Inspect DNS state
When To Use This
Use this when IdM integrated DNS records should gate automation decisions.
Required Authority
IdM DNS owns the queried records. The lookup reads them without changing DNS.
Safety Boundary
This workflow is read-only. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Inputs
- Zone name
- Record name or search criteria
- Read access to IdM DNS APIs
Steps
- Query the exact record with show.
- Use find for discovery or batch checks.
- Gate downstream tasks on existence and returned record types.
ansible localhost -m ansible.builtin.debug -a "msg={{ lookup('eigenstate.ipa.dns', 'app', zone='example.com', result_format='record') }}"
Example DNS Inspection
This playbook reads IdM DNS records and fails early when the expected address is not present.
inspect-dns.yml
---
- name: Inspect IdM DNS state before deployment
  hosts: localhost
  gather_facts: false
  vars:
    expected_ip: 192.0.2.25
  tasks:
    - name: Read the app DNS record
      ansible.builtin.set_fact:
        app_dns: >-
          {{ lookup('eigenstate.ipa.dns',
                    'app01',
                    zone='example.com',
                    server='idm-01.example.com',
                    kerberos_keytab='/runner/env/ipa/automation.keytab') }}
    - name: Require the DNS record before continuing
      ansible.builtin.assert:
        that:
          - expected_ip in app_dns.arecord
        fail_msg: "app01.example.com does not point at {{ expected_ip }}."
Run It
ansible-playbook inspect-dns.yml
Expected Evidence
The lookup result is a structured record that can be asserted before the deployment continues:
app_dns:
  exists: true
  zone: example.com
  name: app
  arecord:
    - 192.0.2.25
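The following playbook is an added example, not part of the eigenstate.ipa.dns documentation. It extends the batch-check and gating steps above: several records are read with the same lookup parameters used in inspect-dns.yml, and the deployment task runs only if every record exists and carries the expected A record. It assumes the lookup returns the structured record shown under Expected Evidence (exists, zone, name, arecord), that a missing record comes back with exists set to false rather than raising an error, and that dns_zone, idm_server, idm_keytab and the expected_records map are placeholders; the host names and addresses are constructed.

```yaml
---
# Added example (not the collection's own code). Batch-checks several IdM DNS
# records with the read-only eigenstate.ipa.dns lookup and gates a downstream
# task on existence and on the returned A records.
# Assumptions: the lookup accepts zone/server/kerberos_keytab as shown in
# inspect-dns.yml and returns {exists, zone, name, arecord}; a missing record
# yields exists: false. Names, addresses and the keytab path are constructed.
- name: Gate a rollout on IdM DNS state for several hosts
  hosts: localhost
  gather_facts: false
  vars:
    dns_zone: example.com
    idm_server: idm-01.example.com
    idm_keytab: /runner/env/ipa/automation.keytab
    # Constructed expectations: relative record name -> address it must carry
    expected_records:
      app01: 192.0.2.25
      app02: 192.0.2.26
      db01: 192.0.2.40
  tasks:
    # Read-only: one lookup per expected record, accumulated into dns_state
    - name: Read each expected record from IdM DNS
      ansible.builtin.set_fact:
        dns_state: >-
          {{ dns_state | default({})
             | combine({item.key: lookup('eigenstate.ipa.dns',
                                         item.key,
                                         zone=dns_zone,
                                         server=idm_server,
                                         kerberos_keytab=idm_keytab)}) }}
      loop: "{{ expected_records | dict2items }}"
      loop_control:
        label: "{{ item.key }}.{{ dns_zone }}"

    # Gate: every record must exist and its A records must include the
    # expected address. default([]) keeps the check safe when arecord is absent.
    - name: Require every record to exist with the expected A record
      ansible.builtin.assert:
        that:
          - dns_state[item.key].exists | bool
          - item.value in (dns_state[item.key].arecord | default([]))
        fail_msg: >-
          {{ item.key }}.{{ dns_zone }} is missing or does not point at
          {{ item.value }} (A records seen: {{ dns_state[item.key].arecord | default([]) }}).
        quiet: true
      loop: "{{ expected_records | dict2items }}"
      loop_control:
        label: "{{ item.key }}.{{ dns_zone }}"

    # Downstream work is reached only when every assertion above passed.
    - name: Continue with deployment once DNS state is verified
      ansible.builtin.debug:
        msg: "All {{ expected_records | length }} records verified; continuing."
```

Run it with ansible-playbook exactly as inspect-dns.yml is run. The first task only reads DNS, which keeps the job inside the read-only Safety Boundary; a record that is absent or points elsewhere stops the play at the assert task, so nothing after the gate runs on stale or missing records.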
Troubleshooting
- Zone not found: verify the IdM DNS zone name.
- Record missing: check relative name versus FQDN.
- API unavailable: verify IdM DNS is enabled.