@richm richm commented Jan 5, 2026

Ansible 2.20 has deprecated the use of Ansible facts as variables. For
example, ansible_distribution is now deprecated in favor of
ansible_facts["distribution"]. This is due to making the default
setting INJECT_FACTS_AS_VARS=false. For now, this will create WARNING
messages, but in Ansible 2.24 it will be an error.

Add the role facts to __firewall_required_facts and __firewall_no_subsets_facts as needed.

See https://docs.ansible.com/projects/ansible/latest/porting_guides/porting_guide_core_2.20.html#inject-facts-as-vars

Signed-off-by: Rich Megginson [email protected]

Summary by Sourcery

Update firewall role and tests to use structured ansible_facts instead of deprecated fact variables and ensure required facts are gathered explicitly.

Enhancements:

  • Replace direct use of distribution-related fact variables with ansible_facts lookups across role variables and tests for compatibility with INJECT_FACTS_AS_VARS=false.
  • Declare and use __firewall_required_facts and __firewall_no_subsets_facts to control which fact subsets must be gathered by the role.
  • Adjust the computed Python interpreter command to read discovered_interpreter_python from ansible_facts.
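
An added example, not code from this PR or from the linux-system-roles project: a small scanner for the migration described above, which finds bare fact references inside Jinja expressions and one-line conditionals and proposes the `ansible_facts[...]` form. The fact list comes from the PR description; the function name, the conditional keywords scanned and the sample YAML are assumptions made for illustration.

```python
import re

# Facts named in this PR's description. The last one was injected without the
# "ansible_" prefix (see the tasks/main.yml change), so it is matched bare.
FACTS = ("distribution_major_version", "distribution",
         "discovered_interpreter_python")
UNPREFIXED = {"discovered_interpreter_python"}
NAMES = {(f if f in UNPREFIXED else "ansible_" + f): f for f in FACTS}

# The lookarounds skip dict keys ('name'), dotted attributes (.name) and
# longer identifiers that merely start or end with a fact name.
PATTERN = re.compile(r"(?<![\w'\".])(" + "|".join(map(re.escape, NAMES))
                     + r")(?![\w'\"])")
# Places where Ansible templates text: {{ }} / {% %} blocks (which may span
# lines) and one-line raw conditionals. The keyword list is an assumption.
JINJA = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
COND = re.compile(
    r"^[ \t]*(?:-[ \t]+)?(?:when|that|until|changed_when|failed_when):[ \t]*(.+)$",
    re.M)

# Constructed sample, not taken from the repository.
SAMPLE = '''\
__firewall_python_cmd: "{{ ansible_python_interpreter |
  d(discovered_interpreter_python) }}"
__firewall_required_facts:
  - discovered_interpreter_python
- name: Fedora-only check
  ansible.builtin.debug:
    msg: "{{ ansible_facts['distribution'] }}"
  when: ansible_distribution == 'Fedora' and ansible_distribution_major_version | int >= 40
'''


def find_bare_facts(yaml_text):
    """Return (line, bare_name, replacement) for each deprecated reference."""
    spans = [(m.start(), m.group(0)) for m in JINJA.finditer(yaml_text)]
    spans += [(m.start(1), m.group(1)) for m in COND.finditer(yaml_text)]
    hits = {}  # keyed by offset so overlapping spans report a name once
    for base, expr in spans:
        for m in PATTERN.finditer(expr):
            pos = base + m.start()
            line = yaml_text.count("\n", 0, pos) + 1
            hits[pos] = (line, m.group(1),
                         "ansible_facts['%s']" % NAMES[m.group(1)])
    return [hits[p] for p in sorted(hits)]


if __name__ == "__main__":
    for line, old, new in find_bare_facts(SAMPLE):
        print("line %d: %s -> %s" % (line, old, new))
```

The plain list entry on line 4 of the sample and the already migrated lookup on line 7 are left alone; conditionals written as multi-line YAML lists are not scanned.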

sourcery-ai bot commented Jan 5, 2026

Reviewer's Guide

Refactors firewall role and its tests to stop using deprecated top-level Ansible fact variables, instead reading from ansible_facts and ensuring the required facts are gathered correctly when INJECT_FACTS_AS_VARS is false.

File-Level Changes

Change: Replace deprecated top-level distribution facts with ansible_facts lookups across role and tests.
Details:
  • Update all conditionals and expressions that used ansible_distribution to use ansible_facts['distribution'] instead.
  • Update all usages of ansible_distribution_major_version to ansible_facts['distribution_major_version'] in tests and helper variables.
  • Adjust distro helper booleans (__firewall_is_rh_distro and __firewall_is_rh_distro_fedora) to use ansible_facts-based lookups in both role vars and test vars.
Files: tests/tests_service.yml, tests/tests_ansible.yml, tests/tests_zone.yml, tests/tests_interface_pci.yml, tests/tests_reload_on_reset.yml, tests/vars/rh_distros_vars.yml, vars/main.yml

Change: Ensure role explicitly gathers and uses required ansible_facts when INJECT_FACTS_AS_VARS is false.
Details:
  • Extend __firewall_required_facts to include discovered_interpreter_python, distribution_major_version, and distribution so they are gathered explicitly.
  • Introduce __firewall_no_subsets_facts to list facts that should not be requested via gather_subset, and compute __firewall_required_facts_subsets using a difference filter.
  • Switch __firewall_python_cmd to prefer ansible_facts['discovered_interpreter_python'] over bare discovered_interpreter_python, aligning with INJECT_FACTS_AS_VARS=false behavior.
Files: vars/main.yml, tasks/main.yml

Possibly linked issues

  • #INJECT_FACTS_AS_VARS default to True is deprecated warnings with Ansible 2.20: PR replaces ansible_* vars with ansible_facts and adjusts required facts, fixing the reported deprecation warnings.


@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 2 issues, and left some high level feedback:

  • In tasks/main.yml, using ansible_facts['discovered_interpreter_python'] inside the d() default chain can raise a template error if that key is missing; consider guarding it with ansible_facts.get('discovered_interpreter_python') or a default filter on the facts lookup itself.
  • Several test playbooks repeat the same distribution/major_version conditionals that now also exist as __firewall_is_rh_distro(_fedora); consider reusing these helper vars in tests to avoid duplication and keep future distro logic changes in one place.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `vars/main.yml:14-21` </location>
<code_context>
   - python_version
   - service_mgr

+__firewall_no_subsets_facts:
+  - discovered_interpreter_python
+
 # the subsets of ansible_facts that need to be gathered in case any of the
 # facts in required_facts is missing; see the documentation of
 # the 'gather_subset' parameter of the 'setup' module
 __firewall_required_facts_subsets: "{{ ['!all', '!min'] +
-  __firewall_required_facts }}"
+  __firewall_required_facts | difference(__firewall_no_subsets_facts) }}"

 __firewall_packages_base: [firewalld]
</code_context>
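
Review bot: In the `__firewall_required_facts_subsets` expression, Jinja2 applies a filter before `+`, so `| difference(__firewall_no_subsets_facts)` acts only on `__firewall_required_facts` and `['!all', '!min']` is prepended afterwards. That is the grouping the change needs, but it is worth writing it out as `['!all', '!min'] + (__firewall_required_facts | difference(__firewall_no_subsets_facts))`. The new `__firewall_no_subsets_facts` list also has no comment saying why its entries must be kept out of `gather_subset`; one line above it would help.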

<issue_to_address>
**nitpick:** The `difference` filter plus list concatenation relies on Jinja operator precedence; consider making it explicit for readability.

This expression depends on Jinja evaluating it as `(['!all', '!min'] + __firewall_required_facts) | difference(...)`. To avoid ambiguity and make future changes safer, consider adding parentheses:

```yaml
__firewall_required_facts_subsets: "{{ (['!all', '!min'] + __firewall_required_facts)
  | difference(__firewall_no_subsets_facts) }}"
```
</issue_to_address>

### Comment 2
<location> `tasks/main.yml:42-43` </location>
<code_context>
       list | length > 0 }}"
     __firewall_python_cmd: "{{ ansible_python_interpreter |
-      d(discovered_interpreter_python) }}"
+      d(ansible_facts['discovered_interpreter_python']) }}"
     __firewall_report_changed: true

</code_context>
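
Review bot: On the `__firewall_python_cmd` line, the only fallback when `ansible_python_interpreter` is unset is now `ansible_facts['discovered_interpreter_python']`, and nothing in this hunk covers the case where that fact was never set. Since `discovered_interpreter_python` is listed in `__firewall_no_subsets_facts` in vars/main.yml and so is not requested through `gather_subset`, consider a final default at the end of the chain or an explicit check that fails with a clear message.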

<issue_to_address>
**suggestion:** Indexing `ansible_facts['discovered_interpreter_python']` directly may raise an error if the fact is unexpectedly missing.

Inside `d()`, this will fail outright if `discovered_interpreter_python` isn’t in `ansible_facts`. To make it more robust while preserving the new behavior, you could use:

```yaml
__firewall_python_cmd: "{{ ansible_python_interpreter |
  d(ansible_facts.get('discovered_interpreter_python')) }}"
```

```suggestion
    __firewall_python_cmd: "{{ ansible_python_interpreter |
      d(ansible_facts.get('discovered_interpreter_python')) }}"
```
</issue_to_address>


codecov bot commented Jan 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.26%. Comparing base (2d7c4ba) to head (eef95a8).
⚠️ Report is 118 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #314      +/-   ##
==========================================
- Coverage   61.09%   58.26%   -2.83%     
==========================================
  Files           2        2              
  Lines         910     1294     +384     
==========================================
+ Hits          556      754     +198     
- Misses        354      540     +186     
Flag Coverage Δ
sanity ?

richm commented Jan 5, 2026

fixes #312

richm commented Jan 5, 2026

[citest]

richm commented Jan 5, 2026

[citest_bad]

@richm richm merged commit 1fc4ed7 into linux-system-roles:main Jan 6, 2026
39 of 40 checks passed
@richm richm deleted the inject-facts-as-vars branch January 6, 2026 14:44