment variable E(ANSIBLE_XO_PASSWORD) will be used instead.
             required: true
             type: str
             env:

plugins/lookup/bitwarden.py

@@ -12,6 +12,8 @@ DOCUMENTATION = """
     requirements:
       - bw (command line utility)
       - be logged into bitwarden
+      - bitwarden vault unlocked
+      - E(BW_SESSION) environment variable set
     short_description: Retrieve secrets from Bitwarden
     version_added: 5.4.0
     description:
@@ -23,7 +25,7 @@ DOCUMENTATION = """
         type: list
         elements: str
       search:
-        description: Field to retrieve, for example C(name) or C(id).
+        description: Field to retrieve, for example V(name) or V(id).
         type: str
         default: name
         version_added: 5.7.0

plugins/lookup/collection_version.py

@@ -13,22 +13,22 @@ short_description: Retrieves the version of an installed collection
 description:
   - This lookup allows to query the version of an installed collection, and to determine whether a
     collection is installed at all.
-  - By default it returns C(none) for non-existing collections and C(*) for collections without a
+  - By default it returns V(none) for non-existing collections and V(*) for collections without a
     version number. The latter should only happen in development environments, or when installing
     a collection from git which has no version in its C(galaxy.yml). This behavior can be adjusted
-    by providing other values with I(result_not_found) and I(result_no_version).
+    by providing other values with O(result_not_found) and O(result_no_version).
 options:
   _terms:
     description:
       - The collections to look for.
-      - For example C(community.general).
+      - For example V(community.general).
     type: list
     elements: str
     required: true
   result_not_found:
     description:
       - The value to return when the collection could not be found.
-      - By default, C(none) is returned.
+      - By default, V(none) is returned.
     type: string
     default: ~
   result_no_version:
@@ -36,7 +36,7 @@ options:
       - The value to return when the collection has no version number.
       - This can happen for collections installed from git which do not have a version number
         in C(galaxy.yml).
-      - By default, C(*) is returned.
+      - By default, V(*) is returned.
     type: string
     default: '*'
 """
@@ -51,11 +51,11 @@ RETURN = """
   _raw:
     description:
       - The version number of the collections listed as input.
-      - If a collection can not be found, it will return the value provided in I(result_not_found).
-        By default, this is C(none).
+      - If a collection can not be found, it will return the value provided in O(result_not_found).
+        By default, this is V(none).
       - If a collection can be found, but the version not identified, it will return the value provided in
-        I(result_no_version). By default, this is C(*). This can happen for collections installed
-        from git which do not have a version number in C(galaxy.yml).
+        O(result_no_version). By default, this is V(*). This can happen for collections installed
+        from git which do not have a version number in V(galaxy.yml).
     type: list
     elements: str
 """

plugins/lookup/consul_kv.py

@@ -38,23 +38,20 @@ DOCUMENTATION = '''
         default: localhost
         description:
           - The target to connect to, must be a resolvable address.
-            Will be determined from C(ANSIBLE_CONSUL_URL) if that is set.
-          - "C(ANSIBLE_CONSUL_URL) should look like this: C(https://my.consul.server:8500)"
-        env:
-          - name: ANSIBLE_CONSUL_URL
+          - Will be determined from E(ANSIBLE_CONSUL_URL) if that is set.
         ini:
           - section: lookup_consul
             key: host
       port:
         description:
           - The port of the target host to connect to.
-          - If you use C(ANSIBLE_CONSUL_URL) this value will be used from there.
+          - If you use E(ANSIBLE_CONSUL_URL) this value will be used from there.
         default: 8500
       scheme:
         default: http
         description:
           - Whether to use http or https.
-          - If you use C(ANSIBLE_CONSUL_URL) this value will be used from there.
+          - If you use E(ANSIBLE_CONSUL_URL) this value will be used from there.
       validate_certs:
         default: true
         description: Whether to verify the ssl connection or not.
@@ -71,7 +68,9 @@ DOCUMENTATION = '''
           - section: lookup_consul
             key: client_cert
       url:
-        description: "The target to connect to, should look like this: C(https://my.consul.server:8500)."
+        description:
+          - The target to connect to.
+          - "Should look like this: V(https://my.consul.server:8500)."
         type: str
         version_added: 1.0.0
         env:

plugins/lookup/dependent.py

@@ -22,7 +22,7 @@ options:
         The name is the index that is used in the result object. The value is iterated over as described below.
       - If the value is a list, it is simply iterated over.
       - If the value is a dictionary, it is iterated over and returned as if they would be processed by the
-        R(ansible.builtin.dict2items filter,ansible_collections.ansible.builtin.dict2items_filter).
+        P(ansible.builtin.dict2items#filter) filter.
       - If the value is a string, it is evaluated as Jinja2 expressions which can access the previously chosen
         elements with C(item.<index_name>). The result must be a list or a dictionary.
     type: list

plugins/lookup/dig.py

@@ -21,7 +21,7 @@ DOCUMENTATION = '''
       - In addition to (default) A record, it is also possible to specify a different record type that should be queried.
         This can be done by either passing-in additional parameter of format qtype=TYPE to the dig lookup, or by appending /TYPE to the FQDN being queried.
       - If multiple values are associated with the requested record, the results will be returned as a comma-separated list.
-        In such cases you may want to pass option I(wantlist=true) to the lookup call, or alternatively use C(query) instead of C(lookup),
+        In such cases you may want to pass option C(wantlist=true) to the lookup call, or alternatively use C(query) instead of C(lookup),
         which will result in the record values being returned as a list over which you can iterate later on.
       - By default, the lookup will rely on system-wide configured DNS servers for performing the query.
         It is also possible to explicitly specify DNS servers to query using the @DNS_SERVER_1,DNS_SERVER_2,...,DNS_SERVER_N notation.
@@ -34,8 +34,8 @@ DOCUMENTATION = '''
       qtype:
         description:
             - Record type to query.
-            - C(DLV) has been removed in community.general 6.0.0.
-            - C(CAA) has been added in community.general 6.3.0.
+            - V(DLV) has been removed in community.general 6.0.0.
+            - V(CAA) has been added in community.general 6.3.0.
         type: str
         default: 'A'
         choices: [A, ALL, AAAA, CAA, CNAME, DNAME, DNSKEY, DS, HINFO, LOC, MX, NAPTR, NS, NSEC3PARAM, PTR, RP, RRSIG, SOA, SPF, SRV, SSHFP, TLSA, TXT]
@@ -51,17 +51,17 @@ DOCUMENTATION = '''
       fail_on_error:
         description:
           - Abort execution on lookup errors.
-          - The default for this option will likely change to C(true) in the future.
-            The current default, C(false), is used for backwards compatibility, and will result in empty strings
-            or the string C(NXDOMAIN) in the result in case of errors.
+          - The default for this option will likely change to V(true) in the future.
+            The current default, V(false), is used for backwards compatibility, and will result in empty strings
+            or the string V(NXDOMAIN) in the result in case of errors.
         default: false
         type: bool
         version_added: 5.4.0
       real_empty:
         description:
-          - Return empty result without empty strings, and return empty list instead of C(NXDOMAIN).
-          - The default for this option will likely change to C(true) in the future.
-          - This option will be forced to C(true) if multiple domains to be queried are specified.
+          - Return empty result without empty strings, and return empty list instead of V(NXDOMAIN).
+          - The default for this option will likely change to V(true) in the future.
+          - This option will be forced to V(true) if multiple domains to be queried are specified.
         default: false
         type: bool
         version_added: 6.0.0

plugins/lookup/dnstxt.py

@@ -22,8 +22,8 @@ DOCUMENTATION = '''
         elements: string
       real_empty:
         description:
-          - Return empty result without empty strings, and return empty list instead of C(NXDOMAIN).
-          - The default for this option will likely change to C(true) in the future.
+          - Return empty result without empty strings, and return empty list instead of V(NXDOMAIN).
+          - The default for this option will likely change to V(true) in the future.
         default: false
         type: bool
         version_added: 6.0.0

plugins/lookup/dsv.py

@@ -13,15 +13,15 @@ short_description: Get secrets from Thycotic DevOps Secrets Vault
 version_added: 1.0.0
 description:
     - Uses the Thycotic DevOps Secrets Vault Python SDK to get Secrets from a
-      DSV I(tenant) using a I(client_id) and I(client_secret).
+      DSV O(tenant) using a O(client_id) and O(client_secret).
 requirements:
     - python-dsv-sdk - https://pypi.org/project/python-dsv-sdk/
 options:
     _terms:
-        description: The path to the secret, e.g. C(/staging/servers/web1).
+        description: The path to the secret, for example V(/staging/servers/web1).
         required: true
     tenant:
-        description: The first format parameter in the default I(url_template).
+        description: The first format parameter in the default O(url_template).
         env:
             - name: DSV_TENANT
         ini:
@@ -31,7 +31,7 @@ options:
     tld:
         default: com
         description: The top-level domain of the tenant; the second format
-            parameter in the default I(url_template).
+            parameter in the default O(url_template).
         env:
             - name: DSV_TLD
         ini:
@@ -47,7 +47,7 @@ options:
               key: client_id
         required: true
     client_secret:
-        description: The client secret associated with the specific I(client_id).
+        description: The client secret associated with the specific O(client_id).
         env:
             - name: DSV_CLIENT_SECRET
         ini:

plugins/lookup/etcd.py

@@ -24,7 +24,7 @@ DOCUMENTATION = '''
             required: true
         url:
             description:
-                - Environment variable with the url for the etcd server
+                - Environment variable with the URL for the etcd server
             default: 'http://127.0.0.1:4001'
             env:
               - name: ANSIBLE_ETCD_URL

plugins/lookup/etcd3.py

@@ -32,10 +32,10 @@ DOCUMENTATION = '''
             default: false
         endpoints:
             description:
-            - Counterpart of C(ETCDCTL_ENDPOINTS) environment variable.
-              Specify the etcd3 connection with and URL form eg. C(https://hostname:2379)  or C(<host>:<port>) form.
-            - The C(host) part is overwritten by I(host) option, if defined.
-            - The C(port) part is overwritten by I(port) option, if defined.
+            - Counterpart of E(ETCDCTL_ENDPOINTS) environment variable.
+              Specify the etcd3 connection with and URL form, for example V(https://hostname:2379), or V(<host>:<port>) form.
+            - The V(host) part is overwritten by O(host) option, if defined.
+            - The V(port) part is overwritten by O(port) option, if defined.
             env:
             - name: ETCDCTL_ENDPOINTS
             default: '127.0.0.1:2379'
@@ -43,12 +43,12 @@ DOCUMENTATION = '''
         host:
             description:
             - etcd3 listening client host.
-            - Takes precedence over I(endpoints).
+            - Takes precedence over O(endpoints).
             type: str
         port:
             description:
             - etcd3 listening client port.
-            - Takes precedence over I(endpoints).
+            - Takes precedence over O(endpoints).
             type: int
         ca_cert:
             description:
@@ -89,9 +89,9 @@ DOCUMENTATION = '''
             type: str
 
     notes:
-    - I(host) and I(port) options take precedence over (endpoints) option.
-    - The recommended way to connect to etcd3 server is using C(ETCDCTL_ENDPOINT)
-      environment variable and keep I(endpoints), I(host), and I(port) unused.
+    - O(host) and O(port) options take precedence over (endpoints) option.
+    - The recommended way to connect to etcd3 server is using E(ETCDCTL_ENDPOINT)
+      environment variable and keep O(endpoints), O(host), and O(port) unused.
     seealso:
     - module: community.general.etcd3
     - ref: ansible_collections.community.general.etcd_lookup

plugins/lookup/filetree.py

@@ -65,7 +65,7 @@ RETURN = r"""
         src:
           description:
           - Full path to file.
-          - Not returned when I(item.state) is set to C(directory).
+          - Not returned when RV(_raw[].state) is set to V(directory).
           type: path
         root:
           description: Allows filtering by original location.

