diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index 1769576..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,82 +0,0 @@
----
-stages:
- - verify
- - test-default
- - test-with-ssh-keys
-
-image:
- name: registry.ednz.fr/forge/ansible-runner
-
-variables:
- ANSIBLE_HOST_KEY_CHECKING: 'false'
- ANSIBLE_FORCE_COLOR: 'true'
- ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
- DOCKER_AUTH_CONFIG: $CI_DOCKER_AUTH_CONFIG
-
-.stage-test-default:
- stage: test-default
-
-.stage-test-with-ssh-keys:
- stage: test-with-ssh-keys
-
-.variables-ubuntu-2004:
- variables:
- MOLECULE_TEST_OS: "ubuntu2004"
-
-.variables-ubuntu-2204:
- variables:
- MOLECULE_TEST_OS: "ubuntu2204"
-
-.variables-debian-11:
- variables:
- MOLECULE_TEST_OS: "debian11"
-
-.script-molecule-test-default:
- script:
- - molecule test
-
-.script-molecule-test-with-ssh-keys:
- script:
- - molecule test -s with_ssh_keys
-
-ansible-verify:
- stage: verify
- script:
- - yamllint . -c .yamllint
- - ansible-lint
-
-ansible-test-ubuntu-2004-default:
- extends:
- - .stage-test-default
- - .variables-ubuntu-2004
- - .script-molecule-test-default
-
-ansible-test-ubuntu-2204-default:
- extends:
- - .stage-test-default
- - .variables-ubuntu-2204
- - .script-molecule-test-default
-
-ansible-test-debian-11-default:
- extends:
- - .stage-test-default
- - .variables-debian-11
- - .script-molecule-test-default
-
-ansible-test-ubuntu-2004-with-ssh-keys:
- extends:
- - .stage-test-with-ssh-keys
- - .variables-ubuntu-2004
- - .script-molecule-test-with-ssh-keys
-
-ansible-test-ubuntu-2204-with-ssh-keys:
- extends:
- - .stage-test-with-ssh-keys
- - .variables-ubuntu-2204
- - .script-molecule-test-with-ssh-keys
-
-ansible-test-debian-11-with-ssh-keys:
- extends:
- - .stage-test-with-ssh-keys
- - .variables-debian-11
- - .script-molecule-test-with-ssh-keys
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index a75074d..cd47d7d 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml 
@@ -18,153 +18,50 @@ - stat_etc_hosts.stat.pw_name == 'root' - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: consul user and group" + - name: "Test: ansible user and group" block: - - name: "Getent user consul" + - name: "Getent user ansible" ansible.builtin.getent: database: passwd - key: consul - register: consul_user + key: deploy + register: ansible_user - - name: "Getent group consul" + - name: "Getent group ansible" ansible.builtin.getent: database: group - key: consul - register: consul_group + key: deploy + register: ansible_group - - name: "Verify consul user and group" + - name: "Verify ansible user and group" ansible.builtin.assert: that: - - not consul_user.failed - - not consul_group.failed - - "'consul' in consul_user.ansible_facts.getent_passwd.keys()" - - "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']" - - "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']" - - "'consul' in consul_group.ansible_facts.getent_group.keys()" + - not ansible_user.failed + - not ansible_group.failed + - "'deploy' in ansible_user.ansible_facts.getent_passwd.keys()" + - "'/opt/deploy' in ansible_user.ansible_facts.getent_passwd['deploy']" + - "'/bin/bash' in ansible_user.ansible_facts.getent_passwd['deploy']" + - "'deploy' in ansible_group.ansible_facts.getent_group.keys()" - - name: "Test: directory /etc/consul.d" + - name: "Test: ansible sudo permissions" block: - - name: "Stat directory /etc/consul.d" + - name: "Stat file /etc/sudoers.d/deploy" ansible.builtin.stat: - path: "/etc/consul.d" - register: stat_etc_consul_d + path: "/etc/sudoers.d" + register: stat_etc_sudoers_d_ansible - - name: "Stat file /etc/consul.d/consul.env" - ansible.builtin.stat: - path: "/etc/consul.d/consul.env" - register: stat_etc_consul_d_consul_env - - - name: "Stat file /etc/consul.d/consul.json" - ansible.builtin.stat: - path: "/etc/consul.d/consul.json" - register: stat_etc_consul_d_consul_json - - - name: "Slurp file /etc/consul.d/consul.json" 
- ansible.builtin.slurp: - src: "/etc/consul.d/consul.json" - register: slurp_etc_consul_d_consul_json - - - name: "Verify directory /etc/consul.d" + - name: "Verify file /etc/sudoers.d/deploy" ansible.builtin.assert: that: - - stat_etc_consul_d.stat.exists - - stat_etc_consul_d.stat.isdir - - stat_etc_consul_d.stat.pw_name == 'consul' - - stat_etc_consul_d.stat.gr_name == 'consul' - - stat_etc_consul_d.stat.mode == '0755' - - stat_etc_consul_d_consul_env.stat.exists - - stat_etc_consul_d_consul_env.stat.isreg - - stat_etc_consul_d_consul_env.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_env.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_env.stat.mode == '0600' - - stat_etc_consul_d_consul_json.stat.exists - - stat_etc_consul_d_consul_json.stat.isreg - - stat_etc_consul_d_consul_json.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_json.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_json.stat.mode == '0600' - - slurp_etc_consul_d_consul_json.content != '' + - not stat_etc_sudoers_d_ansible.stat.exists - - name: "Test: directory /opt/consul" + - name: "Test: ansible authorized_keys" block: - - name: "Stat directory /opt/consul" + - name: "Stat file /opt/deploy/.ssh/authorized_keys" ansible.builtin.stat: - path: "/opt/consul" - register: stat_opt_consul + path: "/opt/deploy/.ssh/authorized_keys" + register: stat_opt_ansible_ssh_authorized_keys - - name: "Verify directory /opt/consul" + - name: "Verify file /opt/deploy/.ssh/authorized_keys" ansible.builtin.assert: that: - - stat_opt_consul.stat.exists - - stat_opt_consul.stat.isdir - - stat_opt_consul.stat.pw_name == 'consul' - - stat_opt_consul.stat.gr_name == 'consul' - - stat_opt_consul.stat.mode == '0755' - - - name: "Test: service consul" - block: - - name: "Get service consul" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul.service" - register: stat_etc_systemd_system_consul_service 
- - - name: "Slurp file /etc/systemd/system/consul.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul.service" - register: slurp_etc_systemd_system_consul_service - - - name: "Verify service consul" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_service.stat.exists - - stat_etc_systemd_system_consul_service.stat.isreg - - stat_etc_systemd_system_consul_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_service.content != '' - - ansible_facts.services['consul.service'] is defined - - ansible_facts.services['consul.service']['source'] == 'systemd' - - ansible_facts.services['consul.service']['state'] == 'running' - - ansible_facts.services['consul.service']['status'] == 'enabled' - - - name: "Test: interaction consul" - vars: - acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab" - block: - - name: "Command consul kv put" - ansible.builtin.command: "consul kv put foo bar" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_put - - - name: "Command consul kv get" - ansible.builtin.command: "consul kv get foo" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_get - - - name: "Command consul kv delete" - ansible.builtin.command: "consul kv delete foo" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_delete - - - name: "Command consul members" - ansible.builtin.command: "consul members" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_members - - - name: "Verify consul interaction" - ansible.builtin.assert: - that: - - "'instance' in consul_members.stdout" - - consul_kv_put.stdout == 'Success! Data written to: foo' - - consul_kv_get.stdout == 'bar' - - consul_kv_delete.stdout == 'Success! 
Deleted key: foo' + - not stat_opt_ansible_ssh_authorized_keys.stat.exists diff --git a/molecule/with_ssh_keys/verify.yml b/molecule/with_ssh_keys/verify.yml new file mode 100644 index 0000000..cd47d7d --- /dev/null +++ b/molecule/with_ssh_keys/verify.yml 
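Review bot: The task named "Stat file /etc/sudoers.d/deploy" stats `path: "/etc/sudoers.d"`, the drop-in directory, so the assertion `not stat_etc_sudoers_d_ansible.stat.exists` checks that sudo's directory is absent rather than that the deploy user received no sudoers entry; on an image where sudo is installed it would likely fail, and where sudo is absent it passes without exercising the intended control. Change it to `path: "/etc/sudoers.d/deploy"` so the negative check actually targets the file the role could create. The same mismatch is present in the new molecule/with_ssh_keys/verify.yml. The register name `stat_etc_sudoers_d_ansible` (and `stat_opt_ansible_ssh_authorized_keys`) still carries the old `ansible` naming while task names and getent keys now use `deploy`; consider `stat_etc_sudoers_d_deploy` in both tasks for consistency. The enclosing play starts before this hunk.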
@@ -0,0 +1,67 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: "Test: file /etc/hosts"
+ block:
+ - name: "Stat file /etc/hosts"
+ ansible.builtin.stat:
+ path: "/etc/hosts"
+ register: stat_etc_hosts
+
+ - name: "Verify file /etc/hosts"
+ ansible.builtin.assert:
+ that:
+ - stat_etc_hosts.stat.exists
+ - stat_etc_hosts.stat.isreg
+ - stat_etc_hosts.stat.pw_name == 'root'
+ - stat_etc_hosts.stat.gr_name == 'root'
+
+ - name: "Test: ansible user and group"
+ block:
+ - name: "Getent user ansible"
+ ansible.builtin.getent:
+ database: passwd
+ key: deploy
+ register: ansible_user
+
+ - name: "Getent group ansible"
+ ansible.builtin.getent:
+ database: group
+ key: deploy
+ register: ansible_group
+
+ - name: "Verify ansible user and group"
+ ansible.builtin.assert:
+ that:
+ - not ansible_user.failed
+ - not ansible_group.failed
+ - "'deploy' in ansible_user.ansible_facts.getent_passwd.keys()"
+ - "'/opt/deploy' in ansible_user.ansible_facts.getent_passwd['deploy']"
+ - "'/bin/bash' in ansible_user.ansible_facts.getent_passwd['deploy']"
+ - "'deploy' in ansible_group.ansible_facts.getent_group.keys()"
+
+ - name: "Test: ansible sudo permissions"
+ block:
+ - name: "Stat file /etc/sudoers.d/deploy"
+ ansible.builtin.stat:
+ path: "/etc/sudoers.d"
+ register: stat_etc_sudoers_d_ansible
+
+ - name: "Verify file /etc/sudoers.d/deploy"
+ ansible.builtin.assert:
+ that:
+ - not stat_etc_sudoers_d_ansible.stat.exists
+
+ - name: "Test: ansible authorized_keys"
+ block:
+ - name: "Stat file /opt/deploy/.ssh/authorized_keys"
+ ansible.builtin.stat:
+ path: "/opt/deploy/.ssh/authorized_keys"
+ register: stat_opt_ansible_ssh_authorized_keys
+
+ - name: "Verify file /opt/deploy/.ssh/authorized_keys"
+ ansible.builtin.assert:
+ that:
+ - not stat_opt_ansible_ssh_authorized_keys.stat.exists
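Review bot: The scenario is named with_ssh_keys, yet the final assertion `not stat_opt_ansible_ssh_authorized_keys.stat.exists` requires /opt/deploy/.ssh/authorized_keys to be absent, and this file is byte-identical to molecule/default/verify.yml (both at blob cd47d7d), which suggests it was copied and not yet adapted to the scenario. If this scenario provisions keys for the deploy user, the check should be inverted and made meaningful, e.g. `- stat_opt_ansible_ssh_authorized_keys.stat.exists`, `- stat_opt_ansible_ssh_authorized_keys.stat.pw_name == 'deploy'` and `- stat_opt_ansible_ssh_authorized_keys.stat.mode == '0600'`, since a missing, foreign-owned or group/world-readable authorized_keys file is exactly what a verify step for this scenario should catch. As written, a role that installs keys would fail this verify while a role that silently installs nothing would pass it.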