shared argument spec for FreeIPA (#28950)

Adds unified argument spec and documentation updates for FreeIPA modules. Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2017-09-08 00:37:15 +05:30 · 2017-09-08 00:37:15 +05:30 · 4a73390823
commit 4a73390823
parent 67c7bd8745
12 changed files with 197 additions and 537 deletions
--- a/lib/ansible/module_utils/ipa.py
+++ b/lib/ansible/module_utils/ipa.py
@ -155,3 +155,14 @@ class IPAClient(object):
                    add_method(name=name, item=diff)
        return changed
 def ipa_argument_spec():
    return dict(
        ipa_prot=dict(type='str', default='https', choices=['http', 'https']),
        ipa_host=dict(type='str', default='ipa.example.com'),
        ipa_port=dict(type='int', default=443),
        ipa_user=dict(type='str', default='admin'),
        ipa_pass=dict(type='str', required=True, no_log=True),
        validate_certs=dict(type='bool', default=True),
    )
--- a/lib/ansible/modules/identity/ipa/ipa_dnsrecord.py
+++ b/lib/ansible/modules/identity/ipa/ipa_dnsrecord.py
@ -46,33 +46,7 @@ options:
    required: false
    default: present
    choices: ["present", "absent"]
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: ipa.example.com
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: admin
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: https
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.4"
 '''
@ -119,7 +93,7 @@ dnsrecord:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -206,22 +180,17 @@ def ensure(module, client):
 def main():
    record_types = ['A', 'AAAA', 'PTR']
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(zone_name=dict(type='str', required=True),
-            zone_name=dict(type='str', required=True),
+                         record_name=dict(type='str', aliases=['name'], required=True),
-            record_name=dict(type='str', required=True, aliases=['name']),
+                         record_type=dict(type='str', default='A', choices=record_types),
-            record_type=dict(type='str', required=False, default='A', choices=record_types),
+                         record_value=dict(type='str', required=True),
-            record_value=dict(type='str', required=True),
+                         state=dict(type='str', default='present', choices=['present', 'absent']),
-            state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
+                         )
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+
-            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_port=dict(type='int', required=False, default=443),
+                           supports_check_mode=True
-            ipa_user=dict(type='str', required=False, default='admin'),
+                           )
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = DNSRecordIPAClient(module=module,
                                host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_group.py
+++ b/lib/ansible/modules/identity/ipa/ipa_group.py
@ -27,11 +27,9 @@ options:
  external:
    description:
    - Allow adding external non-IPA members from trusted domains.
    required: false
  gidnumber:
    description:
    - GID (use this option to set it manually).
    required: false
  group:
    description:
    - List of group names assigned to this group.
@ -41,7 +39,6 @@ options:
  nonposix:
    description:
    - Create as a non-POSIX group.
    required: false
  user:
    description:
    - List of user names assigned to this group.
@ -51,36 +48,9 @@ options:
  state:
    description:
    - State to ensure
    required: false
    default: "present"
    choices: ["present", "absent"]
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -133,7 +103,7 @@ group:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -247,25 +217,19 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(cn=dict(type='str', required=True, aliases=['name']),
-            cn=dict(type='str', required=True, aliases=['name']),
+                         description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         external=dict(type='bool'),
-            external=dict(type='bool', required=False),
+                         gidnumber=dict(type='str', aliases=['gid']),
-            gidnumber=dict(type='str', required=False, aliases=['gid']),
+                         group=dict(type='list'),
-            group=dict(type='list', required=False),
+                         nonposix=dict(type='bool'),
-            nonposix=dict(type='bool', required=False),
+                         state=dict(type='str', default='present', choices=['present', 'absent']),
-            state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
+                         user=dict(type='list'))
-            user=dict(type='list', required=False),
+
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
+                           supports_check_mode=True,
-            ipa_port=dict(type='int', required=False, default=443),
+                           )
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = GroupIPAClient(module=module,
                            host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_hbacrule.py
+++ b/lib/ansible/modules/identity/ipa/ipa_hbacrule.py
@ -27,7 +27,6 @@ options:
    aliases: ["name"]
  description:
    description: Description
    required: false
  host:
    description:
    - List of host names to assign.