plugins/lookup/flattened.py

@@ -19,7 +19,7 @@ DOCUMENTATION = '''
         elements: raw
         required: true
     notes:
-      - Unlike the R(items lookup,ansible_collections.ansible.builtin.items_lookup) which only flattens 1 level,
+      - Unlike the P(ansible.builtin.items#lookup) lookup which only flattens 1 level,
         this plugin will continue to flatten until it cannot find lists anymore.
       - Aka highlander plugin, there can only be one (list).
 '''

plugins/lookup/lmdb_kv.py

@@ -15,7 +15,7 @@ DOCUMENTATION = '''
     description:
       - This lookup returns a list of results from an LMDB DB corresponding to a list of items given to it.
     requirements:
-      - lmdb (python library https://lmdb.readthedocs.io/en/release/)
+      - lmdb (Python library U(https://lmdb.readthedocs.io/en/release/))
     options:
       _terms:
         description: List of keys to query.

plugins/lookup/merge_variables.py

@@ -19,7 +19,7 @@ DOCUMENTATION = """
     options:
       _terms:
         description:
-          - Depending on the value of I(pattern_type), this is a list of prefixes, suffixes, or regular expressions
+          - Depending on the value of O(pattern_type), this is a list of prefixes, suffixes, or regular expressions
             that will be used to match all variables that should be merged.
         required: true
         type: list
@@ -45,11 +45,11 @@ DOCUMENTATION = """
       override:
         description:
           - Return an error, print a warning or ignore it when a key will be overwritten.
-          - The default behavior C(error) makes the plugin fail when a key would be overwritten.
-          - When C(warn) and C(ignore) are used, note that it is important to know that the variables
+          - The default behavior V(error) makes the plugin fail when a key would be overwritten.
+          - When V(warn) and V(ignore) are used, note that it is important to know that the variables
             are sorted by name before being merged. Keys for later variables in this order will overwrite
             keys of the same name for variables earlier in this order. To avoid potential confusion,
-            better use I(override=error) whenever possible.
+            better use O(override=error) whenever possible.
         type: str
         default: 'error'
         choices:

plugins/lookup/onepassword.py

@@ -18,7 +18,7 @@ DOCUMENTATION = '''
       - C(op) 1Password command line utility. See U(https://support.1password.com/command-line/)
     short_description: fetch field values from 1Password
     description:
-      - C(onepassword) wraps the C(op) command line utility to fetch specific field values from 1Password.
+      - P(community.general.onepassword#lookup) wraps the C(op) command line utility to fetch specific field values from 1Password.
     options:
       _terms:
         description: identifier(s) (UUID, name, or subdomain; case-insensitive) of item(s) to retrieve.
@@ -42,13 +42,19 @@ DOCUMENTATION = '''
         description: The username used to sign in.
       secret_key:
         description: The secret key used when performing an initial sign in.
+      service_account_token:
+        description:
+          - The access key for a service account.
+          - Only works with 1Password CLI version 2 or later.
+        type: str
+        version_added: 7.1.0
       vault:
         description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
     notes:
       - This lookup will use an existing 1Password session if one exists. If not, and you have already
         performed an initial sign in (meaning C(~/.op/config), C(~/.config/op/config) or C(~/.config/.op/config) exists), then only the
-        C(master_password) is required. You may optionally specify C(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
-      - This lookup can perform an initial login by providing C(subdomain), C(username), C(secret_key), and C(master_password).
+        C(master_password) is required. You may optionally specify O(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
+      - This lookup can perform an initial login by providing O(subdomain), O(username), O(secret_key), and O(master_password).
       - Due to the B(very) sensitive nature of these credentials, it is B(highly) recommended that you only pass in the minimal credentials
         needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength
         to the 1Password master password.
@@ -113,12 +119,13 @@ from ansible_collections.community.general.plugins.module_utils.onepassword impo
 class OnePassCLIBase(with_metaclass(abc.ABCMeta, object)):
     bin = "op"
 
-    def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None):
+    def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None, service_account_token=None):
         self.subdomain = subdomain
         self.domain = domain
         self.username = username
         self.master_password = master_password
         self.secret_key = secret_key
+        self.service_account_token = service_account_token
 
         self._path = None
         self._version = None
@@ -295,6 +302,10 @@ class OnePassCLIv1(OnePassCLIBase):
         return not bool(rc)
 
     def full_signin(self):
+        if self.service_account_token:
+            raise AnsibleLookupError(
+                "1Password CLI version 1 does not support Service Accounts. Please use version 2 or later.")
+
         required_params = [
             "subdomain",
             "username",
@@ -472,6 +483,13 @@ class OnePassCLIv2(OnePassCLIBase):
         return ""
 
     def assert_logged_in(self):
+        if self.service_account_token:
+            args = ["whoami"]
+            environment_update = {"OP_SERVICE_ACCOUNT_TOKEN": self.service_account_token}
+            rc, out, err = self._run(args, environment_update=environment_update)
+
+            return not bool(rc)
+
         args = ["account", "list"]
         if self.subdomain:
             account = "{subdomain}.{domain}".format(subdomain=self.subdomain, domain=self.domain)
@@ -517,6 +535,13 @@ class OnePassCLIv2(OnePassCLIBase):
         args = ["item", "get", item_id, "--format", "json"]
         if vault is not None:
             args += ["--vault={0}".format(vault)]
+
+        if self.service_account_token:
+            if vault is None:
+                raise AnsibleLookupError("'vault' is required with 'service_account_token'")
+            environment_update = {"OP_SERVICE_ACCOUNT_TOKEN": self.service_account_token}
+            return self._run(args, environment_update=environment_update)
+
         if token is not None:
             args += [to_bytes("--session=") + token]
 
@@ -533,12 +558,14 @@ class OnePassCLIv2(OnePassCLIBase):
 
 
 class OnePass(object):
-    def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None):
+    def __init__(self, subdomain=None, domain="1password.com", username=None, secret_key=None, master_password=None,
+                 service_account_token=None):
         self.subdomain = subdomain
         self.domain = domain
         self.username = username
         self.secret_key = secret_key
         self.master_password = master_password
+        self.service_account_token = service_account_token
 
         self.logged_in = False
         self.token = None
@@ -551,7 +578,7 @@ class OnePass(object):
         for cls in OnePassCLIBase.__subclasses__():
             if cls.supports_version == version.split(".")[0]:
                 try:
-                    return cls(self.subdomain, self.domain, self.username, self.secret_key, self.master_password)
+                    return cls(self.subdomain, self.domain, self.username, self.secret_key, self.master_password, self.service_account_token)
                 except TypeError as e:
                     raise AnsibleLookupError(e)
 
@@ -614,8 +641,9 @@ class LookupModule(LookupBase):
         username = self.get_option("username")
         secret_key = self.get_option("secret_key")
         master_password = self.get_option("master_password")
+        service_account_token = self.get_option("service_account_token")
 
-        op = OnePass(subdomain, domain, username, secret_key, master_password)
+        op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)
         op.assert_logged_in()
 
         values = []

plugins/lookup/onepassword_raw.py

@@ -18,7 +18,7 @@ DOCUMENTATION = '''
       - C(op) 1Password command line utility. See U(https://support.1password.com/command-line/)
     short_description: fetch an entire item from 1Password
     description:
-      - C(onepassword_raw) wraps C(op) command line utility to fetch an entire item from 1Password
+      - P(community.general.onepassword_raw#lookup) wraps C(op) command line utility to fetch an entire item from 1Password.
     options:
       _terms:
         description: identifier(s) (UUID, name, or domain; case-insensitive) of item(s) to retrieve.
@@ -39,13 +39,19 @@ DOCUMENTATION = '''
         description: The username used to sign in.
       secret_key:
         description: The secret key used when performing an initial sign in.
+      service_account_token:
+        description:
+          - The access key for a service account.
+          - Only works with 1Password CLI version 2 or later.
+        type: string
+        version_added: 7.1.0
       vault:
         description: Vault containing the item to retrieve (case-insensitive). If absent will search all vaults.
     notes:
       - This lookup will use an existing 1Password session if one exists. If not, and you have already
-        performed an initial sign in (meaning C(~/.op/config exists)), then only the C(master_password) is required.
-        You may optionally specify C(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
-      - This lookup can perform an initial login by providing C(subdomain), C(username), C(secret_key), and C(master_password).
+        performed an initial sign in (meaning C(~/.op/config exists)), then only the O(master_password) is required.
+        You may optionally specify O(subdomain) in this scenario, otherwise the last used subdomain will be used by C(op).
+      - This lookup can perform an initial login by providing O(subdomain), O(username), O(secret_key), and O(master_password).
       - Due to the B(very) sensitive nature of these credentials, it is B(highly) recommended that you only pass in the minimal credentials
         needed at any given time. Also, store these credentials in an Ansible Vault using a key that is equal to or greater in strength
         to the 1Password master password.
@@ -89,8 +95,9 @@ class LookupModule(LookupBase):
         username = self.get_option("username")
         secret_key = self.get_option("secret_key")
         master_password = self.get_option("master_password")
+        service_account_token = self.get_option("service_account_token")
 
-        op = OnePass(subdomain, domain, username, secret_key, master_password)
+        op = OnePass(subdomain, domain, username, secret_key, master_password, service_account_token)
         op.assert_logged_in()
 
         values = []

plugins/lookup/passwordstore.py

@@ -16,7 +16,7 @@ DOCUMENTATION = '''
       - Enables Ansible to retrieve, create or update passwords from the passwordstore.org pass utility.
         It also retrieves YAML style keys stored as multilines in the passwordfile.
       - To avoid problems when accessing multiple secrets at once, add C(auto-expand-secmem) to
-        C(~/.gnupg/gpg-agent.conf). Where this is not possible, consider using I(lock=readwrite) instead.
+        C(~/.gnupg/gpg-agent.conf). Where this is not possible, consider using O(lock=readwrite) instead.
     options:
       _terms:
         description: query key.
@@ -24,16 +24,16 @@ DOCUMENTATION = '''
       directory:
         description:
           - The directory of the password store.
-          - If I(backend=pass), the default is C(~/.password-store) is used.
-          - If I(backend=gopass), then the default is the C(path) field in C(~/.config/gopass/config.yml),
-            falling back to C(~/.local/share/gopass/stores/root) if C(path) is not defined in the gopass config.
+          - If O(backend=pass), the default is V(~/.password-store) is used.
+          - If O(backend=gopass), then the default is the C(path) field in C(~/.config/gopass/config.yml),
+            falling back to V(~/.local/share/gopass/stores/root) if C(path) is not defined in the gopass config.
         type: path
         vars:
           - name: passwordstore
         env:
           - name: PASSWORD_STORE_DIR
       create:
-        description: Create the password if it does not already exist. Takes precedence over C(missing).
+        description: Create the password if it does not already exist. Takes precedence over O(missing).
         type: bool
         default: false
       overwrite:
@@ -43,7 +43,7 @@ DOCUMENTATION = '''
       umask:
         description:
           - Sets the umask for the created .gpg files. The first octed must be greater than 3 (user readable).
-          - Note pass' default value is C('077').
+          - Note pass' default value is V('077').
         env:
           - name: PASSWORD_STORE_UMASK
         version_added: 1.3.0
@@ -52,7 +52,7 @@ DOCUMENTATION = '''
         type: bool
         default: false
       subkey:
-        description: Return a specific subkey of the password. When set to C(password), always returns the first line.
+        description: Return a specific subkey of the password. When set to V(password), always returns the first line.
         type: str
         default: password
       userpass:
@@ -63,7 +63,7 @@ DOCUMENTATION = '''
         type: integer
         default: 16
       backup:
-        description: Used with C(overwrite=true). Backup the previous password in a subkey.
+        description: Used with O(overwrite=true). Backup the previous password in a subkey.
         type: bool
         default: false
       nosymbols:
@@ -73,10 +73,10 @@ DOCUMENTATION = '''
       missing:
         description:
           - List of preference about what to do if the password file is missing.
-          - If I(create=true), the value for this option is ignored and assumed to be C(create).
-          - If set to C(error), the lookup will error out if the passname does not exist.
-          - If set to C(create), the passname will be created with the provided length I(length) if it does not exist.
-          - If set to C(empty) or C(warn), will return a C(none) in case the passname does not exist.
+          - If O(create=true), the value for this option is ignored and assumed to be V(create).
+          - If set to V(error), the lookup will error out if the passname does not exist.
+          - If set to V(create), the passname will be created with the provided length O(length) if it does not exist.
+          - If set to V(empty) or V(warn), will return a V(none) in case the passname does not exist.
             When using C(lookup) and not C(query), this will be translated to an empty string.
         version_added: 3.1.0
         type: str
@@ -89,9 +89,9 @@ DOCUMENTATION = '''
       lock:
         description:
           - How to synchronize operations.
-          - The default of C(write) only synchronizes write operations.
-          - C(readwrite) synchronizes all operations (including read). This makes sure that gpg-agent is never called in parallel.
-          - C(none) does not do any synchronization.
+          - The default of V(write) only synchronizes write operations.
+          - V(readwrite) synchronizes all operations (including read). This makes sure that gpg-agent is never called in parallel.
+          - V(none) does not do any synchronization.
         ini:
           - section: passwordstore_lookup
             key: lock
@@ -104,8 +104,8 @@ DOCUMENTATION = '''
         version_added: 4.5.0
       locktimeout:
         description:
-          - Lock timeout applied when I(lock) is not C(none).
-          - Time with a unit suffix, C(s), C(m), C(h) for seconds, minutes, and hours, respectively. For example, C(900s) equals C(15m).
+          - Lock timeout applied when O(lock) is not V(none).
+          - Time with a unit suffix, V(s), V(m), V(h) for seconds, minutes, and hours, respectively. For example, V(900s) equals V(15m).
           - Correlates with C(pinentry-timeout) in C(~/.gnupg/gpg-agent.conf), see C(man gpg-agent) for details.
         ini:
           - section: passwordstore_lookup
@@ -116,8 +116,8 @@ DOCUMENTATION = '''
       backend:
         description:
           - Specify which backend to use.
-          - Defaults to C(pass), passwordstore.org's original pass utility.
-          - C(gopass) support is incomplete.
+          - Defaults to V(pass), passwordstore.org's original pass utility.
+          - V(gopass) support is incomplete.
         ini:
           - section: passwordstore_lookup
             key: backend

