user - warn if "append" is set but not "groups" (#65795)

This fixes people unknowingly changing the primary group rather than adding a secondary group.

* Add integration test

3 files changed, 21 insertions, 2 deletions

diff --git a/changelogs/fragments/65795-warn-if-user-has-set-append-but-not-set-groups.yaml b/changelogs/fragments/65795-warn-if-user-has-set-append-but-not-set-groups.yaml
new file mode 100644
index 0000000000..03a73e3bd0
--- /dev/null
+++ b/changelogs/fragments/65795-warn-if-user-has-set-append-but-not-set-groups.yaml
@@ -0,0 +1,2 @@
+minor_changes:
+  - 'user - usage of ``append: True`` without setting a list of groups. This is currently a no-op with a warning, and will change to an error in 2.14. (https://github.com/ansible/ansible/pull/65795)'
diff --git a/lib/ansible/modules/system/user.py b/lib/ansible/modules/system/user.py
index 6f4b8d0b11..2fada8d0fd 100644
--- a/lib/ansible/modules/system/user.py
+++ b/lib/ansible/modules/system/user.py
@@ -511,6 +511,12 @@ class User(object):
         else:
             self.ssh_file = os.path.join('.ssh', 'id_%s' % self.ssh_type)
 
+        if self.groups is None and self.append:
+            # Change the argument_spec in 2.14 and remove this warning
+            # required_by={'append': ['groups']}
+            module.warn("'append' is set, but no 'groups' are specified. Use 'groups' for appending new groups."
+                        "This will change to an error in Ansible 2.14.")
+
     def check_password_encrypted(self):
         # Darwin needs cleartext password, so skip validation
         if self.module.params['password'] and self.platform != 'Darwin':
diff --git a/test/integration/targets/user/tasks/main.yml b/test/integration/targets/user/tasks/main.yml
index bee81aabab..8fd23904a0 100644
--- a/test/integration/targets/user/tasks/main.yml
+++ b/test/integration/targets/user/tasks/main.yml
@@ -1022,15 +1022,25 @@
   tags:
     - user_test_local_mode
 
+- name: Test append without groups for local_ansibulluser
+  user:
+    name: local_ansibulluser
+    state: present
+    append: yes
+  register: local_user_test_5
+  ignore_errors: yes
+  tags:
+    - user_test_local_mode
+
 - name: Ensure local user accounts were created and removed properly
   assert:
     that:
       - local_user_test_1 is changed
       - local_user_test_2 is not changed
       - local_user_test_3 is failed
-      - "local_user_test_3['msg'] is search('parameters are mutually exclusive: groups|local')"
+      - 'local_user_test_3["msg"] is search("parameters are mutually exclusive: groups|local")'
       - local_user_test_4 is failed
-      - "local_user_test_4['msg'] is search('parameters are mutually exclusive: groups|append')"
+      - 'local_user_test_4["msg"] is search("parameters are mutually exclusive: groups|append")'
       - local_user_test_remove_1 is changed
       - local_user_test_remove_2 is not changed
   tags:
@@ -1041,6 +1051,7 @@
     that:
       - local_user_test_1['warnings'] | length > 0
       - local_user_test_1['warnings'] | first is search('The local user account may already exist')
+      - local_user_test_5['warnings'] is search("'append' is set, but no 'groups' are specified. Use 'groups'")
       - local_existing['warnings'] is not defined
   when: ansible_facts.system in ['Linux']
   tags: