---
- name: Playbook to handle hbacrules
hosts: ipaserver
become: true
tasks:
- name: Get Domain from server name
set_fact:
ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
when: ipaserver_domain is not defined
# CLEANUP TEST ITEMS
- name: Ensure test hosts are absent
ipahost:
ipaadmin_password: MyPassword123
name:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
- "{{ 'testhost03.' + ipaserver_domain }}"
- "{{ 'testhost04.' + ipaserver_domain }}"
state: absent
- name: Ensure test hostgroups are absent
ipahostgroup:
ipaadmin_password: MyPassword123
name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04
state: absent
- name: Ensure test users are absent
ipauser:
ipaadmin_password: MyPassword123
name: testuser01,testuser02,testuser03,testuser04
state: absent
- name: Ensure test user groups are absent
ipagroup:
ipaadmin_password: MyPassword123
name: testgroup01,testgroup02,testgroup03,testgroup04
state: absent
- name: Ensure test HBAC Services are absent
ipahbacsvc:
ipaadmin_password: MyPassword123
name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04
state: absent
- name: Ensure test HBAC Service Groups are absent
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04
state: absent
# CREATE TEST ITEMS
- name: Ensure hosts "{{ 'host[1..4].' + ipaserver_domain }}" are present
ipahost:
ipaadmin_password: MyPassword123
hosts:
- name: "{{ 'testhost01.' + ipaserver_domain }}"
force: yes
- name: "{{ 'testhost02.' + ipaserver_domain }}"
force: yes
- name: "{{ 'testhost03.' + ipaserver_domain }}"
force: yes
- name: "{{ 'testhost04.' + ipaserver_domain }}"
force: yes
register: result
failed_when: not result.changed
- name: Ensure host-group testhostgroup01 is present
ipahostgroup:
ipaadmin_password: MyPassword123
name: testhostgroup01
register: result
failed_when: not result.changed
- name: Ensure host-group testhostgroup02 is present
ipahostgroup:
ipaadmin_password: MyPassword123
name: testhostgroup02
register: result
failed_when: not result.changed
- name: Ensure host-group testhostgroup03 is present
ipahostgroup:
ipaadmin_password: MyPassword123
name: testhostgroup03
register: result
failed_when: not result.changed
- name: Ensure host-group testhostgroup04 is present
ipahostgroup:
ipaadmin_password: MyPassword123
name: testhostgroup04
register: result
failed_when: not result.changed
- name: Ensure testusers are present
ipauser:
ipaadmin_password: MyPassword123
users:
- name: testuser01
first: test
last: user01
- name: testuser02
first: test
last: user02
- name: testuser03
first: test
last: user03
- name: testuser04
first: test
last: user04
register: result
failed_when: not result.changed
- name: Ensure user group testgroup01 is present
ipagroup:
ipaadmin_password: MyPassword123
name: testgroup01
register: result
failed_when: not result.changed
- name: Ensure user group testgroup02 is present
ipagroup:
ipaadmin_password: MyPassword123
name: testgroup02
register: result
failed_when: not result.changed
- name: Ensure user group testgroup03 is present
ipagroup:
ipaadmin_password: MyPassword123
name: testgroup03
register: result
failed_when: not result.changed
- name: Ensure user group testgroup04 is present
ipagroup:
ipaadmin_password: MyPassword123
name: testgroup04
register: result
failed_when: not result.changed
- name: Ensure HBAC Service testhbacsvc01 is present
ipahbacsvc:
ipaadmin_password: MyPassword123
name: testhbacsvc01
register: result
failed_when: not result.changed
- name: Ensure HBAC Service testhbacsvc02 is present
ipahbacsvc:
ipaadmin_password: MyPassword123
name: testhbacsvc02
register: result
failed_when: not result.changed
- name: Ensure HBAC Service testhbacsvc03 is present
ipahbacsvc:
ipaadmin_password: MyPassword123
name: testhbacsvc03
register: result
failed_when: not result.changed
- name: Ensure HBAC Service testhbacsvc04 is present
ipahbacsvc:
ipaadmin_password: MyPassword123
name: testhbacsvc04
register: result
failed_when: not result.changed
- name: Ensure HBAC Service Group testhbacsvcgroup01 is present
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
name: testhbacsvcgroup01
register: result
failed_when: not result.changed
- name: Ensure HBAC Service Group testhbacsvcgroup02 is present
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
name: testhbacsvcgroup02
register: result
failed_when: not result.changed
- name: Ensure HBAC Service Group testhbacsvcgroup03 is present
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
name: testhbacsvcgroup03
register: result
failed_when: not result.changed
- name: Ensure HBAC Service Group testhbacsvcgroup04 is present
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
name: testhbacsvcgroup04
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 is absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
state: absent
# ENSURE HBACRULE
- name: Ensure HBAC rule hbacrule01 is present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
register: result
failed_when: not result.changed
- name: Ensure HBAC rule hbacrule01 is present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
register: result
failed_when: result.changed
# CHANGE HBACRULE WITH ALL MEMBERS
- name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
hostgroup: testhostgroup01,testhostgroup02
user: testuser01,testuser02
group: testgroup01,testgroup02
hbacsvc: testhbacsvc01,testhbacsvc02
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
register: result
failed_when: not result.changed
- name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
hostgroup: testhostgroup01,testhostgroup02
user: testuser01,testuser02
group: testgroup01,testgroup02
hbacsvc: testhbacsvc01,testhbacsvc02
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
register: result
failed_when: result.changed
# REMOVE MEMBERS ONE BY ONE
- name: Ensure test HBAC rule hbacrule01 host members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 host members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 hostgroup members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hostgroup: testhostgroup01,testhostgroup02
