Merge pull request #475 from dev-sec/ansible_lint

schurzi · web-flow · commit d7eb00f4b7d2 · 2021-08-15T22:53:41.000+02:00
use Ansible lint in separate task
diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml
@@ -0,0 +1,56 @@
+name: Ansible Lint  # feel free to pick your own name
+
+on: [push, pull_request]
+
+jobs:
+  ansible-lint:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    # Important: This sets up your GITHUB_WORKSPACE environment variable
+    - uses: actions/checkout@v2
+
+    - name: Lint Ansible Playbook
+      # replace "master" with any valid ref
+      uses: ansible/ansible-lint-action@master
+      with:
+        # [required]
+        # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
+        # or valid Ansible directories according to the Ansible role
+        # directory structure.
+        # If you want to lint multiple ansible files, use the following syntax
+        # targets: |
+        #   playbook_1.yml
+        #   playbook_2.yml
+        targets: "roles/"
+        # [optional]
+        # Arguments to override a package and its version to be set explicitly.
+        # Must follow the example syntax.
+        # override-deps: |
+        #   ansible==2.9
+        #   ansible-lint==4.2.0
+        # [optional]
+        # Arguments to be passed to the ansible-lint
+
+        # Options:
+        #   -q                    quieter, although not silent output
+        #   -p                    parseable output in the format of pep8
+        #   --parseable-severity  parseable output including severity of rule
+        #   -r RULESDIR           specify one or more rules directories using one or
+        #                         more -r arguments. Any -r flags override the default
+        #                         rules in ansiblelint/rules, unless -R is also used.
+        #   -R                    Use default rules in ansiblelint/rules in addition to
+        #                         any extra
+        #                         rules directories specified with -r. There is no need
+        #                         to specify this if no -r flags are used
+        #   -t TAGS               only check rules whose id/tags match these values
+        #   -x SKIP_LIST          only check rules whose id/tags do not match these
+        #                         values
+        #   --nocolor             disable colored output
+        #   --exclude=EXCLUDE_PATHS
+        #                         path to directories or files to skip. This option is
+        #                         repeatable.
+        #   -c C                  Specify configuration file to use. Defaults to ".ansible-lint"
+        args: ""
+
diff --git a/molecule/mysql_hardening/molecule.yml b/molecule/mysql_hardening/molecule.yml
@@ -6,9 +6,6 @@ dependency:
     requirements-file: molecule/mysql_hardening/requirements.yml
 driver:
   name: docker
-lint: |
-  yamllint roles/mysql_hardening/ molecule/mysql_hardening/ .github/workflows/mysql_hardening.yml
-  ansible-lint roles/mysql_hardening/
 platforms:
   - name: instance
     image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
@@ -57,7 +54,6 @@ scenario:
     - destroy
   test_sequence:
     - dependency
-    - lint
     - destroy
     - syntax
     - create
diff --git a/molecule/nginx_hardening/molecule.yml b/molecule/nginx_hardening/molecule.yml
@@ -5,9 +5,6 @@ dependency:
     role-file: molecule/nginx_hardening/requirements.yml
 driver:
   name: docker
-lint: |
-  yamllint roles/nginx_hardening/ molecule/nginx_hardening/ .github/workflows/nginx_hardening.yml
-  ansible-lint roles/nginx_hardening/
 platforms:
   - name: instance
     image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
@@ -57,7 +54,6 @@ scenario:
     - destroy
   test_sequence:
     - dependency
-    - lint
     - destroy
     - syntax
     - create
diff --git a/molecule/os_hardening/molecule.yml b/molecule/os_hardening/molecule.yml
@@ -5,9 +5,6 @@ dependency:
     role-file: molecule/os_hardening/requirements.yml
 driver:
   name: docker
-lint: |
-  yamllint roles/os_hardening/ molecule/os_hardening/ .github/workflows/os_hardening.yml
-  ansible-lint roles/os_hardening/
 platforms:
   - name: instance
     image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
@@ -57,7 +54,6 @@ scenario:
     - destroy
   test_sequence:
     - dependency
-    - lint
     - destroy
     - syntax
     - create
diff --git a/molecule/ssh_hardening/molecule.yml b/molecule/ssh_hardening/molecule.yml
@@ -5,9 +5,6 @@ dependency:
     role-file: molecule/ssh_hardening/requirements.yml
 driver:
   name: docker
-lint: |
-  yamllint roles/ssh_hardening/ molecule/ssh_hardening/ .github/workflows/ssh_hardening.yml
-  ansible-lint roles/ssh_hardening/
 platforms:
   - name: instance
     image: "rndmh3ro/docker-${MOLECULE_DISTRO}-ansible:latest"
@@ -57,7 +54,6 @@ scenario:
     - destroy
   test_sequence:
     - dependency
-    - lint
     - destroy
     - syntax
     - create
diff --git a/roles/mysql_hardening/tasks/main.yml b/roles/mysql_hardening/tasks/main.yml
@@ -15,7 +15,7 @@
 # we only override variables with our default if they have not been specified already.
 # by default the lookup functions finds all varnames containing the string, therefore
 # we add ^ and $ to denote start and end of string, so this returns only exact maches.
-- name: Set OS dependent variables, if not already defined by user
+- name: Set OS dependent variables, if not already defined by user  # noqa var-naming
   set_fact:
     '{{ item.key }}': '{{ item.value }}'
   when: "not lookup('varnames', '^' + item.key + '$')"
diff --git a/roles/os_hardening/tasks/hardening.yml b/roles/os_hardening/tasks/hardening.yml
@@ -15,7 +15,7 @@
 # we only override variables with our default, if they have not been specified already
 # by default the lookup functions finds all varnames containing the string, therefore
 # we add ^ and $ to denote start and end of string, so this returns only exact matches
-- name: Set OS dependent variables, if not already defined by user
+- name: Set OS dependent variables, if not already defined by user  # noqa var-naming
   set_fact:
     '{{ item.key }}': '{{ item.value }}'
   when: "not lookup('varnames', '^' + item.key + '$')"
diff --git a/roles/ssh_hardening/tasks/hardening.yml b/roles/ssh_hardening/tasks/hardening.yml
@@ -15,7 +15,7 @@
 # we only override variables with our default, if they have not been specified already
 # by default the lookup functions finds all varnames containing the string, therefore
 # we add ^ and $ to denote start and end of string, so this returns only exact matches
-- name: Set OS dependent variables, if not already defined by user
+- name: Set OS dependent variables, if not already defined by user  # noqa var-naming
   set_fact:
     '{{ item.key }}': '{{ item.value }}'
   when: "not lookup('varnames', '^' + item.key + '$')"
