From 6b2da1707ad308611b7bbbd38a91454d8c51076a Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 16 Jul 2023 22:04:43 +0200
Subject: [PATCH] start of ansible tests cause molecule is deprecating testinfra
---
 molecule/default/molecule.yml | 2 +-
 molecule/default/verify.yml | 50 +++++++++++++----------------
 molecule/with_ssh_keys/verify.yml | 56 +++++++++++++++++++++----------
 3 files changed, 64 insertions(+), 44 deletions(-)
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 7a62eb2..49efc7f 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -20,7 +20,7 @@ provisioner:
 defaults:
 remote_tmp: /tmp/.ansible
 verifier:
- name: testinfra
+ name: ansible
 scenario:
 name: default
 test_sequence:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index cd47d7d..4387b02 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -18,50 +18,50 @@ - stat_etc_hosts.stat.pw_name == 'root' - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: ansible user and group" + - name: "Test: ubuntu user and group" block: - name: "Getent user ansible" ansible.builtin.getent: database: passwd - key: deploy - register: ansible_user + key: ubuntu + register: ednxzu_management_user - - name: "Getent group ansible" + - name: "Getent group ubuntu" ansible.builtin.getent: database: group - key: deploy - register: ansible_group + key: ubuntu + register: ednxzu_management_group - - name: "Verify ansible user and group" + - name: "Verify ubuntu user and group" ansible.builtin.assert: that: - - not ansible_user.failed - - not ansible_group.failed - - "'deploy' in ansible_user.ansible_facts.getent_passwd.keys()" - - "'/opt/deploy' in ansible_user.ansible_facts.getent_passwd['deploy']" - - "'/bin/bash' in ansible_user.ansible_facts.getent_passwd['deploy']" - - "'deploy' in ansible_group.ansible_facts.getent_group.keys()" + - not ednxzu_management_user.failed + - not ednxzu_management_group.failed + - "'ubuntu' in ednxzu_management_user.ansible_facts.getent_passwd.keys()" + - "'/home/ubuntu' in ednxzu_management_user.ansible_facts.getent_passwd['ubuntu']" + - "'/bin/bash' in ednxzu_management_user.ansible_facts.getent_passwd['ubuntu']" + - "'ubuntu' in ednxzu_management_group.ansible_facts.getent_group.keys()" - - name: "Test: ansible sudo permissions" + - name: "Test: ubuntu sudo permissions" block: - - name: "Stat file /etc/sudoers.d/deploy" + - name: "Stat file /etc/sudoers.d/ubuntu" ansible.builtin.stat: - path: "/etc/sudoers.d" - register: stat_etc_sudoers_d_ansible + path: "/etc/sudoers.d/ubuntu" + register: stat_etc_sudoers_d_ubuntu - - name: "Verify file /etc/sudoers.d/deploy" + - name: "Verify file /etc/sudoers.d/ubuntu" ansible.builtin.assert: that: - - not stat_etc_sudoers_d_ansible.stat.exists + - not stat_etc_sudoers_d_ubuntu.stat.exists - - name: "Test: ansible authorized_keys" + - name: "Test: 
ubuntu authorized_keys" block: - - name: "Stat file /opt/deploy/.ssh/authorized_keys" + - name: "Stat file /home/ubuntu/.ssh/authorized_keys" ansible.builtin.stat: - path: "/opt/deploy/.ssh/authorized_keys" - register: stat_opt_ansible_ssh_authorized_keys + path: "/home/ubuntu/.ssh/authorized_keys" + register: stat_home_ubuntu_ssh_authorized_keys - - name: "Verify file /opt/deploy/.ssh/authorized_keys" + - name: "Verify file /home/ubuntu/.ssh/authorized_keys" ansible.builtin.assert: that: - - not stat_opt_ansible_ssh_authorized_keys.stat.exists + - not stat_home_ubuntu_ssh_authorized_keys.stat.exists
diff --git a/molecule/with_ssh_keys/verify.yml b/molecule/with_ssh_keys/verify.yml
index cd47d7d..355e164 100644
--- a/molecule/with_ssh_keys/verify.yml
+++ b/molecule/with_ssh_keys/verify.yml
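Review bot: Every assertion the hunk adds for the sudo and authorized_keys blocks is an absence check (`not stat_etc_sudoers_d_ubuntu.stat.exists`, `not stat_home_ubuntu_ssh_authorized_keys.stat.exists`), so this verify also passes on an image the role never touched; it shows the `ubuntu` account was left alone, not that the default configuration produced anything. If leaving the system untouched is the intended outcome of the default scenario, say so in the task names, e.g. `- name: "Test: ubuntu sudo permissions (role must not create a sudoers drop-in)"`, otherwise add one positive assertion on whatever the default variables do create. The play header and the first assert block start before this hunk, so I cannot see whether the getent tasks set `fail_key: false`; without it a missing `ubuntu` key fails the getent task before the `not ednxzu_management_user.failed` and `not ednxzu_management_group.failed` lines are ever evaluated, which makes those two assertions dead code.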
@@ -23,45 +23,65 @@ - name: "Getent user ansible" ansible.builtin.getent: database: passwd - key: deploy - register: ansible_user + key: ansible + register: ednxzu_ansible_user - name: "Getent group ansible" ansible.builtin.getent: database: group - key: deploy - register: ansible_group + key: ansible + register: ednxzu_ansible_group - name: "Verify ansible user and group" ansible.builtin.assert: that: - - not ansible_user.failed - - not ansible_group.failed - - "'deploy' in ansible_user.ansible_facts.getent_passwd.keys()" - - "'/opt/deploy' in ansible_user.ansible_facts.getent_passwd['deploy']" - - "'/bin/bash' in ansible_user.ansible_facts.getent_passwd['deploy']" - - "'deploy' in ansible_group.ansible_facts.getent_group.keys()" + - not ednxzu_ansible_user.failed + - not ednxzu_ansible_group.failed + - "'ansible' in ednxzu_ansible_user.ansible_facts.getent_passwd.keys()" + - "'/opt/ansible' in ednxzu_ansible_user.ansible_facts.getent_passwd['ansible']" + - "'/bin/bash' in ednxzu_ansible_user.ansible_facts.getent_passwd['ansible']" + - "'ansible' in ednxzu_ansible_group.ansible_facts.getent_group.keys()" - name: "Test: ansible sudo permissions" block: - - name: "Stat file /etc/sudoers.d/deploy" + - name: "Stat file /etc/sudoers.d/ansible" ansible.builtin.stat: - path: "/etc/sudoers.d" + path: "/etc/sudoers.d/ansible" register: stat_etc_sudoers_d_ansible - - name: "Verify file /etc/sudoers.d/deploy" + - name: "Slurp file /etc/sudoers.d/ansible" + ansible.builtin.slurp: + src: "/etc/sudoers.d/ansible" + register: slurp_etc_sudoers_d_ansible + + - name: "Verify file /etc/sudoers.d/ansible" ansible.builtin.assert: that: - - not stat_etc_sudoers_d_ansible.stat.exists + - stat_etc_sudoers_d_ansible.stat.exists + - stat_etc_sudoers_d_ansible.stat.isreg + - stat_etc_sudoers_d_ansible.stat.pw_name == 'root' + - stat_etc_sudoers_d_ansible.stat.gr_name == 'root' + - stat_etc_sudoers_d_ansible.stat.mode == '0440' + - "'ansible ALL=NOPASSWD:SETENV: ALL' in 
(slurp_etc_sudoers_d_ansible.content|b64decode)" - name: "Test: ansible authorized_keys" block: - - name: "Stat file /opt/deploy/.ssh/authorized_keys" + - name: "Stat file /opt/ansible/.ssh/authorized_keys" ansible.builtin.stat: - path: "/opt/deploy/.ssh/authorized_keys" + path: "/opt/ansible/.ssh/authorized_keys" register: stat_opt_ansible_ssh_authorized_keys - - name: "Verify file /opt/deploy/.ssh/authorized_keys" + - name: "Slurp file /opt/ansible/.ssh/authorized_keys" + ansible.builtin.slurp: + src: "/opt/ansible/.ssh/authorized_keys" + register: slurp_opt_ansible_ssh_authorized_keys + + - name: "Verify file /opt/ansible/.ssh/authorized_keys" ansible.builtin.assert: that: - - not stat_opt_ansible_ssh_authorized_keys.stat.exists + - stat_opt_ansible_ssh_authorized_keys.stat.exists + - stat_opt_ansible_ssh_authorized_keys.stat.isreg + - stat_opt_ansible_ssh_authorized_keys.stat.pw_name == 'ansible' + - stat_opt_ansible_ssh_authorized_keys.stat.gr_name == 'ansible' + - stat_opt_ansible_ssh_authorized_keys.stat.mode == '0600' + - "'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClfmTk73wNNL2jwvhRUmUuy80JRrz3P7cEgXUqlc5O9 ansible@instance' in (slurp_opt_ansible_ssh_authorized_keys.content|b64decode)"
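Review bot: The new authorized_keys assertions stop at the file itself, but sshd with StrictModes (its default) also refuses a key file whose parent `.ssh` directory or home directory is group/world-writable or not owned by the user, so a role that writes the key with mode 0600 yet leaves `/opt/ansible/.ssh` at 0755 or root-owned would pass this verify while the login it is meant to prove still fails. Add a stat on `/opt/ansible/.ssh` next to the existing one and assert ownership and `mode == '0700'`, as below. The sudoers assertions on mode `'0440'` and root ownership are the right checks, but the substring match accepts a drop-in that also carries extra rules or a syntax error that makes sudo reject the whole file; a `visudo -cf /etc/sudoers.d/ansible` task with `changed_when: false` in that block would catch the latter. The block opening `Test: ansible user and group` begins before this hunk.

```yaml
    - name: "Test: ansible authorized_keys"
      block:
        - name: "Stat directory /opt/ansible/.ssh"
          ansible.builtin.stat:
            path: "/opt/ansible/.ssh"
          register: stat_opt_ansible_ssh

        - name: "Verify directory /opt/ansible/.ssh"
          ansible.builtin.assert:
            that:
              - stat_opt_ansible_ssh.stat.exists
              - stat_opt_ansible_ssh.stat.isdir
              - stat_opt_ansible_ssh.stat.pw_name == 'ansible'
              - stat_opt_ansible_ssh.stat.gr_name == 'ansible'
              - stat_opt_ansible_ssh.stat.mode == '0700'

        # … unchanged: stat, slurp and verify of /opt/ansible/.ssh/authorized_keys …
```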