feat!: disable facts injection for security purpose

2023-12-10 00:00:00 +00:00 · 2023-12-10 00:00:00 +00:00 · 0829d7807f
commit 0829d7807f
parent b33a29d0d9
9 changed files with 36 additions and 34 deletions
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/handlers/main.yml
@ -5,4 +5,4 @@
    name: docker
    enabled: true
    state: restarted
-  when: ansible_virtualization_type is not match("docker")
+  when: ansible_facts['virtualization_type'] is not match("docker")
--- a/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
+++ b/collections/ansible_collections/nullified/infrastructure/roles/development/tasks/main.yml
@ -17,7 +17,7 @@
    key: "{{ development.user_account }}"
    split: ":"
  changed_when: false
-  when: getent_passwd is undefined or development.user_account not in getent_passwd
+  when: ansible_facts['getent_passwd'] is undefined or development.user_account not in ansible_facts['getent_passwd']

 - name: '[apt] install dependencies and tools'
  become: true
@ -219,13 +219,13 @@
  block:
    - name: '[apt key] add docker key'
      ansible.builtin.get_url:
-        url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
+        url: "https://download.docker.com/linux/{{ ansible_facts['distribution'] | lower }}/gpg"
        dest: /etc/apt/trusted.gpg.d/docker.asc
        mode: '0644'

    - name: '[apt key] add source'
      ansible.builtin.apt_repository:
-        repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} stable"
+        repo: "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/docker.asc] https://download.docker.com/linux/{{ ansible_facts['distribution'] | lower }} {{ ansible_facts['distribution_release'] }} stable"
        state: present
        filename: docker
        update_cache: true
@ -264,7 +264,7 @@
  become_user: "{{ development.user_account }}"
  ansible.builtin.command:
    cmd: "pipx install {{ item.cmd }}"
-    creates: "{{ getent_passwd[development.user_account][4] }}/.local/bin/{{ item.creates }}"
+    creates: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/bin/{{ item.creates }}"
  loop:
    - { "cmd": "black", "creates": "black" }
    - { "cmd": "flake8", "creates": "flake8" }
@ -275,7 +275,7 @@
  ansible.builtin.command:
    cmd: "pipx inject {{ item.venv }} {{ item.extension }}"
    creates:
-      "{{ getent_passwd[development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
+      "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.local/pipx/venvs/{{ item.venv }}/lib/python3.11/site-packages/{{ item.creates }}"
  loop:
    - venv: "flake8"
      extension: "flake8-annotations-complexity"
@ -337,7 +337,7 @@

 - name: '[rust] check if rust is already installed'
  ansible.builtin.file:
-    path: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc"
+    path: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.cargo/bin/rustc"
  register: rustc_stat
  changed_when: false
  failed_when: false
@ -359,4 +359,4 @@
      become_user: "{{ development.user_account }}"
      script:
        cmd: /tmp/rustup.sh -qy
-        creates: "{{ getent_passwd[development.user_account][4] }}/.cargo/bin/rustc"
+        creates: "{{ ansible_facts['getent_passwd'][development.user_account][4] }}/.cargo/bin/rustc"