plugins/lookup/random_string.py

@@ -42,25 +42,25 @@ DOCUMENTATION = r"""
         - Special characters are taken from Python standard library C(string).
           See L(the documentation of string.punctuation,https://docs.python.org/3/library/string.html#string.punctuation)
           for which characters will be used.
-        - The choice of special characters can be changed to setting I(override_special).
+        - The choice of special characters can be changed to setting O(override_special).
         default: true
         type: bool
       min_numeric:
         description:
         - Minimum number of numeric characters in the string.
-        - If set, overrides I(numbers=false).
+        - If set, overrides O(numbers=false).
         default: 0
         type: int
       min_upper:
         description:
         - Minimum number of uppercase alphabets in the string.
-        - If set, overrides I(upper=false).
+        - If set, overrides O(upper=false).
         default: 0
         type: int
       min_lower:
         description:
         - Minimum number of lowercase alphabets in the string.
-        - If set, overrides I(lower=false).
+        - If set, overrides O(lower=false).
         default: 0
         type: int
       min_special:
@@ -71,11 +71,11 @@ DOCUMENTATION = r"""
       override_special:
         description:
         - Overide a list of special characters to use in the string.
-        - If set I(min_special) should be set to a non-default value.
+        - If set O(min_special) should be set to a non-default value.
         type: str
       override_all:
         description:
-        - Override all values of I(numbers), I(upper), I(lower), and I(special) with
+        - Override all values of O(numbers), O(upper), O(lower), and O(special) with
           the given list of characters.
         type: str
       base64:

plugins/lookup/revbitspss.py

@@ -25,7 +25,7 @@ options:
         elements: string
     base_url:
         description:
-            - This will be the base URL of the server, for example C(https://server-url-here).
+            - This will be the base URL of the server, for example V(https://server-url-here).
         required: true
         type: string
     api_key:

plugins/lookup/tss.py

@@ -13,10 +13,10 @@ short_description: Get secrets from Thycotic Secret Server
 version_added: 1.0.0
 description:
     - Uses the Thycotic Secret Server Python SDK to get Secrets from Secret
-      Server using token authentication with I(username) and I(password) on
-      the REST API at I(base_url).
+      Server using token authentication with O(username) and O(password) on
+      the REST API at O(base_url).
     - When using self-signed certificates the environment variable
-      C(REQUESTS_CA_BUNDLE) can be set to a file containing the trusted certificates
+      E(REQUESTS_CA_BUNDLE) can be set to a file containing the trusted certificates
       (in C(.pem) format).
     - For example, C(export REQUESTS_CA_BUNDLE='/etc/ssl/certs/ca-bundle.trust.crt').
 requirements:
@@ -26,10 +26,17 @@ options:
         description: The integer ID of the secret.
         required: true
         type: int
+    fetch_secret_ids_from_folder:
+        description:
+            - Boolean flag which indicates whether secret ids are in a folder is fetched by folder ID or not.
+            - V(true) then the terms will be considered as a folder IDs. Otherwise (default), they are considered as secret IDs.
+        required: false
+        type: bool
+        version_added: 7.1.0
     fetch_attachments:
         description:
             - Boolean flag which indicates whether attached files will get downloaded or not.
-            - The download will only happen if I(file_download_path) has been provided.
+            - The download will only happen if O(file_download_path) has been provided.
         required: false
         type: bool
         version_added: 7.0.0
@@ -39,7 +46,7 @@ options:
         type: path
         version_added: 7.0.0
     base_url:
-        description: The base URL of the server, e.g. C(https://localhost/SecretServer).
+        description: The base URL of the server, for example V(https://localhost/SecretServer).
         env:
             - name: TSS_BASE_URL
         ini:
@@ -56,7 +63,7 @@ options:
     password:
         description:
             - The password associated with the supplied username.
-            - Required when I(token) is not provided.
+            - Required when O(token) is not provided.
         env:
             - name: TSS_PASSWORD
         ini:
@@ -66,7 +73,7 @@ options:
         default: ""
         description:
           - The domain with which to request the OAuth2 Access Grant.
-          - Optional when I(token) is not provided.
+          - Optional when O(token) is not provided.
           - Requires C(python-tss-sdk) version 1.0.0 or greater.
         env:
             - name: TSS_DOMAIN
@@ -78,7 +85,7 @@ options:
     token:
         description:
           - Existing token for Thycotic authorizer.
-          - If provided, I(username) and I(password) are not needed.
+          - If provided, O(username) and O(password) are not needed.
           - Requires C(python-tss-sdk) version 1.0.0 or greater.
         env:
             - name: TSS_TOKEN
@@ -194,6 +201,26 @@ EXAMPLES = r"""
               | items2dict(key_name='slug',
                            value_name='itemValue'))['private-key']
           }}
+
+# If fetch_secret_ids_from_folder=true then secret IDs are in a folder is fetched based on folder ID
+- hosts: localhost
+  vars:
+      secret: >-
+        {{
+            lookup(
+                'community.general.tss',
+                102,
+                fetch_secret_ids_from_folder=true,
+                base_url='https://secretserver.domain.com/SecretServer/',
+                token='thycotic_access_token'
+            )
+        }}
+  tasks:
+    - ansible.builtin.debug:
+        msg: >
+          the secret id's are {{
+              secret
+          }}
 """
 
 import abc
@@ -204,18 +231,21 @@ from ansible.plugins.lookup import LookupBase
 from ansible.utils.display import Display
 
 try:
-    from thycotic.secrets.server import SecretServer, SecretServerError
+    from delinea.secrets.server import SecretServer, SecretServerError
 
     HAS_TSS_SDK = True
+    HAS_DELINEA_SS_SDK = True
 except ImportError:
     try:
-        from delinea.secrets.server import SecretServer, SecretServerError
+        from thycotic.secrets.server import SecretServer, SecretServerError
 
         HAS_TSS_SDK = True
+        HAS_DELINEA_SS_SDK = False
     except ImportError:
         SecretServer = None
         SecretServerError = None
         HAS_TSS_SDK = False
+        HAS_DELINEA_SS_SDK = False
 
 try:
     from thycotic.secrets.server import PasswordGrantAuthorizer, DomainPasswordGrantAuthorizer, AccessTokenAuthorizer
@@ -259,17 +289,28 @@ class TSSClient(object):
                 if file_download_path and os.path.isdir(file_download_path):
                     if i['isFile']:
                         try:
-                            with open(os.path.join(file_download_path, str(obj['id']) + "_" + i['slug']), "w") as f:
-                                f.write(i['itemValue'].text)
-                            i['itemValue'] = "*** Not Valid For Display ***"
+                            file_content = i['itemValue'].content
+                            with open(os.path.join(file_download_path, str(obj['id']) + "_" + i['slug']), "wb") as f:
+                                f.write(file_content)
                         except ValueError:
                             raise AnsibleOptionsError("Failed to download {0}".format(str(i['slug'])))
+                        except AttributeError:
+                            display.warning("Could not read file content for {0}".format(str(i['slug'])))
+                        finally:
+                            i['itemValue'] = "*** Not Valid For Display ***"
                 else:
                     raise AnsibleOptionsError("File download path does not exist")
             return obj
         else:
             return self._client.get_secret_json(secret_id)
 
+    def get_secret_ids_by_folderid(self, term):
+        display.debug("tss_lookup term: %s" % term)
+        folder_id = self._term_to_folder_id(term)
+        display.vvv(u"Secret Server lookup of Secret id's with Folder ID %d" % folder_id)
+
+        return self._client.get_secret_ids_by_folderid(folder_id)
+
     @staticmethod
     def _term_to_secret_id(term):
         try:
@@ -277,6 +318,13 @@ class TSSClient(object):
         except ValueError:
             raise AnsibleOptionsError("Secret ID must be an integer")
 
+    @staticmethod
+    def _term_to_folder_id(term):
+        try:
+            return int(term)
+        except ValueError:
+            raise AnsibleOptionsError("Folder ID must be an integer")
+
 
 class TSSClientV0(TSSClient):
     def __init__(self, **server_parameters):
@@ -345,6 +393,12 @@ class LookupModule(LookupBase):
         )
 
         try:
-            return [tss.get_secret(term, self.get_option("fetch_attachments"), self.get_option("file_download_path")) for term in terms]
+            if self.get_option("fetch_secret_ids_from_folder"):
+                if HAS_DELINEA_SS_SDK:
+                    return [tss.get_secret_ids_by_folderid(term) for term in terms]
+                else:
+                    raise AnsibleError("latest python-tss-sdk must be installed to use this plugin")
+            else:
+                return [tss.get_secret(term, self.get_option("fetch_attachments"), self.get_option("file_download_path")) for term in terms]
         except SecretServerError as error:
             raise AnsibleError("Secret Server lookup failure: %s" % error.message)

plugins/module_utils/cmd_runner.py

@@ -147,6 +147,11 @@ class _Format(object):
 
     @staticmethod
     def as_default_type(_type, arg="", ignore_none=None):
+        #
+        # DEPRECATION: This method is deprecated and will be removed in community.general 10.0.0
+        #
+        # Instead of using the implicit formats provided here, use the explicit necessary format method.
+        #
         fmt = _Format
         if _type == "dict":
             return fmt.as_func(lambda d: ["--{0}={1}".format(*a) for a in iteritems(d)], ignore_none=ignore_none)

plugins/module_utils/csv.py

@@ -55,8 +55,10 @@ def initialize_dialect(dialect, **kwargs):
 
 
 def read_csv(data, dialect, fieldnames=None):
-
+    BOM = to_native(u'\ufeff')
     data = to_native(data, errors='surrogate_or_strict')
+    if data.startswith(BOM):
+        data = data[len(BOM):]
 
     if PY3:
         fake_fh = StringIO(data)

plugins/module_utils/identity/keycloak/keycloak.py

@@ -9,6 +9,7 @@ __metaclass__ = type
 
 import json
 import traceback
+import copy
 
 from ansible.module_utils.urls import open_url
 from ansible.module_utils.six.moves.urllib.parse import urlencode, quote
@@ -64,6 +65,14 @@ URL_CLIENT_GROUP_ROLEMAPPINGS_AVAILABLE = "{url}/admin/realms/{realm}/groups/{id
 URL_CLIENT_GROUP_ROLEMAPPINGS_COMPOSITE = "{url}/admin/realms/{realm}/groups/{id}/role-mappings/clients/{client}/composite"
 
