custom config tests now work

defaults/main.yml

@@ -13,6 +13,6 @@ renew_vault_certificates_info:
   issuer_path: pki/issue/your-issuer
   common_name: vault01.example.com
   ttl: 90d
-  include_consul_service: true
+  include_consul_service: false
 renew_vault_certificates_consul_service_name: vault.service.consul
 renew_vault_certificates_start_service: false

meta/main.yml

@@ -4,7 +4,7 @@ galaxy_info:
   namespace: 'ednxzu'
   role_name: 'renew_vault_certificates'
   author: 'Bertrand Lanson'
-  description: 'Install and configure consul-template for vault TLS certificates renewal for debian-based distros.'
+  description: 'Install and configure consul-template to renew vault TLS certificates for debian-based distros.'
   license: 'license (BSD, MIT)'
   min_ansible_version: '2.10'
   platforms:

molecule/default/tests/test_default.py

@@ -25,6 +25,8 @@ def test_template_files(host):
         assert file.user == "vault"
         assert file.group == "vault"
         assert file.mode == 0o600
+    assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
+    assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/your-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
 
 def test_vault_certs_service_file(host):
     """Validate vault-certs service file."""

molecule/with_custom_config/converge.yml

@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+    - name: "Include ednxzu.renew_vault_certificates"
+      ansible.builtin.include_role:
+        name: "ednxzu.renew_vault_certificates"

molecule/with_custom_config/group_vars/all.yml

@@ -0,0 +1,17 @@
+---
+renew_vault_certificates_config_dir: /etc/consul-template.d/vault
+renew_vault_certificates_vault_user: vault
+renew_vault_certificates_vault_group: vault
+renew_vault_certificates_vault_addr: "https://vault.example.com"
+renew_vault_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange
+renew_vault_certificates_vault_token_unwrap: false
+renew_vault_certificates_vault_token_renew: true
+renew_vault_certificates_cert_dest: /opt/vault/tls/cert.pem
+renew_vault_certificates_key_dest: /opt/vault/tls/key.pem
+renew_vault_certificates_info:
+  issuer_path: pki/issue/vault-issuer
+  common_name: vault01.example.com
+  ttl: 90d
+  include_consul_service: true
+renew_vault_certificates_consul_service_name: vault.service.consul
+renew_vault_certificates_start_service: false

molecule/with_custom_config/molecule.yml

@@ -0,0 +1,41 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: ./requirements.yml
+driver:
+  name: docker
+platforms:
+  - name: instance
+    image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
+    command: ""
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup
+    cgroupns_mode: host
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      remote_tmp: /tmp/.ansible
+verifier:
+  name: testinfra
+lint: |
+  yamllint -c .yamllint .
+  ansible-lint
+scenario:
+  name: with_custom_config
+  test_sequence:
+    - dependency
+    - lint
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - verify
+    - cleanup
+    - destroy

molecule/with_custom_config/prepare.yml

@@ -0,0 +1,15 @@
+---
+- name: Prepare
+  hosts: all
+  tasks:
+    - name: "Create group vault"
+      ansible.builtin.group:
+        name: "vault"
+        state: present
+
+    - name: "Create user vault"
+      ansible.builtin.user:
+        name: "vault"
+        group: "vault"
+        shell: /bin/false
+        state: present

molecule/with_custom_config/requirements.yml

@@ -0,0 +1,5 @@
+---
+# requirements file for molecule
+roles:
+  - name: ednxzu.manage_repositories
+  - name: ednxzu.manage_apt_packages

molecule/with_custom_config/tests/conftest.py

@@ -0,0 +1,22 @@
+"""PyTest Fixtures."""
+from __future__ import absolute_import
+
+import os
+
+import pytest
+
+
+def pytest_runtest_setup(item):
+    """Run tests only when under molecule with testinfra installed."""
+    try:
+        import testinfra
+    except ImportError:
+        pytest.skip("Test requires testinfra", allow_module_level=True)
+    if "MOLECULE_INVENTORY_FILE" in os.environ:
+        pytest.testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+            os.environ["MOLECULE_INVENTORY_FILE"]
+        ).get_hosts("all")
+    else:
+        pytest.skip(
+            "Test should run only from inside molecule.", allow_module_level=True
+        )

molecule/with_custom_config/tests/test_default.py

@@ -0,0 +1,48 @@
+"""Role testing files using testinfra."""
+
+
+def test_hosts_file(host):
+    """Validate /etc/hosts file."""
+    etc_hosts = host.file("/etc/hosts")
+    assert etc_hosts.exists
+    assert etc_hosts.user == "root"
+    assert etc_hosts.group == "root"
+
+def test_consul_template_config(host):
+    """Validate /etc/consul-template.d/vault/ files."""
+    etc_consul_template_d_vault_config_hcl = host.file("/etc/consul-template.d/vault/vault_config.hcl")
+    assert etc_consul_template_d_vault_config_hcl.exists
+    assert etc_consul_template_d_vault_config_hcl.user == "vault"
+    assert etc_consul_template_d_vault_config_hcl.group == "vault"
+    assert etc_consul_template_d_vault_config_hcl.mode == 0o600
+
+def test_template_files(host):
+    """Validate /etc/consul-template.d/vault/templates/ files."""
+    vault_cert_pem_tpl = host.file("/etc/consul-template.d/vault/templates/vault_cert.pem.tpl")
+    vault_key_pem_tpl = host.file("/etc/consul-template.d/vault/templates/vault_key.pem.tpl")
+    for file in vault_cert_pem_tpl, vault_key_pem_tpl:
+        assert file.exists
+        assert file.user == "vault"
+        assert file.group == "vault"
+        assert file.mode == 0o600
+    assert vault_cert_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.certificate }}\n{{ .Data.issuing_ca }}\n{{ end }}\n'
+    assert vault_key_pem_tpl.content_string == '{{ with secret "pki/issue/vault-issuer" "common_name=vault01.example.com" "ttl=90d" "alt_names=localhost,vault.service.consul,active.vault.service.consul,standby.vault.service.consul" "ip_sans=127.0.0.1" }}\n{{ .Data.private_key }}\n{{ end }}\n'
+
+def test_vault_certs_service_file(host):
+    """Validate vault-certs service file."""
+    etc_systemd_system_vault_certs_service = host.file("/etc/systemd/system/vault-certs.service")
+    assert etc_systemd_system_vault_certs_service.exists
+    assert etc_systemd_system_vault_certs_service.user == "root"
+    assert etc_systemd_system_vault_certs_service.group == "root"
+    assert etc_systemd_system_vault_certs_service.mode == 0o644
+    assert etc_systemd_system_vault_certs_service.content_string != ""
+
+def test_vault_certs_service(host):
+    """Validate vault-certs service."""
+    vault_certs_service = host.service("vault-certs.service")
+    assert vault_certs_service.is_enabled
+    assert not vault_certs_service.is_running
+    assert vault_certs_service.systemd_properties["Restart"] == "on-failure"
+    assert vault_certs_service.systemd_properties["User"] == "vault"
+    assert vault_certs_service.systemd_properties["Group"] == "vault"
+    assert vault_certs_service.systemd_properties["FragmentPath"] == "/etc/systemd/system/vault-certs.service"