ci: add molecule/vagrant test suite

juju4 · Oct 28, 2023 · 18965df · 18965df
1 parent 4b07dcd
commit 18965df
Show file tree

Hide file tree

Showing 7 changed files with 437 additions and 0 deletions.
diff --git a/molecule/vagrant/converge.yml b/molecule/vagrant/converge.yml
@@ -0,0 +1,52 @@
+---
+
+- name: Converge
+  hosts: all
+  environment:
+    http_proxy: "{{ lookup('env', 'http_proxy') }}"
+    https_proxy: "{{ lookup('env', 'https_proxy') }}"
+    no_proxy: "{{ lookup('env', 'no_proxy') }}"
+  remote_user: root
+  pre_tasks:
+    - name: Ubuntu | Install python3
+      ansible.builtin.raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)
+      register: python3
+      changed_when: "'installed' in python3.stdout"
+      when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 16)
+    - name: RedHat | Install python3
+      ansible.builtin.raw: test -e /usr/bin/python3 || (yum install -y python3)
+      register: python3
+      changed_when: "'installed' in python3.stdout"
+      when: (ansible_os_family == "RedHat" and ansible_distribution_major_version | int >= 8)
+    - name: Gather Facts
+      ansible.builtin.setup:
+      when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 16)
+    - name: Ubuntu Bionic+, Redhat 8+ | Enforce python3 for ansible
+      ansible.builtin.set_fact:
+        ansible_python_interpreter: /usr/bin/python3
+      when: >
+        (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int >= 16) or
+        (ansible_os_family == "RedHat" and ansible_distribution_major_version | int >= 8)
+    - name: 22.04 | Set fact
+      ansible.builtin.set_fact:
+        misp_modules_enable: false
+      when: (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 22)
+  vars:
+    misp_pymisp_validation_fatal: false
+    # need pymisp
+    misp_enable_feeds: []
+    misp_webusers_list: []
+    misp_testing: false
+    harden_php_allow_url_fopen: On
+    harden_php_disable_functions: 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,chown,diskfreespace,disk_free_space,disk_total_space,dl,exec,escapeshellarg,escapeshellcmd,fileinode,highlight_file,max_execution_time,passthru,pclose,phpinfo,popen,proc_get_status,proc_nice,proc_terminate,show_source,system,__construct, __destruct, __call,__wakeup'
+    misp_php_snuffleupagus_enable: true
+    harden_php7_snuffleupagus: true
+    harden_php7_snuffleupagus_rules_template: 'misp-snuffleupagus-rules.ini.j2'
+    harden_apache_php_variants: ['apache2']
+    harden_apache_php74_debian_enable: true
+    harden_apache_php74_rhel9_enable: true
+    misp_no_log: false
+  roles:
+    - { role: juju4.redhat_epel, when: ansible_os_family == 'RedHat' }
+    - juju4.harden_apache
+    - juju4.misp
diff --git a/molecule/vagrant/create.yml b/molecule/vagrant/create.yml
@@ -0,0 +1,59 @@
+---
+# https://github.com/ansible-collections/community.vagrant/
+# https://github.com/ansible-community/molecule-vagrant/blob/main/molecule_vagrant/playbooks/create.yml
+
+- name: Create
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  tasks:
+    - name: Create molecule instance(s)  # noqa fqcn[action]
+      community.vagrant.vagrant:
+        instance_name: "{{ item.name }}"
+        instance_interfaces: "{{ item.interfaces | default(omit) }}"
+        instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}"
+        config_options: "{{ item.config_options | default(omit) }}"
+        platform_box: "{{ item.box | default('debian/bullseye64') }}"
+        platform_box_version: "{{ item.box_version | default(omit) }}"
+        platform_box_url: "{{ item.box_url | default(omit) }}"
+        provider_name: "{{ molecule_yml.driver.provider.name | default(omit, true) }}"
+        provider_memory: "{{ item.memory | default(omit) }}"
+        provider_cpus: "{{ item.cpus | default(omit) }}"
+        provider_options: "{{ item.provider_options | default(omit) }}"
+        provider_raw_config_args: "{{ item.provider_raw_config_args | default(omit) }}"
+        provider_override_args: "{{ item.provider_override_args | default(omit) }}"
+        provision: "{{ item.provision | default(omit) }}"
+        state: up
+      register: server
+      with_items: "{{ molecule_yml.platforms }}"
+      loop_control:
+        label: "{{ item.name }}"
+      no_log: false
