Support check_mode in sshca_sign plugin

This is a trivial way of "supporting" check_mode: we simply always return changed: false. The support could be improved if we found a way to actually run the ssh-keygen command remotely, but we haven't been able to pass something equivalent to 'check_mode: no' to the _execute_module invocation...

Support check_mode in sshca_sign plugin
1d7796a5 · ale · 795bb458 · 1d7796a5
Commit 1d7796a5 authored 6 years ago by ale
--- a/plugins/action/sshca_sign.py
+++ b/plugins/action/sshca_sign.py
@@ -51,6 +51,13 @@ class ActionModule(ActionBase):

        result = super(ActionModule, self).run(tmp, task_vars)

+        # TODO: Support check_mode properly. Right now we simply
+        # return with changed: false, because we are unable to run the
+        # 'ssh-keygen' command remotely to obtain the expiration time.
+        if self._play_context.check_mode:
+            result['changed'] = False
+            return result
+
        changed = False
        if self._needs_renewal(task_vars, cert_path, renew_days):
            with temp_dir() as tmpdir:
@@ -91,7 +98,6 @@ class ActionModule(ActionBase):
            module_args={
                '_raw_params': "ssh-keygen -L -f %s | awk '/Valid:/ {print $5}'" % cert_path,
                '_uses_shell': True,
-                '_ansible_check_mode': False,
            },
            task_vars=task_vars,
            wrap_async=False)