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 hostgroup members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hostgroup: testhostgroup01,testhostgroup02
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 user members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
user: testuser01,testuser02
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 user members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
user: testuser01,testuser02
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 user group members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
group: testgroup01,testgroup02
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 user group members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
group: testgroup01,testgroup02
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvc: testhbacsvc01,testhbacsvc02
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvc: testhbacsvc01,testhbacsvc02
state: absent
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
state: absent
action: member
register: result
failed_when: result.changed
# ADD MEMBERS BACK
- name: Ensure test HBAC rule hbacrule01 host members are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 host members are present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 hostgroup members are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hostgroup: testhostgroup01,testhostgroup02
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 hostgroup members are present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hostgroup: testhostgroup01,testhostgroup02
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 user members are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
user: testuser01,testuser02
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 user members are present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
user: testuser01,testuser02
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 user group members are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
group: testgroup01,testgroup02
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 user group members are present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
group: testgroup01,testgroup02
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvc members are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvc: testhbacsvc01,testhbacsvc02
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvc members are present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvc: testhbacsvc01,testhbacsvc02
action: member
register: result
failed_when: result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
action: member
register: result
failed_when: not result.changed
- name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
action: member
register: result
failed_when: result.changed
# CHANGE TO DIFFERENT MEMBERS
- name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost03.' + ipaserver_domain }}"
- "{{ 'testhost04.' + ipaserver_domain }}"
hostgroup: testhostgroup03,testhostgroup04
user: testuser03,testuser04
group: testgroup03,testgroup04
hbacsvc: testhbacsvc03,testhbacsvc04
hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
register: result
failed_when: not result.changed
- name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost03.' + ipaserver_domain }}"
- "{{ 'testhost04.' + ipaserver_domain }}"
hostgroup: testhostgroup03,testhostgroup04
user: testuser03,testuser04
group: testgroup03,testgroup04
hbacsvc: testhbacsvc03,testhbacsvc04
hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
register: result
failed_when: result.changed
# ENSURE OLD TEST MEMBERS ARE ABSENT
- name: Ensure HBAC rule hbacrule01 members (same) are present
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
hostgroup: testhostgroup01,testhostgroup02
user: testuser01,testuser02
group: testgroup01,testgroup02
hbacsvc: testhbacsvc01,testhbacsvc02
hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
state: absent
action: member
register: result
failed_when: result.changed
# ENSURE NEW TEST MEMBERS ARE ABSENT
- name: Ensure HBAC rule hbacrule01 members are absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost03.' + ipaserver_domain }}"
- "{{ 'testhost04.' + ipaserver_domain }}"
hostgroup: testhostgroup03,testhostgroup04
user: testuser03,testuser04
group: testgroup03,testgroup04
hbacsvc: testhbacsvc03,testhbacsvc04
hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
state: absent
action: member
register: result
failed_when: not result.changed
- name: Ensure HBAC rule hbacrule01 members are absent again
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
host:
- "{{ 'testhost03.' + ipaserver_domain }}"
- "{{ 'testhost04.' + ipaserver_domain }}"
hostgroup: testhostgroup03,testhostgroup04
user: testuser03,testuser04
group: testgroup03,testgroup04
hbacsvc: testhbacsvc03,testhbacsvc04
hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
state: absent
action: member
register: result
failed_when: result.changed
# CLEANUP TEST ITEMS
- name: Ensure test HBAC rule hbacrule01 is absent
ipahbacrule:
ipaadmin_password: MyPassword123
name: hbacrule01
state: absent
- name: Ensure test hosts are absent
ipahostgroup:
ipaadmin_password: MyPassword123
name:
- "{{ 'testhost01.' + ipaserver_domain }}"
- "{{ 'testhost02.' + ipaserver_domain }}"
- "{{ 'testhost03.' + ipaserver_domain }}"
- "{{ 'testhost04.' + ipaserver_domain }}"
state: absent
- name: Ensure test hostgroups are absent
ipahostgroup:
ipaadmin_password: MyPassword123
name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04
state: absent
- name: Ensure test users are absent
ipauser:
ipaadmin_password: MyPassword123
name: testuser01,testuser02,testuser03,testuser04
state: absent
- name: Ensure test user groups are absent
ipagroup:
ipaadmin_password: MyPassword123
name: testgroup01,testgroup02,testgroup03,testgroup04
state: absent
- name: Ensure test HBAC Services are absent
ipahbacsvc:
ipaadmin_password: MyPassword123
name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04
state: absent
- name: Ensure test HBAC Service Groups are absent
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04
state: absent