 URL_USERS = "{url}/admin/realms/{realm}/users"
+URL_USER = "{url}/admin/realms/{realm}/users/{id}"
+URL_USER_ROLE_MAPPINGS = "{url}/admin/realms/{realm}/users/{id}/role-mappings"
+URL_USER_REALM_ROLE_MAPPINGS = "{url}/admin/realms/{realm}/users/{id}/role-mappings/realm"
+URL_USER_CLIENTS_ROLE_MAPPINGS = "{url}/admin/realms/{realm}/users/{id}/role-mappings/clients"
+URL_USER_CLIENT_ROLE_MAPPINGS = "{url}/admin/realms/{realm}/users/{id}/role-mappings/clients/{client_id}"
+URL_USER_GROUPS = "{url}/admin/realms/{realm}/users/{id}/groups"
+URL_USER_GROUP = "{url}/admin/realms/{realm}/users/{id}/groups/{group_id}"
+
 URL_CLIENT_SERVICE_ACCOUNT_USER = "{url}/admin/realms/{realm}/clients/{id}/service-account-user"
 URL_CLIENT_USER_ROLEMAPPINGS = "{url}/admin/realms/{realm}/users/{id}/role-mappings/clients/{client}"
 URL_CLIENT_USER_ROLEMAPPINGS_AVAILABLE = "{url}/admin/realms/{realm}/users/{id}/role-mappings/clients/{client}/available"
@@ -81,6 +90,9 @@ URL_AUTHENTICATION_EXECUTION_CONFIG = "{url}/admin/realms/{realm}/authentication
 URL_AUTHENTICATION_EXECUTION_RAISE_PRIORITY = "{url}/admin/realms/{realm}/authentication/executions/{id}/raise-priority"
 URL_AUTHENTICATION_EXECUTION_LOWER_PRIORITY = "{url}/admin/realms/{realm}/authentication/executions/{id}/lower-priority"
 URL_AUTHENTICATION_CONFIG = "{url}/admin/realms/{realm}/authentication/config/{id}"
+URL_AUTHENTICATION_REGISTER_REQUIRED_ACTION = "{url}/admin/realms/{realm}/authentication/register-required-action"
+URL_AUTHENTICATION_REQUIRED_ACTIONS = "{url}/admin/realms/{realm}/authentication/required-actions"
+URL_AUTHENTICATION_REQUIRED_ACTIONS_ALIAS = "{url}/admin/realms/{realm}/authentication/required-actions/{alias}"
 
 URL_IDENTITY_PROVIDERS = "{url}/admin/realms/{realm}/identity-provider/instances"
 URL_IDENTITY_PROVIDER = "{url}/admin/realms/{realm}/identity-provider/instances/{alias}"
@@ -207,24 +219,30 @@ def is_struct_included(struct1, struct2, exclude=None):
             Return True if all element of dict 1 are present in dict 2, return false otherwise.
     """
     if isinstance(struct1, list) and isinstance(struct2, list):
+        if not struct1 and not struct2:
+            return True
         for item1 in struct1:
             if isinstance(item1, (list, dict)):
                 for item2 in struct2:
-                    if not is_struct_included(item1, item2, exclude):
-                        return False
+                    if is_struct_included(item1, item2, exclude):
+                        break
+                else:
+                    return False
             else:
                 if item1 not in struct2:
                     return False
         return True
     elif isinstance(struct1, dict) and isinstance(struct2, dict):
+        if not struct1 and not struct2:
+            return True
         try:
             for key in struct1:
                 if not (exclude and key in exclude):
                     if not is_struct_included(struct1[key], struct2[key], exclude):
                         return False
-            return True
         except KeyError:
             return False
+        return True
     elif isinstance(struct1, bool) and isinstance(struct2, bool):
         return struct1 == struct2
     else:
@@ -747,8 +765,15 @@ class KeycloakAPI(object):
         users_url = URL_USERS.format(url=self.baseurl, realm=realm)
         users_url += '?username=%s&exact=true' % username
         try:
-            return json.loads(to_native(open_url(users_url, method='GET', headers=self.restheaders, timeout=self.connection_timeout,
-                                                 validate_certs=self.validate_certs).read()))
+            userrep = None
+            users = json.loads(to_native(open_url(users_url, method='GET', headers=self.restheaders, timeout=self.connection_timeout,
+                                                  validate_certs=self.validate_certs).read()))
+            for user in users:
+                if user['username'] == username:
+                    userrep = user
+                    break
+            return userrep
+
         except ValueError as e:
             self.module.fail_json(msg='API returned incorrect JSON when trying to obtain the user for realm %s and username %s: %s'
                                       % (realm, username, str(e)))
@@ -1658,6 +1683,9 @@ class KeycloakAPI(object):
         """
         roles_url = URL_REALM_ROLES.format(url=self.baseurl, realm=realm)
         try:
+            if "composites" in rolerep:
+                keycloak_compatible_composites = self.convert_role_composites(rolerep["composites"])
+                rolerep["composites"] = keycloak_compatible_composites
             return open_url(roles_url, method='POST', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
                             data=json.dumps(rolerep), validate_certs=self.validate_certs)
         except Exception as e:
@@ -1672,12 +1700,124 @@ class KeycloakAPI(object):
         """
         role_url = URL_REALM_ROLE.format(url=self.baseurl, realm=realm, name=quote(rolerep['name']))
         try:
-            return open_url(role_url, method='PUT', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
-                            data=json.dumps(rolerep), validate_certs=self.validate_certs)
+            composites = None
+            if "composites" in rolerep:
+                composites = copy.deepcopy(rolerep["composites"])
+                del rolerep["composites"]
+            role_response = open_url(role_url, method='PUT', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
+                                     data=json.dumps(rolerep), validate_certs=self.validate_certs)
+            if composites is not None:
+                self.update_role_composites(rolerep=rolerep, composites=composites, realm=realm)
+            return role_response
         except Exception as e:
             self.module.fail_json(msg='Could not update role %s in realm %s: %s'
                                       % (rolerep['name'], realm, str(e)))
 
+    def get_role_composites(self, rolerep, clientid=None, realm='master'):
+        composite_url = ''
+        try:
+            if clientid is not None:
+                client = self.get_client_by_clientid(client_id=clientid, realm=realm)
+                cid = client['id']
+                composite_url = URL_CLIENT_ROLE_COMPOSITES.format(url=self.baseurl, realm=realm, id=cid, name=quote(rolerep["name"]))
+            else:
+                composite_url = URL_REALM_ROLE_COMPOSITES.format(url=self.baseurl, realm=realm, name=quote(rolerep["name"]))
+            # Get existing composites
+            return json.loads(to_native(open_url(
+                composite_url,
+                method='GET',
+                http_agent=self.http_agent,
+                headers=self.restheaders,
+                timeout=self.connection_timeout,
+                validate_certs=self.validate_certs).read()))
+        except Exception as e:
+            self.module.fail_json(msg='Could not get role %s composites in realm %s: %s'
+                                      % (rolerep['name'], realm, str(e)))
+
+    def create_role_composites(self, rolerep, composites, clientid=None, realm='master'):
+        composite_url = ''
+        try:
+            if clientid is not None:
+                client = self.get_client_by_clientid(client_id=clientid, realm=realm)
+                cid = client['id']
+                composite_url = URL_CLIENT_ROLE_COMPOSITES.format(url=self.baseurl, realm=realm, id=cid, name=quote(rolerep["name"]))
+            else:
+                composite_url = URL_REALM_ROLE_COMPOSITES.format(url=self.baseurl, realm=realm, name=quote(rolerep["name"]))
+            # Get existing composites
+            # create new composites
+            return open_url(composite_url, method='POST', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
+                            data=json.dumps(composites), validate_certs=self.validate_certs)
+        except Exception as e:
+            self.module.fail_json(msg='Could not create role %s composites in realm %s: %s'
+                                      % (rolerep['name'], realm, str(e)))
+
+    def delete_role_composites(self, rolerep, composites, clientid=None, realm='master'):
+        composite_url = ''
+        try:
+            if clientid is not None:
+                client = self.get_client_by_clientid(client_id=clientid, realm=realm)
+                cid = client['id']
+                composite_url = URL_CLIENT_ROLE_COMPOSITES.format(url=self.baseurl, realm=realm, id=cid, name=quote(rolerep["name"]))
+            else:
+                composite_url = URL_REALM_ROLE_COMPOSITES.format(url=self.baseurl, realm=realm, name=quote(rolerep["name"]))
+            # Get existing composites
+            # create new composites
+            return open_url(composite_url, method='DELETE', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
+                            data=json.dumps(composites), validate_certs=self.validate_certs)
+        except Exception as e:
+            self.module.fail_json(msg='Could not create role %s composites in realm %s: %s'
+                                      % (rolerep['name'], realm, str(e)))
+
+    def update_role_composites(self, rolerep, composites, clientid=None, realm='master'):
+        # Get existing composites
+        existing_composites = self.get_role_composites(rolerep=rolerep, clientid=clientid, realm=realm)
+        composites_to_be_created = []
+        composites_to_be_deleted = []
+        for composite in composites:
+            composite_found = False
+            existing_composite_client = None
+            for existing_composite in existing_composites:
+                if existing_composite["clientRole"]:
+                    existing_composite_client = self.get_client_by_id(existing_composite["containerId"], realm=realm)
+                    if ("client_id" in composite
+                            and composite['client_id'] is not None
+                            and existing_composite_client["clientId"] == composite["client_id"]
+                            and composite["name"] == existing_composite["name"]):
+                        composite_found = True
+                        break
+                else:
+                    if (("client_id" not in composite or composite['client_id'] is None)
+                            and composite["name"] == existing_composite["name"]):
+                        composite_found = True
+                        break
+            if (not composite_found and ('state' not in composite or composite['state'] == 'present')):
+                if "client_id" in composite and composite['client_id'] is not None:
+                    client_roles = self.get_client_roles(clientid=composite['client_id'], realm=realm)
+                    for client_role in client_roles:
+                        if client_role['name'] == composite['name']:
+                            composites_to_be_created.append(client_role)
+                            break
+                else:
+                    realm_role = self.get_realm_role(name=composite["name"], realm=realm)
+                    composites_to_be_created.append(realm_role)
+            elif composite_found and 'state' in composite and composite['state'] == 'absent':
+                if "client_id" in composite and composite['client_id'] is not None:
+                    client_roles = self.get_client_roles(clientid=composite['client_id'], realm=realm)
+                    for client_role in client_roles:
+                        if client_role['name'] == composite['name']:
+                            composites_to_be_deleted.append(client_role)
+                            break
+                else:
+                    realm_role = self.get_realm_role(name=composite["name"], realm=realm)
+                    composites_to_be_deleted.append(realm_role)
+
+        if len(composites_to_be_created) > 0:
+            # create new composites
+            self.create_role_composites(rolerep=rolerep, composites=composites_to_be_created, clientid=clientid, realm=realm)
+        if len(composites_to_be_deleted) > 0:
+            # delete new composites
+            self.delete_role_composites(rolerep=rolerep, composites=composites_to_be_deleted, clientid=clientid, realm=realm)
+
     def delete_realm_role(self, name, realm='master'):
         """ Delete a realm role.
 
