Added playbooks for artemis-test-migration

[FleckiBunti]

Motivation and Context

This are the files to use artemis-test-migration; for more, see ls1intum/artemis-ansible-collection#190

Description

Summary by CodeRabbit

• New Features

  • Added a dedicated test environment host and automated playbooks for loading DB backups, resetting databases, and performing initial system setup.

• Chores

  • Added a new inventory group and host entry.
  • Centralized host variables including server name, database/container names, MySQL base image, and secrets retrieved from Vault.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 00e4837a-3e15-454e-919b-7661bef00356

📥 Commits

Reviewing files that changed from the base of the PR and between d183eb5 and 560a6d1.

📒 Files selected for processing (1)

• hosts

---

📝 Walkthrough

Walkthrough

Adds a new Artemis test migration inventory host and host_vars (including Vault-sourced credentials and container/image names) and three Ansible playbooks to set up, reset, and load a migrated database on that host.

Changes

Cohort / File(s)	Summary
Inventory hosts	Added new group artemistestmigration with host artemis-test-migration.artemis.cit.tum.de and registered it as a child of multiple existing artemistests* groups.
Host variables host_vars/artemis-test-migration.artemis.cit.tum.de.yml	Defined test-specific variables: test server name, Vault lookups for DB and admin passwords, JHipster JWT, MySQL base image (mysql:8.0.45), and container names (artemis-temp-db, artemis-db, artemis_db).
Migration playbooks playbooks/artemis-migration/migration_setup.yml, playbooks/artemis-migration/migration_reset_db.yml, playbooks/artemis-migration/migration_load_new_db_backup.yml	Added three playbooks targeting the migration host: setup (applies ls1intum.artemis.artemis with setup_system: true and ls1intum.artemis.legal), reset (applies ls1intum.artemis.migration_tester), and load backup (applies ls1intum.artemis.migration_tester with dump_src and bake: true).

Sequence Diagram(s)

sequenceDiagram
  participant Ansible as "Ansible Controller"
  participant Vault as "HashiCorp Vault"
  participant Host as "artemis-test-migration"
  participant Docker as "Docker / Containers"
  participant MySQL as "MySQL Container"

  Ansible->>Vault: request DB & admin secrets
  Vault-->>Ansible: return credentials
  Ansible->>Host: run playbook (migration_setup / reset / load)
  Host->>Docker: start/configure containers (artemis-db, artemis-temp-db)
  Docker->>MySQL: provision image `mysql:8.0.45` and apply dump (if load)
  MySQL-->>Host: report status
  Host-->>Ansible: playbook success/failure

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops in with a migration map,
Vault keys jingling inside my lap.
Playbooks prepare and containers hum,
Backups restored — the migration's begun! 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding new playbooks for artemis-test-migration. It is concise and directly reflects the primary additions across the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/artemis-test-migration

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can suggest fixes for GitHub Check annotations.

Configure the reviews.tools.github-checks setting to adjust the time to wait for GitHub Checks to complete.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

playbooks/artemis-migration/migration_load_new_db_backup.yml (1)

3-3: Prefer targeting the inventory group instead of a hardcoded FQDN.

Line 3 hardcodes a single host; using artemistestmigration reduces duplication and avoids edits across multiple playbooks if the hostname changes.

Proposed change

-  hosts: artemis-test-migration.artemis.cit.tum.de
+  hosts: artemistestmigration

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@playbooks/artemis-migration/migration_load_new_db_backup.yml` at line 3, The
playbook currently hardcodes a single FQDN in the hosts directive ("hosts:
artemis-test-migration.artemis.cit.tum.de"); update the hosts line in
migration_load_new_db_backup.yml to target the inventory group name (e.g.,
"hosts: artemisestmigration" or the canonical group you maintain) so the
playbook uses the inventory group instead of a fixed host, ensuring other tasks
(and any includes/roles) implicitly target that group.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@playbooks/artemis-migration/migration_load_new_db_backup.yml`:
- Around line 7-10: The playbook sets become: true but uses a tilde in the
dump_src var which will expand to root's home at runtime; update the dump_src
variable (the dump_src YAML key in migration_load_new_db_backup.yml) to an
explicit absolute path to the backup (e.g. /home/youruser/artemis_backup.sql.gz
or wherever the file actually lives) so the task that reads dump_src finds the
correct file when run with privilege escalation.

---

Nitpick comments:
In `@playbooks/artemis-migration/migration_load_new_db_backup.yml`:
- Line 3: The playbook currently hardcodes a single FQDN in the hosts directive
("hosts: artemis-test-migration.artemis.cit.tum.de"); update the hosts line in
migration_load_new_db_backup.yml to target the inventory group name (e.g.,
"hosts: artemisestmigration" or the canonical group you maintain) so the
playbook uses the inventory group instead of a fixed host, ensuring other tasks
(and any includes/roles) implicitly target that group.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 25659cb and d183eb5.