@ -36,7 +35,6 @@ options:
    required: false
  hostcategory:
    description: Host category
    required: false
    choices: ['all']
  hostgroup:
    description:
@ -50,7 +48,6 @@ options:
    - If option is omitted services will not be checked or changed.
  servicecategory:
    description: Service category
    required: false
    choices: ['all']
  servicegroup:
    description:
@ -64,7 +61,6 @@ options:
    - If option is omitted source hosts will not be checked or changed.
  sourcehostcategory:
    description: Source host category
    required: false
    choices: ['all']
  sourcehostgroup:
    description:
@ -73,7 +69,6 @@ options:
    - If option is omitted source host groups will not be checked or changed.
  state:
    description: State to ensure
    required: false
    default: "present"
    choices: ["present", "absent", "enabled", "disabled"]
  user:
@ -83,40 +78,13 @@ options:
    - If option is omitted users will not be checked or changed.
  usercategory:
    description: User category
    required: false
    choices: ['all']
  usergroup:
    description:
    - List of user group names to assign.
    - If an empty list if passed all assigned user groups will be removed from the rule.
    - If option is omitted user groups will not be checked or changed.
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -165,7 +133,7 @@ hbacrule:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -329,33 +297,26 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(cn=dict(type='str', required=True, aliases=['name']),
-            cn=dict(type='str', required=True, aliases=['name']),
+                         description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         host=dict(type='list'),
-            host=dict(type='list', required=False),
+                         hostcategory=dict(type='str', choices=['all']),
-            hostcategory=dict(type='str', required=False, choices=['all']),
+                         hostgroup=dict(type='list'),
-            hostgroup=dict(type='list', required=False),
+                         service=dict(type='list'),
-            service=dict(type='list', required=False),
+                         servicecategory=dict(type='str', choices=['all']),
-            servicecategory=dict(type='str', required=False, choices=['all']),
+                         servicegroup=dict(type='list'),
-            servicegroup=dict(type='list', required=False),
+                         sourcehost=dict(type='list'),
-            sourcehost=dict(type='list', required=False),
+                         sourcehostcategory=dict(type='str', choices=['all']),
-            sourcehostcategory=dict(type='str', required=False, choices=['all']),
+                         sourcehostgroup=dict(type='list'),
-            sourcehostgroup=dict(type='list', required=False),
+                         state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']),
-            state=dict(type='str', required=False, default='present',
+                         user=dict(type='list'),
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+                         usercategory=dict(type='str', choices=['all']),
-            user=dict(type='list', required=False),
+                         usergroup=dict(type='list'))
-            usercategory=dict(type='str', required=False, choices=['all']),
+
-            usergroup=dict(type='list', required=False),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+                           supports_check_mode=True
-            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
+                           )
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = HBACRuleIPAClient(module=module,
                               host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_host.py
+++ b/lib/ansible/modules/identity/ipa/ipa_host.py
@ -28,7 +28,6 @@ options:
  description:
    description:
    - A description of this host.
    required: false
  force:
    description:
    - Force host name even if not in DNS.
@ -36,29 +35,24 @@ options:
  ip_address:
    description:
    - Add the host to DNS with this IP address.
    required: false
  mac_address:
    description:
    - List of Hardware MAC address(es) off this host.
    - If option is omitted MAC addresses will not be checked or changed.
    - If an empty list is passed all assigned MAC addresses will be removed.
    - MAC addresses that are already assigned but not passed will be removed.
    required: false
    aliases: ["macaddress"]
  ns_host_location:
    description:
    - Host location (e.g. "Lab 2")
    required: false
    aliases: ["nshostlocation"]
  ns_hardware_platform:
    description:
    - Host hardware platform (e.g. "Lenovo T61")
    required: false
    aliases: ["nshardwareplatform"]
  ns_os_version:
    description:
    - Host operating system and version (e.g. "Fedora 9")
    required: false
    aliases: ["nsosversion"]
  user_certificate:
    description:
@ -66,40 +60,12 @@ options:
    - If option is omitted certificates will not be checked or changed.
    - If an empty list is passed all assigned certificates will be removed.
