Merge branch 'devel-2.x' into r72626-serve-static-webm-with-nginx-PR-devel-2.x

Author: tymofiisobchenko

.ansible-lint

@@ -14,5 +14,7 @@ skip_list:
   - template-instead-of-copy # to skip over roles/ssl/tasks/copy.yml errors, temporarily.
   - name[template] # it doesn't like Jinja templates being in the middle of a task name, which seems silly to me.
   - name[casing] # sometimes included Galaxy roles break linting rules and cause failures
+  - args[module] # causing odd issue with ACL role
+  - jinja[spacing] # pendantic! we get these from GitHub Actions anyway
 exclude_paths:
   - roles/contrib/ # we don't control these roles

docs/_Sidebar.md

@@ -3,11 +3,18 @@
   - [Install](install)
   - [Usage](scripts)
   - [Roles](roles)
+     - [Init role](/roles/_init)
+     - ["Meta" roles that group individual roles together.](/roles/_meta)
+       - [AWS account](/roles/_meta/aws_account)
+       - [AWS client](/roles/_meta/aws_client_instance)
+       - [AWS region](/roles/_meta/aws_region)
+     - [\_overrides.](/roles/_overrides)
      - [AWS Infrastructure](/roles/aws)
+       - [AWS Network Info](/roles/aws/_aws_network_info)
        - [AWS ACL](/roles/aws/aws_acl)
        - [AWS Certificate Manager](/roles/aws/aws_acm)
-       - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup)
        - [AWS AMI](/roles/aws/aws_ami)
+       - [AWS AMI ASG Cleanup](/roles/aws/aws_ami_asg_cleanup)
        - [AWS Backup](/roles/aws/aws_backup)
        - [AWS Backup Validation](/roles/aws/aws_backup_validation)
        - [AWS CloudFront distribution](/roles/aws/aws_cloudfront_distribution)
@@ -20,7 +27,6 @@
        - [AWS ElastiCache](/roles/aws/aws_elasticache)
        - [AWS IAM EC2](/roles/aws/aws_iam_role)
        - [AWS IAM SAML](/roles/aws/aws_iam_saml)
-       - [AWS Network Info](/roles/aws/_aws_network_info)
        - [AWS OpenSearch](/roles/aws/aws_opensearch)
        - [AWS key pair.](/roles/aws/aws_provision_ec2_keypair)
        - [AWS RDS](/roles/aws/aws_rds)
@@ -34,8 +40,8 @@
        - [VPC](/roles/aws/aws_vpc_subnet)
      - [Contributed roles](/roles/contrib)
      - [Debian Packages](/roles/debian)
-       - [Ansible Galaxy](/roles/debian/ansible_galaxy)
        - [Ansible](/roles/debian/ansible)
+       - [Ansible Galaxy](/roles/debian/ansible_galaxy)
        - [APACHE](/roles/debian/apache)
        - [Apparmor](/roles/debian/apparmor)
        - [Extra packages](/roles/debian/apt_extra_packages)
@@ -75,10 +81,10 @@
        - [PAM LinOTP](/roles/debian/pam_linotp)
        - [PHP terminal client](/roles/debian/php-cli)
        - [PHP common components](/roles/debian/php-common)
-       - [PHP Composer](/roles/debian/php_composer)
        - [PHP-FPM](/roles/debian/php-fpm)
-       - [phpMyAdmin](/roles/debian/phpmyadmin)
+       - [PHP Composer](/roles/debian/php_composer)
        - [PHP XDebug](/roles/debian/php_xdebug)
+       - [phpMyAdmin](/roles/debian/phpmyadmin)
        - [Postfix](/roles/debian/postfix)
        - [Process Manager](/roles/debian/process_manager)
        - [Python Boto](/roles/debian/python_boto)
@@ -95,9 +101,3 @@
        - [User Ansible](/roles/debian/user_ansible)
        - [varnish_config](/roles/debian/varnish_config)
        - [wazuh](/roles/debian/wazuh)
-     - [Init role](/roles/_init)
-     - ["Meta" roles that group individual roles together.](/roles/_meta)
-       - [AWS account](/roles/_meta/aws_account)
-       - [AWS client](/roles/_meta/aws_client_instance)
-       - [AWS region](/roles/_meta/aws_region)
-     - [\_overrides.](/roles/_overrides)

