Ansible-lint: Refactor rules and noqas

- Delete not needed noqas and rules
- Refactor code
- Partly osism/issues#496

Signed-off-by: Ramona Beermann <[email protected]>

.ansible-lint

@@ -6,25 +6,19 @@ exclude_paths:
   - contrib
   - doc
   - environments/kolla/files/overlays/prometheus/prometheus.yml.d/50-ceph.yml
+  - environments/kolla/files/overlays/ceilometer/event_definitions.yaml
   - netbox
   - network
   - scripts
   - terraform
 mock_roles:
   - manager
-  - osism.commons.docker_compose
-  - osism.commons.operator
-  - osism.services.docker
-  - osism.services.manager
-  - osism.services.netbox
-  - osism.services.traefik
   - stage-output
 use_default_rules: true
 rulesdir:
   - ./.ansible-lint-rules/
 skip_list:
+  - run-once[task]
   - yaml
 warn_list:
-  - command-instead-of-shell  # Use shell only when shell functionality is required.
-  - no-changed-when           # Commands should not change things if nothing needs doing.
-  - run-once[task]            # Run once should use strategy other than free.
+  - dummy

ansible/check-local-versions.yml

@@ -10,10 +10,12 @@
         msg: "Ansible core version is {{ ansible_version.full }}, see https://docs.scs.community/docs/testbed/doc/quickstart for required version."
       when: ansible_version.full < "2.13.0"
 
-    - name: Get terraform version  # noqa risky-shell-pipe
-      ansible.builtin.shell:
+    - name: Get terraform version
+      ansible.builtin.shell: >-
+        set -o pipefail &&
         terraform --version | head -n1  | awk '{print $2}' | awk -Fv '{print $2}'
       register: result
+      changed_when: false
 
     - name: Fail if terraform version is lower than 1.2.0
       ansible.builtin.fail:

ansible/manager-part-0.yml

@@ -7,6 +7,7 @@
     # NOTE: https://github.com/hashicorp/packer/issues/2639
     - name: Check /var/lib/cloud/instance/boot-finished
       ansible.builtin.raw: timeout 180 /bin/bash -c 'until stat /var/lib/cloud/instance/boot-finished 2>/dev/null; do echo Wait for cloud-init to finish; sleep 1; done'
+      changed_when: false
 
 - name: Run manager part 0
   hosts: testbed-manager.testbed.osism.xyz
@@ -24,11 +25,15 @@
         update_cache: true
         lock_timeout: "{{ apt_lock_timeout }}"
 
-    - name: Set APT options on manager  # noqa risky-shell-pipe
+    - name: Set APT options on manager
       become: true
       ansible.builtin.shell: |
-        echo "APT::Acquire::Retries \"3\";" > /etc/apt/apt.conf.d/80-retries
+        set -o pipefail &&
+        echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80-retries
         echo '* libraries/restart-without-asking boolean true' | debconf-set-selections
+      args:
+        executable: /bin/bash
+      changed_when: true
 
     - name: Install packages on manager
       become: true
@@ -51,6 +56,7 @@
           - python3-winrm
           - python3-xmltodict
         update_cache: true
+      changed_when: true
 
     - name: Remove existing Ansible package if necessary
       become: true
@@ -62,6 +68,7 @@
       become: true
       ansible.builtin.command: |
           pip3 install --no-cache-dir 'ansible-core>=2.15.0,<2.16.0'
+      changed_when: true
 
     - name: Create source directories
       become: true
@@ -100,6 +107,7 @@
           ansible-galaxy collection install --collections-path /usr/share/ansible/collections /opt/src/osism/ansible-collection-commons
           ansible-galaxy collection install --collections-path /usr/share/ansible/collections /opt/src/osism/ansible-collection-services
           chmod -R +r /usr/share/ansible
+      changed_when: true
 
 - name: Create operator user
   hosts: testbed-manager.testbed.osism.xyz

ansible/manager-part-1.yml

@@ -46,14 +46,16 @@
       ansible.builtin.shell: |
           pip3 install --no-cache-dir python-gilt
       when: version_manager != "latest"
+      changed_when: true
 
