redhat-cop · sean-m-sullivan · Nov 8, 2024 · Nov 7, 2024 · Nov 7, 2024 · Nov 7, 2024
@@ -1,37 +1,25 @@
 ---
-# The exclude_paths does not appear to be working in pre-commit
-# this issue describes similar behavior but suggested fix doesn't work
-# https://github.com/ansible/ansible-lint/issues/371
-# exclude_paths:
+# .ansible-lint
+
+profile: production # min, basic, moderate,safety, shared, production
+
+# Allows dumping of results in SARIF format
+# sarif_file: result.sarif
+
+# exclude_paths included in this file are parsed relative to this file's location
+# and not relative to the CWD of execution. CLI arguments passed to the --exclude
+# option are parsed relative to the CWD of execution.
 exclude_paths:
-  - '.github/'
-  - 'changelogs/'
-  - 'tests/templated_role_example'
+  - .github/
+  - changelogs/
+  - tests/templated_role_example
+
 parseable: true
-use_default_rules: true
-# https://github.com/ansible/ansible-lint/issues/808
-# with verbosity set to 1, its dumping 'unknown file type messages'
+# quiet: true
+# strict: true
 # verbosity: 1
-skip_list:
-  # Skipping fqcn[action] because this collection supports using either the awx.awx or ansible.controller collection
-  #   so a FQCN cannot be used in module names
-  - fqcn[action]
-  - fqcn[keyword]
-  - jinja[spacing]
-  - meta-runtime  # This collection with the appropriate awx.awx or ansible.controller still works with older ansible.
-  - role-name[path]
-  - sanity[cannot-ignore]  # We're only ignoring sanity rules when we have to
-  - var-naming[no-role-prefix]
-kinds:
-  - playbooks: "**/examples/templates/*.{yml,yaml}"
-  - playbooks: "**/examples/*.{yml,yaml}"
-  - playbooks: "**/examples/automatetheautomation/*.{yml,yaml}"
-  - tasks: "**/examples/tasks/*.yml"
-  - vars: "**/examples/automatetheautomation/orgs_vars/**/*.yml"
-  - vars: "**/examples/configs/*.yml"
-  - vars: "**/examples/configs_export_model/*.yml"
-  - vars: "**/examples/vars/*.yml"
-  - vars: "**/roles/**/tests/configs/*.yml"
+
+# Mock modules or roles in order to pass ansible-playbook --syntax-check
 mock_modules:
   - ansible.platform.authenticator_map
   - ansible.platform.user
@@ -48,4 +36,115 @@ mock_modules:
   - ansible.platform.http_port
   - ansible.platform.route
   - job_wait
+
+# mock_roles:
+#   - mocked_role
+#   - author.role_name # old standalone galaxy role
+#   - fake_namespace.fake_collection.fake_role # role within a collection
+
+# Enable checking of loop variable prefixes in roles
+loop_var_prefix: ^(__|{role}_)
+
+# Enforce variable names to follow pattern below, in addition to Ansible own
+# requirements, like avoiding python identifiers. To disable add `var-naming`
+# to skip_list.
+var_naming_pattern: ^[a-z_][a-z0-9_]*$
+
+use_default_rules: true
+# Load custom rules from this specific folder
+# rulesdir:
+#   - ./rule/directory/
+
+# Ansible-lint is able to recognize and load skip rules stored inside
+# `.ansible-lint-ignore` (or `.config/ansible-lint-ignore.txt`) files.
+# To skip a rule just enter filename and tag, like "playbook.yml package-latest"
+# on a new line.
+# Optionally you can add comments after the tag, prefixed by "#". We discourage
+# the use of skip_list below because that will hide violations from the output.
+# When putting ignores inside the ignore file, they are marked as ignored, but