    - Certificates already assigned but not passed will be removed.
    required: false
    aliases: ["usercertificate"]
  state:
    description: State to ensure
    required: false
    default: present
    choices: ["present", "absent", "disabled"]
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: ipa.example.com
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: admin
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: https
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -159,7 +125,7 @@ host_diff:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -252,28 +218,20 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         fqdn=dict(type='str', required=True, aliases=['name']),
-            fqdn=dict(type='str', required=True, aliases=['name']),
+                         force=dict(type='bool'),
-            force=dict(type='bool', required=False),
+                         ip_address=dict(type='str'),
-            ip_address=dict(type='str', required=False),
+                         ns_host_location=dict(type='str', aliases=['nshostlocation']),
-            ns_host_location=dict(type='str', required=False, aliases=['nshostlocation']),
+                         ns_hardware_platform=dict(type='str', aliases=['nshardwareplatform']),
-            ns_hardware_platform=dict(type='str', required=False, aliases=['nshardwareplatform']),
+                         ns_os_version=dict(type='str', aliases=['nsosversion']),
-            ns_os_version=dict(type='str', required=False, aliases=['nsosversion']),
+                         user_certificate=dict(type='list', aliases=['usercertificate']),
-            user_certificate=dict(type='list', required=False, aliases=['usercertificate']),
+                         mac_address=dict(type='list', aliases=['macaddress']),
-            mac_address=dict(type='list', required=False, aliases=['macaddress']),
+                         state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']))
-            state=dict(type='str', required=False, default='present',
+
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+                           supports_check_mode=True)
            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = HostIPAClient(module=module,
                           host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_hostgroup.py
+++ b/lib/ansible/modules/identity/ipa/ipa_hostgroup.py
@ -28,54 +28,24 @@ options:
  description:
    description:
    - Description
    required: false
  host:
    description:
    - List of hosts that belong to the host-group.
    - If an empty list is passed all hosts will be removed from the group.
    - If option is omitted hosts will not be checked or changed.
    - If option is passed all assigned hosts that are not passed will be unassigned from the group.
    required: false
  hostgroup:
    description:
    - List of host-groups than belong to that host-group.
    - If an empty list is passed all host-groups will be removed from the group.
    - If option is omitted host-groups will not be checked or changed.
    - If option is passed all assigned hostgroups that are not passed will be unassigned from the group.
    required: false
  state:
    description:
    - State to ensure.
    required: false
    default: "present"
    choices: ["present", "absent"]
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -112,7 +82,7 @@ hostgroup:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -207,23 +177,15 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(cn=dict(type='str', required=True, aliases=['name']),
-            cn=dict(type='str', required=True, aliases=['name']),
+                         description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         host=dict(type='list'),
-            host=dict(type='list', required=False),
+                         hostgroup=dict(type='list'),
-            hostgroup=dict(type='list', required=False),
+                         state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']))
-            state=dict(type='str', required=False, default='present',
+
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+                           supports_check_mode=True)
            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = HostGroupIPAClient(module=module,
                                host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_role.py
+++ b/lib/ansible/modules/identity/ipa/ipa_role.py
@ -28,7 +28,6 @@ options:
  description:
    description:
    - A description of this role-group.
    required: false
  group:
    description:
    - List of group names assign to this role.
@ -41,21 +40,18 @@ options:
    - If an empty list is passed all assigned hosts will be unassigned from the role.
    - If option is omitted hosts will not be checked or changed.
    - If option is passed all assigned hosts that are not passed will be unassigned from the role.
    required: false
  hostgroup:
    description:
    - List of host group names to assign.
    - If an empty list is passed all assigned host groups will be removed from the role.
    - If option is omitted host groups will not be checked or changed.
    - If option is passed all assigned hostgroups that are not passed will be unassigned from the role.
    required: false
  privilege:
    description:
    - List of privileges granted to the role.
    - If an empty list is passed all assigned privileges will be removed.
    - If option is omitted privileges will not be checked or changed.
    - If option is passed all assigned privileges that are not passed will be removed.
    required: false
    default: None
    version_added: "2.4"
  service:
@ -64,10 +60,8 @@ options:
    - If an empty list is passed all assigned services will be removed from the role.