     # shell required because of: command module does not accept
     # setting environment variables inline.
-    - name: Sync testbed repo with generics  # noqa command-instead-of-shell
+    - name: Sync testbed repo with generics  # noqa: command-instead-of-shell
       ansible.builtin.shell:
         chdir: /opt/configuration
         cmd: MANAGER_VERSION={{ version_manager }} gilt overlay
       when: version_manager != "latest"
+      changed_when: true
 
     - name: Copy testbed crt
       become: true
@@ -66,6 +68,8 @@
     - name: Run update-ca-certificates
       become: true
       ansible.builtin.command: update-ca-certificates
+      changed_when: true
 
     - name: Run manager part 2
       ansible.builtin.command: ansible-playbook -i testbed-manager.testbed.osism.xyz, /opt/configuration/ansible/manager-part-2.yml
+      changed_when: true

environments/custom/playbook-keycloak-ldap-federation-config.yml

@@ -53,7 +53,7 @@
             --set enabled=true
       when: keycloak_realm not in available_realms
       run_once: true
-
+      changed_when: true
 
     - name: Get available components in realm
       ansible.builtin.command: >-
@@ -65,13 +65,11 @@
       changed_when: false
       run_once: true
 
-
     - name: Filter available components in realm
       ansible.builtin.set_fact:
         available_components: "{{ available_components_json.stdout | from_json | map(attribute='name') | list }}"
       run_once: true
 
-
     - name: Add LDAP user storage provider component to realm
       ansible.builtin.command: >-
         docker exec {{ keycloak_service_container_name }} {{ keycloak_kcadm_binary }}
@@ -113,7 +111,7 @@
       when: keycloak_ldap_storage_provider_component_name not in available_components
       run_once: true
       no_log: true
-
+      changed_when: true
 
     - name: Get LDAP provider id
       ansible.builtin.command: >-
@@ -125,13 +123,11 @@
       changed_when: false
       run_once: true
 
-
     - name: Filter LDAP provider id
       ansible.builtin.set_fact:
         ldap_provider_id: "{{ ldap_provider_id_json.stdout | from_json | map(attribute='id') }}"
       run_once: true
 
-
     - name: Get "first name" LDAP mapper id
       ansible.builtin.command: >-
         docker exec {{ keycloak_service_container_name }} {{ keycloak_kcadm_binary }}
@@ -146,13 +142,11 @@
       changed_when: false
       run_once: true
 
-
     - name: Filter "first name" LDAP mapper id
       ansible.builtin.set_fact:
         first_name_mapper_id: "{{ first_name_mapper_id_json.stdout }}"
       run_once: true
 
-
     # Map LDAP attribute givenName to user.model.attribute "firstName"
     - name: Add first name mapper to LDAP storage provider
       ansible.builtin.command: >-
@@ -165,7 +159,6 @@
       changed_when: false
       run_once: true
 
-
     - name: Get e-mail LDAP mapper id
       ansible.builtin.command: >-
         docker exec {{ keycloak_service_container_name }} {{ keycloak_kcadm_binary }}
@@ -180,13 +173,11 @@
       changed_when: false
       run_once: true
 
-
     - name: Filter e-mail LDAP mapper id
       ansible.builtin.set_fact:
         email_mapper_id: "{{ email_mapper_id_json.stdout }}"
       run_once: true
 
-
     # Map LDAP attribute mailPrimaryAddress to user.model.attribute "email"
     - name: Add e-mail mapper to LDAP storage provider
       ansible.builtin.command: >-
@@ -198,7 +189,6 @@
       changed_when: false
       run_once: true
 
-
     # Check if openstack-default-project mapper exists
     - name: Get the openstack-default-project mapper ID
       ansible.builtin.command: >-
@@ -214,7 +204,6 @@
       changed_when: false
       run_once: true
 
