-
Notifications
You must be signed in to change notification settings - Fork 0
/
role_verify.yml
47 lines (43 loc) · 1.62 KB
/
role_verify.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
---
- name: 'Validate Ansible roles'
gather_facts: false
hosts: 'all'
connection: 'local'
become: false
run_once: true
any_errors_fatal: true
tasks:
- name: 'List roles'
ansible.builtin.find:
path: "{{ playbook_dir }}/../roles" # Ansible doesn't have a fact for the role_path
file_type: 'directory'
recurse: false
register: 'roles'
delegate_to: 'localhost'
- name: 'Assemble list of roles to verify'
ansible.builtin.set_fact:
verify_list: "{{ verify_list | default([]) + [role] }}"
when: role.split('/')[-1] not in role_verify_exceptions | default([])
loop: "{{ roles['files'] | map(attribute='path') }}"
loop_control:
loop_var: 'role'
- name: 'Verify Ansible-Sign signatures'
ansible.builtin.command: ansible-sign --nocolor project gpg-verify {{ role }}
register: 'role_verify'
changed_when: false
loop: "{{ roles['files'] | map(attribute='path') }}"
loop_control:
loop_var: 'role'
label: "{{ role.split('/')[-1] }}"
delegate_to: 'localhost'
failed_when:
- role_verify['rc'] != 0
- role_verify_strict | default(true) | bool
- name: 'WARNING: The following roles did not verify succesfully'
ansible.builtin.debug:
msg: |
The role verification is running in non-strict mode and therefore will continue.
However, the following errors came up when verifying:
{{ role_verify['results'] | rejectattr('rc', 'equalto', 0) | map(attribute='stdout') }}
when: not role_verify_strict| default(true) | bool
changed_when: true