From d8377ceb6bcc715ed7723887a7e76872fb9eea6c Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 10 Jun 2023 22:42:37 +0200
Subject: [PATCH] switch to using sudoer module

---
 molecule/default/verify.yml | 170 ++++++++++++++++++++++++++++++++++++
 tasks/create_user.yml | 12 +-
 2 files changed, 176 insertions(+), 6 deletions(-)
 create mode 100644 molecule/default/verify.yml

diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..a75074d
--- /dev/null
+++ b/molecule/default/verify.yml
@@ -0,0 +1,170 @@ +--- +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: "Test: file /etc/hosts" + block: + - name: "Stat file /etc/hosts" + ansible.builtin.stat: + path: "/etc/hosts" + register: stat_etc_hosts + + - name: "Verify file /etc/hosts" + ansible.builtin.assert: + that: + - stat_etc_hosts.stat.exists + - stat_etc_hosts.stat.isreg + - stat_etc_hosts.stat.pw_name == 'root' + - stat_etc_hosts.stat.gr_name == 'root' + + - name: "Test: consul user and group" + block: + - name: "Getent user consul" + ansible.builtin.getent: + database: passwd + key: consul + register: consul_user + + - name: "Getent group consul" + ansible.builtin.getent: + database: group + key: consul + register: consul_group + + - name: "Verify consul user and group" + ansible.builtin.assert: + that: + - not consul_user.failed + - not consul_group.failed + - "'consul' in consul_user.ansible_facts.getent_passwd.keys()" + - "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']" + - "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']" + - "'consul' in consul_group.ansible_facts.getent_group.keys()" + + - name: "Test: directory /etc/consul.d" + block: + - name: "Stat directory /etc/consul.d" + ansible.builtin.stat: + path: "/etc/consul.d" + register: stat_etc_consul_d + + - name: "Stat file /etc/consul.d/consul.env" + ansible.builtin.stat: + path: "/etc/consul.d/consul.env" + register: stat_etc_consul_d_consul_env + + - name: "Stat file /etc/consul.d/consul.json" + ansible.builtin.stat: + path: "/etc/consul.d/consul.json" + register: stat_etc_consul_d_consul_json + + - name: "Slurp file /etc/consul.d/consul.json" + ansible.builtin.slurp: + src: "/etc/consul.d/consul.json" + register: slurp_etc_consul_d_consul_json + + - name: "Verify directory /etc/consul.d" + ansible.builtin.assert: + that: + - stat_etc_consul_d.stat.exists + - stat_etc_consul_d.stat.isdir + - stat_etc_consul_d.stat.pw_name == 'consul' + - stat_etc_consul_d.stat.gr_name == 
'consul' + - stat_etc_consul_d.stat.mode == '0755' + - stat_etc_consul_d_consul_env.stat.exists + - stat_etc_consul_d_consul_env.stat.isreg + - stat_etc_consul_d_consul_env.stat.pw_name == 'consul' + - stat_etc_consul_d_consul_env.stat.gr_name == 'consul' + - stat_etc_consul_d_consul_env.stat.mode == '0600' + - stat_etc_consul_d_consul_json.stat.exists + - stat_etc_consul_d_consul_json.stat.isreg + - stat_etc_consul_d_consul_json.stat.pw_name == 'consul' + - stat_etc_consul_d_consul_json.stat.gr_name == 'consul' + - stat_etc_consul_d_consul_json.stat.mode == '0600' + - slurp_etc_consul_d_consul_json.content != '' + + - name: "Test: directory /opt/consul" + block: + - name: "Stat directory /opt/consul" + ansible.builtin.stat: + path: "/opt/consul" + register: stat_opt_consul + + - name: "Verify directory /opt/consul" + ansible.builtin.assert: + that: + - stat_opt_consul.stat.exists + - stat_opt_consul.stat.isdir + - stat_opt_consul.stat.pw_name == 'consul' + - stat_opt_consul.stat.gr_name == 'consul' + - stat_opt_consul.stat.mode == '0755' + + - name: "Test: service consul" + block: + - name: "Get service consul" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/consul.service" + ansible.builtin.stat: + path: "/etc/systemd/system/consul.service" + register: stat_etc_systemd_system_consul_service + + - name: "Slurp file /etc/systemd/system/consul.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/consul.service" + register: slurp_etc_systemd_system_consul_service + + - name: "Verify service consul" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_consul_service.stat.exists + - stat_etc_systemd_system_consul_service.stat.isreg + - stat_etc_systemd_system_consul_service.stat.pw_name == 'root' + - stat_etc_systemd_system_consul_service.stat.gr_name == 'root' + - stat_etc_systemd_system_consul_service.stat.mode == '0644' + - slurp_etc_systemd_system_consul_service.content != '' + - ansible_facts.services['consul.service'] 
is defined + - ansible_facts.services['consul.service']['source'] == 'systemd' + - ansible_facts.services['consul.service']['state'] == 'running' + - ansible_facts.services['consul.service']['status'] == 'enabled' + + - name: "Test: interaction consul" + vars: + acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab" + block: + - name: "Command consul kv put" + ansible.builtin.command: "consul kv put foo bar" + environment: + CONSUL_HTTP_TOKEN: "{{ acl_token }}" + changed_when: false + register: consul_kv_put + + - name: "Command consul kv get" + ansible.builtin.command: "consul kv get foo" + environment: + CONSUL_HTTP_TOKEN: "{{ acl_token }}" + changed_when: false + register: consul_kv_get + + - name: "Command consul kv delete" + ansible.builtin.command: "consul kv delete foo" + environment: + CONSUL_HTTP_TOKEN: "{{ acl_token }}" + changed_when: false + register: consul_kv_delete + + - name: "Command consul members" + ansible.builtin.command: "consul members" + environment: + CONSUL_HTTP_TOKEN: "{{ acl_token }}" + changed_when: false + register: consul_members + + - name: "Verify consul interaction" + ansible.builtin.assert: + that: + - "'instance' in consul_members.stdout" + - consul_kv_put.stdout == 'Success! Data written to: foo' + - consul_kv_get.stdout == 'bar' + - consul_kv_delete.stdout == 'Success! Deleted key: foo' diff --git a/tasks/create_user.yml b/tasks/create_user.yml index 41fda0e..866a8c1 100644 --- a/tasks/create_user.yml +++ b/tasks/create_user.yml @@ -18,10 +18,10 @@ create_home: true - name: "Add user to sudoers" - ansible.builtin.copy: - dest: "/etc/sudoers.d/{{ provision_management_user_name }}" - owner: root - group: root - mode: 0640 - content: "{{ provision_management_user_name }} ALL=(ALL) NOPASSWD: ALL" + community.general.sudoers: + name: "{{ provision_management_user_name }}" + user: "{{ provision_management_user_name }}" + commands: ALL + nopassword: true + setenv: true when: provision_management_user_sudoer
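Review bot: The "Test: interaction consul" block only proves that the hardcoded token is accepted; it never checks that a request without a token is refused, so a role that ends up with ACLs disabled or `default_policy: allow` passes this verify unchanged. A negative probe placed between the kv get and kv delete steps — the same read with an empty `CONSUL_HTTP_TOKEN` and `failed_when: false`, then `consul_kv_get_anon.rc != 0` in the assert — pins the deny-by-default behaviour the token implies (assuming converge enables ACLs with a deny default, which is not visible here). `vars.acl_token` is a fixed, secret-looking UUID that presumably matches the bootstrap token set by the converge playbook; keep it a throwaway molecule-only value and preferably load it from a shared molecule variable rather than duplicating it in verify.yml.
```yaml
        - name: "Command consul kv get without token"
          ansible.builtin.command: "consul kv get foo"
          environment:
            CONSUL_HTTP_TOKEN: ""
          changed_when: false
          failed_when: false
          register: consul_kv_get_anon

        # … unchanged: kv delete and members commands …

        - name: "Verify consul interaction"
          ansible.builtin.assert:
            that:
              - "'instance' in consul_members.stdout"
              - consul_kv_put.stdout == 'Success! Data written to: foo'
              - consul_kv_get.stdout == 'bar'
              # anonymous read must be denied when ACLs are enforced
              - consul_kv_get_anon.rc != 0
              - consul_kv_delete.stdout == 'Success! Deleted key: foo'
```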
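Review bot: The new `community.general.sudoers` task silently drops the `(ALL)` run-as list that the removed `ALL=(ALL) NOPASSWD: ALL` content carried: per the module's documentation the `(runas)` part is only emitted when `runas` is set, so the generated drop-in becomes `<user> ALL=NOPASSWD:SETENV: ALL`, which sudo limits to `runas_default` (root) — `sudo -u <other>` and an Ansible `become_user` to a non-root account will now be refused for the management user. If the previous semantics are intended, add `runas: ALL` next to `commands: ALL`; if the narrowing is deliberate, say so in the task name or a comment since it changes what `provision_management_user_sudoer` grants. `setenv: true` is already implied by `commands: ALL` in sudoers(5), so it is harmless but deserves a one-line comment such as `# SETENV is implied for ALL; kept explicit to document intent` or should be dropped. On the positive side the module writes the file with the 0440 mode sudo expects and can validate it with visudo (the old `copy` used 0640 and had no `validate:`), which is worth a mention in the commit message; the enclosing task list continues outside this hunk.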