Add response-policy to dns::view

theforeman · May 16, 2024 · 16c2ec4 · 16c2ec4
1 parent fa0ec26
commit 16c2ec4
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/manifests/view.pp b/manifests/view.pp
@@ -38,6 +38,14 @@
 #    not to be unmanaged to be effective.
 # @param order
 #   The order parameter to the concat fragment.
+# @param response_policy
+#   Optional. An array of response policy configurations for the view in the
+#   following format:
+#   [{'zone' => '<ZONE_NAME>', 'policy' => '<POLICY_ACTION>', 'log' => true|false,
+#     'max_policy_ttl' => <TTL_VALUE>, 'cname_domain' => '<CNAME_DOMAIN>'}]
+#   Example: [{'zone' => 'example.com', 'policy' => 'passthru', 'log' => true,
+#              'max_policy_ttl' => 3600}, {'zone' => 'example.net',
+#              'policy' => 'cname', 'cname_domain' => 'example.com'}]
 #
 define dns::view (
   Array[String]                         $match_clients        = [],
@@ -57,6 +65,7 @@
   Boolean                               $include_localzones   = true,
   Boolean                               $include_defaultzones = true,
   String                                $order                = '-',
+  Optional[Dns::ResponsePolicy]         $response_policy      = undef,
 ) {
   unless $dns::enable_views {
     fail('Must set $dns::enable_views to true in order to use dns::view')

diff --git a/templates/named.view_header.erb b/templates/named.view_header.erb
@@ -41,6 +41,13 @@ view "<%= @title %>" {
 <% if @dnssec_validation -%>
     dnssec-validation <%= @dnssec_validation %>;
 <% end -%>
+<% if @response_policy -%>
+    response-policy {
+<% @response_policy.each do |policy| -%>
+        zone "<%= policy['zone'] %>"<% if policy['policy'] -%> policy <%= policy['policy'] %><% end -%><% if policy['policy'] == 'cname' && policy['cname_domain'] -%> <%= policy['cname_domain'] %><% end -%><% if policy['max_policy_ttl'] -%> max-policy-ttl <%= policy['max_policy_ttl'] %><% end -%><% if policy['log'] -%> log <%= policy['log'] %><% end -%>;
+<% end -%>
+    };
+<% end -%>
 
 <% if @include_localzones -%>
 <% if scope.lookupvar("::dns::localzonepath") != 'unmanaged' -%>

diff --git a/types/responsepolicy.pp b/types/responsepolicy.pp
@@ -0,0 +1,12 @@
+type Dns::ResponsePolicy = Array[
+  Struct[{
+    zone           => String[1],
+    policy         => Optional[Enum[
+      'given', 'disabled', 'passthru', 'drop',
+      'nxdomain', 'nodata', 'tcp-only', 'cname'
+    ]],
+    cname_domain   => Optional[String[1]],
+    max_policy_ttl => Optional[Integer],
+    log            => Optional[Boolean]
+  }], 1, 32
+]