From cd551a0f0700ff6019d6bc50187ad6bd50c0c97c Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Fri, 12 Feb 2021 18:26:05 +0100
Subject: [PATCH] ipa/client: Split up shell access HBAC rule tasks

Need to create the rule, then add members to it.

Signed-off-by: Nils Philippsen
---
 roles/ipa/client/tasks/hbac.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/roles/ipa/client/tasks/hbac.yml b/roles/ipa/client/tasks/hbac.yml
index dce7610cd4..1b8dfae9af 100644
--- a/roles/ipa/client/tasks/hbac.yml
+++ b/roles/ipa/client/tasks/hbac.yml
@@ -92,16 +92,24 @@
 - ipa_client_shell_groups
 - ipa_client_sudo_groups

-- name: Give certain groups shell access per host group
+- name: Ensure shell access HBAC rule exists
 delegate_to: "{{ item[0] }}"
 ipahbacrule:
 name: "hostgroup/{{ item[1] }}/shell-access"
 description: "Grant shell access on host group {{ item[1] }}"
 ipaadmin_password: "{{ ipa_server_admin_passwords[item[0]] }}"
- action: member
 hbacsvcgroup:
 - shell-access
 state: present
- group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['shell_groups'] }}"
 hostgroup: "{{ item[1] }}"
 loop: "{{ ipa_server_host_groups }}"
+
+- name: Give certain groups shell access per host group
+ delegate_to: "{{ item[0] }}"
+ ipahbacrule:
+ name: "hostgroup/{{ item[1] }}/shell-access"
+ ipaadmin_password: "{{ ipa_server_admin_passwords[item[0]] }}"
+ action: member
+ state: present
+ group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['shell_groups'] }}"
+ loop: "{{ ipa_server_host_groups }}"
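Review bot: The second task (`action: member`, `state: present`) only ever adds the groups listed in `shell_groups` to the rule, so a group that is later dropped from `ipa_server_host_groups_dict` keeps shell access on that host group until someone removes it by hand. If the inventory is meant to be authoritative for who may log in, consider passing `group:` in the first task, where the module's default action manages the rule as a whole, or add a cleanup step that removes groups no longer listed. It is also worth confirming that re-running the first task without `group` does not strip the members the second task added; that depends on how the installed ipahbacrule version treats omitted member lists, which is not visible here. A short comment above the second task, e.g. `# additive only: removing a group from shell_groups does not revoke access`, would make the current behaviour explicit.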