📒 Files selected for processing (5)

• host_vars/artemis-test-migration.artemis.cit.tum.de.yml
• hosts
• playbooks/artemis-migration/migration_load_new_db_backup.yml
• playbooks/artemis-migration/migration_reset_db.yml
• playbooks/artemis-migration/migration_setup.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n playbooks/artemis-migration/migration_load_new_db_backup.yml | head -20

Repository: ls1intum/artemis-ansible

Length of output: 367

---

🏁 Script executed:

# Check if the file exists and its full content around the specified lines
wc -l playbooks/artemis-migration/migration_load_new_db_backup.yml

Repository: ls1intum/artemis-ansible

Length of output: 131

---

🏁 Script executed:

# Search for any other usages of dump_src or similar paths in the playbook
rg "dump_src|become" playbooks/artemis-migration/migration_load_new_db_backup.yml -A 2 -B 2

Repository: ls1intum/artemis-ansible

Length of output: 216

---

🏁 Script executed:

# Look for the migration_tester role to understand how dump_src is used
find . -path "*/migration_tester*" -type d

Repository: ls1intum/artemis-ansible

Length of output: 50

---

🏁 Script executed:

# Search for other uses of dump_src to understand the pattern
rg "dump_src" -B 3 -A 3

Repository: ls1intum/artemis-ansible

Length of output: 512

---

🌐 Web query:

Ansible tilde home directory expansion with become privilege escalation

💡 Result:

~ expansion in Ansible is frequently confusing with become because:

• Most Ansible modules do not perform shell-style tilde expansion. For example, copy.dest expects a remote path (typically absolute); if you pass ~, Ansible won’t reliably expand it the way an interactive shell would. (docs.ansible.com)
• When tilde expansion does happen (typically only via a shell on the target, e.g., ansible.builtin.shell), it expands to the home of the effective user. With become: true, the effective user is usually root, so ~ becomes /root, not the SSH login user’s home. (docs.ansible.com)
• become_user only specifies who you become; it doesn’t imply become: true. (docs.ansible.com)

Practical fixes / patterns

1. Avoid ~ in module paths; use an explicit absolute path.
   Example (install a user’s authorized keys while escalating to root):

   - copy:
       src: files/authorized_keys
       dest: "/home/{{ target_user }}/.ssh/authorized_keys"
       owner: "{{ target_user }}"
       group: "{{ target_user }}"
       mode: "0600"
     become: true

2. If you truly need “that user’s home”, look it up (don’t guess).
   Common approach: query passwd DB, then build the path (works even if homes aren’t /home/<user>).

3. If you rely on shell expansion, remember it’s user-dependent under become.
   ~ expands based on the user running the shell (root under become). This is standard shell behavior. (stackoverflow.com)

4. Controller-side ~ expansion is different from remote.
   Ansible has an expanduser filter, but it expands ~ where templating runs (the controller), so it’s usually not what you want for remote home directories. (docs.ansible.com)

Citations:

• 1: https://docs.ansible.com/projects/ansible/latest/collections/ansible/builtin/copy_module.html?utm_source=openai
• 2: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html?utm_source=openai
• 3: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html?utm_source=openai
• 4: https://stackoverflow.com/questions/5748216/tilde-in-path-doesnt-expand-to-home-directory?utm_source=openai
• 5: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/expanduser_filter.html?utm_source=openai

---

🏁 Script executed:

rg "become_user|migration_tester" playbooks/artemis-migration/ -B 2 -A 2

Repository: ls1intum/artemis-ansible

Length of output: 741

---

🏁 Script executed:

# Check if there are other playbooks with similar patterns to understand context
rg "become.*true" playbooks/ -l | head -5

Repository: ls1intum/artemis-ansible

Length of output: 294

---

Use an absolute dump_src path when running with become.

Line 9 uses ~, but line 7 enables privilege escalation. Ansible does not perform shell-style tilde expansion in module arguments, and when expansion occurs via shell (e.g., with shell modules), ~ resolves to the effective user's home. With become: true and no become_user specified, the effective user is root, so ~ becomes /root, not the original user's home—causing the dump file to not be found at runtime.

Use an explicit absolute path instead:

Safer path example

-        dump_src: "~/artemis_backup.sql.gz"
+        dump_src: "/tmp/artemis_backup.sql.gz"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@playbooks/artemis-migration/migration_load_new_db_backup.yml` around lines 7
- 10, The playbook sets become: true but uses a tilde in the dump_src var which
will expand to root's home at runtime; update the dump_src variable (the
dump_src YAML key in migration_load_new_db_backup.yml) to an explicit absolute
path to the backup (e.g. /home/youruser/artemis_backup.sql.gz or wherever the
file actually lives) so the task that reads dump_src finds the correct file when
run with privilege escalation.

[bensofficial]

Isn't this already covered by the playbook in playbooks/artemis-tests/artemis-tests.yml?

[FleckiBunti]

It is. You'd just have to limit the hosts to the migration tester. if you'd like me to remove the file, I will do so

[Mtze]

Linter fails

[FleckiBunti]

Linter fails

It needs github.com/ls1intum/artemis-ansible-collection/pull/190 to be merged for it to work

[Mtze]

True - i reviewed the other one 👍