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Create molecule instances configuration
+      when: server is changed  # noqa no-handler
+      block:
+
+        - name: Populate instance config dict
+          ansible.builtin.set_fact:
+            instance_conf_dict: {
+              'instance': "{{ item.Host }}",
+              'address': "{{ item.HostName }}",
+              'user': "{{ item.User }}",
+              'port': "{{ item.Port }}",
+              'identity_file': "{{ item.IdentityFile }}", }
+          with_items: "{{ server.results }}"
+          register: instance_config_dict
+
+        - name: Convert instance config dict to a list
+          ansible.builtin.set_fact:
+            instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
+
+        - name: Dump instance config
+          ansible.builtin.copy:
+            content: "{{ instance_conf | to_json | from_json | to_yaml }}"
+            dest: "{{ molecule_instance_config }}"
+            mode: 0600
diff --git a/molecule/vagrant/destroy.yml b/molecule/vagrant/destroy.yml
@@ -0,0 +1,39 @@
+---
+# https://github.com/ansible-collections/community.vagrant/
+# https://github.com/ansible-community/molecule-vagrant/blob/main/molecule_vagrant/playbooks/destroy.yml
+
+- name: Destroy
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  no_log: "{{ molecule_no_log }}"
+  tasks:
+    - name: Delete molecule instance(s)  # noqa fqcn[action]
+      community.vagrant.vagrant:
+        instance_name: "{{ item.name }}"
+        platform_box: "{{ item.box | default(omit) }}"
+        provider_name: "{{ molecule_yml.driver.provider.name | default(omit, true) }}"
+        provider_options: "{{ item.provider_options | default(omit) }}"
+        provider_raw_config_args: "{{ item.provider_raw_config_args | default(omit) }}"
+        force_stop: "{{ item.force_stop | default(true) }}"
+        state: destroy
+      register: server
+      with_items: "{{ molecule_yml.platforms }}"
+      loop_control:
+        label: "{{ item.name }}"
+      no_log: false
+
+    # Mandatory configuration for Molecule to function.
+
+    - name: Populate instance config
+      ansible.builtin.set_fact:
+        instance_conf: {}
+
+    - name: Dump instance config
+      ansible.builtin.copy:
+        content: |
+          # Molecule managed
+          {{ instance_conf | to_json | from_json | to_yaml }}
+        dest: "{{ molecule_instance_config }}"
+        mode: 0600
+      when: server.changed | default(false) | bool  # noqa no-handler
diff --git a/molecule/vagrant/molecule.yml b/molecule/vagrant/molecule.yml
@@ -0,0 +1,48 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+    type: libvirt
+    options:
+      memory: 4096 # lol, ubuntu 22.04 will deadlock on boot due to lack of memory.
+      cpus: 1
+platforms:
+  - name: instance
+    box: ${MOLECULE_DISTRO:-generic/ubuntu2004}
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.10
+    # env:
+    #   http_proxy: ${http_proxy}
+    #   https_proxy: ${https_proxy}
+    #   no_proxy: ${no_proxy}
+    groups:
+      - mispgroup
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      verbosity: 2
+  connection_options:
+    ansible_ssh_user: vagrant
+    ansible_become: true
+scenario:
+  name: default
+  test_sequence:
+    - dependency
+    # - lint
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    # - idempotence
+    - verify
+verifier:
+  name: ansible
diff --git a/molecule/vagrant/playbook.yml b/molecule/vagrant/playbook.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+  hosts: all
+  vars:
+    misp_pymisp_validation_fatal: false
+  roles:
+    - juju4.misp
diff --git a/molecule/vagrant/requirements.yml b/molecule/vagrant/requirements.yml
@@ -0,0 +1,21 @@
+---
+
+collections:
+  - ansible.posix
+  - community.vagrant
+
+roles:
+  - src: https://github.com/juju4/ansible-redhat-epel/
+    version: main
+    name: juju4.redhat_epel
+  - src: https://github.com/juju4/ansible-harden-apache/
+    version: main
+    name: juju4.harden_apache
+  - src: https://github.com/juju4/ansible-harden-nginx/
+    version: main
+    name: juju4.harden_nginx
+  - src: https://github.com/juju4/ansible-faup/
+    version: main
+    name: juju4.faup
+  - name: geerlingguy.nginx
+  - name: geerlingguy.apache