CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 2
Code Issues 7 Pull requests 4 Wiki Activity Actions

Vendor Galaxy Roles and Collections
Some checks failed
/ Ansible Lint (push) Failing after 5m45s
Details
/ Ansible Lint (pull_request) Failing after 4m59s
Details

Browse source
This commit is contained in:
Stefan Bethke 2026-02-06 22:07:16 +01:00
commit 2aed20393f
3553 changed files with 387444 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/aliases Normal file
View file

@ -0,0 +1,8 @@
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
gha/main
skip/aix
skip/osx
skip/freebsd

10
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/.sops.yaml Normal file
View file

@ -0,0 +1,10 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
creation_rules:
- path_regex: test_json
unencrypted_regex: ^key1$
pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4
- pgp: FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4

20
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml Normal file
View file

@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:Gw==,iv:zVZEcknNNtMsjB7jLYUZglzdLIrHS658uwjOD4Kth6A=,tag:gzP41dCGjBAedV+XiQFepw==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"lastmodified": "2020-10-07T19:25:02Z",
"mac": "ENC[AES256_GCM,data:KnhqQH9rRqJ0XC40qhI79WtNBSiE9ym3SO58Bw09Bev9kq6uMVxAm9iOZvjQazOupELHaJiLO6fWT3FCoZfiU0IJBkN8JzFsKr2C59UH4B8f0RJZhNrAJ3AriBFPateFneDbrwjld0xEhP+2f286yIFv/xc/DEEPduIKRvkVN4I=,iv:yg06T0+gQ4j+bF3NAxQqwwPlJGBCcHTV6APzKT1x334=,tag:cVQ7oAh0HJ2rM8b6gVpdUg==,type:str]",
"pgp": [
{
"created_at": "2020-10-07T19:24:59Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMAyUpShfNkFB/AQgApb3VzPV0KmRyGRSiqPVRaM0cBthJtHu9H22QGXFAb8X/\nBLPXFBlFoFKbg9eUzG0EfKDzF1f5Aeeme3Fq6cGjmtU1oyynQLFtb3369zAC+Itf\nZo3u8pjC8YDPg2NpEFrAg4YZgVIr56UdEjjC4CDvzgYd08WCIYABIO6iedSneTh2\nBcqCDc5WY5vzUnon29kUnpolOPHXjDE3PHCynbdoELrlYY3lmw4ymD0sBdtcBDER\nAtM4s3Xz7C5XhF134GmxMdQ5P/QdxSR2L1vgludDs8/Q62OxSGw3vnLXFXkHmaBQ\nxYrt+0ehNAreL/TaR5em0Bu3Bk00RxmQnrUFLc1G2dLgAeRUspltx0tjMT7eiBxx\nwQ0I4W5u4PvgVOGSG+Bp4uin1nXgduUcQnRT3Dmr1EpBbDAhZ9ldlthrxk7Ir15H\ndEJxe7jtsOAk5HlYOWliZOyFb2JtqtNqMGjimD4JPeEXOgA=\n=eh24\n-----END PGP MESSAGE-----",
"fp": "FBC7B9E2A4F9289AC0C1D4843D16CEE4A27381B4"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.6.1"
}
}

3
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/broken-json-yaml.license Normal file
View file

@ -0,0 +1,3 @@
GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
SPDX-License-Identifier: GPL-3.0-or-later
SPDX-FileCopyrightText: Ansible Project

6
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/files/wrong.yaml Normal file
View file

@ -0,0 +1,6 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
this-is-not: a sops file

8
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/meta/main.yml Normal file
View file

@ -0,0 +1,8 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
dependencies:
- setup_sops
- setup_remote_tmp_dir

425
ansible_collections/community/sops/tests/integration/targets/sops_encrypt/tasks/main.yml Normal file
View file

