Ansible-lint
ansible-lint checks playbooks and roles against best practices.
# Installation
pip install ansible-lint
# Run
ansible-lint playbook.yml
ansible-lint roles/mon_role/
# With a configuration file
ansible-lint -c .ansible-lint
.ansible-lint configuration
# .ansible-lint
---
profile: production

exclude_paths:
  - .github/
  - molecule/
  - tests/fixtures/

skip_list:
  - yaml[line-length]
  - name[casing]

warn_list:
  - experimental

enable_list:
  - no-log-password
  - no-same-owner
Main rules
- fqcn: Use fully qualified module names
- yaml: Follow the standard YAML format
- name: Name all tasks
- no-changed-when: Define changed_when for command/shell
- risky-file-permissions: Specify file permissions
- no-handler: Use handlers for notifications
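The main rules above applied to a constructed playbook fragment (an added example, not from the original page): the first document trips name, fqcn, risky-file-permissions, no-handler and no-changed-when, and the second is the corrected form. The host group, file paths, the app service and the "applied" output string are assumptions made for illustration.

```yaml
---
# Before (constructed): each task violates at least one rule from the list.
- hosts: web                           # name: the play has no name
  tasks:
    - copy:                            # name, fqcn, risky-file-permissions
        src: app.conf
        dest: /etc/app/app.conf
      register: conf

    - name: Restart app                # no-handler: restart driven by "changed"
      service:                         # fqcn
        name: app
        state: restarted
      when: conf.changed

    - name: Run migration              # no-changed-when
      command: /opt/app/bin/migrate    # fqcn
---
# After (constructed): same behaviour, written so the rules pass.
- name: Configure web servers
  hosts: web
  tasks:
    - name: Deploy app configuration
      ansible.builtin.copy:
        src: app.conf
        dest: /etc/app/app.conf
        owner: root
        group: root
        mode: "0640"                   # explicit mode, not left to the umask
      notify: Restart app

    - name: Run migration
      ansible.builtin.command: /opt/app/bin/migrate
      register: migrate
      # Assumption: the migration tool prints "applied" when it changed something.
      changed_when: "'applied' in migrate.stdout"

  handlers:
    - name: Restart app
      ansible.builtin.service:
        name: app
        state: restarted
```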
GitLab CI pipeline
# .gitlab-ci.yml
---
stages:
  - lint
  - test
  - deploy

variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"

cache:
  paths:
    - .cache/pip/

lint:
  stage: lint
  image: python:3.11
  script:
    - pip install ansible ansible-lint yamllint
    - yamllint .
    - ansible-lint
  rules:
    - changes:
        - "**/*.yml"
        - "**/*.yaml"

molecule_test:
  stage: test
  image: docker:24
  services:
    - docker:dind
  variables:
    # 2375 is the unencrypted dind port; the daemon only listens on it
    # when TLS is explicitly disabled.
    DOCKER_HOST: "tcp://docker:2375"
    DOCKER_TLS_CERTDIR: ""
  before_script:
    - apk add --no-cache python3 py3-pip gcc musl-dev python3-dev
    - pip install molecule molecule-docker ansible
  script:
    - cd roles/mon_role
    - molecule test
  rules:
    - changes:
        - "roles/**/*"

deploy_staging:
  stage: deploy
  image: python:3.11
  before_script:
    - pip install ansible
    - ansible-galaxy install -r requirements.yml
  script:
    - ansible-playbook -i inventory/staging deploy.yml
  environment:
    name: staging
  rules:
    - if: $CI_COMMIT_BRANCH == "develop"

deploy_production:
  stage: deploy
  image: python:3.11
  before_script:
    - pip install ansible
    - ansible-galaxy install -r requirements.yml
  script:
    - ansible-playbook -i inventory/production deploy.yml
  environment:
    name: production
  rules:
    # Production deploys only from main and only when triggered by hand.
    - if: $CI_COMMIT_BRANCH == "main"
      when: manual
GitHub Actions pipeline
# .github/workflows/ansible.yml
name: Ansible CI

on:
  push:
    branches: [main, develop]
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install ansible ansible-lint
      - run: ansible-lint

  molecule:
    runs-on: ubuntu-latest
    needs: lint
    strategy:
      matrix:
        role: [webserver, database, monitoring]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install molecule molecule-docker ansible
      - run: cd roles/${{ matrix.role }} && molecule test
Best practice: Integrate ansible-lint and molecule into your CI pipeline to guarantee the quality of your Ansible code.