System Roles should consistently use ansible_managed in configuration…

… files it manages (#112)

bz#2044640

The certificate role needs to generate the hook scripts with the
correct `ansible_managed` string commented in the same format as
generated by the template module.  Borrowed the method from the
kernel_settings to get the ansible managed comment and updated
the base class in module_utils so that it adds the comment to
the pre and post scripts as follows.

  ==> {pre,post}-scripts/<filename>.sh <==
  #!/bin/bash
  #
  # Ansible managed
  #

  ... script ...

Signed-off-by: Noriko Hosoi <[email protected]>

library/certificate_request.py

@@ -160,6 +160,13 @@
     description:
       - Command that should run after saving the certificate.
     required: false
+  ansible_managed_new:
+    description:
+      - Ansible ansible_managed string to put in header of file
+      - should be in the format of {{ ansible_managed | comment }}
+      - as rendered by the template module
+    type: str
+    required: true
 
 author:
   - Sergio Oliveira Campos (@seocam)
@@ -359,6 +366,7 @@ def _get_argument_spec():
             wait=dict(type="bool", default=True),
             run_before=dict(type="str"),
             run_after=dict(type="str"),
+            ansible_managed_new=dict(type="str"),
         )
 
     @property

module_utils/certificate_lsr/providers/base.py

@@ -547,6 +547,10 @@ def certificate_key_path(self):
         """Path where key should be placed."""
         return self._get_store_location(key=True)
 
+    def _get_ansible_managed_new(self):
+        """New ansible managed comment."""
+        return self.module.params.get("ansible_managed_new")
+
     def _get_hook_script_path(self, dirname):
         script_name = "{cert_name}-{request_id}.sh".format(
             cert_name=os.path.basename(self.module.params.get("name")),
@@ -570,7 +574,7 @@ def _convert_hook_param_to_script(self, param_name):
         if not param:
             return None
 
-        script = ["#!/bin/bash", "", param]
+        script = ["#!/bin/bash", self._get_ansible_managed_new(), param]
         return "\n".join(script)
 
     @property
@@ -672,6 +676,15 @@ def _write_param_to_file_if_diff(self, param_name, filepath, check_mode):
 
         # if file and param are the same just return
         if param_sha1 == file_sha1:
+            # Even if file and param are identical,
+            # if the script exists and the content of the script
+            # is different from the current one including the
+            # ansible managed comment, update the script.
+            cur_script = open(filepath, encoding="utf-8").read()
+            if param != cur_script:
+                with open(filepath, "w") as script_fp:
+                    script_fp.write(param)
+                return True
             return False
 
         # Changes needs to be performed.

tasks/main.yml

@@ -140,4 +140,8 @@
     run_before: "{{ item.run_before | default(omit) }}"
     run_after: "{{ item.run_after | default(omit) }}"
     ca: "{{ item.ca | default(omit) }}"
+    ansible_managed_new: "{{ __certificate_new_header }}"
   loop: "{{ certificate_requests }}"
+  vars:
+    __certificate_new_header: "{{
+      lookup('template', 'get_ansible_managed.j2') }}"

templates/get_ansible_managed.j2

@@ -0,0 +1 @@
+{{ ansible_managed | comment }}

tests/roles/linux-system-roles.certificate/templates

@@ -0,0 +1 @@
+../../../templates/

tests/tests_run_hooks.yml

@@ -62,3 +62,13 @@
             fail_msg: >-
               {{ after_result.stat.mtime }} <=
               {{ cert_result.stat.mtime }}
+
+    - name: Get the ansible_managed comment in pre/post-scripts
+      command: >-
+        find /etc/certmonger/pre-scripts /etc/certmonger/post-scripts
+        -type f -exec grep "^# Ansible managed" {} \;
+      register: _result
+
+    - name: Verify the ansible_managed comment in pre/post-scripts
+      assert:
+        that: _result.stdout_lines | length == 2