    - If option is omitted services will not be checked or changed.
    - If option is passed all assigned services that are not passed will be removed from the role.
    required: false
  state:
    description: State to ensure
    required: false
    default: "present"
    choices: ["present", "absent"]
  user:
@ -75,34 +69,7 @@ options:
    - List of user names to assign.
    - If an empty list is passed all assigned users will be removed from the role.
    - If option is omitted users will not be checked or changed.
-    required: false
+extends_documentation_fragment: ipa.documentation
  ipa_port:
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -154,7 +121,7 @@ role:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -294,26 +261,19 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(cn=dict(type='str', required=True, aliases=['name']),
-            cn=dict(type='str', required=True, aliases=['name']),
+                         description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         group=dict(type='list'),
-            group=dict(type='list', required=False),
+                         host=dict(type='list'),
-            host=dict(type='list', required=False),
+                         hostgroup=dict(type='list'),
-            hostgroup=dict(type='list', required=False),
+                         privilege=dict(type='list'),
-            privilege=dict(type='list', required=False),
+                         service=dict(type='list'),
-            service=dict(type='list', required=False),
+                         state=dict(type='str', default='present', choices=['present', 'absent']),
-            state=dict(type='str', required=False, default='present', choices=['present', 'absent']),
+                         user=dict(type='list'))
-            user=dict(type='list', required=False),
+
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
+                           supports_check_mode=True)
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = RoleIPAClient(module=module,
                           host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_sudocmd.py
+++ b/lib/ansible/modules/identity/ipa/ipa_sudocmd.py
@ -27,39 +27,11 @@ options:
  description:
    description:
    - A description of this command.
    required: false
  state:
    description: State to ensure
    required: false
    default: present
    choices: ['present', 'absent']
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -91,7 +63,7 @@ sudocmd:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -155,21 +127,13 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']),
-            state=dict(type='str', required=False, default='present',
+                         sudocmd=dict(type='str', required=True, aliases=['name']))
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+
-            sudocmd=dict(type='str', required=True, aliases=['name']),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+                           supports_check_mode=True)
            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = SudoCmdIPAClient(module=module,
                              host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_sudocmdgroup.py
+++ b/lib/ansible/modules/identity/ipa/ipa_sudocmdgroup.py
@ -29,7 +29,6 @@ options:
    - Group description.
  state:
    description: State to ensure
    required: false
    default: present
    choices: ['present', 'absent']
  sudocmd:
@ -37,34 +36,7 @@ options:
    - List of sudo commands to assign to the group.
    - If an empty list is passed all assigned commands will be removed from the group.
    - If option is omitted sudo commands will not be checked or changed.
-    required: false
+extends_documentation_fragment: ipa.documentation
  ipa_port:
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -98,7 +70,7 @@ sudocmdgroup:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -180,22 +152,14 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(cn=dict(type='str', required=True, aliases=['name']),
-            cn=dict(type='str', required=True, aliases=['name']),
+                         description=dict(type='str'),
-            description=dict(type='str', required=False),
+                         state=dict(type='str', default='present', choices=['present', 'absent', 'enabled', 'disabled']),
-            state=dict(type='str', required=False, default='present',
+                         sudocmd=dict(type='list'))
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+
-            sudocmd=dict(type='list', required=False),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+                           supports_check_mode=True)
            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = SudoCmdGroupIPAClient(module=module,
                                   host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_sudorule.py
+++ b/lib/ansible/modules/identity/ipa/ipa_sudorule.py
@ -29,83 +29,48 @@ options:
    description:
    - Command category the rule applies to.
    choices: ['all']
    required: false
  cmd:
    description:
    - List of commands assigned to the rule.
    - If an empty list is passed all commands will be removed from the rule.
    - If option is omitted commands will not be checked or changed.
    required: false
  host:
    description:
    - List of hosts assigned to the rule.
    - If an empty list is passed all hosts will be removed from the rule.
    - If option is omitted hosts will not be checked or changed.
    - Option C(hostcategory) must be omitted to assign hosts.
    required: false
  hostcategory:
    description:
    - Host category the rule applies to.