git-hooks/pre-push.d/ansible-lint.hook

@@ -23,7 +23,7 @@ for file in $(git diff "$1/$BASE_BRANCH" --name-only --staged); do
       case $file in
         "$ROLE"*)
           printf "\e[36m Running Ansible linter against the\e[1m %s\e[0m\e[36m role. \e[0m \n" "$ROLE"
-          ANSIBLE_LINT_CMD="$DOCKER_CMD $ANSIBLE_LINT $CONTAINER_BASE_PATH/$ROLE"
+          ANSIBLE_LINT_CMD="$DOCKER_CMD $ANSIBLE_LINT -q $CONTAINER_BASE_PATH/$ROLE"
           ERRORS=$($ANSIBLE_LINT_CMD | wc -l)
           if [ "$ERRORS" != "0" ]; then
             $ANSIBLE_LINT_CMD

roles/aws/aws_acl/README.md

@@ -133,4 +133,5 @@ aws_acl:
         priority: 13
 
 ```
+
 <!--ENDROLEVARS-->

roles/aws/aws_ami/tasks/repack.yml

@@ -9,13 +9,17 @@
   register: aws_ami_running_instances
 
 - name: Create a Security Group to access the controller.
-  amazon.aws.ec2_security_group:
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
     profile: "{{ aws_ami.aws_profile }}"
     region: "{{ aws_ami.region }}"
     name: "{{ aws_ami.repack.cluster_name }}-repacker"
     tags: "{{ aws_ami.tags }}"
     state: present
-    vpc_id: "{{ aws_ami.repack.vpc_id }}"
+    id: "{{ aws_ami.repack.vpc_id }}"
     description: "Allow controller to access the {{ aws_ami.ami_name }}-repacking instance"
     rules:
       - proto: tcp

roles/aws/aws_backup_validation/tasks/testing_resources.yml

@@ -30,25 +30,32 @@
   register: _main_subnets_info
 
 - name: Create SG for restored instances.
-  amazon.aws.ec2_security_group:
-    name: Restore_testing
-    description: This SG is used to allow SSM and SSH access to the server
-    region: "{{ _aws_region }}"
-    vpc_id: "{{ _main_vpc_info.vpcs[0].vpc_id }}"
-    rules:
-      - proto: tcp
-        from_port: 80
-        to_port: 80
-        cidr_ip: 0.0.0.0/0
-      - proto: tcp
-        from_port: 443
-        to_port: 443
-        cidr_ip: 0.0.0.0/0
-      - proto: tcp
-        from_port: 22
-        to_port: 22
-        cidr_ip: 0.0.0.0/0
-  register: _restore_testing_sg
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
+      name: "Restore_testing"
+      region: "{{ aws_ec2_autoscale_cluster.region }}"
+      id: "{{ _main_vpc_info.vpcs[0].vpc_id }}"
+      description: "This SG is used to allow SSM and SSH access to the server"
+      rules:
+        - proto: tcp
+          from_port: 80
+          to_port: 80
+          cidr_ip: 0.0.0.0/0
+        - proto: tcp
+          from_port: 443
+          to_port: 443
+          cidr_ip: 0.0.0.0/0
+        - proto: tcp
+          from_port: 22
+          to_port: 22
+          cidr_ip: 0.0.0.0/0
+
+- name: Construct AWS instance type dict.
+  ansible.builtin.set_fact:
+    _restore_testing_sg: "{{ aws_vpc._result['Restore_testing'] }}"
 
 - name: Remove restore testing query file.
   ansible.builtin.file:

roles/aws/aws_ec2_autoscale_cluster/tasks/main.yml

@@ -26,18 +26,25 @@
   when: (aws_ec2_autoscale_cluster.vpc_name is not defined or aws_ec2_autoscale_cluster.vpc_name | length < 0)
 
 - name: Create matching Security Group.
-  amazon.aws.ec2_security_group:
-    profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
-    region: "{{ aws_ec2_autoscale_cluster.region }}"
-    name: "{{ aws_ec2_autoscale_cluster.name }}"
-    tags: "{{ aws_ec2_autoscale_cluster.tags | combine({'Name': aws_ec2_autoscale_cluster.name}) }}"
-    state: "{{ aws_ec2_autoscale_cluster.state }}"
-    vpc_id: "{{ _aws_ec2_autoscale_cluster_vpc_id }}"
-    description: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}"
-    rules:
-      - proto: all
-        group_name: "{{ aws_ec2_autoscale_cluster.name }}"
-  register: _aws_ec2_autoscale_cluster_security_group
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
+      name: "{{ aws_ec2_autoscale_cluster.name }}"
+      profile: "{{ aws_ec2_autoscale_cluster.aws_profile }}"
+      region: "{{ aws_ec2_autoscale_cluster.region }}"
+      tags: "{{ aws_ec2_autoscale_cluster.tags | combine({'Name': aws_ec2_autoscale_cluster.name}) }}"
