portfolio/enterprise-infra-simulator/REFACTORING.md
# Enterprise Infrastructure Simulator - Refactored
Refactored enterprise infrastructure automation using Ansible best practices.
## Structure
```
playbooks/ # Main playbooks
├── provision.yml # Provision infrastructure nodes
├── patch.yml # Apply security patches
├── hardening.yml # Harden infrastructure
└── decommission.yml # Decommission nodes
roles/ # Reusable Ansible roles
├── base_provision/ # Base OS provisioning
├── patching/ # Patch management
├── hardening/ # Security hardening
└── decommission/ # Node decommissioning
group_vars/ # Group-level variables
├── all.yml # All hosts
├── webservers.yml # Web servers
├── databases.yml # Database servers
├── loadbalancers.yml # Load balancers
├── monitoring.yml # Monitoring
└── vault.yml # Encrypted secrets (Vault)
molecule/default/ # Testing with Molecule
├── molecule.yml # Molecule config
├── converge.yml # Test playbook
└── verify.yml # Test verification
```
## Best Practices Implemented
### ✅ Idempotency
- All tasks use `changed_when` and `failed_when` for proper state detection
- Command modules replaced with native Ansible modules where possible
- Shell tasks that only gather information set `changed_when: false`
### ✅ Roles + Structure
- Clean role separation: `base_provision`, `patching`, `hardening`, `decommission`
- Each role has: `tasks/`, `handlers/`, `defaults/`, `templates/`, `README.md`
- Proper namespacing prevents variable conflicts
### ✅ No Hardcoded Values
- All variables in `defaults/main.yml` or `group_vars/`
- No hardcoded values in playbooks
- Configurable through `group_vars` for different environments
### ✅ Handlers Instead of Restarts
- SSH restart via handler (triggered only on config change)
- fail2ban restart via handler
- Services not restarted unnecessarily
### ✅ Vault for Secrets
- Secrets go in `group_vars/vault.yml` (encrypted with Ansible Vault)
- Admin passwords not in plaintext
- Database credentials managed via Vault
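The idempotency, handler and Vault points above in one task file, as an added example that is not from this repository: a read-only check sets `changed_when: false`, config edits are validated and only notify the restart handler when they change something, and a vaulted password is consumed under `no_log`. The role name `hardening` is from the page; the file names and the variables `hardening_ssh_port`, `hardening_admin_user` and `vault_admin_password` are assumed.

```yaml
# roles/hardening/tasks/ssh.yml (example; file and variable names are assumed)
---
- name: Read effective sshd settings (read-only, so never reported as changed)
  ansible.builtin.command: sshd -T
  register: sshd_effective
  changed_when: false
  check_mode: false

- name: Refuse to disable passwords unless key-based login is already enabled
  ansible.builtin.assert:
    that:
      - "'pubkeyauthentication yes' in (sshd_effective.stdout | lower)"
    fail_msg: "PubkeyAuthentication is off; not disabling password login"

- name: Disable password authentication (validated before it is written)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication'
    line: 'PasswordAuthentication no'
    validate: 'sshd -t -f %s'
  notify: Restart sshd          # handler runs only if this task changed the file

- name: Set listening port from defaults/main.yml or group_vars
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?Port '
    line: "Port {{ hardening_ssh_port }}"
    validate: 'sshd -t -f %s'
  notify: Restart sshd

- name: Set admin password from group_vars/vault.yml without logging it
  ansible.builtin.user:
    name: "{{ hardening_admin_user }}"
    password: "{{ vault_admin_password | password_hash('sha512') }}"
    update_password: on_create  # fresh salt each run would otherwise report changed
  no_log: true                  # keeps the vaulted value out of play output

# roles/hardening/handlers/main.yml (example)
---
- name: Restart sshd
  ansible.builtin.service:
    name: sshd
    state: restarted
```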
### ✅ ansible-lint
- `.ansible-lint` configuration included
- Rules configured for project standards
- Run: `ansible-lint playbooks/ roles/`
### ✅ Molecule
- Docker-based testing in `molecule/default/`
- Test convergence and verification
- Run: `molecule test`
## Usage
### Run Provisioning
```bash
ansible-playbook playbooks/provision.yml -i inventory/hosts.ini
```
### Run Patching
```bash
ansible-playbook playbooks/patch.yml -i inventory/hosts.ini --ask-vault-pass
```
### Run Hardening
```bash
ansible-playbook playbooks/hardening.yml -i inventory/hosts.ini --ask-vault-pass
```
### Run Decommissioning
```bash
ansible-playbook playbooks/decommission.yml -i inventory/hosts.ini --ask-vault-pass
```
## Vault Management
### Create Vault Password File
```bash
echo "your-secure-password" > ~/.vault_pass.txt
chmod 600 ~/.vault_pass.txt
```
### Encrypt Secrets
```bash
ansible-vault encrypt group_vars/vault.yml --vault-password-file ~/.vault_pass.txt
```
### Edit Encrypted Vault
```bash
ansible-vault edit group_vars/vault.yml --vault-password-file ~/.vault_pass.txt
```
### Run with Vault
```bash
ansible-playbook playbooks/provision.yml \
--vault-password-file ~/.vault_pass.txt \
-i inventory/hosts.ini
```
## Linting
### Run ansible-lint
```bash
ansible-lint playbooks/ roles/
```
### Fix Issues
```bash
ansible-lint playbooks/ roles/ --fix
```
## Testing with Molecule
### Run All Tests
```bash
cd enterprise-infra-simulator
molecule test
```
### Run Specific Scenarios
```bash
molecule converge # Apply roles
molecule verify # Verify results
molecule destroy # Cleanup
```
## Role Documentation
Each role has a detailed README:
- [base_provision/README.md](roles/base_provision/README.md)
- [patching/README.md](roles/patching/README.md)
- [hardening/README.md](roles/hardening/README.md)
- [decommission/README.md](roles/decommission/README.md)
## Group Variables
- `group_vars/all.yml` - Global configuration
- `group_vars/webservers.yml` - Web server config
- `group_vars/databases.yml` - Database config
- `group_vars/loadbalancers.yml` - Load balancer config
- `group_vars/monitoring.yml` - Monitoring config
- `group_vars/vault.yml` - Encrypted secrets
## Tags
Use tags to run specific parts:
```bash
ansible-playbook playbooks/provision.yml --tags base,provision
ansible-playbook playbooks/hardening.yml --tags security,hardening
```
## Error Handling
- Proper use of `failed_when` for critical failures
- Strategic use of `ignore_errors` only for optional operations
- Comprehensive assertion checks for prerequisites
## Security
- Passwords stored in encrypted Vault
- SSH key-based authentication
- Firewall configured with deny-by-default policy
- SELinux/AppArmor support
- CIS hardening levels 1-2
## Monitoring
- Health checks included in playbooks
- Service verification after operations
- Detailed logging to `/var/log/`
- Report generation for audit trails
## Support
For issues or questions about the roles, see individual role README files.