From 42b9c209ab4ee8fc5bf546d8563c46c4a623dc4a Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Thu, 23 May 2019 17:45:01 +1000
Subject: [PATCH] Zone file validation role

This role uses named-checkzone to validate Bind zone.db files it finds
in the specified directory.  Helps to avoid committing broken DNS
configurations.

Needed-By: https://review.opendev.org/660888

Change-Id: If3dc95d1348553e5b43683f6a36d324fb978fbed
---
 doc/source/general-roles.rst              |  1 +
 roles/validate-zone-db/README.rst         | 12 ++++++++++++
 roles/validate-zone-db/defaults/main.yaml |  2 ++
 roles/validate-zone-db/tasks/main.yaml    | 17 +++++++++++++++++
 4 files changed, 32 insertions(+)
 create mode 100644 roles/validate-zone-db/README.rst
 create mode 100644 roles/validate-zone-db/defaults/main.yaml
 create mode 100644 roles/validate-zone-db/tasks/main.yaml

diff --git a/doc/source/general-roles.rst b/doc/source/general-roles.rst
index 0f50d8b9c..02fd736a7 100644
--- a/doc/source/general-roles.rst
+++ b/doc/source/general-roles.rst
@@ -33,5 +33,6 @@ General Purpose Roles
 .. zuul:autorole:: upload-git-mirror
 .. zuul:autorole:: validate-dco-license
 .. zuul:autorole:: validate-host
+.. zuul:autorole:: validate-zone-db
 .. zuul:autorole:: version-from-git
 .. zuul:autorole:: write-inventory
diff --git a/roles/validate-zone-db/README.rst b/roles/validate-zone-db/README.rst
new file mode 100644
index 000000000..8b388d7d2
--- /dev/null
+++ b/roles/validate-zone-db/README.rst
@@ -0,0 +1,12 @@
+Validate bind zone.db files
+
+This role uses ``named-checkzone`` to validate Bind ``zone.db`` files.
+
+**Role Variables**
+
+.. zuul:rolevar:: zone_files
+   :default: zuul.project.src_dir
+
+   Look for ``zone.db`` files recursively in this directory.  The
+   layout should be ``domain.xyz/zone.db`` where a parent directory is
+   named for the zone the child ``zone.db`` file describes.
diff --git a/roles/validate-zone-db/defaults/main.yaml b/roles/validate-zone-db/defaults/main.yaml
new file mode 100644
index 000000000..fd44e370e
--- /dev/null
+++ b/roles/validate-zone-db/defaults/main.yaml
@@ -0,0 +1,2 @@
+zone_files: '{{ ansible_user_dir }}/{{ zuul.project.src_dir }}'
+
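Review bot: The default set here, `'{{ ansible_user_dir }}/{{ zuul.project.src_dir }}'`, does not match what the README hunk in this same commit documents as the default (`:default: zuul.project.src_dir`); one of the two should be corrected so users know the value is an absolute path under the user's home directory. The file also has no `---` document-start marker, which the other role defaults in this repository are likely to use (not visible here, so please confirm). The quoting of the templated value is correct and should stay.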
diff --git a/roles/validate-zone-db/tasks/main.yaml b/roles/validate-zone-db/tasks/main.yaml
new file mode 100644
index 000000000..4c2abe01d
--- /dev/null
+++ b/roles/validate-zone-db/tasks/main.yaml
@@ -0,0 +1,17 @@
+- name: Install bind9utils
+  package:
+    name: bind9utils
+    state: present
+  become: yes
+
+- name: Find zone files
+  find:
+    paths: '{{ zone_files }}'
+    patterns: 'zone.db'
+    recurse: yes
+    file_type: 'file'
+  register: zone_db_files
+
+- name: 'Run checkzone'
+  command: '/usr/sbin/named-checkzone {{ item.path.split("/")[-2] }} {{ item.path }}'
+  loop: "{{ zone_db_files['files'] }}"
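Review bot: The `named-checkzone` task reports `changed` on every run although it only validates input, so it should carry `changed_when: false`; a non-zero exit from the checker still fails the task as intended. The `become: yes` and `recurse: yes` values should be written as `true` — `yes` is a YAML 1.1 boolean spelling that yamllint's `truthy` rule and ansible-lint both flag. The zone name is derived from the parent directory with `item.path.split("/")[-2]`, so a `zone.db` placed directly in `zone_files` is checked against the source-directory name rather than a zone; that is the layout the README requires, but a short comment above the task, `# zone name is taken from the parent directory, e.g. example.org/zone.db`, would make the assumption visible where it is used. The package name `bind9utils` appears to be the Debian/Ubuntu name; if the role is meant to run on other distributions the task may need a per-family package mapping — please confirm the intended platforms.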