ipa_group: add append option (#3545)

* ipa: add append parameter to modify_if_diff

* ipa_group: add state: append

* ipa_group: rework append to an option instead of another state

* ipa_group: append default=no

* ipa_group: add change fragment for new append option

* ipa_group: restore descriptions for group and user

* ipa_group: re-add missed quotation mark

* ipa_group: set default for append in
argument_spec

* ipa_group: add .yml ext to fragement file

* ipa_group: corrections to append description

* ipa_group: refine change fragement text

Co-authored-by: Felix Fontein <felix@fontein.de>

* ipa_group: use correct macros in option descriptions

Co-authored-by: Felix Fontein <felix@fontein.de>

* ipa_group: include append in user and group descriptions

* ipa_group: add version_added

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/3545-ipa_group-add-append-option.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - "ipa_group - add ``append`` option for adding group and users members, instead of replacing the respective lists (https://github.com/ansible-collections/community.general/pull/3545)."

plugins/module_utils/ipa.py

@@ -179,10 +179,10 @@ class IPAClient(object):
                 result.append(key)
         return result
 
-    def modify_if_diff(self, name, ipa_list, module_list, add_method, remove_method, item=None):
+    def modify_if_diff(self, name, ipa_list, module_list, add_method, remove_method, item=None, append=None):
         changed = False
         diff = list(set(ipa_list) - set(module_list))
-        if len(diff) > 0:
+        if append is not True and len(diff) > 0:
             changed = True
             if not self.module.check_mode:
                 if item:

plugins/modules/identity/ipa/ipa_group.py

@@ -14,6 +14,13 @@ short_description: Manage FreeIPA group
 description:
 - Add, modify and delete group within IPA server
 options:
+  append:
+    description:
+    - If C(yes), add the listed I(user) and I(group) to the group members.
+    - If C(no), only the listed I(user) and I(group) will be group members, removing any other members.
+    default: no
+    type: bool
+    version_added: 4.0.0
   cn:
     description:
     - Canonical name.
@@ -37,9 +44,10 @@ options:
   group:
     description:
     - List of group names assigned to this group.
-    - If an empty list is passed all groups will be removed from this group.
-    - If option is omitted assigned groups will not be checked or changed.
+    - If I(append=no) and an empty list is passed all groups will be removed from this group.
     - Groups that are already assigned but not passed will be removed.
+    - If I(append=yes) the listed groups will be assigned without removing other groups.
+    - If option is omitted assigned groups will not be checked or changed.
     type: list
     elements: str
   nonposix:
@@ -49,9 +57,10 @@ options:
   user:
     description:
     - List of user names assigned to this group.
-    - If an empty list is passed all users will be removed from this group.
-    - If option is omitted assigned users will not be checked or changed.
+    - If I(append=no) and an empty list is passed all users will be removed from this group.
     - Users that are already assigned but not passed will be removed.
+    - If I(append=yes) the listed users will be assigned without removing other users.
+    - If option is omitted assigned users will not be checked or changed.
     type: list
     elements: str
   state:
@@ -95,6 +104,17 @@ EXAMPLES = r'''
     ipa_user: admin
     ipa_pass: topsecret
 
+- name: Ensure that new starter named john is member of the group, without removing other members
+  community.general.ipa_group:
+    name: developers
+    user:
+    - john
+    append: yes
+    state: present
+    ipa_host: ipa.example.com
+    ipa_user: admin
+    ipa_pass: topsecret
+
 - name: Ensure group is absent
   community.general.ipa_group:
     name: sysops
@@ -187,6 +207,7 @@ def ensure(module, client):
     name = module.params['cn']
     group = module.params['group']
     user = module.params['user']
+    append = module.params['append']
 
     module_group = get_group_dict(description=module.params['description'], external=module.params['external'],
                                   gid=module.params['gidnumber'], nonposix=module.params['nonposix'])
@@ -211,12 +232,14 @@ def ensure(module, client):
         if group is not None:
             changed = client.modify_if_diff(name, ipa_group.get('member_group', []), group,
                                             client.group_add_member_group,
-                                            client.group_remove_member_group) or changed
+                                            client.group_remove_member_group,
+                                            append=append) or changed
 
         if user is not None:
             changed = client.modify_if_diff(name, ipa_group.get('member_user', []), user,
                                             client.group_add_member_user,
-                                            client.group_remove_member_user) or changed
+                                            client.group_remove_member_user,
+                                            append=append) or changed
 
     else:
         if ipa_group:
@@ -236,7 +259,8 @@ def main():
                          group=dict(type='list', elements='str'),
                          nonposix=dict(type='bool'),
                          state=dict(type='str', default='present', choices=['present', 'absent']),
-                         user=dict(type='list', elements='str'))
+                         user=dict(type='list', elements='str'),
+                         append=dict(type='bool', default=False))
 
     module = AnsibleModule(argument_spec=argument_spec,
                            supports_check_mode=True,