+# still visible, making it easier to address later.
+skip_list:
+  # Skipping fqcn[action] because this collection supports using either the awx.awx or ansible.controller collection
+  #   so a FQCN cannot be used in module names
+  - fqcn[action]
+  - fqcn[keyword]
+  - jinja[spacing]
+  - meta-runtime # This collection with the appropriate awx.awx or ansible.controller still works with older ansible.
+  - role-name[path]
+  - sanity[cannot-ignore] # We're only ignoring sanity rules when we have to
+  - var-naming[no-role-prefix]
+
+# Ansible-lint does not automatically load rules that have the 'opt-in' tag.
+# You must enable opt-in rules by listing each rule 'id' below.
+enable_list:
+  - args
+  - empty-string-compare # opt-in
+  - no-log-password # opt-in
+  - no-same-owner # opt-in
+  - name[prefix] # opt-in
+  - galaxy-version-incorrect # opt-in
+  # add yaml here if you want to avoid ignoring yaml checks when yamllint
+  # library is missing. Normally its absence just skips using that rule.
+  - yaml
+# Report only a subset of tags and fully ignore any others
+# tags:
+#   - jinja[spacing]
+
+# Ansible-lint does not fail on warnings from the rules or tags listed below
+warn_list:
+  - experimental # experimental is included in the implicit list
+  # - role-name
+  # - yaml[document-start]  # you can also use sub-rule matches
+
+# Some rules can transform files to fix (or make it easier to fix) identified
+# errors. `ansible-lint --fix` will reformat YAML files and run these transforms.
+# By default it will run all transforms (effectively `write_list: ["all"]`).
+# You can disable running transforms by setting `write_list: ["none"]`.
+# Or only enable a subset of rule transforms by listing rules/tags here.
+# write_list:
+#   - all
+
+# Offline mode disables installation of requirements.yml and schema refreshing
+offline: true
+
+# Define required Ansible's variables to satisfy syntax check
+# extra_vars:
+#   foo: bar
+#   multiline_string_variable: |
+#     line1
+#     line2
+#   complex_variable: ":{;\t$()"
+
+# Uncomment to enforce action validation with tasks, usually is not
+# needed as Ansible syntax check also covers it.
+# skip_action_validation: false
+
+# List of additional kind:pattern to be added at the top of the default
+# match list, first match determines the file kind.
+# kinds:
+# - playbook: "**/examples/*.{yml,yaml}"
+# - galaxy: "**/folder/galaxy.yml"
+# - tasks: "**/tasks/*.yml"
+# - vars: "**/vars/*.yml"
+# - meta: "**/meta/main.yml"
+# - yaml: "**/*.yaml-too"
+
+# List of additional collections to allow in only-builtins rule.
+# only_builtins_allow_collections:
+#   - example_ns.example_collection
+
+# List of additions modules to allow in only-builtins rule.
+# only_builtins_allow_modules:
+#   - example_module
+
+# Allow setting custom prefix for name[prefix] rule
+task_name_prefix: "{stem} | "
+# Complexity related settings
+
+# Limit the depth of the nested blocks:
+# max_block_depth: 20
+
+# Also recognize these versions of Ansible as supported:
+# supported_ansible_also:
+#   - "2.14"
 ...
@@ -4,7 +4,7 @@ default: true
 # MD003/heading-style/header-style - Heading style
 # This will ensure that the heading format is consistent across all markdown files
 MD003:
-  style: "atx"
+  style: atx
 
