ansible-lint: fix YAML, file perms, changed_when

markgoddard · markgoddard · commit 77eae54ecb7e · 2023-08-02T09:54:30.000+01:00
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,14 +1,7 @@
 ---
 skip_list:
   - var-naming[no-role-prefix]
-  - yaml[octal-values]
-  - yaml[trailing-spaces]
-  - yaml[truthy]
-  - name[casing]
-  - risky-file-permissions
   - galaxy[no-changelog]
-  - galaxy[tags]
   - meta-runtime[unsupported-version]
-  - no-changed-when
   - fqcn[action-core]
   - fqcn[action]
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -1,7 +1,7 @@
 name: Tests
 
 # Controls when the action will run.
-on:
+'on':
   pull_request:
   push:
     branches:
diff --git a/galaxy.yml b/galaxy.yml
@@ -9,7 +9,9 @@ dependencies:
 license:
   - "Apache-2.0"
 tags:
+  - consul
   - hashicorp
+  - infrastructure
+  - security
   - vault
-  - consul
 repository: "https://github.com/stackhpc/ansible-collection-hashicorp"
diff --git a/roles/vault/tasks/vault.yml b/roles/vault/tasks/vault.yml
@@ -53,7 +53,7 @@
       copy:
         content: "{{ vault_keys_result | to_nice_json }}"
         dest: "{{ vault_write_keys_file_path }}"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ vault_write_keys_file_host }}"
       when:
         - vault_write_keys_file | bool
diff --git a/roles/vault_pki/tasks/create_cert.yml b/roles/vault_pki/tasks/create_cert.yml
@@ -33,7 +33,7 @@
       {{ item.data.issuing_ca }}
       {{ item.data.private_key }}
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.pem"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ cert_data.results }}"
   loop_control:
@@ -52,7 +52,7 @@
       {{ item.data.certificate }}
       {{ item.data.issuing_ca }}
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.crt"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ cert_data.results }}"
   loop_control:
@@ -61,7 +61,7 @@
     - not vault_pki_write_pem_bundle | bool
     - vault_pki_write_certificate_files | bool
     - not cert_file.stat.exists or vault_pki_overwrite_certificates | bool
-    
+
 - name: "Write out key"
   vars:
     cert_name: "{{ item.item.common_name if item.item.common_name | default() | length > 0 else item.item.extra_params.ip_sans | default() }}"
@@ -70,7 +70,7 @@
     content: |
       {{ item.data.private_key }}
     dest: "{{ vault_pki_certificates_directory }}/{{ cert_name | replace(' ', '-') }}.key"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   loop: "{{ cert_data.results }}"
   loop_control:
diff --git a/roles/vault_pki/tasks/intermediate.yml b/roles/vault_pki/tasks/intermediate.yml
@@ -74,7 +74,7 @@
         content: |
           {{ intermediate_ca_csr_signed.data.certificate }}
         dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name | replace(' ', '-') }}.crt"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ vault_pki_write_certificates_host }}"
       when:
         - vault_pki_write_int_ca_to_file | bool
@@ -86,7 +86,7 @@
           {{ intermediate_ca_csr_signed.data.issuing_ca }}
           {{ intermediate_ca_csr.data.private_key }}
         dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_intermediate_ca_name |replace(' ', '-') }}.pem"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ vault_pki_write_certificates_host }}"
       when:
         - vault_pki_intermediate_export | bool
diff --git a/roles/vault_pki/tasks/root.yml b/roles/vault_pki/tasks/root.yml
@@ -30,7 +30,7 @@
     content: |
       {{ root_ca_data.data.certificate }}
     dest: "{{ vault_pki_certificates_directory }}/{{ vault_pki_root_ca_name | replace(' ', '-') }}.pem"
-    mode: 0600
+    mode: "0600"
   delegate_to: "{{ vault_pki_write_certificates_host }}"
   when:
     - root_ca_data.data.certificate is defined
diff --git a/tests/test_vault.yml b/tests/test_vault.yml
@@ -13,6 +13,7 @@
       file:
         path: /etc/vault
         state: directory
+        mode: "0700"
       become: true
 
     - name: Include vault role
@@ -98,14 +99,15 @@
         - OS-CERT-TEST.crt
         - OS-CERT-TEST2.pem
 
-    - name: concatenate CAs
+    - name: Concatenate CAs
       shell: |
         cat /tmp/OS-TLS-ROOT.pem /tmp/OS-TLS-INT.crt > /tmp/CA-CHAIN.pem
       args:
         executable: /bin/bash
       become: true
+      changed_when: true
 
-    - name: verify certificate chain
+    - name: Verify certificate chain
       command: |
         openssl verify -CAfile /tmp/CA-CHAIN.pem
         /tmp/{{ item }}
@@ -114,3 +116,4 @@
       loop:
         - OS-CERT-TEST.crt
         - OS-CERT-TEST2.pem
+      changed_when: false
