From 4b85e03e3e334609be93d026a867a23fe71fd346 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Thu, 30 Nov 2023 18:50:21 +0100 Subject: [PATCH] feaT: add become: true to not rely on ansible.cfg, add vagrant tests for later --- molecule/default/verify.yml | 2 + molecule/default_vagrant/converge.yml | 7 ++ molecule/default_vagrant/molecule.yml | 35 +++++++ molecule/default_vagrant/requirements.yml | 3 + molecule/default_vagrant/verify.yml | 73 ++++++++++++++ molecule/with_ssh_keys/verify.yml | 4 + molecule/with_ssh_keys_vagrant/converge.yml | 7 ++ .../with_ssh_keys_vagrant/group_vars/all.yml | 12 +++ molecule/with_ssh_keys_vagrant/molecule.yml | 35 +++++++ .../with_ssh_keys_vagrant/requirements.yml | 3 + molecule/with_ssh_keys_vagrant/verify.yml | 95 +++++++++++++++++++ tasks/add_ssh_keys.yml | 1 + tasks/create_user.yml | 3 + 13 files changed, 280 insertions(+) create mode 100644 molecule/default_vagrant/converge.yml create mode 100644 molecule/default_vagrant/molecule.yml create mode 100644 molecule/default_vagrant/requirements.yml create mode 100644 molecule/default_vagrant/verify.yml create mode 100644 molecule/with_ssh_keys_vagrant/converge.yml create mode 100644 molecule/with_ssh_keys_vagrant/group_vars/all.yml create mode 100644 molecule/with_ssh_keys_vagrant/molecule.yml create mode 100644 molecule/with_ssh_keys_vagrant/requirements.yml create mode 100644 molecule/with_ssh_keys_vagrant/verify.yml diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 0b1377a..7105ce6 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -48,6 +48,7 @@ ansible.builtin.stat: path: "/etc/sudoers.d/ansible" register: stat_etc_sudoers_d_ansible + become: true - name: "Verify file /etc/sudoers.d/ansible" ansible.builtin.assert: 
@@ -60,6 +61,7 @@ ansible.builtin.stat: path: "/opt/ansible/.ssh/authorized_keys" register: stat_opt_ansible_ssh_authorized_keys + become: true - name: "Verify file /opt/ansible/.ssh/authorized_keys" ansible.builtin.assert: diff --git a/molecule/default_vagrant/converge.yml b/molecule/default_vagrant/converge.yml new file mode 100644 index 0000000..4bcc437 --- /dev/null +++ b/molecule/default_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.provision_ansible_user" + ansible.builtin.include_role: + name: "ednxzu.provision_ansible_user" diff --git a/molecule/default_vagrant/molecule.yml b/molecule/default_vagrant/molecule.yml new file mode 100644 index 0000000..2b02360 --- /dev/null +++ b/molecule/default_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: default_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/default_vagrant/requirements.yml b/molecule/default_vagrant/requirements.yml new file mode 100644 index 0000000..e9320f9 --- /dev/null +++ b/molecule/default_vagrant/requirements.yml @@ -0,0 +1,3 @@ +--- +# requirements file for molecule +roles: [] diff --git a/molecule/default_vagrant/verify.yml b/molecule/default_vagrant/verify.yml new file mode 100644 index 0000000..ca1120d --- /dev/null +++ b/molecule/default_vagrant/verify.yml 
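Review bot: `box: generic/${MOLECULE_TEST_OS}` in molecule/default_vagrant/molecule.yml has no fallback, so with the variable unset the scenario asks Vagrant for the box `generic/` and fails at the `create` step with an error that never names the missing variable; Molecule's interpolation accepts a default of the form `${MOLECULE_TEST_OS:-<box-suffix>}` (placeholder), or the verifier could assert the variable is set before anything else. The same applies to molecule/with_ssh_keys_vagrant/molecule.yml, which is identical to this file apart from `scenario.name`. `remote_tmp: /tmp/.ansible` moves module staging out of the connecting user's home into a world-writable directory; Ansible appears to create a per-run subdirectory underneath it, so on a disposable Vagrant VM this is acceptable, but the reason for overriding the default is not visible here and a comment such as `# staged files must stay readable across become — keep tmp outside $HOME` (if that is the reason) would save the next reader guessing.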
@@ -0,0 +1,73 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + vars: + etc_hosts_group: + ubuntu: "adm" + debian: "root" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == etc_hosts_group[(ansible_distribution|lower)] + + - name: "Test: ansible user and group" + block: + - name: "Getent user ansible" + ansible.builtin.getent: + database: passwd + key: ansible + register: ednxzu_ansible_user + + - name: "Getent group ansible" + ansible.builtin.getent: + database: group + key: ansible + register: ednxzu_ansible_group + + - name: "Verify ansible user and group" + ansible.builtin.assert: + that: + - not ednxzu_ansible_user.failed + - not ednxzu_ansible_group.failed + - "'ansible' in ednxzu_ansible_user.ansible_facts.getent_passwd.keys()" + - "'/opt/ansible' in ednxzu_ansible_user.ansible_facts.getent_passwd['ansible']" + - "'/bin/bash' in ednxzu_ansible_user.ansible_facts.getent_passwd['ansible']" + - "'ansible' in ednxzu_ansible_group.ansible_facts.getent_group.keys()" + + - name: "Test: ansible sudo permissions" + block: + - name: "Stat file /etc/sudoers.d/ansible" + ansible.builtin.stat: + path: "/etc/sudoers.d/ansible" + register: stat_etc_sudoers_d_ansible + become: true + + - name: "Verify file /etc/sudoers.d/ansible" + ansible.builtin.assert: + that: + - not stat_etc_sudoers_d_ansible.stat.exists + + - name: "Test: ansible authorized_keys" + block: + - name: "Stat file /opt/ansible/.ssh/authorized_keys" + ansible.builtin.stat: + path: "/opt/ansible/.ssh/authorized_keys" + register: stat_opt_ansible_ssh_authorized_keys + become: true + + - name: "Verify file /opt/ansible/.ssh/authorized_keys" + ansible.builtin.assert: + that: + - not 
stat_opt_ansible_ssh_authorized_keys.stat.exists diff --git a/molecule/with_ssh_keys/verify.yml b/molecule/with_ssh_keys/verify.yml index 355e164..8085d31 100644 --- a/molecule/with_ssh_keys/verify.yml +++ b/molecule/with_ssh_keys/verify.yml @@ -48,11 +48,13 @@ ansible.builtin.stat: path: "/etc/sudoers.d/ansible" register: stat_etc_sudoers_d_ansible + become: true - name: "Slurp file /etc/sudoers.d/ansible" ansible.builtin.slurp: src: "/etc/sudoers.d/ansible" register: slurp_etc_sudoers_d_ansible + become: true - name: "Verify file /etc/sudoers.d/ansible" ansible.builtin.assert: @@ -70,11 +72,13 @@ ansible.builtin.stat: path: "/opt/ansible/.ssh/authorized_keys" register: stat_opt_ansible_ssh_authorized_keys + become: true - name: "Slurp file /opt/ansible/.ssh/authorized_keys" ansible.builtin.slurp: src: "/opt/ansible/.ssh/authorized_keys" register: slurp_opt_ansible_ssh_authorized_keys + become: true - name: "Verify file /opt/ansible/.ssh/authorized_keys" ansible.builtin.assert: diff --git a/molecule/with_ssh_keys_vagrant/converge.yml b/molecule/with_ssh_keys_vagrant/converge.yml new file mode 100644 index 0000000..4bcc437 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.provision_ansible_user" + ansible.builtin.include_role: + name: "ednxzu.provision_ansible_user" diff --git a/molecule/with_ssh_keys_vagrant/group_vars/all.yml b/molecule/with_ssh_keys_vagrant/group_vars/all.yml new file mode 100644 index 0000000..0cd9858 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/group_vars/all.yml 
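Review bot: `etc_hosts_group[(ansible_distribution|lower)]` in the "Verify file /etc/hosts" task of molecule/default_vagrant/verify.yml only defines the keys `ubuntu` and `debian`, while the box is chosen by `MOLECULE_TEST_OS`, so any other distribution aborts with an undefined-key error instead of a readable assertion failure; either document that the scenario supports only those two or add `- (ansible_distribution|lower) in etc_hosts_group` as the first item of `that:` with a `fail_msg`. The `not ednxzu_ansible_user.failed` and `not ednxzu_ansible_group.failed` checks never trigger as written, because `ansible.builtin.getent` fails the task itself when the key is absent (its `fail_key` option defaults to true), so the block errors before the assert runs; `fail_key: false` on the two getent tasks would let the assertion report the missing user or group. The same two points apply to molecule/with_ssh_keys_vagrant/verify.yml, which shares these tasks. The /etc/hosts check appears unrelated to what the role provisions; if it is meant as a driver smoke test, a comment saying so would stop it being mistaken for a role assertion.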
@@ -0,0 +1,12 @@ +--- +provision_ansible_user_name: ansible +provision_ansible_user_group: ansible +provision_ansible_user_password: "*" +provision_ansible_user_is_system: true +provision_ansible_user_home: /opt/{{ provision_ansible_user_name }} +provision_ansible_user_shell: /bin/bash +provision_ansible_user_sudoer: true +provision_ansible_user_add_ssh_key: true +provision_ansible_user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9" +provision_ansible_user_ssh_key_options: "" +provision_ansible_user_ssh_key_exclusive: true diff --git a/molecule/with_ssh_keys_vagrant/molecule.yml b/molecule/with_ssh_keys_vagrant/molecule.yml new file mode 100644 index 0000000..25f66bc --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: with_ssh_keys_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/with_ssh_keys_vagrant/requirements.yml b/molecule/with_ssh_keys_vagrant/requirements.yml new file mode 100644 index 0000000..e9320f9 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/requirements.yml @@ -0,0 +1,3 @@ +--- +# requirements file for molecule +roles: [] diff --git a/molecule/with_ssh_keys_vagrant/verify.yml b/molecule/with_ssh_keys_vagrant/verify.yml new file mode 100644 index 0000000..d11ee54 --- /dev/null +++ b/molecule/with_ssh_keys_vagrant/verify.yml 
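Review bot: `provision_ansible_user_home: /opt/{{ provision_ansible_user_name }}` is the only templated value in molecule/with_ssh_keys_vagrant/group_vars/all.yml left unquoted; it parses because the scalar does not start with `{{`, but `provision_ansible_user_home: "/opt/{{ provision_ansible_user_name }}"` matches the other string values and stays valid if the expression is ever moved to the front. A one-line comment above `provision_ansible_user_password: "*"`, such as `# "*" is not a valid hash, so password login is disabled; the SSH key below is the only credential`, would make the fixture's intent explicit, since the verify playbook checks the key and never the password.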
@@ -0,0 +1,95 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + vars: + etc_hosts_group: + ubuntu: "adm" + debian: "root" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == etc_hosts_group[(ansible_distribution|lower)] + + - name: "Test: ansible user and group" + block: + - name: "Getent user ansible" + ansible.builtin.getent: + database: passwd + key: ansible + register: ednxzu_ansible_user + + - name: "Getent group ansible" + ansible.builtin.getent: + database: group + key: ansible + register: ednxzu_ansible_group + + - name: "Verify ansible user and group" + ansible.builtin.assert: + that: + - not ednxzu_ansible_user.failed + - not ednxzu_ansible_group.failed + - "'ansible' in ednxzu_ansible_user.ansible_facts.getent_passwd.keys()" + - "'/opt/ansible' in ednxzu_ansible_user.ansible_facts.getent_passwd['ansible']" + - "'/bin/bash' in ednxzu_ansible_user.ansible_facts.getent_passwd['ansible']" + - "'ansible' in ednxzu_ansible_group.ansible_facts.getent_group.keys()" + + - name: "Test: ansible sudo permissions" + block: + - name: "Stat file /etc/sudoers.d/ansible" + ansible.builtin.stat: + path: "/etc/sudoers.d/ansible" + register: stat_etc_sudoers_d_ansible + become: true + + - name: "Slurp file /etc/sudoers.d/ansible" + ansible.builtin.slurp: + src: "/etc/sudoers.d/ansible" + register: slurp_etc_sudoers_d_ansible + become: true + + - name: "Verify file /etc/sudoers.d/ansible" + ansible.builtin.assert: + that: + - stat_etc_sudoers_d_ansible.stat.exists + - stat_etc_sudoers_d_ansible.stat.isreg + - stat_etc_sudoers_d_ansible.stat.pw_name == 'root' + - stat_etc_sudoers_d_ansible.stat.gr_name == 'root' + - stat_etc_sudoers_d_ansible.stat.mode == 
'0440' + - "'ansible ALL=NOPASSWD:SETENV: ALL' in (slurp_etc_sudoers_d_ansible.content|b64decode)" + + - name: "Test: ansible authorized_keys" + block: + - name: "Stat file /opt/ansible/.ssh/authorized_keys" + ansible.builtin.stat: + path: "/opt/ansible/.ssh/authorized_keys" + register: stat_opt_ansible_ssh_authorized_keys + become: true + + - name: "Slurp file /opt/ansible/.ssh/authorized_keys" + ansible.builtin.slurp: + src: "/opt/ansible/.ssh/authorized_keys" + register: slurp_opt_ansible_ssh_authorized_keys + become: true + + - name: "Verify file /opt/ansible/.ssh/authorized_keys" + ansible.builtin.assert: + that: + - stat_opt_ansible_ssh_authorized_keys.stat.exists + - stat_opt_ansible_ssh_authorized_keys.stat.isreg + - stat_opt_ansible_ssh_authorized_keys.stat.pw_name == 'ansible' + - stat_opt_ansible_ssh_authorized_keys.stat.gr_name == 'ansible' + - stat_opt_ansible_ssh_authorized_keys.stat.mode == '0600' + - "'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ansible@instance' in (slurp_opt_ansible_ssh_authorized_keys.content|b64decode)" diff --git a/tasks/add_ssh_keys.yml b/tasks/add_ssh_keys.yml index 165bf2e..aa285ef 100644 --- a/tasks/add_ssh_keys.yml +++ b/tasks/add_ssh_keys.yml @@ -7,3 +7,4 @@ comment: "{{ provision_ansible_user_name }}@{{ ansible_hostname }}" key_options: "{{ provision_ansible_user_ssh_key_options }}" exclusive: "{{ provision_ansible_user_ssh_key_exclusive }}" + become: true \ No newline at end of file diff --git a/tasks/create_user.yml b/tasks/create_user.yml index b40d594..26fdafd 100644 --- a/tasks/create_user.yml +++ b/tasks/create_user.yml @@ -5,6 +5,7 @@ name: "{{ provision_ansible_user_group }}" state: present system: "{{ provision_ansible_user_is_system }}" + become: true - name: "Create user {{ provision_ansible_user_name }}" ansible.builtin.user: 
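Review bot: The final assertion in molecule/with_ssh_keys_vagrant/verify.yml hard-codes the key comment `ansible@instance`, whereas tasks/add_ssh_keys.yml builds the comment from `ansible_hostname`; if the box hostname does not equal the platform name `instance`, this check fails even though the key was installed. Matching on the key material alone, `"'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9' in (slurp_opt_ansible_ssh_authorized_keys.content|b64decode)"`, removes that dependency. The fixture sets `provision_ansible_user_ssh_key_exclusive: true`, but nothing asserts that the decoded file holds exactly one key line, so a regression that stops pruning stale keys would pass; `- (slurp_opt_ansible_ssh_authorized_keys.content|b64decode).strip().splitlines()|length == 1` covers it. The sudoers check is a substring match on `'ansible ALL=NOPASSWD:SETENV: ALL'`; a comment on that line noting it must track the exact entry written by tasks/create_user.yml would keep the two files in step.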
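Review bot: The added `become: true` in tasks/add_ssh_keys.yml is written without a trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file rule flags and which turns the next append to this file into a two-line change; end the file with a newline. With this commit every task of the role — this one and the three in tasks/create_user.yml — escalates unconditionally, so the connecting user now needs become (sudo) rights on the target regardless of ansible.cfg; that requirement is stated nowhere in the diff and belongs in the README or in a comment at the top of each tasks file, e.g. `# All tasks use become: the connecting user needs sudo rights on the target host.` The task these lines belong to starts above the hunk.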
@@ -16,6 +17,7 @@ shell: "{{ provision_ansible_user_shell }}" system: "{{ provision_ansible_user_is_system }}" create_home: true + become: true - name: "Add user to sudoers" community.general.sudoers: @@ -25,3 +27,4 @@ nopassword: true setenv: true when: provision_ansible_user_sudoer + become: true