 # MD013/line-length - Line length
 # Setting to false to match the yamllint setting
@@ -17,5 +17,5 @@ MD0046:
 
 MD033:
   allowed_elements:
-    - "br"
+    - br
 ...
@@ -1,11 +1,11 @@
 ---
 repos:
-  - repo: 'https://github.com/pre-commit/pre-commit-hooks'
+  - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v5.0.0
     hooks:
       - id: end-of-file-fixer
       - id: trailing-whitespace
-  - repo: 'https://github.com/ansible-community/ansible-lint.git'
+  - repo: https://github.com/ansible-community/ansible-lint.git
     rev: v24.9.2
     hooks:
       # see discussions here about what arguments are used, and behavior
@@ -15,12 +15,12 @@ repos:
       - id: ansible-lint
         pass_filenames: false
         always_run: true
-        entry: "ansible-lint"
+        entry: ansible-lint
         args:
-          - "--profile=production"
+          - --profile=production
         additional_dependencies:
-          - "ansible-core>=2.15"
-          - "yamllint>=1.26,<2.0"
+          - ansible-core>=2.15
+          - yamllint>=1.26,<2.0
   - repo: https://github.com/DavidAnson/markdownlint-cli2
     rev: v0.14.0
     hooks:

@@ -14,7 +14,7 @@ rules:
     min-spaces-from-content: 1 # prettier compatibility
   comments-indentation: false
   document-start: disable
-  document-end: {present: true}
+  document-end: { present: true }
   indentation:
     level: error
     # Require indentation https://redhat-cop.github.io/automation-good-practices/#_yaml_and_jinja2_syntax
@@ -31,6 +31,6 @@ rules:
     level: error
     # Allow only YAML 1.2 booleans https://redhat-cop.github.io/automation-good-practices/#_yaml_and_jinja2_syntax
     allowed-values:
-      - 'true'
-      - 'false'
+      - "true"
+      - "false"
 ...
@@ -40,7 +40,7 @@ These are the connection variables, These are used to connect to the platform. T
 |Variable Name|Default Value|Required|Description|Example|
 |:---|:---:|:---:|:---|:---|
 |`aap_hostname`|""|yes|URL to the Ansible Automation Platform Server.|127.0.0.1|
-|`aap_validate_certs`|`True`|no|Whether or not to validate the Ansible Automation Platform Server's SSL certificate.||
+|`aap_validate_certs`|`true`|no|Whether or not to validate the Ansible Automation Platform Server's SSL certificate.||
 |`aap_username`|""|no|Admin User on the Ansible Automation Platform Server. Either username / password or oauthtoken need to be specified.||
 |`aap_password`|""|no|Platform Admin User's password on the Server.  This should be stored in an Ansible Vault at vars/platform-secrets.yml or elsewhere and called from a parent playbook.||
 |`aap_token`|""|no|Controller Admin User's token on the Ansible Automation Platform Server. This should be stored in an Ansible Vault at or elsewhere and called from a parent playbook. Either username / password or oauthtoken need to be specified.||
@@ -52,8 +52,8 @@ Other Variables that will apply to all roles when used globally. Each of these h
 
 |Variable Name|Default Value|Required|Description|
 |:---|:---:|:---:|:---|
-|`aap_configuration_enforce_defaults`|`False`|no|Whether or not to enforce default option values. This is not universal and it is a best effort to enforce the default values of fields.|
-|`aap_configuration_secure_logging`|`False`|no|Whether or not to include the sensitive Registry role tasks in the log.  Set this value to `True` if you will be providing your sensitive values from elsewhere.|
+|`aap_configuration_enforce_defaults`|`false`|no|Whether or not to enforce default option values. This is not universal and it is a best effort to enforce the default values of fields.|
+|`aap_configuration_secure_logging`|`false`|no|Whether or not to include the sensitive Registry role tasks in the log.  Set this value to `true` if you will be providing your sensitive values from elsewhere.|
 |`aap_configuration_async_retries`|50|no|This variable sets the number of retries to attempt for each role globally.|
 |`aap_configuration_async_delay`|1|no|This sets the delay between retries for each role globally.|
 |`aap_configuration_loop_delay`|1000|no|This variable sets the loop_delay for each role globally.|

@@ -36,7 +36,7 @@ awx export --conf.host https://localhost --conf.username admin --conf.password *
      CONTROLLER_HOST: https://localhost
      CONTROLLER_USERNAME: admin
      CONTROLLER_PASSWORD: password
-     CONTROLLER_VERIFY_SSL: False
+     CONTROLLER_VERIFY_SSL: false
 
   tasks:
     - name: Export projects
@@ -50,7 +50,7 @@ awx export --conf.host https://localhost --conf.username admin --conf.password *
 