    - If 'all' is passed one must omit C(host) and C(hostgroup).
    - Option C(host) and C(hostgroup) must be omitted to assign 'all'.
    choices: ['all']
    required: false
  hostgroup:
    description:
    - List of host groups assigned to the rule.
    - If an empty list is passed all host groups will be removed from the rule.
    - If option is omitted host groups will not be checked or changed.
    - Option C(hostcategory) must be omitted to assign host groups.
    required: false
  user:
    description:
    - List of users assigned to the rule.
    - If an empty list is passed all users will be removed from the rule.
    - If option is omitted users will not be checked or changed.
    required: false
  usercategory:
    description:
    - User category the rule applies to.
    choices: ['all']
    required: false
  usergroup:
    description:
    - List of user groups assigned to the rule.
    - If an empty list is passed all user groups will be removed from the rule.
    - If option is omitted user groups will not be checked or changed.
    required: false
  state:
    description: State to ensure
    required: false
    default: present
    choices: ['present', 'absent', 'enabled', 'disabled']
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 '''
@ -150,7 +115,7 @@ sudorule:
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -335,35 +300,27 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(cmd=dict(type='list', required=False),
-            cmd=dict(type='list', required=False),
+                         cmdcategory=dict(type='str', required=False, choices=['all']),
-            cmdcategory=dict(type='str', required=False, choices=['all']),
+                         cn=dict(type='str', required=True, aliases=['name']),
-            cn=dict(type='str', required=True, aliases=['name']),
+                         description=dict(type='str', required=False),
-            description=dict(type='str', required=False),
+                         host=dict(type='list', required=False),
-            host=dict(type='list', required=False),
+                         hostcategory=dict(type='str', required=False, choices=['all']),
-            hostcategory=dict(type='str', required=False, choices=['all']),
+                         hostgroup=dict(type='list', required=False),
-            hostgroup=dict(type='list', required=False),
+                         sudoopt=dict(type='list', required=False),
-            sudoopt=dict(type='list', required=False),
+                         state=dict(type='str', required=False, default='present', choices=['present', 'absent', 'enabled', 'disabled']),
-            state=dict(type='str', required=False, default='present',
+                         user=dict(type='list', required=False),
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+                         usercategory=dict(type='str', required=False, choices=['all']),
-            user=dict(type='list', required=False),
+                         usergroup=dict(type='list', required=False))
-            usercategory=dict(type='str', required=False, choices=['all']),
+
-            usergroup=dict(type='list', required=False),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+                           mutually_exclusive=[['cmdcategory', 'cmd'],
-            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
+                                               ['hostcategory', 'host'],
-            ipa_port=dict(type='int', required=False, default=443),
+                                               ['hostcategory', 'hostgroup'],
-            ipa_user=dict(type='str', required=False, default='admin'),
+                                               ['usercategory', 'user'],
-            ipa_pass=dict(type='str', required=True, no_log=True),
+                                               ['usercategory', 'usergroup']],
-            validate_certs=dict(type='bool', required=False, default=True),
+                           supports_check_mode=True)
        ),
        mutually_exclusive=[['cmdcategory', 'cmd'],
                            ['hostcategory', 'host'],
                            ['hostcategory', 'hostgroup'],
                            ['usercategory', 'user'],
                            ['usercategory', 'usergroup']],
        supports_check_mode=True,
    )
    client = SudoRuleIPAClient(module=module,
                               host=module.params['ipa_host'],
--- a/lib/ansible/modules/identity/ipa/ipa_user.py
+++ b/lib/ansible/modules/identity/ipa/ipa_user.py
@ -21,35 +21,27 @@ description:
 options:
  displayname:
    description: Display name
    required: false
  givenname:
    description: First name
    required: false
  loginshell:
    description: Login shell
    required: false
  mail:
    description:
    - List of mail addresses assigned to the user.
    - If an empty list is passed all assigned email addresses will be deleted.
    - If None is passed email addresses will not be checked or changed.
    required: false
  password:
    description:
-    - Password
+    - Password for new user
    required: false
  sn:
    description: Surname
    required: false
  sshpubkey:
    description:
    - List of public SSH key.
    - If an empty list is passed all assigned public keys will be deleted.