@@ -1756,12 +1896,30 @@ class KeycloakAPI(object):
                                       % (clientid, realm))
         roles_url = URL_CLIENT_ROLES.format(url=self.baseurl, realm=realm, id=cid)
         try:
+            if "composites" in rolerep:
+                keycloak_compatible_composites = self.convert_role_composites(rolerep["composites"])
+                rolerep["composites"] = keycloak_compatible_composites
             return open_url(roles_url, method='POST', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
                             data=json.dumps(rolerep), validate_certs=self.validate_certs)
         except Exception as e:
             self.module.fail_json(msg='Could not create role %s for client %s in realm %s: %s'
                                       % (rolerep['name'], clientid, realm, str(e)))
 
+    def convert_role_composites(self, composites):
+        keycloak_compatible_composites = {
+            'client': {},
+            'realm': []
+        }
+        for composite in composites:
+            if 'state' not in composite or composite['state'] == 'present':
+                if "client_id" in composite and composite["client_id"] is not None:
+                    if composite["client_id"] not in keycloak_compatible_composites["client"]:
+                        keycloak_compatible_composites["client"][composite["client_id"]] = []
+                    keycloak_compatible_composites["client"][composite["client_id"]].append(composite["name"])
+                else:
+                    keycloak_compatible_composites["realm"].append(composite["name"])
+        return keycloak_compatible_composites
+
     def update_client_role(self, rolerep, clientid, realm="master"):
         """ Update an existing client role.
 
@@ -1776,8 +1934,15 @@ class KeycloakAPI(object):
                                       % (clientid, realm))
         role_url = URL_CLIENT_ROLE.format(url=self.baseurl, realm=realm, id=cid, name=quote(rolerep['name']))
         try:
-            return open_url(role_url, method='PUT', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
-                            data=json.dumps(rolerep), validate_certs=self.validate_certs)
+            composites = None
+            if "composites" in rolerep:
+                composites = copy.deepcopy(rolerep["composites"])
+                del rolerep['composites']
+            update_role_response = open_url(role_url, method='PUT', http_agent=self.http_agent, headers=self.restheaders, timeout=self.connection_timeout,
+                                            data=json.dumps(rolerep), validate_certs=self.validate_certs)
+            if composites is not None:
+                self.update_role_composites(rolerep=rolerep, clientid=clientid, composites=composites, realm=realm)
+            return update_role_response
         except Exception as e:
             self.module.fail_json(msg='Could not update role %s for client %s in realm %s: %s'
                                       % (rolerep['name'], clientid, realm, str(e)))
@@ -2084,6 +2249,116 @@ class KeycloakAPI(object):
             self.module.fail_json(msg='Could not get executions for authentication flow %s in realm %s: %s'
                                   % (config["alias"], realm, str(e)))
 
+    def get_required_actions(self, realm='master'):
+        """
+        Get required actions.
+        :param realm: Realm name (not id).
+        :return:      List of representations of the required actions.
+        """
+
+        try:
+            required_actions = json.load(
+                open_url(
+                    URL_AUTHENTICATION_REQUIRED_ACTIONS.format(
+                        url=self.baseurl,
+                        realm=realm
+                    ),
+                    method='GET',
+                    http_agent=self.http_agent, headers=self.restheaders,
+                    timeout=self.connection_timeout,
+                    validate_certs=self.validate_certs
+                )
+            )
+
+            return required_actions
+        except Exception:
+            return None
+
+    def register_required_action(self, rep, realm='master'):
+        """
+        Register required action.
+        :param rep:   JSON containing 'providerId', and 'name' attributes.
+        :param realm: Realm name (not id).
+        :return:      Representation of the required action.
+        """
+
+        data = {
+            'name': rep['name'],
+            'providerId': rep['providerId']
+        }
+
+        try:
+            return open_url(
+                URL_AUTHENTICATION_REGISTER_REQUIRED_ACTION.format(
+                    url=self.baseurl,
+                    realm=realm
+                ),
+                method='POST',
+                http_agent=self.http_agent, headers=self.restheaders,
+                data=json.dumps(data),
+                timeout=self.connection_timeout,
+                validate_certs=self.validate_certs
+            )
+        except Exception as e:
+            self.module.fail_json(
+                msg='Unable to register required action %s in realm %s: %s'
+                % (rep["name"], realm, str(e))
+            )
+
+    def update_required_action(self, alias, rep, realm='master'):
+        """
+        Update required action.
+        :param alias: Alias of required action.
+        :param rep:   JSON describing new state of required action.
+        :param realm: Realm name (not id).
+        :return:      HTTPResponse object on success.
+        """
+
+        try:
+            return open_url(
+                URL_AUTHENTICATION_REQUIRED_ACTIONS_ALIAS.format(
+                    url=self.baseurl,
+                    alias=quote(alias),
+                    realm=realm
+                ),
+                method='PUT',
+                http_agent=self.http_agent, headers=self.restheaders,
+                data=json.dumps(rep),
+                timeout=self.connection_timeout,
+                validate_certs=self.validate_certs
+            )
+        except Exception as e:
+            self.module.fail_json(
+                msg='Unable to update required action %s in realm %s: %s'
+                % (alias, realm, str(e))
+            )
+
+    def delete_required_action(self, alias, realm='master'):
+        """
+        Delete required action.
+        :param alias: Alias of required action.
+        :param realm: Realm name (not id).
+        :return:      HTTPResponse object on success.
+        """
+
+        try:
+            return open_url(
+                URL_AUTHENTICATION_REQUIRED_ACTIONS_ALIAS.format(
+                    url=self.baseurl,
+                    alias=quote(alias),
+                    realm=realm
+                ),
+                method='DELETE',
+                http_agent=self.http_agent, headers=self.restheaders,
+                timeout=self.connection_timeout,
+                validate_certs=self.validate_certs
+            )
+        except Exception as e:
+            self.module.fail_json(
+                msg='Unable to delete required action %s in realm %s: %s'
+                % (alias, realm, str(e))
+            )
+
     def get_identity_providers(self, realm='master'):
         """ Fetch representations for identity providers in a realm
         :param realm: realm to be queried
@@ -2375,3 +2650,245 @@ class KeycloakAPI(object):
                             validate_certs=self.validate_certs)
         except Exception as e:
             self.module.fail_json(msg='Could not delete scope %s for client %s in realm %s: %s' % (id, client_id, realm, str(e)))
+
+    def get_user_by_id(self, user_id, realm='master'):
+        """
+        Get a User by its ID.
+        :param user_id: ID of the user.
+        :param realm: Realm
+        :return: Representation of the user.
+        """
+        try:
+            user_url = URL_USER.format(
+                url=self.baseurl,
+                realm=realm,
+                id=user_id)
+            userrep = json.load(
+                open_url(
+                    user_url,
+                    method='GET',
+                    headers=self.restheaders))
+            return userrep
+        except Exception as e:
+            self.module.fail_json(msg='Could not get user %s in realm %s: %s'
+                                      % (user_id, realm, str(e)))
+
+    def create_user(self, userrep, realm='master'):
+        """
+        Create a new User.
+        :param userrep: Representation of the user to create
+        :param realm: Realm
+        :return: Representation of the user created.
+        """
+        try:
+            if 'attributes' in userrep and isinstance(userrep['attributes'], list):
+                attributes = copy.deepcopy(userrep['attributes'])
+                userrep['attributes'] = self.convert_user_attributes_to_keycloak_dict(attributes=attributes)
+            users_url = URL_USERS.format(
+                url=self.baseurl,
+                realm=realm)
+            open_url(users_url,
+                     method='POST',
+                     headers=self.restheaders,
+                     data=json.dumps(userrep))
+            created_user = self.get_user_by_username(
+                username=userrep['username'],
+                realm=realm)
+            return created_user
+        except Exception as e:
+            self.module.fail_json(msg='Could not create user %s in realm %s: %s'
+                                      % (userrep['username'], realm, str(e)))
+
+    def convert_user_attributes_to_keycloak_dict(self, attributes):
+        keycloak_user_attributes_dict = {}
+        for attribute in attributes:
+            if ('state' not in attribute or attribute['state'] == 'present') and 'name' in attribute:
+                keycloak_user_attributes_dict[attribute['name']] = attribute['values'] if 'values' in attribute else []
+        return keycloak_user_attributes_dict
+
+    def convert_keycloak_user_attributes_dict_to_module_list(self, attributes):
+        module_attributes_list = []
+        for key in attributes:
+            attr = {}
+            attr['name'] = key
+            attr['values'] = attributes[key]
+            module_attributes_list.append(attr)
+        return module_attributes_list
+
+    def update_user(self, userrep, realm='master'):
+        """
+        Update a User.
+        :param userrep: Representation of the user to update. This representation must include the ID of the user.
+        :param realm: Realm
+        :return: Representation of the updated user.
+        """
+        try:
+            if 'attributes' in userrep and isinstance(userrep['attributes'], list):
+                attributes = copy.deepcopy(userrep['attributes'])
+                userrep['attributes'] = self.convert_user_attributes_to_keycloak_dict(attributes=attributes)
+            user_url = URL_USER.format(
+                url=self.baseurl,
+                realm=realm,
+                id=userrep["id"])
+            open_url(
+                user_url,
+                method='PUT',
+                headers=self.restheaders,
+                data=json.dumps(userrep))
+            updated_user = self.get_user_by_id(
+                user_id=userrep['id'],
+                realm=realm)
+            return updated_user
+        except Exception as e:
+            self.module.fail_json(msg='Could not update user %s in realm %s: %s'
+                                      % (userrep['username'], realm, str(e)))
+
+    def delete_user(self, user_id, realm='master'):
+        """
+        Delete a User.
+        :param user_id: ID of the user to be deleted
+        :param realm: Realm
+        :return: HTTP response.
+        """
+        try:
+            user_url = URL_USER.format(
+                url=self.baseurl,
+                realm=realm,
+                id=user_id)
+            return open_url(
+                user_url,
+                method='DELETE',
+                headers=self.restheaders)
+        except Exception as e:
+            self.module.fail_json(msg='Could not delete user %s in realm %s: %s'
+                                      % (user_id, realm, str(e)))
+
+    def get_user_groups(self, user_id, realm='master'):
+        """
+        Get groups for a user.
+        :param user_id: User ID
+        :param realm: Realm
+        :return: Representation of the client groups.
+        """
+        try:
+            groups = []
+            user_groups_url = URL_USER_GROUPS.format(
+                url=self.baseurl,
+                realm=realm,
+                id=user_id)
+            user_groups = json.load(
+                open_url(
+                    user_groups_url,
+                    method='GET',
+                    headers=self.restheaders))
+            for user_group in user_groups:
+                groups.append(user_group["name"])
+            return groups
+        except Exception as e:
+            self.module.fail_json(msg='Could not get groups for user %s in realm %s: %s'
+                                      % (user_id, realm, str(e)))
+
+    def add_user_in_group(self, user_id, group_id, realm='master'):
+        """
+        Add a user to a group.
+        :param user_id: User ID
+        :param group_id: Group Id to add the user to.
+        :param realm: Realm
+        :return: HTTP Response
+        """
+        try:
+            user_group_url = URL_USER_GROUP.format(
+                url=self.baseurl,
+                realm=realm,
+                id=user_id,
+                group_id=group_id)
+            return open_url(
+                user_group_url,
+                method='PUT',
+                headers=self.restheaders)
+        except Exception as e:
+            self.module.fail_json(msg='Could not add user %s in group %s in realm %s: %s'
+                                      % (user_id, group_id, realm, str(e)))
+
+    def remove_user_from_group(self, user_id, group_id, realm='master'):
+        """
+        Remove a user from a group for a user.
+        :param user_id: User ID
+        :param group_id: Group Id to add the user to.
+        :param realm: Realm
+        :return: HTTP response
+        """
+        try:
+            user_group_url = URL_USER_GROUP.format(
+                url=self.baseurl,
+                realm=realm,
+                id=user_id,
+                group_id=group_id)
+            return open_url(
+                user_group_url,
+                method='DELETE',
+                headers=self.restheaders)
+        except Exception as e:
+            self.module.fail_json(msg='Could not remove user %s from group %s in realm %s: %s'
+                                      % (user_id, group_id, realm, str(e)))
+
+    def update_user_groups_membership(self, userrep, groups, realm='master'):
+        """
+        Update user's group membership
+        :param userrep: Representation of the user. This representation must include the ID.
+        :param realm: Realm
+        :return: True if group membership has been changed. False Otherwise.
+        """
+        changed = False
+        try:
+            user_existing_groups = self.get_user_groups(
+                user_id=userrep['id'],
+                realm=realm)
+            groups_to_add_and_remove = self.extract_groups_to_add_to_and_remove_from_user(groups)
+            # If group membership need to be changed
+            if not is_struct_included(groups_to_add_and_remove['add'], user_existing_groups):
+                # Get available goups in the realm
+                realm_groups = self.get_groups(realm=realm)
+                for realm_group in realm_groups:
+                    if "name" in realm_group and realm_group["name"] in groups_to_add_and_remove['add']:
+                        self.add_user_in_group(
+                            user_id=userrep["id"],
+                            group_id=realm_group["id"],
+                            realm=realm)
+                        changed = True
+                    elif "name" in realm_group and realm_group['name'] in groups_to_add_and_remove['remove']:
+                        self.remove_user_from_group(
+                            user_id=userrep['id'],
+                            group_id=realm_group['id'],
+                            realm=realm)
+                        changed = True
+            return changed
+        except Exception as e:
+            self.module.fail_json(msg='Could not update group membership for user %s in realm %s: %s'
+                                      % (userrep['id]'], realm, str(e)))
+
+    def extract_groups_to_add_to_and_remove_from_user(self, groups):
+        groups_extract = {}
+        groups_to_add = []
+        groups_to_remove = []
+        if isinstance(groups, list) and len(groups) > 0:
+            for group in groups:
+                group_name = group['name'] if isinstance(group, dict) and 'name' in group else group
+                if isinstance(group, dict) and ('state' not in group or group['state'] == 'present'):
+                    groups_to_add.append(group_name)
+                else:
+                    groups_to_remove.append(group_name)
+        groups_extract['add'] = groups_to_add
+        groups_extract['remove'] = groups_to_remove
+
+        return groups_extract
+
+    def convert_user_group_list_of_str_to_list_of_dict(self, groups):
+        list_of_groups = []
+        if isinstance(groups, list) and len(groups) > 0:
+            for group in groups:
+                if isinstance(group, str):
+                    group_dict = {}
+                    group_dict['name'] = group
+                    list_of_groups.append(group_dict)
+        return list_of_groups