     - name: Export projects to file
       ansible.builtin.copy:
-        content: "{{ export_results | to_nice_yaml(width=50, explicit_start=True, explicit_end=True) }}"
+        content: "{{ export_results | to_nice_yaml(width=50, explicit_start=true, explicit_end=true) }}"
         dest: projects.yaml
 ...
 ```

@@ -1,3 +1,3 @@
 ---
-requires_ansible: '>=2.15.0'
+requires_ansible: ">=2.15.0"
 ...
@@ -7,7 +7,7 @@
       ansible.builtin.include_vars:
         dir: "{{ aap_configs_dir | default((lookup('env', 'AAP_CONFIGS_DIR') == '') | ternary('./configs', lookup('env', 'AAP_CONFIGS_DIR'))) }}"
         ignore_files: [controller_config.yml.template]
-        extensions: ["yml"]
+        extensions: [yml]
       tags:
         - always
 

@@ -15,7 +15,7 @@
   tasks:
     - name: Get number of JT
       ansible.builtin.uri:
-        url: "https://{{ aap_hostname }}/api/v2/metrics/?format=json"
+        url: https://{{ aap_hostname }}/api/v2/metrics/?format=json
         method: GET
         force_basic_auth: true
         user: "{{ aap_username }}"
@@ -39,7 +39,7 @@
 
     - name: Get users info
       ansible.builtin.uri:
-        url: "https://{{ aap_hostname }}/api/v2/users/?format=json"
+        url: https://{{ aap_hostname }}/api/v2/users/?format=json
         method: GET
         force_basic_auth: true
         user: "{{ aap_username }}"
@@ -82,7 +82,7 @@
 
     - name: Get subscription info
       ansible.builtin.uri:
-        url: "https://{{ aap_hostname }}/api/v2/settings/all/?format=json"
+        url: https://{{ aap_hostname }}/api/v2/settings/all/?format=json
         method: GET
         force_basic_auth: true
         user: "{{ aap_username }}"

@@ -1,10 +1,10 @@
 ---
-- name: "Play to rename an object to every other object that is using it"
+- name: Play to rename an object to every other object that is using it
   hosts: localhost
   connection: local
   gather_facts: false
   tasks:
-    - name: "Get all the files using this object from the specified path"
+    - name: Get all the files using this object from the specified path
       ansible.builtin.find:
         paths: "{{ path }}"
         file_type: file
@@ -13,11 +13,11 @@
         contains: "{{ current_name | regex_escape() }}"
       register: __list_files
 
-    - name: "Update the name into the found files"
+    - name: Update the name into the found files
       ansible.builtin.replace:
         path: "{{ __file.path }}"
-        regexp: '^(.*){{ current_name | regex_escape() }}(.*)$'
-        replace: '\1{{ new_name }}\2'
+        regexp: ^(.*){{ current_name | regex_escape() }}(.*)$
+        replace: \1{{ new_name }}\2
       loop: "{{ __list_files.files }}"
       loop_control:
         loop_var: __file

@@ -1,21 +1,21 @@
 ---
-- name: "Play to set given organization to every object found in the search path"
+- name: Play to set given organization to every object found in the search path
   hosts: localhost
   connection: local
   gather_facts: false
   tasks:
-    - name: "Get all the files from the specified path"
+    - name: Get all the files from the specified path
       ansible.builtin.find:
         paths: "{{ path }}"
         file_type: file
         recurse: true
       register: __list_files
 
-    - name: "Update the organization into the found files"
+    - name: Update the organization into the found files
       ansible.builtin.replace:
         path: "{{ __file.path }}"
-        regexp: '^(.*)organization: (.*)$'
-        replace: '\1organization: {{ new_organization }}'
+        regexp: "^(.*)organization: (.*)$"
+        replace: "\\1organization: {{ new_organization }}"
       loop: "{{ __list_files.files }}"
       loop_control:
         loop_var: __file

@@ -27,13 +27,13 @@ Currently:
 
 The following Variables compliment each other.
 If Both variables are not set, secure logging defaults to false.
-The role defaults to False as normally the ansible config task does not by default include sensitive information, we highly recommend the use of ansible vault for passwords and tokens.
+The role defaults to false as normally the ansible config task does not by default include sensitive information, we highly recommend the use of ansible vault for passwords and tokens.
 aap_configuration_ansible_config_secure_logging defaults to the value of aap_configuration_secure_logging if it is not explicitly called. This allows for secure logging to be toggled for the entire suite of automation hub configuration roles with a single variable, or for the user to selectively use it.
 
 |Variable Name|Default Value|Required|Description|
 |:---:|:---:|:---:|:---:|
-|`aap_configuration_ansible_config_secure_logging`|`False`|no|Whether or not to include the sensitive ansible config role tasks in the log.  Set this value to `True` if you will be providing your sensitive values from elsewhere.|
-|`aap_configuration_secure_logging`|`False`|no|This variable enables secure logging as well, but is shared across multiple roles, see above.|
+|`aap_configuration_ansible_config_secure_logging`|`false`|no|Whether or not to include the sensitive ansible config role tasks in the log.  Set this value to `true` if you will be providing your sensitive values from elsewhere.|
+|`aap_configuration_secure_logging`|`false`|no|This variable enables secure logging as well, but is shared across multiple roles, see above.|
 
 ## Data Structures
 

@@ -10,7 +10,7 @@
 # ansible_config_owner: # optional
 # ansible_config_group: # optional
 ansible_config_mode: "0644"
-aap_configuration_working_dir: "/var/tmp"
+aap_configuration_working_dir: /var/tmp
 validate_certs: false
 ah_path_prefix: galaxy
 # a list of dictionaries describing the Automation Hub namespace