-
     - name: Filter openstack-default-project mapper ID
       ansible.builtin.set_fact:
         project_mapper_id: "{{ project_mapper_id_json.stdout }}"
@@ -234,7 +223,7 @@
             --set 'config."attribute.value"=["admin"]'
       when: not project_mapper_id
       run_once: true
-
+      changed_when: true
 
     # Check if openstack-user-domain mapper exists
     - name: Get the openstack-user-domain mapper ID
@@ -251,7 +240,6 @@
       changed_when: false
       run_once: true
 
-
     - name: Filter openstack-user-domain mapper ID
       ansible.builtin.set_fact:
         domain_mapper_id: "{{ domain_mapper_id_json.stdout }}"
@@ -271,6 +259,7 @@
             --set 'config."attribute.value"=["default"]'
       when: not domain_mapper_id
       run_once: true
+      changed_when: true
 
     - name: Get Keycloak's LDAP user
       ansible.builtin.command: >-
@@ -291,7 +280,6 @@
               | list }}"
       run_once: true
 
-
     # Provision the LDAP user which will be used by Keycloak
     # If it doesn't exist yet
     - name: Add Keycloak's LDAP user
@@ -304,3 +292,4 @@
         executable: /usr/bin/bash
       when: ldap_binddn not in available_users
       run_once: true
+      changed_when: true

environments/custom/playbook-keycloak-oidc-client-config.yml

@@ -47,6 +47,7 @@
             --set enabled=true
       when: keycloak_realm not in available_realms
       run_once: true
+      changed_when: true
 
     - name: Get available clients in realm
       ansible.builtin.command: >-
@@ -79,6 +80,7 @@
       when: keystone_client_id not in available_clients
       run_once: true
       no_log: true
+      changed_when: true
 
     - name: "Get internal ID for client {{ keystone_client_id }}"
       ansible.builtin.command: >-
@@ -132,6 +134,7 @@
         - "openstack-user-domain"
         - "openstack-default-project"
       run_once: true
+      changed_when: true
 
     - name: Get available components in realm
       ansible.builtin.command: >-
@@ -165,6 +168,7 @@
       when: keycloak_key_provider_component_name not in available_components
       run_once: true
       no_log: true
+      changed_when: true
 
     - name: Get available users in realm
       ansible.builtin.command: >-
@@ -190,6 +194,7 @@
             --set enabled=true
             --set "attributes.openstack-default-project=test"
       when: "'alice' not in available_users"
+      changed_when: true
 
     - name: Set password of sample user
       ansible.builtin.command: >-
@@ -198,3 +203,4 @@
             --username=alice
             --new-password=password
       when: "'alice' not in available_users"
+      changed_when: true

environments/custom/playbook-openldap-umc-policies.yml

@@ -37,3 +37,4 @@
         executable: /usr/bin/bash
       when: umc_policies not in available_umc_policies
       run_once: true
+      changed_when: true

environments/custom/playbook-umc-admin-ldap.yml

@@ -42,6 +42,7 @@
         executable: /usr/bin/bash
       when: umc_ldap_binddn not in available_users
       run_once: true
+      changed_when: true
 
     - name: Add the UMC Admin to the Domain Admins group
       ansible.builtin.shell: >-
@@ -56,3 +57,4 @@
         executable: /usr/bin/bash
       when: umc_ldap_binddn not in available_users
       run_once: true
+      changed_when: true

environments/openstack/playbook-bootstrap-basic.yml

@@ -39,6 +39,7 @@
     - name: Create volume type LUKS
       ansible.builtin.command: openstack --os-cloud admin volume type create --encryption-provider luks --encryption-cipher aes-xts-plain64 --encryption-key-size 256 --encryption-control-location front-end LUKS
       when: volume_type_result.rc == 1
+      changed_when: true
 
 - name: Bootstrap basic OpenStack services
   hosts: localhost

playbooks/cleanup.yml

@@ -20,3 +20,4 @@
       ansible.builtin.shell:
         chdir: "{{ ansible_user_dir }}/src/github.com/osism/testbed/terraform"
         cmd: make ENVIRONMENT={{ cloud_env }} clean 2>&1
+      changed_when: true