@ -0,0 +1,425 @@
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
- when: sops_installed
block:
- name: Place .sops.yaml
copy:
src: ".sops.yaml"
dest: "{{ remote_tmp_dir }}/.sops.yaml"
- name: Define test objects
set_fact:
text_value_1: This is a text.
text_value_2: |+
This is another text!
it has two newlines at the end.
binary_value_1_b64: 'AQIDAAQ='
binary_value_2_b64: 'AQIDAAQgCg=='
json_value_1:
key1: value1
key2:
- value2.1
- value2.2
json_value_2:
key1: value1
key3:
- value3.1
- value3.2
- value3.3
- value3.4
# Invalid Base64
- name: Create binary file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_bad_base64"
content_binary: This is not Base64
register: result_not_base64
failed_when: result_not_base64 is not failed
- assert:
that:
- '"Cannot decode Base64 encoded data" in result_not_base64.msg'
# Broken file overwrite
- name: Place broken file
copy:
dest: "{{ remote_tmp_dir }}/broken"
content: I'm not sops encrypted
- name: Cannot decode existing file (overwrite, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/broken"
content_text: Test
register: result_cannot_decode_check
failed_when: result_cannot_decode_check is not failed
check_mode: true
- name: Cannot decode existing file (overwrite)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/broken"
content_text: Test
register: result_cannot_decode
failed_when: result_cannot_decode is not failed
- name: Cannot decode existing file (force, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/broken"
content_text: Test
force: true
register: result_cannot_decode_force_check
check_mode: true
- name: Cannot decode existing file (force)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/broken"
content_text: Test
force: true
register: result_cannot_decode_force
- slurp:
src: "{{ remote_tmp_dir ~ '/broken' }}"
register: slurp
- set_fact:
value: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='binary') }}"
- assert:
that:
- result_cannot_decode_force_check is changed
- result_cannot_decode_force is changed
- value == 'Test'
# Text content
- name: Create text file (check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_text"
content_text: "{{ text_value_1 }}"
check_mode: true
register: result_check
- name: Create text file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_text"
content_text: "{{ text_value_1 }}"
register: result
- slurp:
src: "{{ remote_tmp_dir ~ '/test_text' }}"
register: slurp
- set_fact:
value_1: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='binary') }}"
- name: Create text file (idempotency, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_text"
content_text: "{{ text_value_1 }}"
check_mode: true
register: result_idempotent_check
- name: Create text file (idempotency)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_text"
content_text: "{{ text_value_1 }}"
register: result_idempotent
- name: Create text file (change, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_text"
content_text: "{{ text_value_2 }}"
check_mode: true
register: result_change_check
- name: Create text file (change)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_text"
content_text: "{{ text_value_2 }}"
register: result_change
- slurp:
src: "{{ remote_tmp_dir ~ '/test_text' }}"
register: slurp
- set_fact:
value_2: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=false, output_type='binary') }}"
- assert:
that:
- result_check is changed
- result is changed
- value_1 == text_value_1
- result_idempotent_check is not changed
- result_idempotent is not changed
- result_change_check is changed
- result_change is changed
- value_2 == text_value_2
# Binary content
- name: Create binary file (check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_binary"
content_binary: "{{ binary_value_1_b64 }}"
check_mode: true
register: result_check
- name: Create binary file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_binary"
content_binary: "{{ binary_value_1_b64 }}"
register: result
- slurp:
src: "{{ remote_tmp_dir ~ '/test_binary' }}"
register: slurp
- set_fact:
value_1: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='binary') | b64encode }}"
- name: Create binary file (idempotency, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_binary"
content_binary: "{{ binary_value_1_b64 }}"
check_mode: true
register: result_idempotent_check
- name: Create binary file (idempotency)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_binary"
content_binary: "{{ binary_value_1_b64 }}"
register: result_idempotent
- name: Create binary file (change, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_binary"
content_binary: "{{ binary_value_2_b64 }}"
check_mode: true
register: result_change_check
- name: Create binary file (change)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_binary"
content_binary: "{{ binary_value_2_b64 }}"
register: result_change
- slurp:
src: "{{ remote_tmp_dir ~ '/test_binary' }}"
register: slurp
- set_fact:
value_2: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=false, output_type='binary') | b64encode }}"
- assert:
that:
- result_check is changed
