Commit 78bcfce43a
ci / validate (push): Failing after 2m0s

Commit message:

- Implement 4-role architecture (base_provision, patching, hardening, decommission)
- Extract hardcoded values to role defaults and group_vars
- Add Ansible Vault integration for secrets management
- Implement proper handlers for service restarts instead of direct tasks
- Add Molecule testing framework with Docker driver
- Configure ansible-lint with production profile settings

Fix all 125+ ansible-lint violations:

- Add FQCN (Fully Qualified Collection Names) to all modules
- Replace yes/no with true/false for boolean values
- Add explicit mode parameters to file/template operations
- Remove duplicate post_tasks blocks from playbooks
- Add newlines at end of all YAML files
- Fix key ordering in tasks (name, when, block)
- Convert service restarts to handlers with notify
- Remove ignore_errors in favor of failed_when/changed_when
- Fix line length violations and empty lines
- Add noqa comments for unavoidable risky-file-permissions

Update documentation:

- Add REFACTORING.md with implementation details
- Add VAULT_GUIDE.md for secrets management
- Add per-role README.md files
- Update existing documentation

All playbooks now pass ansible-lint production profile with 0 violations.
5.0 KiB
# Enterprise Infrastructure Simulator - Refactored

Refactored enterprise infrastructure automation using Ansible best practices.

## Structure

```text
playbooks/                 # Main playbooks
├── provision.yml          # Provision infrastructure nodes
├── patch.yml              # Apply security patches
├── hardening.yml          # Harden infrastructure
└── decommission.yml       # Decommission nodes
roles/                     # Reusable Ansible roles
├── base_provision/        # Base OS provisioning
├── patching/              # Patch management
├── hardening/             # Security hardening
└── decommission/          # Node decommissioning
group_vars/                # Group-level variables
├── all.yml                # All hosts
├── webservers.yml         # Web servers
├── databases.yml          # Database servers
├── loadbalancers.yml      # Load balancers
├── monitoring.yml         # Monitoring hosts
└── vault.yml              # Encrypted secrets (Vault)
molecule/default/          # Testing with Molecule
├── molecule.yml           # Molecule config
├── converge.yml           # Test playbook
└── verify.yml             # Test verification
```
## Best Practices Implemented

### ✅ Idempotence

- All tasks use `changed_when` and `failed_when` for proper state detection
- Command modules replaced with native Ansible modules where possible
- Shell tasks include `changed_when: false` when appropriate
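The patterns above, as an added example that is not code from this repository: a native module that is idempotent by design, a read-only query that must never report a change, and a script with no native module whose changed/failed state is derived from its output. The file path, the timer name and the `rotate-audit-logs.sh` script are assumptions for illustration.

```yaml
---
# Added example (not from the repository): idempotent task patterns.
# Hypothetical path: roles/patching/tasks/example_idempotent.yml
- name: Install required packages (native module, idempotent by design)
  ansible.builtin.package:
    name:
      - fail2ban
      - unattended-upgrades
    state: present

- name: Query whether the apt-daily-upgrade timer is enabled
  ansible.builtin.command: systemctl is-enabled apt-daily-upgrade.timer
  register: upgrade_timer
  changed_when: false                           # read-only query, never "changed"
  failed_when: upgrade_timer.rc not in [0, 1]   # rc 1 = disabled; anything else is a real error

- name: Enable the upgrade timer (the module compares state, so no extra when: is needed)
  ansible.builtin.systemd:
    name: apt-daily-upgrade.timer
    enabled: true
    state: started

- name: Run a log-rotation script that has no native module
  ansible.builtin.command: /usr/local/sbin/rotate-audit-logs.sh   # hypothetical script
  register: rotate
  changed_when: "'rotated' in rotate.stdout"    # derive state from the script's output
  failed_when:
    - rotate.rc != 0
    - "'nothing to do' not in rotate.stderr"    # list items are ANDed: fail only when both hold
```

Running the file twice should produce zero `changed` tasks on the second pass; if a task still flips to `changed`, its `changed_when` expression is the first thing to inspect.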
### ✅ Roles + Structure

- Clean role separation: `base_provision`, `patching`, `hardening`, `decommission`
- Each role has: `tasks/`, `handlers/`, `defaults/`, `templates/`, `README.md`
- Proper namespacing prevents variable conflicts

### ✅ No Hardcoded Values

- All variables in `defaults/main.yml` or `group_vars/`
- No hardcoded values in playbooks
- Configurable through `group_vars` for different environments

### ✅ Handlers Instead of Restarts

- SSH restart via handler (triggered only on config change)
- fail2ban restart via handler
- Services not restarted unnecessarily
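An added example of the handler pattern, not code from this repository: SSH settings are enforced with `lineinfile`, validated with `sshd -t` before the file is written, and `notify` fires the `Restart sshd` handler exactly once at the end of the play, only if a line actually changed. The task and handler file paths and the `ssh_service_name` variable are assumptions.

```yaml
---
# Added example (not from the repository): notify a handler instead of
# restarting the service in a task. Hypothetical path: roles/hardening/tasks/ssh.yml
- name: Enforce key-based SSH authentication
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.key }}\s'
    line: "{{ item.key }} {{ item.value }}"
    validate: /usr/sbin/sshd -t -f %s      # refuse to write a config sshd cannot parse
    mode: "0600"
  loop:
    - { key: PasswordAuthentication, value: "no" }
    - { key: PermitRootLogin, value: "no" }
    - { key: PubkeyAuthentication, value: "yes" }
  notify: Restart sshd                     # runs once, and only if a line changed

- name: Default-deny inbound firewall policy
  community.general.ufw:
    direction: incoming
    policy: deny

- name: Allow SSH before the firewall is enabled
  community.general.ufw:
    rule: allow
    port: "22"
    proto: tcp

- name: Enable ufw
  community.general.ufw:
    state: enabled

---
# Hypothetical path: roles/hardening/handlers/main.yml
- name: Restart sshd
  ansible.builtin.service:
    name: "{{ ssh_service_name | default('sshd') }}"   # assumption: set per distro in defaults
    state: restarted
```

Because the handler only runs after a reported change, a second run of the role leaves sshd untouched; the `validate` argument is what stops a typo in a loop item from locking out the next SSH session.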
### ✅ Vault for Secrets

- Secrets go in `group_vars/vault.yml` (encrypted with Ansible Vault)
- Admin passwords not in plaintext
- Database credentials managed via Vault
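An added example of the vault indirection pattern, not this repository's files: `vault.yml` holds only `vault_`-prefixed values and is encrypted, `all.yml` exposes plain names that point at them (so a grep shows where a secret comes from without revealing it), and the task that consumes the secret sets `no_log`. The variable names, placeholder values and the fixed salt are assumptions; the salt is needed because `password_hash` with a random salt would make the `user` task report a change on every run.

```yaml
---
# Added example (not from the repository).
# group_vars/vault.yml, shown decrypted; encrypt it with: ansible-vault encrypt group_vars/vault.yml
vault_admin_password: "REPLACE-ME-placeholder"
vault_admin_password_salt: "REPLACE-ME-16chars"   # fixed salt keeps the resulting hash stable
vault_db_password: "REPLACE-ME-placeholder"

---
# group_vars/all.yml: plain names point at the vaulted values
admin_password: "{{ vault_admin_password }}"
admin_password_salt: "{{ vault_admin_password_salt }}"
db_password: "{{ vault_db_password }}"

---
# Hypothetical task (roles/base_provision/tasks/users.yml) consuming the secret
- name: Set the admin account password
  ansible.builtin.user:
    name: admin
    password: "{{ admin_password | password_hash('sha512', admin_password_salt) }}"
  no_log: true     # keeps the password and hash out of -v output and callback plugins
```

With this layout `ansible-inventory --list` and `ansible -m debug -a var=admin_password` still show that the value is templated from `vault_admin_password`, while the plaintext only ever exists inside the decrypted vault during a run.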
### ✅ ansible-lint

- `.ansible-lint` configuration included
- Rules configured for project standards
- Run: `ansible-lint playbooks/ roles/`

### ✅ Molecule

- Docker-based testing in `molecule/default/`
- Test convergence and verification
- Run: `molecule test`
## Usage

### Run Provisioning

```bash
ansible-playbook playbooks/provision.yml -i inventory/hosts.ini
```

### Run Patching

```bash
ansible-playbook playbooks/patch.yml -i inventory/hosts.ini --ask-vault-pass
```

### Run Hardening

```bash
ansible-playbook playbooks/hardening.yml -i inventory/hosts.ini --ask-vault-pass
```

### Run Decommissioning

```bash
ansible-playbook playbooks/decommission.yml -i inventory/hosts.ini --ask-vault-pass
```

## Vault Management

### Create Vault Password File

```bash
echo "your-secure-password" > ~/.vault_pass.txt
chmod 600 ~/.vault_pass.txt
```

### Encrypt Secrets

```bash
ansible-vault encrypt group_vars/vault.yml --vault-password-file ~/.vault_pass.txt
```

### Edit Encrypted Vault

```bash
ansible-vault edit group_vars/vault.yml --vault-password-file ~/.vault_pass.txt
```

### Run with Vault

```bash
ansible-playbook playbooks/provision.yml \
  --vault-password-file ~/.vault_pass.txt \
  -i inventory/hosts.ini
```

## Linting

### Run ansible-lint

```bash
ansible-lint playbooks/ roles/
```

### Fix Issues

```bash
ansible-lint playbooks/ roles/ --fix
```

## Testing with Molecule

### Run All Tests

```bash
cd enterprise-infra-simulator
molecule test
```

### Run Specific Scenarios

```bash
molecule converge   # Apply roles
molecule verify     # Verify results
molecule destroy    # Cleanup
```
## Role Documentation

Each role has a detailed README:

## Group Variables

- `group_vars/all.yml` - Global configuration
- `group_vars/webservers.yml` - Web server config
- `group_vars/databases.yml` - Database config
- `group_vars/loadbalancers.yml` - Load balancer config
- `group_vars/monitoring.yml` - Monitoring config
- `group_vars/vault.yml` - Encrypted secrets

## Tags

Use tags to run specific parts:

```bash
ansible-playbook playbooks/provision.yml --tags base,provision
ansible-playbook playbooks/hardening.yml --tags security,hardening
```
## Error Handling

- Proper use of `failed_when` for critical failures
- Strategic use of `ignore_errors` only for optional operations
- Comprehensive assertion checks for prerequisites
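An added example of the three rules above, not code from this repository: a prerequisite `assert` that aborts before anything is touched, a critical check whose failure is decided by `failed_when` because the exit code alone is not a reliable signal, and an optional notification where `ignore_errors` is acceptable because nothing downstream depends on it. The file path, the `snapshot-status.sh` script and the `notify_webhook_url` variable are assumptions.

```yaml
---
# Added example (not from the repository).
# Hypothetical path: roles/patching/tasks/preflight.yml
- name: Assert the host meets patching prerequisites
  ansible.builtin.assert:
    that:
      - ansible_facts['os_family'] in ['Debian', 'RedHat']
      - ansible_facts['mounts'] | selectattr('mount', 'equalto', '/')
        | map(attribute='size_available') | first > 2147483648
    fail_msg: "Unsupported OS family or less than 2 GiB free on /"
    quiet: true

- name: Confirm a filesystem snapshot exists before patching (critical)
  ansible.builtin.command: /usr/local/sbin/snapshot-status.sh   # hypothetical script
  register: snapshot
  changed_when: false
  failed_when: "'SNAPSHOT_OK' not in snapshot.stdout"   # the script exits 0 even when no snapshot exists

- name: Send a pre-patch notification (optional, must never abort the run)
  ansible.builtin.uri:
    url: "{{ notify_webhook_url }}"   # assumption: defined in group_vars
    method: POST
    body_format: json
    body:
      host: "{{ inventory_hostname }}"
      event: patch-start
  register: notify_result
  ignore_errors: true                 # the only task here where a failure is tolerable
  changed_when: false

- name: Record that the notification failed, without stopping
  ansible.builtin.debug:
    msg: "Notification webhook unreachable: {{ notify_result.msg | default('unknown error') }}"
  when: notify_result is failed
```

The pairing matters: `ignore_errors` hides a failure only for the optional webhook, while the snapshot check keeps its own `failed_when` so that a broken script cannot silently let patching proceed.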
## Security

- Passwords stored in encrypted Vault
- SSH key-based authentication
- Firewall configured with deny-by-default policy
- SELinux/AppArmor support
- CIS hardening levels 1-2

## Monitoring

- Health checks included in playbooks
- Service verification after operations
- Detailed logging to `/var/log/`
- Report generation for audit trails

## Support

For issues or questions about the roles, see the individual role README files.