From cb326011bfaa01021a35ae556a3d4e24d8ef2da6 Mon Sep 17 00:00:00 2001 
From: Romain Pelisse Date: Mon, 11 Mar 2024 12:41:53 +0100 Subject: [PATCH 1/4] Rework Molecule prepare phase to install sudo only if root on target --- molecule/account/molecule.yml | 17 +- molecule/account/prepare.yml | 16 ++ molecule/account/verify.yml | 1 + molecule/aphrodite/converge.yml | 1 + molecule/aphrodite/prepare.yml | 14 ++ molecule/aphrodite/verify.yml | 1 + molecule/bashrc/molecule.yml | 2 +- molecule/bashrc/prepare.yml | 16 ++ molecule/cron/molecule.yml | 15 +- molecule/cron/prepare.yml | 16 +- molecule/fast_yum_install/converge.yml | 1 + molecule/fast_yum_install/molecule.yml | 1 + molecule/fast_yum_install/prepare.yml | 16 ++ molecule/git/prepare.yml | 18 +- molecule/hosts/converge.yml | 1 + molecule/hosts/prepare.yml | 14 ++ molecule/hosts/verify.yml | 1 + molecule/java/molecule.yml | 11 +- molecule/java/prepare.yml | 12 ++ molecule/kdump/converge.yml | 1 + molecule/kdump/prepare.yml | 16 ++ molecule/kdump/verify.yml | 1 + molecule/motd/molecule.yml | 2 +- molecule/motd/prepare.yml | 13 ++ molecule/motd/verify.yml | 4 +- molecule/netrc/converge.yml | 1 + molecule/netrc/prepare.yml | 16 +- molecule/netrc/verify.yml | 1 + molecule/prepare.yml | 2 +- molecule/qualys_fix/converge.yml | 1 + molecule/qualys_fix/molecule.yml | 1 + molecule/qualys_fix/prepare.yml | 15 +- molecule/qualys_fix/verify.yml | 51 ++--- molecule/vault/converge.yml | 1 + molecule/vault/prepare.yml | 46 +++-- molecule/vault/vault_snap.yml | 15 ++ molecule/vault/vault_yum.yml | 15 ++ molecule/vault/verify.yml | 1 + roles/account/tasks/main.yml | 45 +++-- roles/aphrodite/tasks/main.yml | 1 + roles/bashrc/tasks/main.yml | 1 + roles/cci_worker/tasks/main.yml | 227 +++++++++++----------- roles/cron/defaults/main.yml | 1 + roles/cron/tasks/cronjob.yml | 51 ++--- roles/cron/tasks/main.yml | 8 +- roles/fast_yum_install/tasks/main.yml | 24 +-- roles/git/tasks/main.yml | 3 +- roles/java/tasks/archive_tool_install.yml | 59 +++--- roles/java/tasks/install_and_default.yml | 1 + 
roles/java/tasks/main.yml | 1 + roles/motd/tasks/main.yml | 9 +- roles/qualys_fix/tasks/main.yml | 1 + 52 files changed, 530 insertions(+), 279 deletions(-) create mode 100644 molecule/account/prepare.yml create mode 100644 molecule/bashrc/prepare.yml create mode 100644 molecule/fast_yum_install/prepare.yml create mode 100644 molecule/kdump/prepare.yml create mode 100644 molecule/vault/vault_snap.yml create mode 100644 molecule/vault/vault_yum.yml diff --git a/molecule/account/molecule.yml b/molecule/account/molecule.yml index 3b262340..9d3c118e 100644 --- a/molecule/account/molecule.yml +++ b/molecule/account/molecule.yml @@ -1,12 +1,6 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - requirements-file: molecule/default/requirements.yml driver: - name: podman + name: docker platforms: - name: instance image: registry.access.redhat.com/ubi8/ubi-init:latest @@ -17,18 +11,25 @@ platforms: - sudo provisioner: name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml env: + ANSIBLE_FORCE_COLOR: "true" ANSIBLE_ROLES_PATH: "../../roles" verifier: name: ansible scenario: test_sequence: - - dependency - cleanup - destroy + - syntax - create - prepare - converge diff --git a/molecule/account/prepare.yml b/molecule/account/prepare.yml new file mode 100644 index 00000000..d4b19bc7 --- /dev/null +++ b/molecule/account/prepare.yml @@ -0,0 +1,16 @@ +--- +- name: Prepare + hosts: all + gather_facts: yes + tasks: + + - name: "Display Ansible version" + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" diff --git a/molecule/account/verify.yml b/molecule/account/verify.yml index fb54c919..d51c2b6e 100644 --- a/molecule/account/verify.yml 
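Review bot: The driver is switched from podman to docker in this scenario and in cron (L5), while java (L8) keeps `name: podman` and the other scenarios' molecule.yml are untouched by this patch; if the move to docker is intentional it should be applied to every scenario, otherwise the two `+ name: docker` lines look like leftovers from local testing. Dropping `- dependency` together with the galaxy `dependency:` stanza also means any collection the roles rely on is presumably expected to be pre-installed in the runner now — worth one sentence in the commit message so the next person does not re-add it.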
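Review bot: The `Install sudo if user is root` play is copied verbatim into account, bashrc (L5), fast_yum_install (L6), kdump (L8) and prepended to every other prepare.yml in this patch, while the shared `molecule/prepare.yml` is kept and only re-indented; keeping the sudo task there and pulling it in with `- ansible.builtin.import_playbook: ../prepare.yml` at the top of each scenario file would avoid thirteen copies to keep in sync. `gather_facts: yes` should be the canonical `gather_facts: true`, and the package task could use `ansible.builtin.package`, as the vault prepare (L13) already does for pip, instead of hard-coding yum. When `ansible_user_id` is not root the play silently assumes sudo is already present; nothing fails fast if it is missing, so the error would only surface in the first later play that uses `become: yes`.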
+++ b/molecule/account/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for account role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/aphrodite/converge.yml b/molecule/aphrodite/converge.yml index f5959227..9438fac5 100644 --- a/molecule/aphrodite/converge.yml +++ b/molecule/aphrodite/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml diff --git a/molecule/aphrodite/prepare.yml b/molecule/aphrodite/prepare.yml index 358e1b0b..cbc0e834 100644 --- a/molecule/aphrodite/prepare.yml +++ b/molecule/aphrodite/prepare.yml @@ -1,14 +1,27 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" - name: Add the user jenkins ansible.builtin.user: name: jenkins - name: Creates directory + become: yes ansible.builtin.file: path: /opt/tools state: directory @@ -17,6 +30,7 @@ mode: 0644 - name: "Deploy aphrodite configuration to {{ aphrodite.path }}" + become: yes ansible.builtin.template: src: "../../roles/aphrodite/templates/aphrodite.json.j2" dest: "{{ aphrodite.path }}" diff --git a/molecule/aphrodite/verify.yml b/molecule/aphrodite/verify.yml index 8c4a3f97..2d9e4a61 100644 --- a/molecule/aphrodite/verify.yml +++ b/molecule/aphrodite/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for aphrodite role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/bashrc/molecule.yml b/molecule/bashrc/molecule.yml index 68995115..e7f9bb85 100644 --- a/molecule/bashrc/molecule.yml +++ b/molecule/bashrc/molecule.yml @@ -20,7 +20,7 @@ provisioner: playbooks: converge: converge.yml verify: verify.yml - prepare: ../prepare.yml + prepare: prepare.yml env: ANSIBLE_ROLES_PATH: "../../roles" verifier: 
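Review bot: `Add the user jenkins` is left without `become: yes` while the `Creates directory` and template tasks right below it gain one; creating a user needs root, so on a non-root connection user — the case this commit is meant to support — this task fails before the directory is ever created. Add `become: yes` to the user task, as the git prepare (L6) does; netrc/prepare.yml (L10) has the same omission.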
diff --git a/molecule/bashrc/prepare.yml b/molecule/bashrc/prepare.yml new file mode 100644 index 00000000..fc227df7 --- /dev/null +++ b/molecule/bashrc/prepare.yml @@ -0,0 +1,16 @@ +--- +- name: Prepare + hosts: all + gather_facts: yes + tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" diff --git a/molecule/cron/molecule.yml b/molecule/cron/molecule.yml index e7f9bb85..bd24f45f 100644 --- a/molecule/cron/molecule.yml +++ b/molecule/cron/molecule.yml @@ -1,12 +1,6 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - requirements-file: molecule/default/requirements.yml driver: - name: podman + name: docker platforms: - name: instance image: registry.access.redhat.com/ubi8/ubi-init:latest @@ -17,6 +11,11 @@ platforms: - sudo provisioner: name: ansible + config_options: + defaults: + interpreter_python: auto_silent + ssh_connection: + pipelining: false playbooks: converge: converge.yml verify: verify.yml @@ -27,9 +26,9 @@ verifier: name: ansible scenario: test_sequence: - - dependency - cleanup - destroy + - syntax - create - prepare - converge diff --git a/molecule/cron/prepare.yml b/molecule/cron/prepare.yml index a6d7aad8..fbafd3cc 100644 --- a/molecule/cron/prepare.yml +++ b/molecule/cron/prepare.yml @@ -1,13 +1,27 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Creates directory + become: yes ansible.builtin.file: path: /opt/tools state: directory owner: root group: root - mode: 0745 \ No newline at end of file + mode: 0745 
diff --git a/molecule/fast_yum_install/converge.yml b/molecule/fast_yum_install/converge.yml index 5528b223..fbc4e1bc 100644 --- a/molecule/fast_yum_install/converge.yml +++ b/molecule/fast_yum_install/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/fast_yum_install/molecule.yml b/molecule/fast_yum_install/molecule.yml index 3b262340..2b1a1b15 100644 --- a/molecule/fast_yum_install/molecule.yml +++ b/molecule/fast_yum_install/molecule.yml @@ -18,6 +18,7 @@ platforms: provisioner: name: ansible playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml env: diff --git a/molecule/fast_yum_install/prepare.yml b/molecule/fast_yum_install/prepare.yml new file mode 100644 index 00000000..fc227df7 --- /dev/null +++ b/molecule/fast_yum_install/prepare.yml @@ -0,0 +1,16 @@ +--- +- name: Prepare + hosts: all + gather_facts: yes + tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" diff --git a/molecule/git/prepare.yml b/molecule/git/prepare.yml index 495a00e2..9ef50b3c 100644 --- a/molecule/git/prepare.yml +++ b/molecule/git/prepare.yml @@ -1,16 +1,32 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Add the user jenkins + become: yes ansible.builtin.user: name: jenkins + - name: Creates directory + become: yes ansible.builtin.file: path: /home/jenkins state: directory owner: jenkins group: jenkins - mode: 0644 \ No newline at end of file + mode: 0644 
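Review bot: `mode: 0644` on the `/home/jenkins` directory task clears the execute bit, so the jenkins user cannot traverse its own home directory; a directory needs `"0755"` (or `"0750"`), and the mode should be quoted so the value reaches Ansible as a string rather than a YAML 1.1 integer, as the Ansible file-module docs recommend. The same directory-with-file-mode pattern is on the new side of netrc/prepare.yml (L10) and qualys_fix/prepare.yml (L11); this patch only fixes the missing trailing newline on those lines.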
diff --git a/molecule/hosts/converge.yml b/molecule/hosts/converge.yml index 717ea1a1..238187e0 100644 --- a/molecule/hosts/converge.yml +++ b/molecule/hosts/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/hosts/prepare.yml b/molecule/hosts/prepare.yml index f78fae88..938ec0b6 100644 --- a/molecule/hosts/prepare.yml +++ b/molecule/hosts/prepare.yml @@ -1,20 +1,34 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: "Include fast_yum_install" ansible.builtin.include_role: name: "fast_yum_install" - name: Creates /etc/fake_hosts directory + become: yes ansible.builtin.file: path: /etc/fake_hosts state: touch mode: 0644 - name: Creates /etc/real_hosts directory + become: yes ansible.builtin.file: path: /etc/real_hosts state: touch diff --git a/molecule/hosts/verify.yml b/molecule/hosts/verify.yml index a6b5ccf8..b8a467a1 100644 --- a/molecule/hosts/verify.yml +++ b/molecule/hosts/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for hosts role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/java/molecule.yml b/molecule/java/molecule.yml index 68995115..61fe8158 100644 --- a/molecule/java/molecule.yml +++ b/molecule/java/molecule.yml @@ -1,10 +1,4 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - requirements-file: molecule/default/requirements.yml driver: name: podman platforms: 
@@ -18,18 +12,19 @@ platforms: provisioner: name: ansible playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml - prepare: ../prepare.yml env: + ANSIBLE_FORCE_COLOR: "true" ANSIBLE_ROLES_PATH: "../../roles" verifier: name: ansible scenario: test_sequence: - - dependency - cleanup - destroy + - syntax - create - prepare - converge diff --git a/molecule/java/prepare.yml b/molecule/java/prepare.yml index 59dc62dc..97188bc5 100644 --- a/molecule/java/prepare.yml +++ b/molecule/java/prepare.yml @@ -1,9 +1,21 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - ansible.builtin.assert: that: - jdk_list is defined diff --git a/molecule/kdump/converge.yml b/molecule/kdump/converge.yml index b5a8956d..be89b97f 100644 --- a/molecule/kdump/converge.yml +++ b/molecule/kdump/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/kdump/prepare.yml b/molecule/kdump/prepare.yml new file mode 100644 index 00000000..fc227df7 --- /dev/null +++ b/molecule/kdump/prepare.yml @@ -0,0 +1,16 @@ +--- +- name: Prepare + hosts: all + gather_facts: yes + tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" diff --git a/molecule/kdump/verify.yml b/molecule/kdump/verify.yml index f0c6e013..b2a7e9ca 100644 --- a/molecule/kdump/verify.yml +++ b/molecule/kdump/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for kdump role hosts: all + become: yes vars_files: - vars.yml gather_facts: false 
diff --git a/molecule/motd/molecule.yml b/molecule/motd/molecule.yml index 68995115..e7f9bb85 100644 --- a/molecule/motd/molecule.yml +++ b/molecule/motd/molecule.yml @@ -20,7 +20,7 @@ provisioner: playbooks: converge: converge.yml verify: verify.yml - prepare: ../prepare.yml + prepare: prepare.yml env: ANSIBLE_ROLES_PATH: "../../roles" verifier: diff --git a/molecule/motd/prepare.yml b/molecule/motd/prepare.yml index 9ee714cb..f7a34b82 100644 --- a/molecule/motd/prepare.yml +++ b/molecule/motd/prepare.yml @@ -1,9 +1,22 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - ansible.builtin.assert: that: - motd_path is defined diff --git a/molecule/motd/verify.yml b/molecule/motd/verify.yml index 77f84296..81d64502 100644 --- a/molecule/motd/verify.yml +++ b/molecule/motd/verify.yml @@ -3,10 +3,10 @@ hosts: all vars_files: - vars.yml - gather_facts: false - + gather_facts: yes tasks: - name: Add a duplicate motd + become: yes ansible.builtin.copy: src: "../../roles/motd/files/motd.standard" dest: /etc/duplicateMotd diff --git a/molecule/netrc/converge.yml b/molecule/netrc/converge.yml index 38aa857c..487c27cd 100644 --- a/molecule/netrc/converge.yml +++ b/molecule/netrc/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/netrc/prepare.yml b/molecule/netrc/prepare.yml index 495a00e2..66ac09fc 100644 --- a/molecule/netrc/prepare.yml +++ b/molecule/netrc/prepare.yml 
@@ -1,16 +1,30 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Add the user jenkins ansible.builtin.user: name: jenkins + - name: Creates directory + become: yes ansible.builtin.file: path: /home/jenkins state: directory owner: jenkins group: jenkins - mode: 0644 \ No newline at end of file + mode: 0644 diff --git a/molecule/netrc/verify.yml b/molecule/netrc/verify.yml index 1da71070..e4c18fa4 100644 --- a/molecule/netrc/verify.yml +++ b/molecule/netrc/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for netrc role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/molecule/prepare.yml b/molecule/prepare.yml index 79270639..68a403bd 100644 --- a/molecule/prepare.yml +++ b/molecule/prepare.yml @@ -5,4 +5,4 @@ - name: Display Ansible version ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" + msg: "Ansible version is {{ ansible_version.full }}" diff --git a/molecule/qualys_fix/converge.yml b/molecule/qualys_fix/converge.yml index 6b65155e..f1cb3e55 100644 --- a/molecule/qualys_fix/converge.yml +++ b/molecule/qualys_fix/converge.yml @@ -1,5 +1,6 @@ --- - name: Converge + become: yes hosts: all tasks: diff --git a/molecule/qualys_fix/molecule.yml b/molecule/qualys_fix/molecule.yml index 3b262340..2b1a1b15 100644 --- a/molecule/qualys_fix/molecule.yml +++ b/molecule/qualys_fix/molecule.yml @@ -18,6 +18,7 @@ platforms: provisioner: name: ansible playbooks: + prepare: prepare.yml converge: converge.yml verify: verify.yml env: diff --git a/molecule/qualys_fix/prepare.yml b/molecule/qualys_fix/prepare.yml index b7d32566..44d2cabb 100644 --- a/molecule/qualys_fix/prepare.yml +++ b/molecule/qualys_fix/prepare.yml 
@@ -1,10 +1,21 @@ --- - name: Prepare hosts: all - + gather_facts: yes tasks: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + - name: Creates directory ansible.builtin.file: path: /root/.ansible/roles/infosec.qualys-cloud-agent/tasks/ state: directory - mode: 0644 \ No newline at end of file + mode: 0644 diff --git a/molecule/qualys_fix/verify.yml b/molecule/qualys_fix/verify.yml index 6d04a7e1..af814e67 100644 --- a/molecule/qualys_fix/verify.yml +++ b/molecule/qualys_fix/verify.yml 
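Review bot: `Creates directory` writes under `/root/.ansible/roles/...` but, unlike the equivalent tasks in cron (L5), git (L6) and netrc (L10), it gets no `become: yes` in this patch, so it fails as soon as the connection user is not root. Adding `become: yes` to the task (or wrapping it in a block as the verify.yml in this same commit does) would make the scenario consistent; the directory mode should also be a quoted `"0755"`, since `0644` leaves the directory non-traversable.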
@@ -1,35 +1,38 @@ --- -- name: Verify for netrc role +- name: Verify for Qualys role hosts: all gather_facts: false tasks: - - name: Add a duplicate Windows specific tasks - ansible.builtin.template: - src: "../../roles/qualys_fix/templates/dummy.j2" - dest: /root/.ansible/roles/infosec.qualys-cloud-agent/tasks/duplicateTasks + - name: "Escalate privileges" + become: yes + block: + - name: Add a duplicate Windows specific tasks + ansible.builtin.template: + src: "../../roles/qualys_fix/templates/dummy.j2" + dest: /root/.ansible/roles/infosec.qualys-cloud-agent/tasks/duplicateTasks - - name: Get checksum of my original file - ansible.builtin.stat: - path: '/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/setup-Windows.yml' - register: originalfile + - name: Get checksum of my original file + ansible.builtin.stat: + path: '/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/setup-Windows.yml' + register: originalfile - - ansible.builtin.set_fact: - original: "{{ originalfile.stat.checksum }}" + - ansible.builtin.set_fact: + original: "{{ originalfile.stat.checksum }}" - - name: Get checksum of my duplicate file - ansible.builtin.stat: - path: "/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/duplicateTasks" - register: duplicatefile + - name: Get checksum of my duplicate file + ansible.builtin.stat: + path: "/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/duplicateTasks" + register: duplicatefile - - ansible.builtin.set_fact: - duplicate: "{{ duplicatefile.stat.checksum }}" + - ansible.builtin.set_fact: + duplicate: "{{ duplicatefile.stat.checksum }}" - - name: Compare both the qualys_fix files - ansible.builtin.debug: - msg: "File Compare" - failed_when: original != duplicate + - name: Compare both the qualys_fix files + ansible.builtin.debug: + msg: "File Compare" + failed_when: original != duplicate - - name: Verify that qualys_fix role was properly executed - ansible.builtin.assert: - that: true + - name: Verify that qualys_fix role was properly 
executed + ansible.builtin.assert: + that: true diff --git a/molecule/vault/converge.yml b/molecule/vault/converge.yml index 9a443a68..ee6de08b 100644 --- a/molecule/vault/converge.yml +++ b/molecule/vault/converge.yml @@ -1,6 +1,7 @@ --- - name: Converge hosts: all + become: yes vars_files: - vars.yml tasks: diff --git a/molecule/vault/prepare.yml b/molecule/vault/prepare.yml index 15c0e42f..75e21301 100644 --- a/molecule/vault/prepare.yml +++ b/molecule/vault/prepare.yml @@ -1,32 +1,45 @@ --- - name: Prepare hosts: all + gather_facts: yes vars_files: - vars.yml environment: - VAULT_ADDR: "{{ ansible_hashi_vault_addr }}" tasks: - - name: "Import Vault repo for installation" - ansible.builtin.yum_repository: - name: 'vault' - description: 'The vault repository' - file: external_repos - baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable - gpgcheck: no - - - name: "Install Vault and pip" + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + + - name: "Install pip" + become: yes ansible.builtin.package: - name: "{{ item }}" + name: python3-pip state: present - with_items: - - vault - - python3-pip + + - name: "Install Vault on RHEL 8 ({{ ansible_distribution_major_version }})" + ansible.builtin.include_tasks: vault_yum.yml + when: + - ansible_distribution_major_version == "8" + + - name: "Install vault using snap on RHEL 9 ({{ ansible_distribution_major_version }})" + ansible.builtin.include_tasks: vault_snap.yml + when: + - ansible_distribution_major_version == "9" - name: Install hvac python package ansible.builtin.pip: name: hvac - name: "Set up Vault env - Start dev server in background for 5 minutes" + become: yes ansible.builtin.shell: "vault server -dev -dev-root-token-id={{ root_vault_token }}" async: 300 poll: 0 
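Review bot: The two `ansible.builtin.include_tasks` for vault_yum.yml and vault_snap.yml are included without `become`, and vault_yum.yml (L15) carries no `become` of its own either, so its `yum_repository` and `yum` tasks run unprivileged while vault_snap.yml wraps its block in `become: yes`; when the connection user is not root the RHEL 8 path fails. Put `become: yes` on the include, or inside vault_yum.yml mirroring vault_snap.yml. The `Install pip` task a few lines above shows the pattern already used in this play.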
@@ -37,6 +50,7 @@ msg: "{{ result }}" - name: Create a temporary shell script file + become: yes ansible.builtin.copy: content: | #!/bin/bash @@ -54,6 +68,7 @@ mode: '0755' - name: Execute the script to set up Vault + become: yes command: '/tmp/setup_vault.sh' register: script_output @@ -62,12 +77,13 @@ var: script_output.stdout_lines - name: Remove the temporary script file - file: + ansible.builtin.file: path: /tmp/setup_vault.sh state: absent - name: "Set up Vault env - Write test data" - shell: | + become: yes + ansible.builtin.shell: | vault kv put {{ vault_mount }}/{{ item.vault_path }} {{ item.secrets }} with_items: "{{ test_secrets }}" diff --git a/molecule/vault/vault_snap.yml b/molecule/vault/vault_snap.yml new file mode 100644 index 00000000..6ab4065e --- /dev/null +++ b/molecule/vault/vault_snap.yml @@ -0,0 +1,15 @@ +--- +- name: "Setup snap to install {{ package_name }}" + become: yes + block: + - name: "Ensure EPEL Release for RHEL 9 is configured" + ansible.builtin.command: "sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm" + + - name: "Ensure Snap is installed" + ansible.builtin.command: "sudo yum install snapd" + + - name: "Ensure Snapd.socket is enabled" + ansible.builtin.command: "sudo systemctl enable --now snapd.socket" + + - name: "Ensure {{ package_name }} is installed." + ansible.builtin.command: "sudo snap install {{ package_name }}" diff --git a/molecule/vault/vault_yum.yml b/molecule/vault/vault_yum.yml new file mode 100644 index 00000000..9cbf27b6 --- /dev/null +++ b/molecule/vault/vault_yum.yml 
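Review bot: Adding `become: yes` to `Execute the script to set up Vault` means a script written to the fixed path `/tmp/setup_vault.sh` is now executed as root — a predictable name in a world-writable directory; creating it with `ansible.builtin.tempfile` and registering the path, or writing it under a root-owned directory, removes the shared-tmp exposure. This is a Molecule test container so the practical risk is low, but the pattern is the kind that gets copied into roles.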
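Review bot: Every command in vault_snap.yml prefixes `sudo` although the block already has `become: yes`, and sudo is exactly what this commit stops installing unless the target is root, so these tasks fail on a non-root image where sudo is absent; drop the prefix and let become handle escalation. The four `ansible.builtin.command` calls are also not idempotent and, without `-y`, `dnf install <url>` and `yum install snapd` wait for a confirmation prompt that never comes; `ansible.builtin.dnf` and `ansible.builtin.systemd` express the same steps declaratively (if the module's GPG check rejects the EPEL release rpm fetched by URL, decide explicitly whether `disable_gpg_check: true` is acceptable rather than letting it fail). `package_name` is referenced but not passed by the include in prepare.yml (L13); presumably it comes from vars.yml — worth confirming.
```yaml
- name: "Setup snap to install {{ package_name }}"
  become: yes
  block:
    - name: "Ensure EPEL Release for RHEL 9 is configured"
      ansible.builtin.dnf:
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
        state: present

    - name: "Ensure Snap is installed"
      ansible.builtin.dnf:
        name: snapd
        state: present

    - name: "Ensure snapd.socket is enabled"
      ansible.builtin.systemd:
        name: snapd.socket
        enabled: true
        state: started

    # no builtin snap module: keep command, but without the sudo prefix
    - name: "Ensure {{ package_name }} is installed."
      ansible.builtin.command: "snap install {{ package_name }}"
```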
@@ -0,0 +1,15 @@ +--- +- name: "Ensure Harshicorp repo is enabled" + ansible.builtin.yum_repository: + name: 'hashi' + description: 'Hashicorp Stable - $basearch' + gpgcheck: true + gpgkey: 'https://rpm.releases.hashicorp.com/gpg' + file: external_repos + baseurl: 'https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable' + +- name: "Ensure vault package is installed." + ansible.builtin.yum: + name: vault + state: present + update_cache: true diff --git a/molecule/vault/verify.yml b/molecule/vault/verify.yml index 013863c1..1bddf8b6 100644 --- a/molecule/vault/verify.yml +++ b/molecule/vault/verify.yml @@ -1,6 +1,7 @@ --- - name: Verify for vault role hosts: all + become: yes vars_files: - vars.yml gather_facts: false diff --git a/roles/account/tasks/main.yml b/roles/account/tasks/main.yml index 6f38a957..38ed89c9 100644 --- a/roles/account/tasks/main.yml +++ b/roles/account/tasks/main.yml 
@@ -12,27 +12,30 @@ - account.home != "" quiet: true -- name: "Ensure group {{ account.group }} exists." - ansible.builtin.group: - name: "{{ account.group }}" - gid: "{{ account.gid }}" - state: present +- name: "Escalate privilege" + become: yes + block: + - name: "Ensure group {{ account.group }} exists." + ansible.builtin.group: + name: "{{ account.group }}" + gid: "{{ account.gid }}" + state: present -- name: "Ensure user {{ account.username }} with UID {{ account.uid }} exists." - ansible.builtin.user: - name: "{{ account.username }}" - uid: "{{ account.uid }}" - group: "{{ account.group }}" + - name: "Ensure user {{ account.username }} with UID {{ account.uid }} exists." + ansible.builtin.user: + name: "{{ account.username }}" + uid: "{{ account.uid }}" + group: "{{ account.group }}" -- name: "Ensure path provided for home is valid: {{ account.home }}" - ansible.builtin.stat: - path: "{{ account.home }}" - register: account_home + - name: "Ensure path provided for home is valid: {{ account.home }}" + ansible.builtin.stat: + path: "{{ account.home }}" + register: account_home -- name: "Ensure home directory {{ account.home }} exists." - ansible.builtin.file: - state: directory - path: "{{ account.home }}" - owner: "{{ account.username }}" - group: "{{ account.group }}" - when: account_home.stat is defined + - name: "Ensure home directory {{ account.home }} exists." + ansible.builtin.file: + state: directory + path: "{{ account.home }}" + owner: "{{ account.username }}" + group: "{{ account.group }}" + when: account_home.stat is defined diff --git a/roles/aphrodite/tasks/main.yml b/roles/aphrodite/tasks/main.yml index 63f4944b..44b2d70e 100644 --- a/roles/aphrodite/tasks/main.yml +++ b/roles/aphrodite/tasks/main.yml @@ -8,6 +8,7 @@ quiet: true - name: "Deploy aphrodite configuration to {{ aphrodite.path }}" + become: yes ansible.builtin.template: src: "{{ aphrodite.template }}" dest: "{{ aphrodite.path }}" 
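Review bot: `when: account_home.stat is defined` on the home-directory task is always true — `ansible.builtin.stat` returns a `stat` dictionary whether or not the path exists, with the answer in `stat.exists` — so the condition guards nothing; either drop it (the `file` task is idempotent) or state the intent with `when: not account_home.stat.exists`. The same vacuous condition is carried into the cci_worker block (L20). The block-level `become: yes` also hard-wires escalation into the role regardless of how the caller invokes it; if that is intended, a comment above the block such as `# Role expects to escalate; callers no longer need become` would make the contract explicit.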
diff --git a/roles/bashrc/tasks/main.yml b/roles/bashrc/tasks/main.yml index 02226cc8..6aa509ad 100644 --- a/roles/bashrc/tasks/main.yml +++ b/roles/bashrc/tasks/main.yml @@ -1,5 +1,6 @@ --- - name: Check bashrc configuration + become: yes ansible.builtin.template: src: templates/bashrc.j2 dest: /etc/bashrc diff --git a/roles/cci_worker/tasks/main.yml b/roles/cci_worker/tasks/main.yml index f77a976b..2607b329 100644 --- a/roles/cci_worker/tasks/main.yml +++ b/roles/cci_worker/tasks/main.yml 
@@ -9,116 +9,119 @@ - cci_worker.account.home is defined quiet: true -- name: "Creating {{ cci_worker.account.username }} user." - ansible.builtin.user: - name: "{{ cci_worker.account.username }}" - state: present - password: "{{ cci_worker.account.password | password_hash('sha512', 'A512') }}" - shell: /bin/bash - -- name: "Ensure path provided for home is valid" - ansible.builtin.stat: - path: "{{ cci_worker.account.home }}" - register: account_home - -- name: "Ensure home directory {{ cci_worker.account.home }} exists." - ansible.builtin.file: - state: directory - path: "{{ cci_worker.account.home }}" - owner: "{{ cci_worker.account.username }}" - when: account_home.stat is defined - -- name: "Ensure ssh directory for {{ cci_worker.account.username }} exists" - ansible.builtin.file: - state: directory - path: "{{ cci_worker.account.home }}/.ssh" - owner: "{{ cci_worker.account.username }}" - -- name: "Deploy authorized key" - ansible.posix.authorized_key: - user: "{{ cci_worker.account.username }}" - state: present - key: "{{ files }}" - with_file: - - "{{ cci_worker.pubkey_file }}" - loop_control: - loop_var: files - -- name: "Deploy fix_multicast script" - ansible.builtin.copy: - src: "files/setup_multicast.sh" - dest: "/usr/local/sbin/setup_multicast.sh" - owner: "root" - group: "root" - mode: "0755" - -- name: "Create boot-time service to fix multicast" - ansible.builtin.copy: - src: "files/setup_multicast.service" - dest: "/etc/systemd/system/setup_multicast.service" - owner: "root" - group: "root" - mode: "0644" - -- name: "Ensures setup_multicast service is running" - ansible.builtin.service: - name: "setup_multicast.service" - state: started - enabled: yes - -- name: Set environment variables +- name: "Privilege escalation" become: yes - become_user: "{{ cci_worker_username }}" - ansible.builtin.template: - src: templates/bashrc_template.j2 - dest: "/home/{{ cci_worker_username }}/.bashrc" - mode: "0644" - owner: "{{ cci_worker_username }}" - -- name: 
"Enable Linger for {{ cci_worker_username }}" - become: yes - become_user: "{{ cci_worker_username }}" - ansible.builtin.shell: loginctl enable-linger {{ cci_worker_username }} - -- name: Enable podman - become: yes - become_user: "{{ cci_worker_username }}" - ansible.builtin.systemd: - name: "podman.socket" - state: started - scope: user - enabled: true - -- name: "Configure testcontainers" - ansible.builtin.copy: - src: files/testcontainers.properties - dest: "/home/{{ cci_worker_username }}/.testcontainers.properties" - mode: "0644" - owner: "{{ cci_worker_username }}" - group: "{{ cci_worker_username }}" - -- name: "Configure Maven settings.xml" - ansible.builtin.template: - src: templates/settings.xml.j2 - dest: "/home/{{ cci_worker_username }}/.m2/settings.xml" - mode: "0644" - owner: "{{ cci_worker_username }}" - group: "{{ cci_worker_username }}" - -- name: Ensure CA certificates directory exists - ansible.builtin.file: - path: "{{ ca_certs_path }}" - state: directory - -- name: Download RedHat CA certificates - ansible.builtin.get_url: - url: "{{ cert.url }}" - dest: "{{ ca_certs_path}}/{{ cert.alias }}" - with_items: "{{ root_ca_certs }}" - loop_control: - loop_var: cert - register: cert_results - -- name: Update CA trust - ansible.builtin.command: update-ca-trust - changed_when: cert_results.changed \ No newline at end of file + block: + - name: "Creating {{ cci_worker.account.username }} user." + ansible.builtin.user: + name: "{{ cci_worker.account.username }}" + state: present + password: "{{ cci_worker.account.password | password_hash('sha512', 'A512') }}" + shell: /bin/bash + + - name: "Ensure path provided for home is valid" + ansible.builtin.stat: + path: "{{ cci_worker.account.home }}" + register: account_home + + - name: "Ensure home directory {{ cci_worker.account.home }} exists." 
+ ansible.builtin.file: + state: directory + path: "{{ cci_worker.account.home }}" + owner: "{{ cci_worker.account.username }}" + when: account_home.stat is defined + + - name: "Ensure ssh directory for {{ cci_worker.account.username }} exists" + ansible.builtin.file: + state: directory + path: "{{ cci_worker.account.home }}/.ssh" + owner: "{{ cci_worker.account.username }}" + + - name: "Deploy authorized key" + ansible.posix.authorized_key: + user: "{{ cci_worker.account.username }}" + state: present + key: "{{ files }}" + with_file: + - "{{ cci_worker.pubkey_file }}" + loop_control: + loop_var: files + + - name: "Deploy fix_multicast script" + ansible.builtin.copy: + src: "files/setup_multicast.sh" + dest: "/usr/local/sbin/setup_multicast.sh" + owner: "root" + group: "root" + mode: "0755" + + - name: "Create boot-time service to fix multicast" + ansible.builtin.copy: + src: "files/setup_multicast.service" + dest: "/etc/systemd/system/setup_multicast.service" + owner: "root" + group: "root" + mode: "0644" + + - name: "Ensures setup_multicast service is running" + ansible.builtin.service: + name: "setup_multicast.service" + state: started + enabled: yes + + - name: Set environment variables + become: yes + become_user: "{{ cci_worker_username }}" + ansible.builtin.template: + src: templates/bashrc_template.j2 + dest: "/home/{{ cci_worker_username }}/.bashrc" + mode: "0644" + owner: "{{ cci_worker_username }}" + + - name: "Enable Linger for {{ cci_worker_username }}" + become: yes + become_user: "{{ cci_worker_username }}" + ansible.builtin.shell: loginctl enable-linger {{ cci_worker_username }} + + - name: Enable podman + become: yes + become_user: "{{ cci_worker_username }}" + ansible.builtin.systemd: + name: "podman.socket" + state: started + scope: user + enabled: true + + - name: "Configure testcontainers" + ansible.builtin.copy: + src: files/testcontainers.properties + dest: "/home/{{ cci_worker_username }}/.testcontainers.properties" + mode: "0644" + owner: 
"{{ cci_worker_username }}" + group: "{{ cci_worker_username }}" + + - name: "Configure Maven settings.xml" + ansible.builtin.template: + src: templates/settings.xml.j2 + dest: "/home/{{ cci_worker_username }}/.m2/settings.xml" + mode: "0644" + owner: "{{ cci_worker_username }}" + group: "{{ cci_worker_username }}" + + - name: Ensure CA certificates directory exists + ansible.builtin.file: + path: "{{ ca_certs_path }}" + state: directory + + - name: Download RedHat CA certificates + ansible.builtin.get_url: + url: "{{ cert.url }}" + dest: "{{ ca_certs_path}}/{{ cert.alias }}" + with_items: "{{ root_ca_certs }}" + loop_control: + loop_var: cert + register: cert_results + + - name: Update CA trust + ansible.builtin.command: update-ca-trust + changed_when: cert_results.changed diff --git a/roles/cron/defaults/main.yml b/roles/cron/defaults/main.yml index 914c0a4b..adc3c0aa 100644 --- a/roles/cron/defaults/main.yml +++ b/roles/cron/defaults/main.yml @@ -1,3 +1,4 @@ --- +cron_mail_pkg_name: mailx cronjobs: - { name: "ansible-daily-run", dest: "/opt/tools/ansible-daily-run.sh", src: "ansible-daily-run.sh.j2", special_time: "daily" } diff --git a/roles/cron/tasks/cronjob.yml b/roles/cron/tasks/cronjob.yml index d9ebc3b9..7cf2d6cb 100644 --- a/roles/cron/tasks/cronjob.yml +++ b/roles/cron/tasks/cronjob.yml 
@@ -10,29 +10,32 @@ - jobs.dest != "" quiet: true -- name: "Ensures script job for {{ jobs.name }} is deployed" - ansible.builtin.template: - src: "{{ jobs.src }}" - dest: "{{ jobs.dest }}" - owner: root - group: root - mode: 0745 +- name: "Escalate privileges" + become: yes + block: + - name: "Ensures script job for {{ jobs.name }} is deployed" + ansible.builtin.template: + src: "{{ jobs.src }}" + dest: "{{ jobs.dest }}" + owner: root + group: root + mode: 0745 -- name: "Ensures cron task for {{ jobs.name }} is defined." - ansible.builtin.cron: - name: "{{ jobs.name }}" - job: "{{ jobs.dest }}" - special_time: "{{ jobs.special_time }}" - when: - - jobs.special_time is defined + - name: "Ensures cron task for {{ jobs.name }} is defined." + ansible.builtin.cron: + name: "{{ jobs.name }}" + job: "{{ jobs.dest }}" + special_time: "{{ jobs.special_time }}" + when: + - jobs.special_time is defined -- name: "Ensures cron task for {{ jobs.name }} is defined." - ansible.builtin.cron: - name: "{{ jobs.name }}" - job: "{{ jobs.dest }}" - weekday: "{{ jobs.weekday | default(omit) }}" - minute: "{{ jobs.minute | default(omit) }}" - hour: "{{ jobs.hour | default(omit) }}" - day: "{{ jobs.day | default(omit) }}" - when: - - not jobs.special_time is defined + - name: "Ensures cron task for {{ jobs.name }} is defined." + ansible.builtin.cron: + name: "{{ jobs.name }}" + job: "{{ jobs.dest }}" + weekday: "{{ jobs.weekday | default(omit) }}" + minute: "{{ jobs.minute | default(omit) }}" + hour: "{{ jobs.hour | default(omit) }}" + day: "{{ jobs.day | default(omit) }}" + when: + - not jobs.special_time is defined diff --git a/roles/cron/tasks/main.yml b/roles/cron/tasks/main.yml index b49eeb60..0d5ae23c 100644 --- a/roles/cron/tasks/main.yml +++ b/roles/cron/tasks/main.yml 
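Review bot: The two `ansible.builtin.cron` tasks in the new `become: yes` block give no `user:`, so the job is now registered in root's crontab and `{{ jobs.dest }}` will run as root on the schedule; that is presumably intended, but it should be explicit with `user: root` on both tasks so a later removal of the block does not silently move the job to the connecting user's crontab. The script is deployed with `mode: 0745`, which makes it world-readable and world-executable; since only root's cron runs it, `mode: "0740"` is tighter, and quoting the mode (`"0745"`/`"0740"`) avoids the octal-int parsing ambiguity Ansible warns about. Stylistically, `become: true` rather than `become: yes` is the form yamllint's truthy rule accepts.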
@@ -4,12 +4,18 @@ - cronjobs is defined - cronjobs | length > 0 +- name: "Change mail tool package name if running on RHEL9 ({{ ansible_distribution_major_version }})" + ansible.builtin.set_fact: + cron_mail_pkg_name: s-nail + when: + - ansible_distribution_major_version == "9" + - ansible.builtin.include_role: name: fast_yum_install vars: package_name: "{{ files }}" with_items: - - mailx + - "{{ cron_mail_pkg_name }}" - cronie loop_control: loop_var: files diff --git a/roles/fast_yum_install/tasks/main.yml b/roles/fast_yum_install/tasks/main.yml index d5ae9ffe..6cfe518f 100644 --- a/roles/fast_yum_install/tasks/main.yml +++ b/roles/fast_yum_install/tasks/main.yml @@ -4,15 +4,17 @@ - yum.cache_update is defined quiet: true -- block: - - name: "Test if package {{ package_name }} is already installed" - ansible.builtin.command: rpm -q {{ package_name }} - register: rpm_info - changed_when: rpm_info.failed +- name: "Escalate privileges" + become: yes + block: + - name: "Test if package {{ package_name }} is already installed" + ansible.builtin.command: rpm -q {{ package_name }} + register: rpm_info + changed_when: rpm_info.failed rescue: - - name: "If package {{ package_name }} is missing, install package using yum.(cache update: {{ yum.cache_update }})" - ansible.builtin.yum: - name: "{{ package_name }}" - update_cache: "{{ yum.cache_update }}" - state: installed - when: rpm_info.failed + - name: "If package {{ package_name }} is missing, install package using yum.(cache update: {{ yum.cache_update }})" + ansible.builtin.yum: + name: "{{ package_name }}" + update_cache: "{{ yum.cache_update }}" + state: installed + when: rpm_info.failed diff --git a/roles/git/tasks/main.yml b/roles/git/tasks/main.yml index a7e5e688..569a16a3 100644 --- a/roles/git/tasks/main.yml +++ b/roles/git/tasks/main.yml 
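Review bot: The new `become: yes` on the block also escalates the read-only `rpm -q {{ package_name }}` probe, which does not need root; moving the escalation onto the install task alone keeps the role at least privilege: drop `become: yes` from the block and add `become: true` directly under the `ansible.builtin.yum` task in the rescue. The `when: rpm_info.failed` on the rescue task is redundant because a rescue only runs when the block failed, and as written the rescue also fires when `rpm` itself is missing or `package_name` is empty, which would then be treated as "install it". Note that `ansible.builtin.command` does not go through a shell, so metacharacters in `package_name` are not interpreted, but a value containing spaces is split into several `rpm -q` arguments.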
@@ -3,8 +3,9 @@ name: fast_yum_install vars: package_name: git - + - name: "Ensures gitconfig is deployed for user root" + become: yes ansible.builtin.template: src: templates/gitconfig.j2 dest: "{{ config.home }}/.gitconfig" diff --git a/roles/java/tasks/archive_tool_install.yml b/roles/java/tasks/archive_tool_install.yml index cde54e2e..22c14493 100644 --- a/roles/java/tasks/archive_tool_install.yml +++ b/roles/java/tasks/archive_tool_install.yml 
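Review bot: With `become: yes` added and no `owner`/`group`/`mode` on the template task, `{{ config.home }}/.gitconfig` is created root-owned; the molecule vars in this series point `home` at `/home/jenkins/`, so the jenkins user would get a gitconfig it can read but not edit. The same vars carry a `user:` next to `home:`, so (assuming `config` is the loop item, the loop being outside this hunk) add `owner: "{{ config.user }}"`, `group: "{{ config.user }}"` and `mode: "0644"`. The task name "deployed for user root" is then also misleading and should name the loop user.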
@@ -13,35 +13,38 @@ - ansible.builtin.set_fact: path_to_archive: "{{ home_folder }}/{{ files.name }}{{ files.ext | default('.tgz') }}" -- ansible.builtin.stat: - path: "{{ path_to_archive }}" - register: archive +- name: "Escalate priviliges" + become: yes + block: + - ansible.builtin.stat: + path: "{{ path_to_archive }}" + register: archive -- name: "Download archive from {{ files.source }}" - ansible.builtin.get_url: - url: "{{ files.source }}" - dest: "{{ path_to_archive }}" - retries: 3 - delay: 5 - register: archive_download - when: - - archive.stat is defined - - not archive.stat.exists + - name: "Download archive from {{ files.source }}" + ansible.builtin.get_url: + url: "{{ files.source }}" + dest: "{{ path_to_archive }}" + retries: 3 + delay: 5 + register: archive_download + when: + - archive.stat is defined + - not archive.stat.exists -- ansible.builtin.stat: - path: "{{ files.home }}" - register: path_to_home + - ansible.builtin.stat: + path: "{{ files.home }}" + register: path_to_home -- ansible.builtin.stat: - path: "{{ files.home }}/{{ files.name }}" - register: path_to_home + - ansible.builtin.stat: + path: "{{ files.home }}/{{ files.name }}" + register: path_to_home -- name: "Unpack archive {{ path_to_archive }} to {{ files.home }}" - ansible.builtin.unarchive: - src: "{{ path_to_archive }}" - dest: "{{ files.home }}" - remote_src: yes - when: - - path_to_home is defined - - path_to_home.stat is defined - - not path_to_home.stat.exists + - name: "Unpack archive {{ path_to_archive }} to {{ files.home }}" + ansible.builtin.unarchive: + src: "{{ path_to_archive }}" + dest: "{{ files.home }}" + remote_src: yes + when: + - path_to_home is defined + - path_to_home.stat is defined + - not path_to_home.stat.exists diff --git a/roles/java/tasks/install_and_default.yml b/roles/java/tasks/install_and_default.yml index 9e8e81be..78c78a94 100644 --- a/roles/java/tasks/install_and_default.yml +++ b/roles/java/tasks/install_and_default.yml 
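Review bot: `ansible.builtin.get_url` on `{{ files.source }}` has no `checksum:`, and the result is immediately unpacked as root with `unarchive`/`remote_src: yes`, so whatever the URL serves becomes root-owned tool content with no integrity check; add `checksum: "{{ files.checksum | default(omit) }}"` to the download so entries that carry a checksum are verified (and consider `owner`/`mode` on the unpacked tree). Both `ansible.builtin.stat` tasks register the same `path_to_home`, so the stat of `{{ files.home }}` is discarded before the `when` reads it; this predates the commit but is carried into the new block, so drop the first stat or rename its register. The block name also misspells "privileges" (`Escalate priviliges`).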
@@ -18,6 +18,7 @@ loop_var: files - name: "Symlink {{ tool_default_link }} to default version: {{ tool_default }}." + become: yes ansible.builtin.file: src: "{{ tool_default }}" dest: "{{ tool_default_link }}" diff --git a/roles/java/tasks/main.yml b/roles/java/tasks/main.yml index 4e8e01c4..a5642d0e 100644 --- a/roles/java/tasks/main.yml +++ b/roles/java/tasks/main.yml @@ -7,6 +7,7 @@ quiet: true - name: "Ensures the tools home folder exits." + become: yes ansible.builtin.file: state: directory path: "{{ folders }}" diff --git a/roles/motd/tasks/main.yml b/roles/motd/tasks/main.yml index db0ee156..e8674df3 100644 --- a/roles/motd/tasks/main.yml +++ b/roles/motd/tasks/main.yml @@ -10,17 +10,10 @@ motd_src_file: "files/motd.{{ motd.font }}" - name: Add a specific motd + become: yes ansible.builtin.copy: src: "files/motd.{{ motd.font }}" dest: /etc/motd owner: root group: root mode: 0644 - -#- include_tasks: tasks/remove_file.yml -# loop: "{{ motd.files.to_remove }}" -# when: -# - motd is defined -# - motd.files is defined -# - motd.files.to_remove is defined -# - motd.files.to_remove is iterable diff --git a/roles/qualys_fix/tasks/main.yml b/roles/qualys_fix/tasks/main.yml index 1005c086..67886f21 100644 --- a/roles/qualys_fix/tasks/main.yml +++ b/roles/qualys_fix/tasks/main.yml @@ -1,5 +1,6 @@ --- - name: "Replace content of Windows specific tasks, that are not Ansible 2.21 compliant" + become: yes ansible.builtin.template: dest: "{{ tasks }}" src: templates/dummy.j2 From e5b9c85897249aceafed71b9e9d493b60e42eaf1 Mon Sep 17 00:00:00 2001 
From: Romain Pelisse Date: Mon, 11 Mar 2024 17:19:06 +0100 Subject: [PATCH 2/4] Update Github Actions Molecule setup --- .github/workflows/ci.yml | 56 +++++++--- molecule/vault/converge.yml | 16 ++- molecule/vault/molecule.yml | 7 -- molecule/vault/prepare.yml | 204 +++++++++++++++++----------------- molecule/vault/vars.yml | 3 +- molecule/vault/vault_snap.yml | 18 ++- molecule/vault/verify.yml | 21 ---- 7 files changed, 178 insertions(+), 147 deletions(-) delete mode 100644 molecule/vault/verify.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b1926b36..c7d20c51 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,26 +1,26 @@ ---- -name: CI - -on: +--- +name: CI + +on: pull_request: - push: + push: branches: - main - -jobs: - test: + +jobs: + test: name: molecule runs-on: ubuntu-latest - - steps: + + steps: - name: Checkout the codebase. uses: actions/checkout@v2 - + - name: Set up Python3. uses: actions/setup-python@v2 with: python-version: '3.10' - + - name: Install testing dependencies. run: | python -m pip install --upgrade pip 
@@ -32,10 +32,40 @@ jobs: ansible-lint --version ansible-lint -v + - name: Set up Python ${{ matrix.python_version }} + uses: actions/setup-python@v5 + with: + python-version: ${{ matrix.python_version }} + cache: 'pip' + + - name: Install ansible and molecule + uses: nick-fields/retry@v3 + with: + timeout_minutes: 5 + retry_wait_seconds: 60 + max_attempts: 3 + command: | + python -m pip install --upgrade pip + pip install --progress-bar off 'molecule>=5.0.1' 'molecule-plugins[docker]>=23.0.0' ansible-core==${{ matrix.ansible_version }} + if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.txt ]; then + echo "=== Installing python deps" + pip install --progress-bar off -r ansible_collections/${{ inputs.fqcn }}/requirements.txt + fi + if [ -f ansible_collections/${{ inputs.fqcn }}/requirements.yml ]; then + echo "=== Installing dependencies" + ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/requirements.yml -p /home/runner/.ansible/collections --force-with-deps + fi + if [ -f ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ]; then + echo "=== Installing test dependencies" + ansible-galaxy role install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml ||: + ansible-galaxy collection install -r ansible_collections/${{ inputs.fqcn }}/molecule/requirements.yml -p /home/runner/.ansible/collections + fi + exit 0 + - name: "Run molecule tests" run: molecule test --all env: PY_COLORS: '1' ANSIBLE_FORCE_COLOR: '1' - MOLECULE_DISTRO: rhel-8 + MOLECULE_DISTRO: rhel-8 working-directory: '.' diff --git a/molecule/vault/converge.yml b/molecule/vault/converge.yml index ee6de08b..0344f4e2 100644 --- a/molecule/vault/converge.yml +++ b/molecule/vault/converge.yml 
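Review bot: The added steps reference `${{ matrix.python_version }}`, `${{ matrix.ansible_version }}` and `${{ inputs.fqcn }}`, but the job has no `strategy.matrix` and the workflow triggers (`pull_request`, `push`) define no `inputs`, so these expand to empty strings: `ansible-core==` is not a valid pip requirement and the `ansible_collections//...` paths never exist. This looks lifted from a reusable workflow; either add a `strategy: matrix:` with `python_version`/`ansible_version` and replace `inputs.fqcn` with a literal or `env` value, or drop the step, since the preceding hunk already runs setup-python and installs the testing dependencies. The trailing `exit 0` should go as well, because it can only mask a failure of the last conditional. From a supply-chain standpoint the third-party `nick-fields/retry@v3` (and `actions/checkout@v2`, `actions/setup-python@v2` above) are mutable tag references; pin them to a full commit SHA, e.g. `uses: nick-fields/retry@<full-sha> # v3`.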
@@ -1,9 +1,23 @@ --- - name: Converge hosts: all - become: yes vars_files: - vars.yml tasks: - name: "Include vault tasks" ansible.builtin.include_tasks: vault.yml + when: + - vault_scenario_enabled is defined and vault_scenario_enabled + + post_tasks: + - name: "Verify" + ansible.builtin.assert: + that: + - ansible_site == 'ansible.com' + - ansible_nodename == 'node1' + - olympus_ip == '127.0.0.1' + - olympus_fqdn == 'olympus.host.local' + fail_msg: "Secrets in Vault should be converted to Anislbe variables" + success_msg: "Great, it passed!" + when: + - vault_scenario_enabled is defined and vault_scenario_enabled diff --git a/molecule/vault/molecule.yml b/molecule/vault/molecule.yml index 3b262340..5eb829e4 100644 --- a/molecule/vault/molecule.yml +++ b/molecule/vault/molecule.yml @@ -1,10 +1,4 @@ --- -dependency: - name: galaxy - options: - ignore-certs: True - ignore-errors: True - requirements-file: molecule/default/requirements.yml driver: name: podman platforms: @@ -26,7 +20,6 @@ verifier: name: ansible scenario: test_sequence: - - dependency - cleanup - destroy - create diff --git a/molecule/vault/prepare.yml b/molecule/vault/prepare.yml index 75e21301..0766c37a 100644 --- a/molecule/vault/prepare.yml +++ b/molecule/vault/prepare.yml 
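Review bot: The guard `vault_scenario_enabled is defined and vault_scenario_enabled` is duplicated on the include and the assert and trips on string values such as `"false"`; `when: vault_scenario_enabled | default(false) | bool` is shorter and coerces correctly in both places. The assert's `fail_msg` misspells Ansible (`Anislbe`), which is user-facing text in the test output. Also note that with the play-level `become: yes` removed, `vault.yml` now runs as the connecting user, so it must be able to read the `role_id`/`secret_id` files written in prepare.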
@@ -7,104 +7,108 @@ environment: - VAULT_ADDR: "{{ ansible_hashi_vault_addr }}" tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present + - name: "Prepare for Vault scenario (if enabled)" when: - - ansible_user_id == "root" - - - name: "Install pip" - become: yes - ansible.builtin.package: - name: python3-pip - state: present - - - name: "Install Vault on RHEL 8 ({{ ansible_distribution_major_version }})" - ansible.builtin.include_tasks: vault_yum.yml - when: - - ansible_distribution_major_version == "8" - - - name: "Install vault using snap on RHEL 9 ({{ ansible_distribution_major_version }})" - ansible.builtin.include_tasks: vault_snap.yml - when: - - ansible_distribution_major_version == "9" - - - name: Install hvac python package - ansible.builtin.pip: - name: hvac - - - name: "Set up Vault env - Start dev server in background for 5 minutes" - become: yes - ansible.builtin.shell: "vault server -dev -dev-root-token-id={{ root_vault_token }}" - async: 300 - poll: 0 - register: result - - - name: "Show the Vault server start result" - ansible.builtin.debug: - msg: "{{ result }}" - - - name: Create a temporary shell script file - become: yes - ansible.builtin.copy: - content: | - #!/bin/bash - set -x - sleep 5 - echo "Create test policy to read on path: secret/*" - echo 'path "secret/*" { - capabilities = ["list", "read"] - }' | vault policy write test - - echo "Enable approle auth method" - vault auth enable approle - echo "Set up the role_id " - vault write auth/approle/role/{{ role_name }} secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 policies="default","test" - dest: /tmp/setup_vault.sh - mode: '0755' - - - name: Execute the script to set up Vault - become: yes - command: '/tmp/setup_vault.sh' - register: script_output - - - name: Display script output for 
debugging purpose - debug: - var: script_output.stdout_lines - - - name: Remove the temporary script file - ansible.builtin.file: - path: /tmp/setup_vault.sh - state: absent - - - name: "Set up Vault env - Write test data" - become: yes - ansible.builtin.shell: | - vault kv put {{ vault_mount }}/{{ item.vault_path }} {{ item.secrets }} - with_items: "{{ test_secrets }}" - - - name: "Read role_id for role: {{ role_name }} " - community.hashi_vault.vault_read: - path: "auth/approle/role/{{ role_name }}/role-id" - register: role_id - - - name: Generate a secret-id for the given approle - community.hashi_vault.vault_write: - path: "auth/approle/role/{{ role_name }}/secret-id" - register: secret_id - - - name: "Write role_id to {{ role_id_file }}" - ansible.builtin.copy: - content: "{{ role_id.data.data.role_id }}" - dest: "{{ role_id_file }}" - mode: '0644' - - - name: "Write secret_id to {{ secret_id_file }}" - ansible.builtin.copy: - content: "{{ secret_id.data.data.secret_id }}" - dest: "{{ secret_id_file }}" - mode: '0644' + - vault_scenario_enabled is defined and vault_scenario_enabled + block: + - name: Display Ansible version + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" + + - name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + + - name: "Install pip" + become: yes + ansible.builtin.package: + name: python3-pip + state: present + + - name: "Install Vault on RHEL 8 ({{ ansible_distribution_major_version }})" + ansible.builtin.include_tasks: vault_yum.yml + when: + - ansible_distribution_major_version == "8" + + - name: "Install vault using snap on RHEL 9 ({{ ansible_distribution_major_version }})" + ansible.builtin.include_tasks: vault_snap.yml + when: + - ansible_distribution_major_version == "9" + + - name: Install hvac python package + ansible.builtin.pip: + name: hvac + + - name: "Set up Vault env - Start dev server in background for 5 minutes" + 
become: yes + ansible.builtin.shell: "vault server -dev -dev-root-token-id={{ root_vault_token }}" + async: 300 + poll: 0 + register: result + + - name: "Show the Vault server start result" + ansible.builtin.debug: + msg: "{{ result }}" + + - name: Create a temporary shell script file + become: yes + ansible.builtin.copy: + content: | + #!/bin/bash + set -x + sleep 5 + echo "Create test policy to read on path: secret/*" + echo 'path "secret/*" { + capabilities = ["list", "read"] + }' | vault policy write test - + echo "Enable approle auth method" + vault auth enable approle + echo "Set up the role_id " + vault write auth/approle/role/{{ role_name }} secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m secret_id_num_uses=40 policies="default","test" + dest: /tmp/setup_vault.sh + mode: '0755' + + - name: Execute the script to set up Vault + become: yes + command: '/tmp/setup_vault.sh' + register: script_output + + - name: Display script output for debugging purpose + debug: + var: script_output.stdout_lines + + - name: Remove the temporary script file + ansible.builtin.file: + path: /tmp/setup_vault.sh + state: absent + + - name: "Set up Vault env - Write test data" + become: yes + ansible.builtin.shell: | + vault kv put {{ vault_mount }}/{{ item.vault_path }} {{ item.secrets }} + with_items: "{{ test_secrets }}" + + - name: "Read role_id for role: {{ role_name }} " + community.hashi_vault.vault_read: + path: "auth/approle/role/{{ role_name }}/role-id" + register: role_id + + - name: Generate a secret-id for the given approle + community.hashi_vault.vault_write: + path: "auth/approle/role/{{ role_name }}/secret-id" + register: secret_id + + - name: "Write role_id to {{ role_id_file }}" + ansible.builtin.copy: + content: "{{ role_id.data.data.role_id }}" + dest: "{{ role_id_file }}" + mode: '0644' + + - name: "Write secret_id to {{ secret_id_file }}" + ansible.builtin.copy: + content: "{{ secret_id.data.data.secret_id }}" + dest: "{{ secret_id_file }}" 
+ mode: '0644' diff --git a/molecule/vault/vars.yml b/molecule/vault/vars.yml index 78283c06..315cfebe 100644 --- a/molecule/vault/vars.yml +++ b/molecule/vault/vars.yml @@ -1,4 +1,5 @@ --- +vault_scenario_enabled: True ansible_hashi_vault_addr: 'http://127.0.0.1:8200' root_vault_token: 'root-token' role_name: 'jboss-set' @@ -16,4 +17,4 @@ test_secrets: "secrets": "olympus_ip=127.0.0.1 olympus_fqdn=olympus.host.local" } role_id_file: '/tmp/role_id' -secret_id_file: '/tmp/secret_id' \ No newline at end of file +secret_id_file: '/tmp/secret_id' diff --git a/molecule/vault/vault_snap.yml b/molecule/vault/vault_snap.yml index 6ab4065e..618915bf 100644 --- a/molecule/vault/vault_snap.yml +++ b/molecule/vault/vault_snap.yml @@ -3,13 +3,23 @@ become: yes block: - name: "Ensure EPEL Release for RHEL 9 is configured" - ansible.builtin.command: "sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm" + ansible.builtin.command: "dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm" - name: "Ensure Snap is installed" - ansible.builtin.command: "sudo yum install snapd" + ansible.builtin.command: "dnf install -y snapd" - name: "Ensure Snapd.socket is enabled" - ansible.builtin.command: "sudo systemctl enable --now snapd.socket" + ansible.builtin.command: "systemctl enable --now snapd.socket" + + - name: "Wait for Snapd to seed." + ansible.builtin.wait_for: + timeout: 60 - name: "Ensure {{ package_name }} is installed." - ansible.builtin.command: "sudo snap install {{ package_name }}" + block: + - name: "First try..." + ansible.builtin.command: "snap install vault" + rescue: + - name: "Second try..." + ansible.builtin.command: "snap install vault" + diff --git a/molecule/vault/verify.yml b/molecule/vault/verify.yml deleted file mode 100644 index 1bddf8b6..00000000 --- a/molecule/vault/verify.yml +++ /dev/null 
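Review bot: The AppRole `secret_id` is written to `{{ secret_id_file }}` with `mode: '0644'`, i.e. world-readable, and the `vault_write` task that generates it is not `no_log`, so the credential also lands in the Ansible output; even for a throwaway test container the file should be `mode: '0600'` and both the `Generate a secret-id` and `Write secret_id` tasks should carry `no_log: true`. The same applies in spirit to `vault kv put ... {{ item.secrets }}`, which puts the test secrets on the command line and in the log. The `Install sudo if user is root` task runs `yum` without `become`, which is correct only because the `when` guarantees root; a comment stating that would save the next reader a question.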
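Review bot: `dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm` via `ansible.builtin.command` installs a package given by URL as root, and dnf does not signature-check URL/local packages unless `localpkg_gpgcheck` is enabled (it is off by default), so the only protection here is TLS to the mirror; import the EPEL 9 signing key first and install through the `ansible.builtin.dnf` module, which also makes the task idempotent instead of reporting changed on every run (the same goes for `dnf install -y snapd`). The key URL below is the one published next to the release RPM; confirm its fingerprint before relying on it. Separately, the task name interpolates `{{ package_name }}` but both retries hard-code `snap install vault`, and the `wait_for: timeout: 60` is a blind sleep where `snap wait system seed.loaded` is the supported readiness check.
```yaml
- name: "Ensure the EPEL 9 signing key is trusted"
  ansible.builtin.rpm_key:
    state: present
    key: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9

- name: "Ensure EPEL Release for RHEL 9 is configured"
  ansible.builtin.dnf:
    name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
    state: present
    disable_gpg_check: false

- name: "Ensure Snap is installed"
  ansible.builtin.dnf:
    name: snapd
    state: present
# … unchanged: snapd.socket, seed wait, snap install block/rescue …
```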
@@ -1,21 +0,0 @@ ---- -- name: Verify for vault role - hosts: all - become: yes - vars_files: - - vars.yml - gather_facts: false - - tasks: - - name: "Include vault tasks" - ansible.builtin.include_tasks: vault.yml - - - name: Check variables - ansible.builtin.assert: - that: - - ansible_site == 'ansible.com' - - ansible_nodename == 'node1' - - olympus_ip == '127.0.0.1' - - olympus_fqdn == 'olympus.host.local' - fail_msg: "Secrets in Vault should be converted to Anislbe variables" - success_msg: "Great, it passed!" From 571c1d171a5907cda69de1ac276ebeb09df9ea1e Mon Sep 17 00:00:00 2001 From: Romain Pelisse Date: Mon, 11 Mar 2024 17:44:19 +0100 Subject: [PATCH 3/4] Replace Molecule default driver by podman --- molecule/account/molecule.yml | 2 +- molecule/cron/molecule.yml | 2 +- molecule/qualys_fix/prepare.yml | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/molecule/account/molecule.yml b/molecule/account/molecule.yml index 9d3c118e..dadc01ea 100644 --- a/molecule/account/molecule.yml +++ b/molecule/account/molecule.yml @@ -1,6 +1,6 @@ --- driver: - name: docker + name: podman platforms: - name: instance image: registry.access.redhat.com/ubi8/ubi-init:latest diff --git a/molecule/cron/molecule.yml b/molecule/cron/molecule.yml index bd24f45f..c2a09a3d 100644 --- a/molecule/cron/molecule.yml +++ b/molecule/cron/molecule.yml @@ -1,6 +1,6 @@ --- driver: - name: docker + name: podman platforms: - name: instance image: registry.access.redhat.com/ubi8/ubi-init:latest diff --git a/molecule/qualys_fix/prepare.yml b/molecule/qualys_fix/prepare.yml index 44d2cabb..1d40db08 100644 --- a/molecule/qualys_fix/prepare.yml +++ b/molecule/qualys_fix/prepare.yml @@ -15,6 +15,7 @@ - ansible_user_id == "root" - name: Creates directory + become: yes ansible.builtin.file: path: /root/.ansible/roles/infosec.qualys-cloud-agent/tasks/ state: directory From 2ed48f7642334a4bfc76777260e9fd84bd64f294 Mon Sep 17 00:00:00 2001 
From: Romain Pelisse Date: Tue, 12 Mar 2024 07:44:42 +0100 Subject: [PATCH 4/4] Reduce code duplication in molecule scenarios prepare phase --- molecule/account/prepare.yml | 12 ++------ molecule/aphrodite/prepare.yml | 33 ++++++---------------- molecule/aphrodite/vars.yml | 1 + molecule/bashrc/prepare.yml | 12 ++------ molecule/cron/prepare.yml | 26 +++++------------- molecule/fast_yum_install/prepare.yml | 12 ++------ molecule/git/prepare.yml | 31 +++++---------------- molecule/git/vars.yml | 3 +- molecule/hosts/prepare.yml | 30 ++++---------------- molecule/java/prepare.yml | 12 ++------ molecule/kdump/prepare.yml | 12 ++------ molecule/motd/prepare.yml | 21 ++++++-------- molecule/netrc/prepare.yml | 29 +++++--------------- molecule/prepare.yml | 38 ++++++++++++++++++++++---- molecule/qualys_fix/prepare.yml | 23 +++++----------- molecule/vault/converge.yml | 3 ++ molecule/vault/is_scenario_enabled.yml | 10 +++++++ molecule/vault/molecule.yml | 2 +- molecule/vault/prepare.yml | 15 ++++------ molecule/vault/vars.yml | 1 - molecule/vault/vault_snap.yml | 2 +- 21 files changed, 116 insertions(+), 212 deletions(-) create mode 100644 molecule/vault/is_scenario_enabled.yml diff --git a/molecule/account/prepare.yml b/molecule/account/prepare.yml index d4b19bc7..be19923b 100644 --- a/molecule/account/prepare.yml +++ b/molecule/account/prepare.yml @@ -4,13 +4,5 @@ gather_facts: yes tasks: - - name: "Display Ansible version" - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml diff --git a/molecule/aphrodite/prepare.yml b/molecule/aphrodite/prepare.yml index cbc0e834..5822c469 100644 --- a/molecule/aphrodite/prepare.yml +++ b/molecule/aphrodite/prepare.yml 
@@ -6,34 +6,19 @@ - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" - - name: Add the user jenkins - ansible.builtin.user: - name: jenkins - - - name: Creates directory - become: yes - ansible.builtin.file: - path: /opt/tools - state: directory - owner: jenkins - group: jenkins - mode: 0644 + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml + vars: + users: + - "{{ aphrodite_user }}" + dirs: + - { path: /opt/tools, owner: "{{ aphrodite_user }}", group: "{{ aphrodite_user }}" } - name: "Deploy aphrodite configuration to {{ aphrodite.path }}" become: yes ansible.builtin.template: src: "../../roles/aphrodite/templates/aphrodite.json.j2" dest: "{{ aphrodite.path }}" - owner: jenkins - group: jenkins + owner: "{{ aphrodite_user }}" + group: "{{ aphrodite_user }}" mode: 0644 diff --git a/molecule/aphrodite/vars.yml b/molecule/aphrodite/vars.yml index 248c7a39..e97e834e 100644 --- a/molecule/aphrodite/vars.yml +++ b/molecule/aphrodite/vars.yml @@ -1,4 +1,5 @@ --- +aphrodite_user: jenkins aphrodite: trackers: bugzilla: diff --git a/molecule/bashrc/prepare.yml b/molecule/bashrc/prepare.yml index fc227df7..be19923b 100644 --- a/molecule/bashrc/prepare.yml +++ b/molecule/bashrc/prepare.yml @@ -4,13 +4,5 @@ gather_facts: yes tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml diff --git a/molecule/cron/prepare.yml b/molecule/cron/prepare.yml index fbafd3cc..559467a3 100644 --- a/molecule/cron/prepare.yml +++ b/molecule/cron/prepare.yml 
@@ -6,22 +6,10 @@ - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" - - - name: Creates directory - become: yes - ansible.builtin.file: - path: /opt/tools - state: directory - owner: root - group: root - mode: 0745 + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml + vars: + users: + - "{{ aphrodite_user }}" + dirs: + - { path: '/opt/tools', mode: '0745' } diff --git a/molecule/fast_yum_install/prepare.yml b/molecule/fast_yum_install/prepare.yml index fc227df7..be19923b 100644 --- a/molecule/fast_yum_install/prepare.yml +++ b/molecule/fast_yum_install/prepare.yml @@ -4,13 +4,5 @@ gather_facts: yes tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml diff --git a/molecule/git/prepare.yml b/molecule/git/prepare.yml index 9ef50b3c..d5fe708f 100644 --- a/molecule/git/prepare.yml +++ b/molecule/git/prepare.yml 
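Review bot: The cron scenario's prepare now passes `users: - "{{ aphrodite_user }}"`, but `aphrodite_user` is introduced in this same patch in `molecule/aphrodite/vars.yml`, and this play loads only its own `vars.yml`; unless that file also defines the variable (not shown here), prepare fails with an undefined variable. The old prepare only created `/opt/tools`, so the `users:` entry looks like a copy-paste from the aphrodite scenario and can be dropped, leaving `vars: dirs: - { path: '/opt/tools', mode: '0745' }`. If a user really is needed, define a scenario-local `cron_user` in `molecule/cron/vars.yml` rather than reaching into another scenario's name.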
@@ -6,27 +6,10 @@ - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" - - - name: Add the user jenkins - become: yes - ansible.builtin.user: - name: jenkins - - - name: Creates directory - become: yes - ansible.builtin.file: - path: /home/jenkins - state: directory - owner: jenkins - group: jenkins - mode: 0644 + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml + vars: + users: + - "{{ git_user }}" + dirs: + - { path: /home/jenkins, owner: "{{ git_user }}", group: "{{ git_user }}" } diff --git a/molecule/git/vars.yml b/molecule/git/vars.yml index dba7486c..f6fbaedc 100644 --- a/molecule/git/vars.yml +++ b/molecule/git/vars.yml @@ -1,4 +1,5 @@ --- +git_user: jenkins git: ssl: verify: false @@ -10,4 +11,4 @@ git: - user: jenkins email: jboss-set@redhat.com name: "JBoss SET" - home: "/home/jenkins/" \ No newline at end of file + home: "/home/jenkins/" diff --git a/molecule/hosts/prepare.yml b/molecule/hosts/prepare.yml index 938ec0b6..b1dbe446 100644 --- a/molecule/hosts/prepare.yml +++ b/molecule/hosts/prepare.yml 
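Review bot: The `dirs` entry hard-codes `path: /home/jenkins` while `owner`/`group` are taken from `git_user`, so changing `git_user` in vars.yml would create a home owned by one user under another's name; use `path: "/home/{{ git_user }}"`. The previous `mode: 0644` on the home directory (no execute bit, so not traversable) is dropped, which is an improvement, but the effective mode now comes from `../prepare.yml`, which is outside this chunk, so verify that the shared task applies a sane default such as `"0750"` for home directories.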
@@ -5,31 +5,13 @@ vars_files: - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml + vars: + dirs: + - { path: /etc/fake_hosts, state: touch, mode: 0644 } + - { path: /etc/real_hosts, state: touch, mode: 0644 } - name: "Include fast_yum_install" ansible.builtin.include_role: name: "fast_yum_install" - - - name: Creates /etc/fake_hosts directory - become: yes - ansible.builtin.file: - path: /etc/fake_hosts - state: touch - mode: 0644 - - - name: Creates /etc/real_hosts directory - become: yes - ansible.builtin.file: - path: /etc/real_hosts - state: touch - mode: 0644 diff --git a/molecule/java/prepare.yml b/molecule/java/prepare.yml index 97188bc5..7db891b1 100644 --- a/molecule/java/prepare.yml +++ b/molecule/java/prepare.yml @@ -5,16 +5,8 @@ vars_files: - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml - ansible.builtin.assert: that: diff --git a/molecule/kdump/prepare.yml b/molecule/kdump/prepare.yml index fc227df7..be19923b 100644 --- a/molecule/kdump/prepare.yml +++ b/molecule/kdump/prepare.yml @@ -4,13 +4,5 @@ gather_facts: yes tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml 
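Review bot: `mode: 0644` in the two new flow mappings is unquoted, so YAML reads it as the integer 420 (octal in YAML 1.1) before it reaches the shared include, which then templates it through `{{ dir.mode | default('0644') }}`; Ansible treats a digit string as octal, so depending on how the templated value is coerced the files can end up `0420` rather than `0644`. Quote it as the aphrodite scenario does: `- { path: /etc/fake_hosts, state: touch, mode: '0644' }` and likewise for `/etc/real_hosts`. The touch tasks now run before `fast_yum_install` instead of after it; that looks harmless, but if the ordering is deliberate a one-line comment would save the next reader from wondering.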
diff --git a/molecule/motd/prepare.yml b/molecule/motd/prepare.yml index f7a34b82..06669491 100644 --- a/molecule/motd/prepare.yml +++ b/molecule/motd/prepare.yml @@ -6,27 +6,22 @@ - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" - - - ansible.builtin.assert: + - name: "Check that path to motd file has been defined" + ansible.builtin.assert: that: - motd_path is defined quiet: true - - ansible.builtin.stat: + - name: "Load metadata on {{ motd_path }}" + ansible.builtin.stat: path: "{{ motd_path }}" register: file_details - - ansible.builtin.assert: + - name: "Ensure that {{ motd_path }} exists." + ansible.builtin.assert: that: - file_details is defined - file_details.stat is defined diff --git a/molecule/netrc/prepare.yml b/molecule/netrc/prepare.yml index 66ac09fc..6f5f8996 100644 --- a/molecule/netrc/prepare.yml +++ b/molecule/netrc/prepare.yml @@ -5,26 +5,11 @@ vars_files: - vars.yml tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" - - - name: Add the user jenkins - ansible.builtin.user: - name: jenkins - - - name: Creates directory - become: yes - ansible.builtin.file: - path: /home/jenkins - state: directory - owner: jenkins - group: jenkins - mode: 0644 + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml + vars: + users: + - "{{ user_name }}" + dirs: + - { path: "/home/{{ user_name }}", owner: "{{ user_name }}", group: "{{ user_name }}" } 
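Review bot: The task now named "Ensure that {{ motd_path }} exists." asserts only `file_details is defined` and `file_details.stat is defined`, and `ansible.builtin.stat` returns a `stat` mapping (with `exists: false`) for a missing path too, so on the lines visible here the name promises more than the check delivers. Unless the `that:` list continues past the hunk with an existence condition, add `- file_details.stat.exists` as a third entry. The added task names are otherwise a clear readability improvement.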
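Review bot: `ansible.builtin.user` in the shared include already creates `/home/{{ user_name }}` (create_home defaults to true), so the new `dirs` entry only re-applies ownership and the include's default mode to a directory that exists by then; with no `mode` given, that default is the file mode `'0644'` declared in `../prepare.yml` in this commit, which strips the execute bit and leaves the user unable to enter their own home. Either drop the entry or pass a directory mode explicitly: `- { path: "/home/{{ user_name }}", owner: "{{ user_name }}", group: "{{ user_name }}", mode: '0755' }`. The old task used the same `0644`, so this is pre-existing, but the refactor turns it into the default for every scenario.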
diff --git a/molecule/prepare.yml b/molecule/prepare.yml index 68a403bd..90d1f9bc 100644 --- a/molecule/prepare.yml +++ b/molecule/prepare.yml @@ -1,8 +1,34 @@ --- -- name: Prepare - hosts: all - tasks: +- name: "Display Ansible version" + ansible.builtin.debug: + msg: "Ansible version is {{ ansible_version.full }}" - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" +- name: "Install sudo if user is root" + ansible.builtin.yum: + name: sudo + state: present + when: + - ansible_user_id == "root" + +- name: Add the user "{{ user }}" + ansible.builtin.user: + name: "{{ user }}" + when: + - users is defined and users | length > 0 + loop: "{{ users }}" + loop_control: + loop_var: user + +- name: "Creates directory" + become: yes + ansible.builtin.file: + path: "{{ dir.path }}" + state: "{{ dir.state | default('directory') }}" + owner: "{{ dir.owner | default('root') }}" + group: "{{ dir.group | default('root') }}" + mode: "{{ dir.mode | default('0644') }}" + when: + - dirs is defined and dirs | length > 0 + loop: "{{ dirs }}" + loop_control: + loop_var: dir diff --git a/molecule/qualys_fix/prepare.yml b/molecule/qualys_fix/prepare.yml index 1d40db08..473f3ee9 100644 --- a/molecule/qualys_fix/prepare.yml +++ b/molecule/qualys_fix/prepare.yml @@ -3,20 +3,11 @@ hosts: all gather_facts: yes tasks: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" - - - name: Creates directory - become: yes - ansible.builtin.file: - path: /root/.ansible/roles/infosec.qualys-cloud-agent/tasks/ - state: directory - mode: 0644 + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml + vars: + users: + - "{{ user_name }}" + dirs: + - { path: "/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/" } 
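Review bot: The `Add the user` task loops over `{{ users }}` but carries no `become`, whereas the old git scenario added its user with `become: yes`; on a non-root target — the case this commit is about — `useradd` fails with permission denied, so add `become: true` like the directory task has. Both loops also read `users`/`dirs` directly while guarding with `when: … is defined`; Ansible evaluates `loop` before `when`, so scenarios that include this file without passing them (fast_yum_install, java, kdump, vault) hit an undefined-variable error instead of skipping — use `loop: "{{ users | default([]) }}"` / `loop: "{{ dirs | default([]) }}"` and drop the `when`. Finally `mode` defaults to `'0644'` while `state` defaults to `directory`; a directory without the execute bit cannot be traversed, so default to `'0755'` and let `state: touch` callers pass `0644` explicitly.
```yaml
- name: "Add the user {{ user }}"
  become: true
  ansible.builtin.user:
    name: "{{ user }}"
  loop: "{{ users | default([]) }}"
  loop_control:
    loop_var: user

- name: "Creates directory"
  become: true
  ansible.builtin.file:
    # … unchanged: path, state, owner, group …
    mode: "{{ dir.mode | default('0755') }}"
  loop: "{{ dirs | default([]) }}"
  loop_control:
    loop_var: dir
```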
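Review bot: The new `users` entry references `user_name`, but the play shown here has no `vars_files` (only `hosts: all` and `gather_facts: yes` precede `tasks:`), so unless the one-line change to `molecule/qualys_fix/molecule.yml` in this commit supplies it through the inventory, the include fails on an undefined variable; either add `vars_files: - vars.yml` or drop the `users` block, which the old prepare did not have. The `dirs` entry for `/root/.ansible/roles/infosec.qualys-cloud-agent/tasks/` passes no `mode`, so it inherits the include's file-oriented default for a directory; state `mode: '0755'` (or whatever the old `0644` really intended) explicitly so the intent survives future changes to the shared default.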
diff --git a/molecule/vault/converge.yml b/molecule/vault/converge.yml index 0344f4e2..da72af7c 100644 --- a/molecule/vault/converge.yml +++ b/molecule/vault/converge.yml @@ -4,6 +4,9 @@ vars_files: - vars.yml tasks: + - name: "Ensure scenario can be run in this execution context." + ansible.builtin.include_tasks: is_scenario_enabled.yml + - name: "Include vault tasks" ansible.builtin.include_tasks: vault.yml when: diff --git a/molecule/vault/is_scenario_enabled.yml b/molecule/vault/is_scenario_enabled.yml new file mode 100644 index 00000000..2a2a266e --- /dev/null +++ b/molecule/vault/is_scenario_enabled.yml @@ -0,0 +1,10 @@ +--- +- name: "Determine if scenario should be run" + ansible.builtin.set_fact: + vault_scenario_enabled: True + when: + - not vault_scenario_enabled is defined and ansible_distribution_major_version == "8" + +- name: "Inform user that scenario is NOT being run" + ansible.builtin.debug: + msg: "Molecule is NOT running on RHEL8 but RHEL{{ ansible_distribution_major_version }}, Vault scenario cannot be executed" diff --git a/molecule/vault/molecule.yml b/molecule/vault/molecule.yml index 5eb829e4..8c3d2975 100644 --- a/molecule/vault/molecule.yml +++ b/molecule/vault/molecule.yml @@ -3,7 +3,7 @@ driver: name: podman platforms: - name: instance - image: registry.access.redhat.com/ubi8/ubi-init:latest + image: registry.access.redhat.com/ubi9/ubi-init:latest pre_build_image: true privileged: true command: "/usr/sbin/init" diff --git a/molecule/vault/prepare.yml b/molecule/vault/prepare.yml index 0766c37a..145e6da5 100644 --- a/molecule/vault/prepare.yml +++ b/molecule/vault/prepare.yml 
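Review bot: The second task prints "Molecule is NOT running on RHEL8 …" unconditionally, so the message also appears right after the first task has enabled the scenario on a RHEL 8 target; guard it with `when: not (vault_scenario_enabled | default(false))`. Since `molecule/vault/molecule.yml` in this same commit moves the instance to `ubi9`, the `ansible_distribution_major_version == "8"` condition is false on the default image and the Vault scenario is effectively skipped in CI — if that is intended, a comment at the top of this file should say so. Prefer `true` over `True` for the fact value (yamllint `truthy`).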
@@ -7,20 +7,15 @@ environment: - VAULT_ADDR: "{{ ansible_hashi_vault_addr }}" tasks: + - name: "Ensure scenario can be run in this execution context" + ansible.builtin.include_tasks: is_scenario_enabled.yml + - name: "Prepare for Vault scenario (if enabled)" when: - vault_scenario_enabled is defined and vault_scenario_enabled block: - - name: Display Ansible version - ansible.builtin.debug: - msg: "Ansible version is {{ ansible_version.full }}" - - - name: "Install sudo if user is root" - ansible.builtin.yum: - name: sudo - state: present - when: - - ansible_user_id == "root" + - name: "Include common prepare tasks" + ansible.builtin.include_tasks: ../prepare.yml - name: "Install pip" become: yes diff --git a/molecule/vault/vars.yml b/molecule/vault/vars.yml index 315cfebe..2e9de1b1 100644 --- a/molecule/vault/vars.yml +++ b/molecule/vault/vars.yml @@ -1,5 +1,4 @@ --- -vault_scenario_enabled: True ansible_hashi_vault_addr: 'http://127.0.0.1:8200' root_vault_token: 'root-token' role_name: 'jboss-set' diff --git a/molecule/vault/vault_snap.yml b/molecule/vault/vault_snap.yml index 618915bf..eb7c37a2 100644 --- a/molecule/vault/vault_snap.yml +++ b/molecule/vault/vault_snap.yml @@ -6,7 +6,7 @@ ansible.builtin.command: "dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm" - name: "Ensure Snap is installed" - ansible.builtin.command: "dnf install -y snapd" + ansible.builtin.command: "dnf install -y squashfs snapd" - name: "Ensure Snapd.socket is enabled" ansible.builtin.command: "systemctl enable --now snapd.socket"
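Review bot: `ansible.builtin.command: "dnf install -y squashfs snapd"` would be better as the `ansible.builtin.dnf` module with `name: [snapd, squashfs]` and `state: present`: the task is named "Ensure … is installed" but a raw `dnf install` always reports `changed`, and unlike the `Install pip` task in vault/prepare.yml it carries no `become`. Please also confirm that the package name `squashfs` resolves on ubi9/EPEL 9 — the user-space tooling is normally packaged as `squashfs-tools`, and `dnf` aborts the whole task on an unknown argument. The enclosing task list begins before this hunk.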