From 624ad926ecfa9c2057018117fd9d8f2d43cf466e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Wed, 30 Aug 2023 11:37:59 +0200
Subject: [PATCH] test: adapt Molecule setup to suit peculiarities from the
 latest Molecule v6 release

---
 .gitignore                               |  1 +
 .gitlab-ci.yml                           | 23 +++++++++++++++--------
 molecule/resources/playbooks/prepare.yml | 20 ++++++++++++++++++++
 molecule/virtualbox/molecule.yml         |  7 ++++---
 4 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/.gitignore b/.gitignore
index ed78332..1fa681b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -53,6 +53,7 @@ Thumbs.db
 *.vault
 inventory.*
 inv.*
+*.pass
 
 # Vim #
 #######
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bff41a8..8ccc1d7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,26 +12,33 @@ default:
     - source /opt/molecule/bin/activate
     - ansible --version
     - molecule --version
+variables:
+  SCENARIO: "default"
+  # ANSIBLE_VAULT_PASSWORD_FILE: "molecule/lza_server_hardening.pass"
+  ANSIBLE_VAULT_PASSWORD_FILE: "../../../lza_server_hardening.pass"
+    
 
 test-job:
   stage: test
   tags:
     - "shell"
   script:
+    - echo "CURRENT PATH= '$(pwd)'" 
     # make sure that Ansible Vaults are present and can be decrypted
-    - echo "${VAULT_SERVER_HARDENING}" > ../lza_server_hardening.pass
-    - export ANSIBLE_VAULT_PASSWORD_FILE=../lza_server_hardening.pass
+    - echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}
+    - export ANSIBLE_VAULT_PASSWORD_FILE
+    - tree
     - rm -rf ../ansible_vaults/
     - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
     # run Molecule tests
-    - molecule syntax --scenario-name default
+    - molecule syntax --scenario-name ${SCENARIO}
     # We cannot use `molecule lint` anymore because:
     # - https://github.com/ansible-community/molecule/pull/3802 "Remove lint command"
     # - https://github.com/ansible-community/molecule/discussions/3825#discussioncomment-4908366
     - yamllint --strict --format colored ./
     - ansible-lint --format full --profile production --strict --force-color ./
-    - molecule create --scenario-name default
-    - molecule converge --scenario-name default
-    - molecule idempotence --scenario-name default
-    # - molecule verify --scenario-name default
-    - molecule destroy --scenario-name default
+    - molecule create --scenario-name ${SCENARIO}
+    - molecule converge --scenario-name ${SCENARIO}
+    - molecule idempotence --scenario-name ${SCENARIO}
+    # - molecule verify --scenario-name ${SCENARIO}
+    - molecule destroy --scenario-name ${SCENARIO}
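Review bot: The vault password is now written by `echo "${VAULT_SERVER_HARDENING}" > ${ANSIBLE_VAULT_PASSWORD_FILE}` to `../../../lza_server_hardening.pass`, three levels above the checkout on a `shell`-tagged runner, with the job's default umask and no removal step, so the secret outlives the job on the runner host, where the new `*.pass` ignore rule in `.gitignore` cannot reach it. Create it with restricted permissions and clean it up: `- (umask 077 && echo "${VAULT_SERVER_HARDENING}" > "${ANSIBLE_VAULT_PASSWORD_FILE}")` in `script`, plus an `after_script:` with `- rm -f "${ANSIBLE_VAULT_PASSWORD_FILE}"`. The relative path also depends on the runner's build-directory depth, which the commented alternative on the `ANSIBLE_VAULT_PASSWORD_FILE` line suggests was already uncertain; presumably the same uncertainty is what `tree` and the `pwd` echo are meant to debug, and they print the runner's directory layout into the job log. The indented blank line after the `variables` block and the `pwd` echo line carry trailing whitespace, which the job's own `yamllint --strict ./` may reject if it picks up `.gitlab-ci.yml`.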
diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
index a20ecff..eb1e2ce 100644
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -20,3 +20,23 @@
         update_cache: true
         mode: "0644"
       become: true
+    # This Ansible role installs a multitude of firewall rules, some of which
+    # will lock us out of our Molecule test VM if we don't take precautions.
+    # As Molecule itself uses SSH just like Ansible, we need to open port
+    # tcp/22 to the private /24 subnet that Vagrant uses when provisioning the
+    # VM. As we don't know for sure what the address for this subnet is and it
+    # can change across servers/platforms, we gather this information
+    # dynamically and filter it through `ipaddr` to get the address of the
+    # whole subnet. The rule is inserted right on top of the list to make sure
+    # we always get access.
+    - name: add firewall rule to allow access from Molecule host into testing VM
+      ansible.builtin.iptables:
+        action: insert
+        rule_num: 1
+        chain: INPUT
+        comment: "molecule access"
+        jump: "ACCEPT"
+        protocol: tcp
+        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
+        destination_port: "22"
+      become: true
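Review bot: The `source:` expression on the new iptables task hard-codes `/24` while the comment above it says the subnet is not known and is gathered dynamically; `ansible_default_ipv4.address` is a bare host address, so `ipaddr('network')` has no prefix to derive a network from (it presumably yields the address unchanged), and the resulting `<address>/24` only covers the intended subnet when the real mask happens to be /24. The gathered facts already carry the subnet, so `source: "{{ ansible_default_ipv4.network }}/{{ ansible_default_ipv4.netmask }}"` expresses the intent without the assumption, and iptables accepts the address/netmask form. Inserting an ACCEPT for tcp/22 at position 1 for an entire subnet is a wide opening even in a throwaway VM; if the Molecule host's address is known to the playbook, restrict `source` to it. On VirtualBox the default route may belong to the NAT adapter rather than the host-only network Molecule connects over, so it is worth confirming that `ansible_default_ipv4` is the interface Molecule actually reaches the VM on.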
diff --git a/molecule/virtualbox/molecule.yml b/molecule/virtualbox/molecule.yml
index 6f084c7..b409ad5 100644
--- a/molecule/virtualbox/molecule.yml
+++ b/molecule/virtualbox/molecule.yml
@@ -21,7 +21,7 @@ platforms:
     # Dictionary of `config` options.
     config_options:
       ssh.keep_alive: yes
-      ssh.remote_user: "'lza'"
+      ssh.remote_user: "lza"
 provisioner:
   name: ansible
   log: true
@@ -29,13 +29,14 @@ provisioner:
     defaults:
       # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
       #vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
-      vault_identity_list: "../lza_server_hardening.pass"
+      #vault_identity_list: "${MOLECULE_PROJECT_DIRECTORY}/../../lza_server_hardening.pass"
+      vault_identity_list: "../lza_server_hardening.pass, ../../../lza_server_hardening.pass"
   vvv: false
   playbooks:
     # create: ../resources/playbooks/create.yml
     # destroy: ../resources/playbooks/destroy.yml
     converge: ../resources/playbooks/converge.yml
-    # prepare: ../resources/playbooks/prepare.yml
+    prepare: ../resources/playbooks/prepare.yml
     verify: ../resources/playbooks/verify.yml
 verifier:
   name: ansible
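Review bot: `vault_identity_list` now lists two guessed relative paths (`../lza_server_hardening.pass, ../../../lza_server_hardening.pass`) resolved against wherever ansible-playbook runs, and as far as I can tell Ansible treats a listed password file that does not exist as an error rather than skipping it, so the pair can fail in one of the two layouts it is trying to cover. The commented line directly above already names the documented anchor, `${MOLECULE_PROJECT_DIRECTORY}`; a single entry such as `vault_identity_list: "${MOLECULE_PROJECT_DIRECTORY}/<relative path to the .pass file>"` pointing at the one location the CI job writes would remove the guesswork, provided that path and the CI job's `ANSIBLE_VAULT_PASSWORD_FILE` agree. Keeping the superseded value as a commented-out line duplicates what the VCS history already records; I would drop it or replace it with a one-line comment stating why the path is anchored the way it is.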
-- 
GitLab