plugins/module_utils/ldap.py

@@ -42,11 +42,17 @@ def gen_specs(**specs):
         'validate_certs': dict(default=True, type='bool'),
         'sasl_class': dict(choices=['external', 'gssapi'], default='external', type='str'),
         'xorder_discovery': dict(choices=['enable', 'auto', 'disable'], default='auto', type='str'),
+        'client_cert': dict(default=None, type='path'),
+        'client_key': dict(default=None, type='path'),
     })
 
     return specs
 
 
+def ldap_required_together():
+    return [['client_cert', 'client_key']]
+
+
 class LdapGeneric(object):
     def __init__(self, module):
         # Shortcuts
@@ -60,6 +66,8 @@ class LdapGeneric(object):
         self.verify_cert = self.module.params['validate_certs']
         self.sasl_class = self.module.params['sasl_class']
         self.xorder_discovery = self.module.params['xorder_discovery']
+        self.client_cert = self.module.params['client_cert']
+        self.client_key = self.module.params['client_key']
 
         # Establish connection
         self.connection = self._connect_to_ldap()
@@ -102,6 +110,10 @@ class LdapGeneric(object):
         if self.ca_path:
             ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_path)
 
+        if self.client_cert and self.client_key:
+            ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self.client_cert)
+            ldap.set_option(ldap.OPT_X_TLS_KEYFILE, self.client_key)
+
         connection = ldap.initialize(self.server_uri)
 
         if self.referrals_chasing == 'disabled':

plugins/module_utils/mh/mixins/deps.py

@@ -52,6 +52,8 @@ class DependencyMixin(ModuleHelperBase):
         return cls._dependencies[-1]
 
     def fail_on_missing_deps(self):
+        if not self._dependencies:
+            return
         self.module.deprecate(
             'The DependencyMixin is being deprecated. '
             'Modules should use community.general.plugins.module_utils.deps instead.',

plugins/module_utils/mh/mixins/vars.py

@@ -11,6 +11,13 @@ import copy
 
 
 class VarMeta(object):
+    """
+    DEPRECATION WARNING
+
+    This class is deprecated and will be removed in community.general 10.0.0
+    Modules should use the VarDict from plugins/module_utils/vardict.py instead.
+    """
+
     NOTHING = object()
 
     def __init__(self, diff=False, output=True, change=None, fact=False):
@@ -60,6 +67,12 @@ class VarMeta(object):
 
 
 class VarDict(object):
+    """
+    DEPRECATION WARNING
+
+    This class is deprecated and will be removed in community.general 10.0.0
+    Modules should use the VarDict from plugins/module_utils/vardict.py instead.
+    """
     def __init__(self):
         self._data = dict()
         self._meta = dict()
@@ -123,7 +136,12 @@ class VarDict(object):
 
 
 class VarsMixin(object):
+    """
+    DEPRECATION WARNING
 
+    This class is deprecated and will be removed in community.general 10.0.0
+    Modules should use the VarDict from plugins/module_utils/vardict.py instead.
+    """
     def __init__(self, module=None):
         self.vars = VarDict()
         super(VarsMixin, self).__init__(module)

plugins/module_utils/proxmox.py

@@ -107,19 +107,30 @@ class ProxmoxAnsible(object):
             self.module.fail_json(msg='%s' % e, exception=traceback.format_exc())
 
     def version(self):
-        apireturn = self.proxmox_api.version.get()
-        return LooseVersion(apireturn['version'])
+        try:
+            apiversion = self.proxmox_api.version.get()
+            return LooseVersion(apiversion['version'])
+        except Exception as e:
+            self.module.fail_json(msg='Unable to retrieve Proxmox VE version: %s' % e)
 
     def get_node(self, node):
-        nodes = [n for n in self.proxmox_api.nodes.get() if n['node'] == node]
+        try:
+            nodes = [n for n in self.proxmox_api.nodes.get() if n['node'] == node]
+        except Exception as e:
+            self.module.fail_json(msg='Unable to retrieve Proxmox VE node: %s' % e)
         return nodes[0] if nodes else None
 
     def get_nextvmid(self):
-        vmid = self.proxmox_api.cluster.nextid.get()
-        return vmid
+        try:
+            return self.proxmox_api.cluster.nextid.get()
+        except Exception as e:
+            self.module.fail_json(msg='Unable to retrieve next free vmid: %s' % e)
 
     def get_vmid(self, name, ignore_missing=False, choose_first_if_multiple=False):
-        vms = [vm['vmid'] for vm in self.proxmox_api.cluster.resources.get(type='vm') if vm.get('name') == name]
+        try:
+            vms = [vm['vmid'] for vm in self.proxmox_api.cluster.resources.get(type='vm') if vm.get('name') == name]
+        except Exception as e:
+            self.module.fail_json(msg='Unable to retrieve list of VMs filtered by name %s: %s' % (name, e))
 
         if not vms:
             if ignore_missing:
@@ -132,7 +143,10 @@ class ProxmoxAnsible(object):
         return vms[0]
 
     def get_vm(self, vmid, ignore_missing=False):
-        vms = [vm for vm in self.proxmox_api.cluster.resources.get(type='vm') if vm['vmid'] == int(vmid)]
+        try:
+            vms = [vm for vm in self.proxmox_api.cluster.resources.get(type='vm') if vm['vmid'] == int(vmid)]
+        except Exception as e:
+            self.module.fail_json(msg='Unable to retrieve list of VMs filtered by vmid %s: %s' % (vmid, e))
 
         if vms:
             return vms[0]
@@ -143,5 +157,30 @@ class ProxmoxAnsible(object):
             self.module.fail_json(msg='VM with vmid %s does not exist in cluster' % vmid)
 
     def api_task_ok(self, node, taskid):
-        status = self.proxmox_api.nodes(node).tasks(taskid).status.get()
-        return status['status'] == 'stopped' and status['exitstatus'] == 'OK'
+        try:
+            status = self.proxmox_api.nodes(node).tasks(taskid).status.get()
+            return status['status'] == 'stopped' and status['exitstatus'] == 'OK'
+        except Exception as e:
+            self.module.fail_json(msg='Unable to retrieve API task ID from node %s: %s' % (node, e))
+
+    def get_pool(self, poolid):
+        """Retrieve pool information
+
+        :param poolid: str - name of the pool
+        :return: dict - pool information
+        """
+        try:
+            return self.proxmox_api.pools(poolid).get()
+        except Exception as e:
+            self.module.fail_json(msg="Unable to retrieve pool %s information: %s" % (poolid, e))
+
+    def get_storages(self, type):
+        """Retrieve storages information
+
+        :param type: str, optional - type of storages
+        :return: list of dicts - array of storages
+        """
+        try:
+            return self.proxmox_api.storage.get(type=type)
+        except Exception as e:
+            self.module.fail_json(msg="Unable to retrieve storages information with type %s: %s" % (type, e))

plugins/module_utils/redfish_utils.py

@@ -7,9 +7,14 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 
 import json
+import os
+import random
+import string
 from ansible.module_utils.urls import open_url
 from ansible.module_utils.common.text.converters import to_native
 from ansible.module_utils.common.text.converters import to_text
+from ansible.module_utils.common.text.converters import to_bytes
+from ansible.module_utils.six import text_type
 from ansible.module_utils.six.moves import http_client
 from ansible.module_utils.six.moves.urllib.error import URLError, HTTPError
 from ansible.module_utils.six.moves.urllib.parse import urlparse
@@ -153,7 +158,7 @@ class RedfishUtils(object):
                     'msg': "Failed GET request to '%s': '%s'" % (uri, to_text(e))}
         return {'ret': True, 'data': data, 'headers': headers, 'resp': resp}
 
-    def post_request(self, uri, pyld):
+    def post_request(self, uri, pyld, multipart=False):
         req_headers = dict(POST_HEADERS)
         username, password, basic_auth = self._auth_params(req_headers)
         try:
@@ -162,7 +167,14 @@ class RedfishUtils(object):
             # header since this can cause conflicts with some services
             if self.sessions_uri is not None and uri == (self.root_uri + self.sessions_uri):
                 basic_auth = False
-            resp = open_url(uri, data=json.dumps(pyld),
+            if multipart:
+                # Multipart requests require special handling to encode the request body
+                multipart_encoder = self._prepare_multipart(pyld)
+                data = multipart_encoder[0]
+                req_headers['content-type'] = multipart_encoder[1]
+            else:
+                data = json.dumps(pyld)
+            resp = open_url(uri, data=data,
                             headers=req_headers, method="POST",
                             url_username=username, url_password=password,
                             force_basic_auth=basic_auth, validate_certs=False,
@@ -298,6 +310,59 @@ class RedfishUtils(object):
                     'msg': "Failed DELETE request to '%s': '%s'" % (uri, to_text(e))}
         return {'ret': True, 'resp': resp}
 