    - If None is passed SSH public keys will not be checked or changed.
    required: false
  state:
    description: State to ensure
    required: false
    default: "present"
    choices: ["present", "absent", "enabled", "disabled"]
  telephonenumber:
@ -57,41 +49,13 @@ options:
    - List of telephone numbers assigned to the user.
    - If an empty list is passed all assigned telephone numbers will be deleted.
    - If None is passed telephone numbers will not be checked or changed.
    required: false
  title:
    description: Title
    required: false
  uid:
    description: uid of the user
    required: true
    aliases: ["name"]
-  ipa_port:
+extends_documentation_fragment: ipa.documentation
    description: Port of IPA server
    required: false
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    required: false
    default: "ipa.example.com"
  ipa_user:
    description: Administrative account used on IPA server
    required: false
    default: "admin"
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    required: false
    default: "https"
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    required: false
    default: true
 version_added: "2.3"
 requirements:
 - base64
@ -137,7 +101,7 @@ import hashlib
 import traceback
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.ipa import IPAClient
+from ansible.module_utils.ipa import IPAClient, ipa_argument_spec
 from ansible.module_utils._text import to_native
@ -279,29 +243,22 @@ def ensure(module, client):
 def main():
-    module = AnsibleModule(
+    argument_spec = ipa_argument_spec()
-        argument_spec=dict(
+    argument_spec.update(displayname=dict(type='str'),
-            displayname=dict(type='str', required=False),
+                         givenname=dict(type='str'),
-            givenname=dict(type='str', required=False),
+                         loginshell=dict(type='str'),
-            loginshell=dict(type='str', required=False),
+                         mail=dict(type='list'),
-            mail=dict(type='list', required=False),
+                         sn=dict(type='str'),
-            sn=dict(type='str', required=False),
+                         uid=dict(type='str', required=True, aliases=['name']),
-            uid=dict(type='str', required=True, aliases=['name']),
+                         password=dict(type='str', no_log=True),
-            password=dict(type='str', required=False, no_log=True),
+                         sshpubkey=dict(type='list'),
-            sshpubkey=dict(type='list', required=False),
+                         state=dict(type='str', default='present',
-            state=dict(type='str', required=False, default='present',
+                                    choices=['present', 'absent', 'enabled', 'disabled']),
-                       choices=['present', 'absent', 'enabled', 'disabled']),
+                         telephonenumber=dict(type='list'),
-            telephonenumber=dict(type='list', required=False),
+                         title=dict(type='str'))
-            title=dict(type='str', required=False),
+
-            ipa_prot=dict(type='str', required=False, default='https', choices=['http', 'https']),
+    module = AnsibleModule(argument_spec=argument_spec,
-            ipa_host=dict(type='str', required=False, default='ipa.example.com'),
+                           supports_check_mode=True)
            ipa_port=dict(type='int', required=False, default=443),
            ipa_user=dict(type='str', required=False, default='admin'),
            ipa_pass=dict(type='str', required=True, no_log=True),
            validate_certs=dict(type='bool', required=False, default=True),
        ),
        supports_check_mode=True,
    )
    client = UserIPAClient(module=module,
                           host=module.params['ipa_host'],
--- a/lib/ansible/utils/module_docs_fragments/ipa.py
+++ b/lib/ansible/utils/module_docs_fragments/ipa.py
@ -0,0 +1,33 @@
 # Copyright (c) 2017, Ansible Project
 # Copyright (c) 2017, Abhijeet Kasurde (akasurde@redhat.com)
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 class ModuleDocFragment(object):
    # Parameters for FreeIPA/IPA modules
    DOCUMENTATION = '''
 options:
  ipa_port:
    description: Port of IPA server
    default: 443
  ipa_host:
    description: IP or hostname of IPA server
    default: ipa.example.com
  ipa_user:
    description: Administrative account used on IPA server
    default: admin
  ipa_pass:
    description: Password of administrative user
    required: true
  ipa_prot:
    description: Protocol used by IPA server
    default: https
    choices: ["http", "https"]
  validate_certs:
    description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only set to C(no) used on personally controlled sites using self-signed certificates.
    default: true
 '''