ansible-collections / community.windows

Windows community collection for Ansible
https://galaxy.ansible.com/community/windows
GNU General Public License v3.0

Adding AD group to other AD group not working with win_domain_group_membership #518

Closed mesiq closed 1 year ago

mesiq commented 1 year ago
SUMMARY

When using state: present for adding an AD group into another AD group, the module fails with:

failed: [XXX-> XXX] (item=USR) => {"ansible_loop_var": "item", "changed": false, "item": "USR", "msg": "Get-AnsibleParam: Argument state needs to be one of domain,workgroup but was present."}
failed: [XXX-> XXX] (item=CON) => {"ansible_loop_var": "item", "changed": false, "item": "CON", "msg": "Get-AnsibleParam: Argument state needs to be one of domain,workgroup but was present."}

The documentation used: docu

ISSUE TYPE
COMPONENT NAME

win_domain_group_membership

ANSIBLE VERSION
ansible [core 2.13.2]
  python version = 3.8.14 (default, Sep 19 2022, 09:47:48) [GCC 9.1.1 20190605 (Red Hat 9.1.1-2)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.windows 1.13.0
CONFIGURATION
ANSIBLE_PIPELINING(/opt/ansible/ansible.cfg) = True
DEFAULT_FORKS(/opt/ansible/ansible.cfg) = 100
DEFAULT_TIMEOUT(/opt/ansible/ansible.cfg) = 30
DEFAULT_VAULT_PASSWORD_FILE(/opt/ansible/ansible.cfg) = /opt/ansible/.vault
DEPRECATION_WARNINGS(/opt/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/opt/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/opt/ansible/ansible.cfg) = auto_silent
RETRY_FILES_ENABLED(/opt/ansible/ansible.cfg) = False
OS / ENVIRONMENT

ansible server: Red Hat Enterprise Linux 7.9
host server: Windows 2012R2

STEPS TO REPRODUCE
- name: "Ensure Access groups are members of Resource groups"
  win_domain_membership:
    name: "R-A-{{ item }}"
    members:
    - "A-A-{{ item }}"
    state: present
  delegate_to: "{{ domain_controlers[0] }}"
  ignore_errors: true
  ignore_unreachable: true
  loop:
  - CON
  - USR

Note: domain_controllers is the dict with AD DCs where the PowerShell AD module is installed - other modules, e.g. win_domain_group, are working normally

EXPECTED RESULTS

Group membership is added

ACTUAL RESULTS
failed: [XXX-> XXX] (item=USR) => {"ansible_loop_var": "item", "changed": false, "item": "USR", "msg": "Get-AnsibleParam: Argument state needs to be one of domain,workgroup but was present."}
failed: [XXX-> XXX] (item=CON) => {"ansible_loop_var": "item", "changed": false, "item": "CON", "msg": "Get-AnsibleParam: Argument state needs to be one of domain,workgroup but was present."}

jborean93 commented 1 year ago

This module is now deprecated in favour of microsoft.ad.membership. But win_domain_membership and microsoft.ad.membership are designed to join/unjoin a host from a domain and not manage the group membership of an AD group. You want microsoft.ad.group which replaces the win_domain_group_membership module.

mesiq commented 1 year ago

I've noticed I used the wrong module. That must be some copy/paste error :-/
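
The task from the report rewritten with microsoft.ad.group, the module named in the reply above. This is an added example, not code from the thread or the collection; it assumes the microsoft.ad collection is installed, that both groups already exist, and that domain_controllers is the inventory variable described in the report's note.

```yaml
# Added example (not from the thread): nest each access group (A-A-*)
# into its resource group (R-A-*) using microsoft.ad.group.
- name: "Ensure Access groups are members of Resource groups"
  microsoft.ad.group:
    # Existing group to manage. If the group did not exist yet,
    # 'scope' would also be required to create it.
    name: "R-A-{{ item }}"
    members:
      # 'add' only appends and leaves other members untouched.
      # Use 'set' instead of 'add' to enforce the exact member list,
      # which removes any member not listed here.
      add:
        - "A-A-{{ item }}"
    state: present
  delegate_to: "{{ domain_controllers[0] }}"
  # ignore_errors is left out on purpose so a parameter error like the
  # one in this report fails the play instead of being skipped over.
  loop:
    - CON
    - USR
```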