+    @staticmethod
+    def _prepare_multipart(fields):
+        """Prepares a multipart body based on a set of fields provided.
+
+        Ideally it would have been good to use the existing 'prepare_multipart'
+        found in ansible.module_utils.urls, but it takes files and encodes them
+        as Base64 strings, which is not expected by Redfish services.  It also
+        adds escaping of certain bytes in the payload, such as inserting '\r'
+        any time it finds a standlone '\n', which corrupts the image payload
+        send to the service.  This implementation is simplified to Redfish's
+        usage and doesn't necessarily represent an exhaustive method of
+        building multipart requests.
+        """
+
+        def write_buffer(body, line):
+            # Adds to the multipart body based on the provided data type
+            # At this time there is only support for strings, dictionaries, and bytes (default)
+            if isinstance(line, text_type):
+                body.append(to_bytes(line, encoding='utf-8'))
+            elif isinstance(line, dict):
+                body.append(to_bytes(json.dumps(line), encoding='utf-8'))
+            else:
+                body.append(line)
+            return
+
+        # Generate a random boundary marker; may need to consider probing the
+        # payload for potential conflicts in the future
+        boundary = ''.join(random.choice(string.digits + string.ascii_letters) for i in range(30))
+        body = []
+        for form in fields:
+            # Fill in the form details
+            write_buffer(body, '--' + boundary)
+
+            # Insert the headers (Content-Disposition and Content-Type)
+            if 'filename' in fields[form]:
+                name = os.path.basename(fields[form]['filename']).replace('"', '\\"')
+                write_buffer(body, u'Content-Disposition: form-data; name="%s"; filename="%s"' % (to_text(form), to_text(name)))
+            else:
+                write_buffer(body, 'Content-Disposition: form-data; name="%s"' % form)
+            write_buffer(body, 'Content-Type: %s' % fields[form]['mime_type'])
+            write_buffer(body, '')
+
+            # Insert the payload; read from the file if not given by the caller
+            if 'content' not in fields[form]:
+                with open(to_bytes(fields[form]['filename'], errors='surrogate_or_strict'), 'rb') as f:
+                    fields[form]['content'] = f.read()
+            write_buffer(body, fields[form]['content'])
+
+        # Finalize the entire request
+        write_buffer(body, '--' + boundary + '--')
+        write_buffer(body, '')
+        return (b'\r\n'.join(body), 'multipart/form-data; boundary=' + boundary)
+
     @staticmethod
     def _get_extended_message(error):
         """
@@ -1572,6 +1637,61 @@ class RedfishUtils(object):
                 'msg': "SimpleUpdate requested",
                 'update_status': self._operation_results(response['resp'], response['data'])}
 
+    def multipath_http_push_update(self, update_opts):
+        """
+        Provides a software update via the URI specified by the
+        MultipartHttpPushUri property.  Callers should adjust the 'timeout'
+        variable in the base object to accommodate the size of the image and
+        speed of the transfer.  For example, a 200MB image will likely take
+        more than the default 10 second timeout.
+
+        :param update_opts: The parameters for the update operation
+        :return: dict containing the response of the update request
+        """
+        image_file = update_opts.get('update_image_file')
+        targets = update_opts.get('update_targets')
+        apply_time = update_opts.get('update_apply_time')
+
+        # Ensure the image file is provided
+        if not image_file:
+            return {'ret': False, 'msg':
+                    'Must specify update_image_file for the MultipartHTTPPushUpdate command'}
+        if not os.path.isfile(image_file):
+            return {'ret': False, 'msg':
+                    'Must specify a valid file for the MultipartHTTPPushUpdate command'}
+        try:
+            with open(image_file, 'rb') as f:
+                image_payload = f.read()
+        except Exception as e:
+            return {'ret': False, 'msg':
+                    'Could not read file %s' % image_file}
+
+        # Check that multipart HTTP push updates are supported
+        response = self.get_request(self.root_uri + self.update_uri)
+        if response['ret'] is False:
+            return response
+        data = response['data']
+        if 'MultipartHttpPushUri' not in data:
+            return {'ret': False, 'msg': 'Service does not support MultipartHttpPushUri'}
+        update_uri = data['MultipartHttpPushUri']
+
+        # Assemble the JSON payload portion of the request
+        payload = {"@Redfish.OperationApplyTime": "Immediate"}
+        if targets:
+            payload["Targets"] = targets
+        if apply_time:
+            payload["@Redfish.OperationApplyTime"] = apply_time
+        multipart_payload = {
+            'UpdateParameters': {'content': json.dumps(payload), 'mime_type': 'application/json'},
+            'UpdateFile': {'filename': image_file, 'content': image_payload, 'mime_type': 'application/octet-stream'}
+        }
+        response = self.post_request(self.root_uri + update_uri, multipart_payload, multipart=True)
+        if response['ret'] is False:
+            return response
+        return {'ret': True, 'changed': True,
+                'msg': "MultipartHTTPPushUpdate requested",
+                'update_status': self._operation_results(response['resp'], response['data'])}
+
     def get_update_status(self, update_handle):
         """
         Gets the status of an update operation.

plugins/module_utils/redhat.py

@@ -24,6 +24,14 @@ from ansible.module_utils.six.moves import configparser
 
 
 class RegistrationBase(object):
+    """
+    DEPRECATION WARNING
+
+    This class is deprecated and will be removed in community.general 10.0.0.
+    There is no replacement for it; please contact the community.general
+    maintainers in case you are using it.
+    """
+
     def __init__(self, module, username=None, password=None):
         self.module = module
         self.username = username
@@ -71,10 +79,23 @@ class RegistrationBase(object):
 
 
 class Rhsm(RegistrationBase):
+    """
+    DEPRECATION WARNING
+
+    This class is deprecated and will be removed in community.general 9.0.0.
+    There is no replacement for it; please contact the community.general
+    maintainers in case you are using it.
+    """
+
     def __init__(self, module, username=None, password=None):
         RegistrationBase.__init__(self, module, username, password)
         self.config = self._read_config()
         self.module = module
+        self.module.deprecate(
+            'The Rhsm class is deprecated with no replacement.',
+            version='9.0.0',
+            collection_name='community.general',
+        )
 
     def _read_config(self, rhsm_conf='/etc/rhsm/rhsm.conf'):
         '''
@@ -200,14 +221,25 @@ class Rhsm(RegistrationBase):
 
 
 class RhsmPool(object):
-    '''
-        Convenience class for housing subscription information
-    '''
+    """
+    Convenience class for housing subscription information
+
+    DEPRECATION WARNING
+
+    This class is deprecated and will be removed in community.general 9.0.0.
+    There is no replacement for it; please contact the community.general
+    maintainers in case you are using it.
+    """
 
     def __init__(self, module, **kwargs):
         self.module = module
         for k, v in kwargs.items():
             setattr(self, k, v)
+        self.module.deprecate(
+            'The RhsmPool class is deprecated with no replacement.',
+            version='9.0.0',
+            collection_name='community.general',
+        )
 
     def __str__(self):
         return str(self.__getattribute__('_name'))
@@ -223,11 +255,23 @@ class RhsmPool(object):
 
 class RhsmPools(object):
     """
-        This class is used for manipulating pools subscriptions with RHSM
+    This class is used for manipulating pools subscriptions with RHSM
+
+    DEPRECATION WARNING
+
+    This class is deprecated and will be removed in community.general 9.0.0.
+    There is no replacement for it; please contact the community.general
+    maintainers in case you are using it.
     """
+
     def __init__(self, module):
         self.module = module
         self.products = self._load_product_list()
+        self.module.deprecate(
+            'The RhsmPools class is deprecated with no replacement.',
+            version='9.0.0',
+            collection_name='community.general',
+        )
 
     def __iter__(self):
         return self.products.__iter__()

plugins/module_utils/snap.py

@@ -20,6 +20,7 @@ _state_map = dict(
     absent='remove',
     enabled='enable',
     disabled='disable',
+    refresh='refresh',
 )
 
 

plugins/module_utils/vardict.py

@@ -0,0 +1,178 @@
+# -*- coding: utf-8 -*-
+# (c) 2023, Alexei Znamensky <russoz@gmail.com>
+# Copyright (c) 2023, Ansible Project
+# Simplified BSD License (see LICENSES/BSD-2-Clause.txt or https://opensource.org/licenses/BSD-2-Clause)
+# SPDX-License-Identifier: BSD-2-Clause
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+import copy
+
+
+class _Variable(object):
+    NOTHING = object()
+
+    def __init__(self, diff=False, output=True, change=None, fact=False, verbosity=0):
+        self.init = False
+        self.initial_value = None
+        self.value = None
+
+        self.diff = None
+        self._change = None
+        self.output = None
+        self.fact = None
+        self._verbosity = None
+        self.set_meta(output=output, diff=diff, change=change, fact=fact, verbosity=verbosity)
+
+    def getchange(self):
+        return self.diff if self._change is None else self._change
+
+    def setchange(self, value):
+        self._change = value
+
+    def getverbosity(self):
+        return self._verbosity
+
+    def setverbosity(self, v):
+        if not (0 <= v <= 4):
+            raise ValueError("verbosity must be an int in the range 0 to 4")
+        self._verbosity = v
+
+    change = property(getchange, setchange)
+    verbosity = property(getverbosity, setverbosity)
+
+    def set_meta(self, output=None, diff=None, change=None, fact=None, initial_value=NOTHING, verbosity=None):
+        """Set the metadata for the variable
+
+        Args:
+            output (bool, optional): flag indicating whether the variable should be in the output of the module. Defaults to None.
+            diff (bool, optional): flag indicating whether to generate diff mode output for this variable. Defaults to None.
+            change (bool, optional): flag indicating whether to track if changes happened to this variable. Defaults to None.
+            fact (bool, optional): flag indicating whether the varaiable should be exposed as a fact of the module. Defaults to None.
+            initial_value (any, optional): initial value of the variable, to be used with `change`. Defaults to NOTHING.
+            verbosity (int, optional): level of verbosity in which this variable is reported by the module as `output`, `fact` or `diff`. Defaults to None.
+        """
+        if output is not None:
+            self.output = output
+        if change is not None:
+            self.change = change
+        if diff is not None:
+            self.diff = diff
+        if fact is not None:
+            self.fact = fact
+        if initial_value is not _Variable.NOTHING:
+            self.initial_value = copy.deepcopy(initial_value)
+        if verbosity is not None:
+            self.verbosity = verbosity
+
+    def set_value(self, value):
+        if not self.init:
+            self.initial_value = copy.deepcopy(value)
+            self.init = True
+        self.value = value
+        return self
+
+    def is_visible(self, verbosity):
+        return self.verbosity <= verbosity
+
+    @property
+    def has_changed(self):
+        return self.change and (self.initial_value != self.value)
+
+    @property
+    def diff_result(self):
+        if self.diff and self.has_changed:
+            return {'before': self.initial_value, 'after': self.value}
+        return
+
+    def __str__(self):
+        return "<_Variable: value={0!r}, initial={1!r}, diff={2}, output={3}, change={4}, verbosity={5}>".format(
+            self.value, self.initial_value, self.diff, self.output, self.change, self.verbosity
+        )
+
+
+class VarDict(object):
+    reserved_names = ('__vars__', 'var', 'set_meta', 'set', 'output', 'diff', 'facts', 'has_changed')
+
+    def __init__(self):
+        self.__vars__ = dict()
+
+    def __getitem__(self, item):
+        return self.__vars__[item].value
+
+    def __setitem__(self, key, value):
+        self.set(key, value)
+
+    def __getattr__(self, item):
+        try:
+            return self.__vars__[item].value
+        except KeyError:
+            return getattr(super(VarDict, self), item)
+
+    def __setattr__(self, key, value):
+        if key == '__vars__':
+            super(VarDict, self).__setattr__(key, value)
+        else:
+            self.set(key, value)
+
+    def _var(self, name):
+        return self.__vars__[name]
+
+    def set_meta(self, name, **kwargs):
+        """Set the metadata for the variable
+
+        Args:
+            name (str): name of the variable having its metadata changed
+            output (bool, optional): flag indicating whether the variable should be in the output of the module. Defaults to None.
+            diff (bool, optional): flag indicating whether to generate diff mode output for this variable. Defaults to None.
+            change (bool, optional): flag indicating whether to track if changes happened to this variable. Defaults to None.
+            fact (bool, optional): flag indicating whether the varaiable should be exposed as a fact of the module. Defaults to None.
+            initial_value (any, optional): initial value of the variable, to be used with `change`. Defaults to NOTHING.
+            verbosity (int, optional): level of verbosity in which this variable is reported by the module as `output`, `fact` or `diff`. Defaults to None.
+        """
+        self._var(name).set_meta(**kwargs)
+
+    def set(self, name, value, **kwargs):
+        """Set the value and optionally metadata for a variable. The variable is not required to exist prior to calling `set`.
+
+        For details on the accepted metada see the documentation for method `set_meta`.
+
+        Args:
+            name (str): name of the variable being changed
+            value (any): the value of the variable, it can be of any type
+
+        Raises:
+            ValueError: Raised if trying to set a variable with a reserved name.
+        """
+        if name in self.reserved_names:
+            raise ValueError("Name {0} is reserved".format(name))
+        if name in self.__vars__:
+            var = self._var(name)
+            var.set_meta(**kwargs)
+        else:
+            var = _Variable(**kwargs)
+        var.set_value(value)
+        self.__vars__[name] = var
+
+    def output(self, verbosity=0):
+        return dict((n, v.value) for n, v in self.__vars__.items() if v.output and v.is_visible(verbosity))
+
+    def diff(self, verbosity=0):
+        diff_results = [(n, v.diff_result) for n, v in self.__vars__.items() if v.diff_result and v.is_visible(verbosity)]
+        if diff_results:
+            before = dict((n, dr['before']) for n, dr in diff_results)
+            after = dict((n, dr['after']) for n, dr in diff_results)
+            return {'before': before, 'after': after}
+        return None
+
+    def facts(self, verbosity=0):
+        facts_result = dict((n, v.value) for n, v in self.__vars__.items() if v.fact and v.is_visible(verbosity))
+        return facts_result if facts_result else None
+
+    @property
+    def has_changed(self):
+        return any(True for var in self.__vars__.values() if var.has_changed)
+
+    def as_dict(self):
+        return dict((name, var.value) for name, var in self.__vars__.items())

