Refactor Ansible playbooks to comply with best practices and fix linting violations
ci / validate (push) Has been cancelled
ci / validate (push) Has been cancelled
- Implement 4-role architecture (base_provision, patching, hardening, decommission) - Extract hardcoded values to role defaults and group_vars - Add Ansible Vault integration for secrets management - Implement proper handlers for service restarts instead of direct tasks - Add Molecule testing framework with Docker driver - Configure ansible-lint with production profile settings Fix all 125+ ansible-lint violations: - Add FQCN (Fully Qualified Collection Names) to all modules - Replace yes/no with true/false for boolean values - Add explicit mode parameters to file/template operations - Remove duplicate post_tasks blocks from playbooks - Add newlines at end of all YAML files - Fix key ordering in tasks (name, when, block) - Convert service restarts to handlers with notify - Remove ignore_errors in favor of failed_when/changed_when - Fix line length violations and empty lines - Add noqa comments for unavoidable risky-file-permissions Update documentation: - Add REFACTORING.md with implementation details - Add VAULT_GUIDE.md for secrets management - Add per-role README.md files - Update existing documentation All playbooks now pass ansible-lint production profile with 0 violations.
This commit is contained in:
Mateusz Suski
@@ -0,0 +1,45 @@
|
||||
# Patching Role
|
||||
|
||||
Apply security patches and OS updates to enterprise infrastructure nodes.
|
||||
|
||||
## Features
|
||||
|
||||
- **Idempotent**: Properly checks for changes with `changed_when`
|
||||
- **Patch Window**: Optional enforcement of patch time windows
|
||||
- **Pre-patch Backup**: Backs up package list before patching
|
||||
- **Smart Reboot**: Automatically detects if reboot is required
|
||||
- **Service Restart**: Restarts only necessary services after patching
|
||||
- **Health Checks**: Verifies services and runs health endpoint checks
|
||||
|
||||
## Role Variables
|
||||
|
||||
See `defaults/main.yml` for all available variables.
|
||||
|
||||
### Key Variables
|
||||
|
||||
- `patch_window_start`: Patch window start time (default: 02:00)
|
||||
- `patch_window_end`: Patch window end time (default: 04:00)
|
||||
- `enforce_patch_window`: Enforce patch time window (default: true)
|
||||
- `patch_security_only`: Apply security updates only (default: true)
|
||||
- `backup_before_patch`: Create backup before patching (default: true)
|
||||
- `reboot_if_required`: Auto-reboot if required (default: false)
|
||||
- `services_to_restart`: Services to restart after patching
|
||||
- `critical_services`: Critical services to verify after patching
|
||||
|
||||
## Usage
|
||||
|
||||
```yaml
|
||||
- role: patching
|
||||
vars:
|
||||
patch_security_only: true
|
||||
enforce_patch_window: false
|
||||
reboot_if_required: true
|
||||
```
|
||||
|
||||
## Report
|
||||
|
||||
Patch report is generated at: `/var/log/patch_report_<timestamp>.log`
|
||||
|
||||
## Backup Location
|
||||
|
||||
Pre-patch backups saved to: `/var/backups/pre-patch-<timestamp>/`
|
||||
Reference in New Issue
Block a user