+      state: "{{ aws_ec2_autoscale_cluster.state }}"
+      id: "{{ _aws_ec2_autoscale_cluster_vpc_id }}"
+      description: "Allow internal traffic for cluster {{ aws_ec2_autoscale_cluster.name }}"
+      rules:
+        - proto: all
+          group_name: "{{ aws_ec2_autoscale_cluster.name }}"
+
+- name: Set _aws_ec2_autoscale_cluster_security_group variable.
+  ansible.builtin.set_fact:
+    _aws_ec2_autoscale_cluster_security_group: "{{ aws_vpc._result[aws_ec2_autoscale_cluster.name] }}"
 
 - name: Reset subnets lists.
   ansible.builtin.set_fact:

roles/aws/aws_vpc_subnet/tasks/subnet.yml

@@ -34,17 +34,21 @@
   when: subnet.nat_ipv4 is defined and subnet.nat_ipv4
 
 - name: Create matching Security Group.
-  amazon.aws.ec2_security_group:
-    name: "{{ subnet.name }}"
-    profile: "{{ aws_vpc_subnet.aws_profile }}"
-    region: "{{ aws_vpc_subnet.region }}"
-    tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}"
-    state: "{{ aws_vpc_subnet.state }}"
-    vpc_id: "{{ _aws_vpc_subnet_vpc_id }}"
-    description: "Allow internal traffic for subnet {{ subnet.name }}"
-    rules:
-      - proto: all
-        group_name: "{{ subnet.name }}"
+  ansible.builtin.include_role:
+    name: aws/aws_vpc
+    tasks_from: security_group
+  vars:
+    aws_vpc:
+      name: "{{ subnet.name }}"
+      profile: "{{ aws_vpc_subnet.aws_profile }}"
+      region: "{{ aws_vpc_subnet.region }}"
+      tags: "{{ aws_vpc_subnet.tags | combine({'Name': subnet.name}) }}"
+      state: "{{ aws_vpc_subnet.state }}"
+      id: "{{ _aws_vpc_subnet_vpc_id }}"
+      description: "Allow internal traffic for subnet {{ subnet.name }}"
+      rules:
+        - proto: all
+          group_name: "{{ subnet.name }}"
   when:
     - subnet.security_group is defined
     - subnet.security_group

roles/debian/pam_ldap/templates/ldap.conf.j2

@@ -14,4 +14,4 @@ pam_lookup_policy yes
 
 {% if pam_ldap.ssl_certificate_check is defined and not pam_ldap.ssl_certificate_check %}
 TLS_REQCERT never
-{% endif %}
+{% endif %}

roles/debian/sudo_config/tasks/main.yml

@@ -5,11 +5,48 @@
     state: directory
     mode: "0750"
 
-- name: "Add {{ sudo_config.entity_name }} to sudoers."
+- name: Create temporary directory for sudoers validation
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: sudoers
+  register: temp_sudoers_dir
+  when: sudo_config | default([]) | length > 0
+
+- name: Create sudoers file for validation
   ansible.builtin.template:
     src: "sudoer.j2"
-    dest: "/etc/sudoers.d/{{ sudo_config.filename }}"
+    dest: "{{ temp_sudoers_dir.path }}/{{ item.filename }}"
     owner: root
     group: root
     mode: "0440"
-  when: sudo_config.entity_name | length > 0
+  when: item.entity_name | default('') | length > 0
+  with_items: "{{ sudo_config if sudo_config is iterable and sudo_config is not mapping else [sudo_config] }}"
+  register: sudo_templates
+
+- name: Validate sudoers file on remote
+  ansible.builtin.command: "visudo -cf {{ temp_sudoers_dir.path }}/{{ item.filename }}"
+  register: visudo_check
+  failed_when: visudo_check.rc != 0
+  changed_when: false
+  with_items: "{{ sudo_config if sudo_config is iterable and sudo_config is not mapping else [sudo_config] }}"
+  when: item.entity_name | default('') | length > 0
+  loop_control:
+    label: "{{ item.filename }}"
+  delegate_to: "{{ inventory_hostname }}"
+
+- name: Install validated sudoers file
+  ansible.builtin.copy:
+    src: "{{ temp_sudoers_dir.path }}/{{ item.filename }}"
+    dest: "/etc/sudoers.d/{{ item.filename }}"
+    owner: root
+    group: root
+    mode: "0440"
+    remote_src: true
+  when: item.entity_name | default('') | length > 0
+  with_items: "{{ sudo_config if sudo_config is iterable and sudo_config is not mapping else [sudo_config] }}"
+
+- name: Clean up temporary files
+  ansible.builtin.file:
+    path: "{{ temp_sudoers_dir.path }}"
+    state: absent
+  when: temp_sudoers_dir.path is defined