From 2873cd9e4c0fa3946030b2c7060e1d2ec80140c9 Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Sat, 2 Dec 2023 10:09:56 +0100 Subject: [PATCH] feat: add vagrant tests, become statements, fix #1 --- handlers/main.yml | 3 + molecule/default/prepare.yml | 2 + molecule/default/verify.yml | 20 +-- molecule/default_vagrant/converge.yml | 7 + molecule/default_vagrant/molecule.yml | 35 +++++ molecule/default_vagrant/prepare.yml | 17 +++ molecule/default_vagrant/requirements.yml | 5 + molecule/default_vagrant/verify.yml | 142 ++++++++++++++++++ molecule/with_custom_config/prepare.yml | 2 + molecule/with_custom_config/verify.yml | 20 +-- .../with_custom_config_vagrant/converge.yml | 7 + .../group_vars/all.yml | 23 +++ .../with_custom_config_vagrant/molecule.yml | 35 +++++ .../with_custom_config_vagrant/prepare.yml | 17 +++ .../requirements.yml | 5 + .../with_custom_config_vagrant/verify.yml | 142 ++++++++++++++++++ tasks/configure.yml | 2 + tasks/prerequisites.yml | 3 + 18 files changed, 455 insertions(+), 32 deletions(-) create mode 100644 molecule/default_vagrant/converge.yml create mode 100644 molecule/default_vagrant/molecule.yml create mode 100644 molecule/default_vagrant/prepare.yml create mode 100644 molecule/default_vagrant/requirements.yml create mode 100644 molecule/default_vagrant/verify.yml create mode 100644 molecule/with_custom_config_vagrant/converge.yml create mode 100644 molecule/with_custom_config_vagrant/group_vars/all.yml create mode 100644 molecule/with_custom_config_vagrant/molecule.yml create mode 100644 molecule/with_custom_config_vagrant/prepare.yml create mode 100644 molecule/with_custom_config_vagrant/requirements.yml create mode 100644 molecule/with_custom_config_vagrant/verify.yml diff --git a/handlers/main.yml b/handlers/main.yml index 6c9f41b..23f6589 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -3,17 +3,20 @@ - name: "Reload service file" ansible.builtin.systemd: daemon_reload: true + become: true listen: "systemctl-daemon-reload" - name: "Enable consul-certs service" ansible.builtin.service: name: consul-certs enabled: true + become: true listen: "systemctl-enable-consul-certs" - name: "Start consul-certs service" ansible.builtin.service: name: consul-certs state: restarted + become: true listen: "systemctl-restart-consul-certs" when: renew_consul_certificates_start_service diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index d63429c..fb88717 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -6,6 +6,7 @@ ansible.builtin.group: name: "consul" state: present + become: true - name: "Create user consul" ansible.builtin.user: @@ -13,3 +14,4 @@ group: "consul" shell: /bin/false state: present + become: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index f443c6c..300fcc7 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -1,23 +1,8 @@ --- - name: Verify hosts: all - gather_facts: false + gather_facts: true tasks: - - name: "Test: file /etc/hosts" - block: - - name: "Stat file /etc/hosts" - ansible.builtin.stat: - path: "/etc/hosts" - register: stat_etc_hosts - - - name: "Verify file /etc/hosts" - ansible.builtin.assert: - that: - - stat_etc_hosts.stat.exists - - stat_etc_hosts.stat.isreg - - stat_etc_hosts.stat.pw_name == 'root' - - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: directory /etc/consul-template.d/consul" block: - name: "Stat directory /etc/consul-template.d/consul" @@ -34,6 +19,7 @@ ansible.builtin.slurp: src: "/etc/consul-template.d/consul/consul_config.hcl" register: slurp_etc_consul_template_d_consul_consul_config_hcl + become: true - name: "Verify directory /etc/consul-template.d/consul" ansible.builtin.assert: 
@@ -74,6 +60,7 @@ src: "{{ item.path }}" loop: "{{ find_etc_consul_template_d_consul_templates.files }}" register: slurp_etc_consul_template_d_nomad_templates + become: true - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" vars: @@ -138,6 +125,7 @@ ansible.builtin.slurp: src: "/etc/systemd/system/consul-certs.service" register: slurp_etc_systemd_system_consul_certs_service + become: true - name: "Verify service nomad" ansible.builtin.assert: diff --git a/molecule/default_vagrant/converge.yml b/molecule/default_vagrant/converge.yml new file mode 100644 index 0000000..d9ad3ce --- /dev/null +++ b/molecule/default_vagrant/converge.yml @@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_consul_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_consul_certificates" diff --git a/molecule/default_vagrant/molecule.yml b/molecule/default_vagrant/molecule.yml new file mode 100644 index 0000000..2b02360 --- /dev/null +++ b/molecule/default_vagrant/molecule.yml @@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: default_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/default_vagrant/prepare.yml b/molecule/default_vagrant/prepare.yml new file mode 100644 index 0000000..fb88717 --- /dev/null +++ b/molecule/default_vagrant/prepare.yml 
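Review bot: `remote_tmp: /tmp/.ansible` under `provisioner.config_options.defaults` in the new molecule/default_vagrant/molecule.yml moves Ansible's staging directory from the per-user default (`~/.ansible/tmp`) to one fixed, world-traversable path that is then shared between the connecting vagrant user and every `become: true` task this commit adds. Ansible creates that directory with restrictive permissions itself, so this is mostly a predictability and ownership concern rather than a direct exposure, but the staged module payloads carry rendered variables (the with_custom_config scenario's group_vars include a Vault token), and a pre-existing directory owned by another user makes runs fail in confusing ways. If the override exists to work around the generic box images, say so above the key, e.g. `# generic/* boxes: keep Ansible tmp outside the home dir (see <reason>)` with the reason filled in. The same setting appears in molecule/with_custom_config_vagrant/molecule.yml.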
@@ -0,0 +1,17 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: "Create group consul" + ansible.builtin.group: + name: "consul" + state: present + become: true + + - name: "Create user consul" + ansible.builtin.user: + name: "consul" + group: "consul" + shell: /bin/false + state: present + become: true diff --git a/molecule/default_vagrant/requirements.yml b/molecule/default_vagrant/requirements.yml new file mode 100644 index 0000000..0a4a9fb --- /dev/null +++ b/molecule/default_vagrant/requirements.yml @@ -0,0 +1,5 @@ +--- +# requirements file for molecule +roles: + - name: ednxzu.manage_repositories + - name: ednxzu.manage_apt_packages diff --git a/molecule/default_vagrant/verify.yml b/molecule/default_vagrant/verify.yml new file mode 100644 index 0000000..300fcc7 --- /dev/null +++ b/molecule/default_vagrant/verify.yml 
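Review bot: The two roles listed in the new molecule/default_vagrant/requirements.yml (`ednxzu.manage_repositories`, `ednxzu.manage_apt_packages`) carry no `version:`, so every `dependency` step of the test sequence installs whatever Galaxy currently serves and the scenario's result changes under you without any change to this repository. Pin each entry, e.g. `- name: ednxzu.manage_repositories` followed by `  version: "<pinned-tag-placeholder>"`, and bump deliberately. molecule/with_custom_config_vagrant/requirements.yml has the identical list and needs the same pins.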
@@ -0,0 +1,142 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: directory /etc/consul-template.d/consul" + block: + - name: "Stat directory /etc/consul-template.d/consul" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul" + register: stat_etc_consul_template_d_nomad + + - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/consul_config.hcl" + register: stat_etc_consul_template_d_nomad_nomad_config_hcl + + - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/consul/consul_config.hcl" + register: slurp_etc_consul_template_d_consul_consul_config_hcl + become: true + + - name: "Verify directory /etc/consul-template.d/consul" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_nomad.stat.exists + - stat_etc_consul_template_d_nomad.stat.isdir + - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.mode == '0755' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_consul_consul_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/consul/templates" + block: + - name: "Stat directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/templates" + register: stat_etc_consul_template_d_consul_templates + + - name: "Find in directory /etc/consul-template.d/consul/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/consul/templates" + 
file_type: file + register: find_etc_consul_template_d_consul_templates + + - name: "Stat in directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: stat_etc_consul_template_d_consul_templates + + - name: "Slurp in directory /etc/consul-template.d/consul/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: slurp_etc_consul_template_d_nomad_templates + become: true + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" + vars: + consul_ca_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_ca_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_ca.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl" + vars: + consul_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_cert_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_cert.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl" + vars: + consul_key_file: | + {% raw %}{{ with 
secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_key_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_key.pem.tpl' + + - name: "Test: service consul-certs" + block: + - name: "Get service consul-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/consul-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/consul-certs.service" + register: stat_etc_systemd_system_consul_certs_service + + - name: "Slurp file /etc/systemd/system/consul-certs.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/consul-certs.service" + register: slurp_etc_systemd_system_consul_certs_service + become: true + + - name: "Verify service nomad" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_consul_certs_service.stat.exists + - stat_etc_systemd_system_consul_certs_service.stat.isreg + - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_consul_certs_service.content != '' + - ansible_facts.services['consul-certs.service'] is defined + - ansible_facts.services['consul-certs.service']['source'] == 'systemd' + - ansible_facts.services['consul-certs.service']['state'] == 'stopped' + - ansible_facts.services['consul-certs.service']['status'] == 'enabled' diff --git a/molecule/with_custom_config/prepare.yml b/molecule/with_custom_config/prepare.yml index d63429c..fb88717 100644 --- a/molecule/with_custom_config/prepare.yml +++ b/molecule/with_custom_config/prepare.yml 
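Review bot: The new molecule/default_vagrant/verify.yml still carries names copied from another scenario: `register: stat_etc_consul_template_d_nomad`, `register: stat_etc_consul_template_d_nomad_nomad_config_hcl`, `register: slurp_etc_consul_template_d_nomad_templates` and the task `- name: "Verify service nomad"`, all in a playbook that checks consul-template files and the consul-certs unit. Since this file is created from scratch here, renaming is cheap now and avoids the "nomad" tokens becoming grep noise later, e.g. `register: stat_etc_consul_template_d_consul` and `- name: "Verify service consul-certs"`. The same names are in the new molecule/with_custom_config_vagrant/verify.yml; the pre-existing molecule/default/verify.yml and molecule/with_custom_config/verify.yml are only touched on the `become: true` lines in this commit, so they are a separate cleanup.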
@@ -6,6 +6,7 @@ ansible.builtin.group: name: "consul" state: present + become: true - name: "Create user consul" ansible.builtin.user: @@ -13,3 +14,4 @@ group: "consul" shell: /bin/false state: present + become: true diff --git a/molecule/with_custom_config/verify.yml b/molecule/with_custom_config/verify.yml index c6bcda0..39d7a34 100644 --- a/molecule/with_custom_config/verify.yml +++ b/molecule/with_custom_config/verify.yml @@ -1,23 +1,8 @@ --- - name: Verify hosts: all - gather_facts: false + gather_facts: true tasks: - - name: "Test: file /etc/hosts" - block: - - name: "Stat file /etc/hosts" - ansible.builtin.stat: - path: "/etc/hosts" - register: stat_etc_hosts - - - name: "Verify file /etc/hosts" - ansible.builtin.assert: - that: - - stat_etc_hosts.stat.exists - - stat_etc_hosts.stat.isreg - - stat_etc_hosts.stat.pw_name == 'root' - - stat_etc_hosts.stat.gr_name == 'root' - - name: "Test: directory /etc/consul-template.d/consul" block: - name: "Stat directory /etc/consul-template.d/consul" @@ -34,6 +19,7 @@ ansible.builtin.slurp: src: "/etc/consul-template.d/consul/consul_config.hcl" register: slurp_etc_consul_template_d_consul_consul_config_hcl + become: true - name: "Verify directory /etc/consul-template.d/consul" ansible.builtin.assert: @@ -74,6 +60,7 @@ src: "{{ item.path }}" loop: "{{ find_etc_consul_template_d_consul_templates.files }}" register: slurp_etc_consul_template_d_nomad_templates + become: true - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" vars: @@ -138,6 +125,7 @@ ansible.builtin.slurp: src: "/etc/systemd/system/consul-certs.service" register: slurp_etc_systemd_system_consul_certs_service + become: true - name: "Verify service nomad" ansible.builtin.assert: diff --git a/molecule/with_custom_config_vagrant/converge.yml b/molecule/with_custom_config_vagrant/converge.yml new file mode 100644 index 0000000..d9ad3ce --- /dev/null +++ b/molecule/with_custom_config_vagrant/converge.yml 
@@ -0,0 +1,7 @@ +--- +- name: Converge + hosts: all + tasks: + - name: "Include ednxzu.renew_consul_certificates" + ansible.builtin.include_role: + name: "ednxzu.renew_consul_certificates" diff --git a/molecule/with_custom_config_vagrant/group_vars/all.yml b/molecule/with_custom_config_vagrant/group_vars/all.yml new file mode 100644 index 0000000..945a562 --- /dev/null +++ b/molecule/with_custom_config_vagrant/group_vars/all.yml @@ -0,0 +1,23 @@ +--- +renew_consul_certificates_config_dir: /etc/consul-template.d/consul +renew_consul_certificates_consul_user: consul +renew_consul_certificates_consul_group: consul +renew_consul_certificates_service_env_variables: + consul_http_addr: http://127.0.0.1:8500 + # consul_http_token: +renew_consul_certificates_vault_addr: "https://consul.example.com" +renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange +renew_consul_certificates_vault_token_unwrap: false +renew_consul_certificates_vault_token_renew: true +renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem +renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem +renew_consul_certificates_key_dest: /opt/consul/tls/key.pem +renew_consul_certificates_info: + issuer_path: pki/issue/your-issuer + common_name: consul01.example.com + ttl: 90d + is_server: true + include_consul_service: true +renew_consul_certificates_consul_dc_name: dc1.consul +renew_consul_certificates_consul_service_name: consul.service.consul +renew_consul_certificates_start_service: false diff --git a/molecule/with_custom_config_vagrant/molecule.yml b/molecule/with_custom_config_vagrant/molecule.yml new file mode 100644 index 0000000..890cdd0 --- /dev/null +++ b/molecule/with_custom_config_vagrant/molecule.yml 
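Review bot: `renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange` in the new molecule/with_custom_config_vagrant/group_vars/all.yml is a committed plaintext token; as a scenario fixture that is acceptable, but nothing marks it as such and the file reads like a reference configuration for the role. A one-line comment above it, `# test-only placeholder; never a real token`, makes the intent explicit, and letting a real environment override it keeps the fixture usable against a live Vault: `renew_consul_certificates_vault_token: "{{ lookup('env', 'VAULT_TOKEN') | default('mysupersecretconsultokenthatyoushouldchange', true) }}"`. It also looks like `renew_consul_certificates_vault_addr: "https://consul.example.com"` was meant to name a Vault host rather than a Consul one; worth confirming against the role defaults.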
@@ -0,0 +1,35 @@ +--- +dependency: + name: galaxy + options: + requirements-file: ./requirements.yml +driver: + name: vagrant + provider: + name: libvirt +platforms: + - name: instance + box: generic/${MOLECULE_TEST_OS} + cpus: 4 + memory: 4096 +provisioner: + name: ansible + config_options: + defaults: + remote_tmp: /tmp/.ansible +verifier: + name: ansible +scenario: + name: with_custom_config_vagrant + test_sequence: + - dependency + - cleanup + - destroy + - syntax + - create + - prepare + - converge + - idempotence + - verify + - cleanup + - destroy diff --git a/molecule/with_custom_config_vagrant/prepare.yml b/molecule/with_custom_config_vagrant/prepare.yml new file mode 100644 index 0000000..fb88717 --- /dev/null +++ b/molecule/with_custom_config_vagrant/prepare.yml @@ -0,0 +1,17 @@ +--- +- name: Prepare + hosts: all + tasks: + - name: "Create group consul" + ansible.builtin.group: + name: "consul" + state: present + become: true + + - name: "Create user consul" + ansible.builtin.user: + name: "consul" + group: "consul" + shell: /bin/false + state: present + become: true diff --git a/molecule/with_custom_config_vagrant/requirements.yml b/molecule/with_custom_config_vagrant/requirements.yml new file mode 100644 index 0000000..0a4a9fb --- /dev/null +++ b/molecule/with_custom_config_vagrant/requirements.yml @@ -0,0 +1,5 @@ +--- +# requirements file for molecule +roles: + - name: ednxzu.manage_repositories + - name: ednxzu.manage_apt_packages diff --git a/molecule/with_custom_config_vagrant/verify.yml b/molecule/with_custom_config_vagrant/verify.yml new file mode 100644 index 0000000..39d7a34 --- /dev/null +++ b/molecule/with_custom_config_vagrant/verify.yml 
@@ -0,0 +1,142 @@ +--- +- name: Verify + hosts: all + gather_facts: true + tasks: + - name: "Test: directory /etc/consul-template.d/consul" + block: + - name: "Stat directory /etc/consul-template.d/consul" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul" + register: stat_etc_consul_template_d_nomad + + - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/consul_config.hcl" + register: stat_etc_consul_template_d_nomad_nomad_config_hcl + + - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl" + ansible.builtin.slurp: + src: "/etc/consul-template.d/consul/consul_config.hcl" + register: slurp_etc_consul_template_d_consul_consul_config_hcl + become: true + + - name: "Verify directory /etc/consul-template.d/consul" + ansible.builtin.assert: + that: + - stat_etc_consul_template_d_nomad.stat.exists + - stat_etc_consul_template_d_nomad.stat.isdir + - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad.stat.mode == '0755' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul' + - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' + - slurp_etc_consul_template_d_consul_consul_config_hcl.content != '' + + - name: "Test: directory /etc/consul-template.d/consul/templates" + block: + - name: "Stat directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "/etc/consul-template.d/consul/templates" + register: stat_etc_consul_template_d_consul_templates + + - name: "Find in directory /etc/consul-template.d/consul/templates" + ansible.builtin.find: + paths: "/etc/consul-template.d/consul/templates" + 
file_type: file + register: find_etc_consul_template_d_consul_templates + + - name: "Stat in directory /etc/consul-template.d/consul/templates" + ansible.builtin.stat: + path: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: stat_etc_consul_template_d_consul_templates + + - name: "Slurp in directory /etc/consul-template.d/consul/templates" + ansible.builtin.slurp: + src: "{{ item.path }}" + loop: "{{ find_etc_consul_template_d_consul_templates.files }}" + register: slurp_etc_consul_template_d_nomad_templates + become: true + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" + vars: + consul_ca_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_ca_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_ca.pem.tpl' + + - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl" + vars: + consul_cert_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }} + {{ .Data.certificate }} + {{ .Data.issuing_ca }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_cert_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_cert.pem.tpl' + + - name: "Verify file 
/etc/consul-template.d/consul/templates/consul_key.pem.tpl" + vars: + consul_key_file: | + {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }} + {{ .Data.private_key }} + {{ end }}{% endraw %} + ansible.builtin.assert: + that: + - item.item.isreg + - item.item.pw_name == 'consul' + - item.item.gr_name == 'consul' + - item.item.mode == '0600' + - "(item.content|b64decode) == consul_key_file" + loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" + when: (item.item.path | basename) == 'consul_key.pem.tpl' + + - name: "Test: service consul-certs" + block: + - name: "Get service consul-certs" + ansible.builtin.service_facts: + + - name: "Stat file /etc/systemd/system/consul-certs.service" + ansible.builtin.stat: + path: "/etc/systemd/system/consul-certs.service" + register: stat_etc_systemd_system_consul_certs_service + + - name: "Slurp file /etc/systemd/system/consul-certs.service" + ansible.builtin.slurp: + src: "/etc/systemd/system/consul-certs.service" + register: slurp_etc_systemd_system_consul_certs_service + become: true + + - name: "Verify service nomad" + ansible.builtin.assert: + that: + - stat_etc_systemd_system_consul_certs_service.stat.exists + - stat_etc_systemd_system_consul_certs_service.stat.isreg + - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root' + - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644' + - slurp_etc_systemd_system_consul_certs_service.content != '' + - ansible_facts.services['consul-certs.service'] is defined + - ansible_facts.services['consul-certs.service']['source'] == 'systemd' + - ansible_facts.services['consul-certs.service']['state'] == 'stopped' + - ansible_facts.services['consul-certs.service']['status'] == 'enabled' 
diff --git a/tasks/configure.yml b/tasks/configure.yml index 7ef5491..0c26971 100644 --- a/tasks/configure.yml +++ b/tasks/configure.yml @@ -1,6 +1,7 @@ --- # task/configure file for renew_consul_certificates - name: "Configure files for consul certificate renewal" + become: true notify: - "systemctl-enable-consul-certs" - "systemctl-restart-consul-certs" @@ -38,6 +39,7 @@ mode: '0600' - name: "Configure consul-certs systemd service" + become: true notify: - "systemctl-daemon-reload" block: diff --git a/tasks/prerequisites.yml b/tasks/prerequisites.yml index 32d7c20..c8496ac 100644 --- a/tasks/prerequisites.yml +++ b/tasks/prerequisites.yml @@ -7,6 +7,7 @@ owner: "{{ renew_consul_certificates_consul_user }}" group: "{{ renew_consul_certificates_consul_group }}" mode: '0755' + become: true - name: "Create directory templates directory in {{ renew_consul_certificates_config_dir }}" ansible.builtin.file: @@ -15,6 +16,7 @@ owner: "{{ renew_consul_certificates_consul_user }}" group: "{{ renew_consul_certificates_consul_group }}" mode: '0755' + become: true - name: "Ensure certificate/key directory(ies) exist(s)" ansible.builtin.file: @@ -23,6 +25,7 @@ owner: "{{ renew_consul_certificates_consul_user }}" group: "{{ renew_consul_certificates_consul_group }}" mode: '0755' + become: true loop: - "{{ renew_consul_certificates_cert_dest }}" - "{{ renew_consul_certificates_key_dest }}"
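Review bot: The `become: true` lines added in both tasks/configure.yml hunks and the three tasks/prerequisites.yml hunks hard-code privilege escalation inside the role, so a caller that already runs with the right identity (root, or a user owning `renew_consul_certificates_config_dir`) cannot opt out, and the whole `Configure files for consul certificate renewal` block, including the templating of the file written with `mode: '0600'`, now runs as the become user. A role-level switch keeps the fix from this commit while leaving the decision to the playbook, e.g. `become: "{{ renew_consul_certificates_become | default(true) }}"` (a new variable name, for illustration) with the default documented in defaults/main.yml. Whichever way is chosen, the README for the role should state that it escalates, since the molecule scenarios now rely on it.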