plugins/modules/airbrake_deployment.py

@@ -72,7 +72,7 @@ options:
     type: str
   validate_certs:
     description:
-      - If C(false), SSL certificates for the target url will not be validated. This should only be used
+      - If V(false), SSL certificates for the target url will not be validated. This should only be used
         on personally controlled sites using self-signed certificates.
     required: false
     default: true

plugins/modules/aix_devices.py

@@ -31,7 +31,7 @@ options:
   device:
     description:
     - The name of the device.
-    - C(all) is valid to rescan C(available) all devices (AIX cfgmgr command).
+    - V(all) is valid to rescan C(available) all devices (AIX cfgmgr command).
     type: str
   force:
     description:
@@ -46,9 +46,9 @@ options:
   state:
     description:
     - Controls the device state.
-    - C(available) (alias C(present)) rescan a specific device or all devices (when C(device) is not specified).
-    - C(removed) (alias C(absent) removes a device.
-    - C(defined) changes device to Defined state.
+    - V(available) (alias V(present)) rescan a specific device or all devices (when O(device) is not specified).
+    - V(removed) (alias V(absent) removes a device.
+    - V(defined) changes device to Defined state.
     type: str
     choices: [ available, defined, removed ]
     default: available

plugins/modules/aix_filesystem.py

@@ -58,7 +58,7 @@ options:
     default: jfs2
   permissions:
     description:
-      - Set file system permissions. C(rw) (read-write) or C(ro) (read-only).
+      - Set file system permissions. V(rw) (read-write) or V(ro) (read-only).
     type: str
     choices: [ ro, rw ]
     default: rw
@@ -77,13 +77,13 @@ options:
     type: str
   rm_mount_point:
     description:
-      - Removes the mount point directory when used with state C(absent).
+      - Removes the mount point directory when used with state V(absent).
     type: bool
     default: false
   size:
     description:
       - Specifies the file system size.
-      - For already C(present) it will be resized.
+      - For already V(present) it will be resized.
       - 512-byte blocks, Megabytes or Gigabytes. If the value has M specified
         it will be in Megabytes. If the value has G specified it will be in
         Gigabytes.
@@ -96,10 +96,10 @@ options:
   state:
     description:
       - Controls the file system state.
-      - C(present) check if file system exists, creates or resize.
-      - C(absent) removes existing file system if already C(unmounted).
-      - C(mounted) checks if the file system is mounted or mount the file system.
-      - C(unmounted) check if the file system is unmounted or unmount the file system.
+      - V(present) check if file system exists, creates or resize.
+      - V(absent) removes existing file system if already V(unmounted).
+      - V(mounted) checks if the file system is mounted or mount the file system.
+      - V(unmounted) check if the file system is unmounted or unmount the file system.
     type: str
     choices: [ absent, mounted, present, unmounted ]
     default: present
@@ -108,7 +108,7 @@ options:
       - Specifies an existing volume group (VG).
     type: str
 notes:
-  - For more C(attributes), please check "crfs" AIX manual.
+  - For more O(attributes), please check "crfs" AIX manual.
 '''
 
 EXAMPLES = r'''

plugins/modules/aix_lvg.py

@@ -36,13 +36,13 @@ options:
   pvs:
     description:
     - List of comma-separated devices to use as physical devices in this volume group.
-    - Required when creating or extending (C(present) state) the volume group.
-    - If not informed reducing (C(absent) state) the volume group will be removed.
+    - Required when creating or extending (V(present) state) the volume group.
+    - If not informed reducing (V(absent) state) the volume group will be removed.
     type: list
     elements: str
   state:
     description:
-    - Control if the volume group exists and volume group AIX state varyonvg C(varyon) or varyoffvg C(varyoff).
+    - Control if the volume group exists and volume group AIX state varyonvg V(varyon) or varyoffvg V(varyoff).
     type: str
     choices: [ absent, present, varyoff, varyon ]
     default: present

plugins/modules/aix_lvol.py

@@ -53,15 +53,15 @@ options:
   policy:
     description:
     - Sets the interphysical volume allocation policy.
-    - C(maximum) allocates logical partitions across the maximum number of physical volumes.
-    - C(minimum) allocates logical partitions across the minimum number of physical volumes.
+    - V(maximum) allocates logical partitions across the maximum number of physical volumes.
+    - V(minimum) allocates logical partitions across the minimum number of physical volumes.
     type: str
     choices: [ maximum, minimum ]
     default: maximum
   state:
     description:
-    - Control if the logical volume exists. If C(present) and the
-      volume does not already exist then the C(size) option is required.
+    - Control if the logical volume exists. If V(present) and the
+      volume does not already exist then the O(size) option is required.
     type: str
     choices: [ absent, present ]
     default: present
@@ -72,7 +72,7 @@ options:
     default: ''
   pvs:
     description:
-    - A list of physical volumes e.g. C(hdisk1,hdisk2).
+    - A list of physical volumes, for example V(hdisk1,hdisk2).
     type: list
     elements: str
     default: []

plugins/modules/alerta_customer.py

@@ -58,7 +58,7 @@ options:
   state:
     description:
       - Whether the customer should exist or not.
-      - Both I(customer) and I(match) identify a customer that should be added or removed.
+      - Both O(customer) and O(match) identify a customer that should be added or removed.
     type: str
     choices: [ absent, present ]
     default: present

plugins/modules/ali_instance.py

@@ -51,12 +51,12 @@ options:
       type: str
     image_id:
       description:
-        - Image ID used to launch instances. Required when I(state=present) and creating new ECS instances.
+        - Image ID used to launch instances. Required when O(state=present) and creating new ECS instances.
       aliases: ['image']
       type: str
     instance_type:
       description:
-        - Instance type used to launch instances. Required when I(state=present) and creating new ECS instances.
+        - Instance type used to launch instances. Required when O(state=present) and creating new ECS instances.
       aliases: ['type']
       type: str
     security_groups:
@@ -95,7 +95,7 @@ options:
     max_bandwidth_out:
       description:
         - Maximum outgoing bandwidth to the public network, measured in Mbps (Megabits per second).
-          Required when I(allocate_public_ip=true). Ignored when I(allocate_public_ip=false).
+          Required when O(allocate_public_ip=true). Ignored when O(allocate_public_ip=false).
       default: 0
       type: int
     host_name:
@@ -134,16 +134,16 @@ options:
       type: str
     count:
       description:
-        - The number of the new instance. An integer value which indicates how many instances that match I(count_tag)
+        - The number of the new instance. An integer value which indicates how many instances that match O(count_tag)
           should be running. Instances are either created or terminated based on this value.
       default: 1
       type: int
     count_tag:
       description:
-      - I(count) determines how many instances based on a specific tag criteria should be present.
+      - O(count) determines how many instances based on a specific tag criteria should be present.
         This can be expressed in multiple ways and is shown in the EXAMPLES section.
-        The specified count_tag must already exist or be passed in as the I(tags) option.
-        If it is not specified, it will be replaced by I(instance_name).
+        The specified count_tag must already exist or be passed in as the O(tags) option.
+        If it is not specified, it will be replaced by O(instance_name).
       type: str
     allocate_public_ip:
       description:
@@ -159,7 +159,7 @@ options:
       type: str
     period:
       description:
-        - The charge duration of the instance, in months. Required when I(instance_charge_type=PrePaid).
+        - The charge duration of the instance, in months. Required when O(instance_charge_type=PrePaid).
         - The valid value are [1-9, 12, 24, 36].
       default: 1
       type: int
@@ -170,13 +170,13 @@ options:
       default: false
     auto_renew_period:
       description:
-        - The duration of the automatic renew the charge of the instance. Required when I(auto_renew=true).
+        - The duration of the automatic renew the charge of the instance. Required when O(auto_renew=true).
       choices: [1, 2, 3, 6, 12]
       type: int
     instance_ids:
       description:
         - A list of instance ids. It is required when need to operate existing instances.
-          If it is specified, I(count) will lose efficacy.
+          If it is specified, O(count) will lose efficacy.
       type: list
       elements: str
     force:
@@ -186,7 +186,7 @@ options:
       type: bool
     tags:
       description:
-        - A hash/dictionaries of instance tags, to add to the new instance or for starting/stopping instance by tag. C({"key":"value"})
+        - A hash/dictionaries of instance tags, to add to the new instance or for starting/stopping instance by tag. V({"key":"value"})
       aliases: ["instance_tags"]
       type: dict
       version_added: '0.2.0'
@@ -229,7 +229,7 @@ options:
       version_added: '0.2.0'
     period_unit:
       description:
-        - The duration unit that you will buy the resource. It is valid when I(instance_charge_type=PrePaid).
+        - The duration unit that you will buy the resource. It is valid when O(instance_charge_type=PrePaid).
       choices: ['Month', 'Week']
       default: 'Month'
       type: str
@@ -237,10 +237,10 @@ options:
     dry_run:
       description:
         - Specifies whether to send a dry-run request.
-        - If I(dry_run=true), Only a dry-run request is sent and no instance is created. The system checks whether the
+        - If O(dry_run=true), Only a dry-run request is sent and no instance is created. The system checks whether the
           required parameters are set, and validates the request format, service permissions, and available ECS instances.
           If the validation fails, the corresponding error code is returned. If the validation succeeds, the DryRunOperation error code is returned.
-        - If I(dry_run=false), A request is sent. If the validation succeeds, the instance is created.
+        - If O(dry_run=false), A request is sent. If the validation succeeds, the instance is created.
       default: false
       type: bool
       version_added: '0.2.0'

plugins/modules/ali_instance_info.py

@@ -53,9 +53,9 @@ options:
       description:
         - A dict of filters to apply. Each dict item consists of a filter key and a filter value. The filter keys can be
           all of request parameters. See U(https://www.alibabacloud.com/help/doc-detail/25506.htm) for parameter details.
-          Filter keys can be same as request parameter name or be lower case and use underscore ("_") or dash ("-") to
-          connect different words in one parameter. 'InstanceIds' should be a list.
-          'Tag.n.Key' and 'Tag.n.Value' should be a dict and using I(tags) instead.
+          Filter keys can be same as request parameter name or be lower case and use underscore (V("_")) or dash (V("-")) to
+          connect different words in one parameter. C(InstanceIds) should be a list.
+          C(Tag.n.Key) and C(Tag.n.Value) should be a dict and using O(tags) instead.
       type: dict
       version_added: '0.2.0'
 author: