---
# This is an example playbook to execute Ansible tests.

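- name: Verify
  hosts: all
  # Connect as the unprivileged 'ansible' account; the play-level become
  # settings escalate every task below to root.
  remote_user: ansible
  become: true
  become_user: root
  tasks:
    # Do not register into 'ansible_version': Ansible reserves that name as a
    # magic variable describing the controller running the play, and a command
    # result has no major/minor fields anyway. The check has to read the
    # stdout of the binary installed on the target instead.
    - name: Retrieve version of /usr/local/bin/ansible
      command: /usr/local/bin/ansible --version
      register: installed_ansible
      # Read-only probe; never report a change.
      changed_when: false

    - name: Test if current ansible is installed by pip
      assert:
        that:
          - installed_ansible.stdout_lines | length > 0
          # Assumes the first output line reads like 'ansible 2.10.x' --
          # confirm against the release the role installs.
          - "' 2.10.' is in installed_ansible.stdout_lines[0]"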

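    # The registered result holds the vault password in clear text, so keep
    # it out of task output and logs with no_log.
    - name: Get content of vault password file
      command: "cat /root/.vault_pw.txt"
      register: vaultfile
      changed_when: false
      no_log: true

    # '1234' is presumably the fixture password supplied by the test
    # scenario -- confirm; it must never be a real vault password.
    # NOTE(review): only the content is checked; the file's owner and mode
    # are not verified here.
    - name: Test if vault password is set
      assert:
        that: "'1234' is in vaultfile.stdout"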

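    # Capture the ansible-playbook invocation line(s) from the pull script.
    # grep exits non-zero when no such line exists, which fails this task
    # before any of the assertions below run.
    - name: Get content of ansible-pull script
      command: "grep ansible-playbook /usr/local/bin/ansible_pull.sh"
      register: playbook_cmd
      # Read-only probe; never report a change.
      changed_when: false

    # Each assertion below is a plain substring match on the captured line.
    - name: Test if inventory is set
      assert:
        that: "'-i inventory' is in playbook_cmd.stdout"

    # Confirms the script points ansible-playbook at the vault password file.
    - name: Test if vault file is set
      assert:
        that: "'--vault-password-file ~/.vault_pw.txt' is in playbook_cmd.stdout"

    - name: Test if tags are set
      assert:
        that: "'-t mytag' is in playbook_cmd.stdout"

    # Only the value is matched; the variable name it belongs to is not
    # checked here.
    - name: Test if vars are set
      assert:
        that: "'myvalue' is in playbook_cmd.stdout"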

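    # Read the cron.d drop-in that schedules the pull script.
    - name: Get content of crontab file
      command: "cat /etc/cron.d/ansible_pull"
      register: crontab
      # Read-only probe; never report a change.
      changed_when: false

    # The expected entry runs the pull script as root at minute 0 and 30 of
    # every hour.
    # NOTE(review): the script is executed as root by cron, but its owner and
    # mode (and those of the cron file) are not verified here.
    - name: Test if crontab is correct
      assert:
        that: "'0,30 * * * * root /usr/local/bin/ansible_pull.sh' is in crontab.stdout"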

    # Disabled: the commented-out systemd checks below can't be tested in the
    # current k8s environment

    # - name: Get content of postboot service
    #   command: "grep ExecStart /etc/systemd/system/ansible_postboot.service"
    #   register: postboot

    # - name: Test if firstboot service is configured
    #   assert:
    #     that: "'ExecStart=/usr/local/bin/ansible_pull.sh --firstboot' is in postboot.stdout"

    # - name: Get firstboot systemd unit state
    #   command: systemctl status ansible_postboot.service
    #   register: postboot_service
    #   ignore_errors: true

    # - name: Test if firstboot service is enabled
    #   assert:
    #     that: "'ansible_postboot.service; enabled' is in postboot_service.stdout"

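    # Look for sudo entries left by Ansible's become wrapper in the last 100
    # journal lines.
    # NOTE(review): this play itself runs with become, so its own tasks may
    # be what produces the matching entries -- confirm that this is the
    # evidence the check is meant to find.
    - name: Get latest log entries
      shell: journalctl -n 100 | grep "USER=root" | grep BECOME-SUCCESS
      register: journal
      # Read-only probe; never report a change.
      changed_when: false
      # The pipeline's exit status is that of the last grep: 1 means "no
      # match". Let the assertion below report that case with a clear
      # message; any other non-zero status is a real error. Without pipefail
      # a journalctl failure shows up only as empty output.
      failed_when: journal.rc not in [0, 1]

    - name: Verify that privilege escalation was used
      assert:
        that: journal.stdout_lines | length > 0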