- result is changed
- value_1 == binary_value_1_b64
- result_idempotent_check is not changed
- result_idempotent is not changed
- result_change_check is changed
- result_change is changed
- value_2 == binary_value_2_b64
# JSON content
- name: Create JSON file (check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json"
content_json: "{{ json_value_1 }}"
check_mode: true
register: result_check
- name: Create JSON file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json"
content_json: "{{ json_value_1 }}"
register: result
- slurp:
src: "{{ remote_tmp_dir ~ '/test_json' }}"
register: slurp
- set_fact:
value_1_raw: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='json') | b64encode }}"
value_1: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='json') | from_json }}"
- name: "SOPS 3.9.0+: check whether path_regex in .sops.yaml works"
assert:
that:
- >-
'"key1": "value1"' in slurp.content | b64decode
- >-
'"unencrypted_regex": "^key1$"' in slurp.content | b64decode
when: sops_version_remote is version('3.9.0', '>=')
- name: "SOPS before 3.9.0: check whether path_regex in .sops.yaml did not work"
assert:
that:
- >-
'"key1": "value1"' not in slurp.content | b64decode
- >-
'"unencrypted_regex": "^key1$"' not in slurp.content | b64decode
when: sops_version_remote is version('3.9.0', '<')
- name: Create JSON file (idempotency, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json"
content_json: "{{ json_value_1 }}"
check_mode: true
register: result_idempotent_check
- name: Create JSON file (idempotency)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json"
content_json: "{{ json_value_1 }}"
register: result_idempotent
- name: Create JSON file (change, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json"
content_json: "{{ json_value_2 }}"
check_mode: true
register: result_change_check
- name: Create JSON file (change)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json"
content_json: "{{ json_value_2 }}"
register: result_change
- slurp:
src: "{{ remote_tmp_dir ~ '/test_json' }}"
register: slurp
- set_fact:
value_2: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='json') | from_json }}"
- name: Place broken JSON file
copy:
src: "broken-json-yaml"
dest: "{{ remote_tmp_dir }}/test_json_broken"
- name: Update broken JSON file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_json_broken"
content_json: "{{ json_value_1 }}"
register: result_broken_change
- assert:
that:
- result_check is changed
- result is changed
- (value_1_raw | b64decode).startswith('{')
- value_1 == json_value_1
- result_idempotent_check is not changed
- result_idempotent is not changed
- result_change_check is changed
- result_change is changed
- value_2 == json_value_2
- result_broken_change is changed
# YAML content
- name: Create YAML file (check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml"
content_yaml: "{{ json_value_1 }}"
check_mode: true
register: result_check
- name: Create YAML file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml"
content_yaml: "{{ json_value_1 }}"
register: result
- slurp:
src: "{{ remote_tmp_dir ~ '/test_yaml' }}"
register: slurp
- set_fact:
value_1_raw: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='yaml') | b64encode }}"
value_1: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='yaml') | from_yaml }}"
- name: Create YAML file (idempotency, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml"
content_yaml: "{{ json_value_1 }}"
check_mode: true
register: result_idempotent_check
- name: Create YAML file (idempotency)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml"
content_yaml: "{{ json_value_1 }}"
register: result_idempotent
- name: Create YAML file (change, check mode)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml"
content_yaml: "{{ json_value_2 }}"
check_mode: true
register: result_change_check
- name: Create YAML file (change)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml"
content_yaml: "{{ json_value_2 }}"
register: result_change
- slurp:
src: "{{ remote_tmp_dir ~ '/test_yaml' }}"
register: slurp
- set_fact:
value_2: "{{ slurp.content | b64decode | community.sops.decrypt(output_type='yaml') | from_yaml }}"
- name: Place broken YAML file
copy:
src: "broken-json-yaml"
dest: "{{ remote_tmp_dir }}/test_yaml_broken"
- name: Update broken YAML file
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_yaml_broken"
content_json: "{{ json_value_1 }}"
register: result_broken_change
- assert:
that:
- result_check is changed
- result is changed
- not (value_1_raw | b64decode).startswith('{')
- value_1 == json_value_1
- result_idempotent_check is not changed
- result_idempotent is not changed
- result_change_check is changed
- result_change is changed
- value_2 == json_value_2
- result_broken_change is changed
# Output type JSON
- name: Create text file with output type JSON
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_output_type.json"
content_text: "{{ text_value_1 }}"
register: result
- slurp:
src: "{{ remote_tmp_dir ~ '/test_output_type.json' }}"
register: slurp
- set_fact:
value_1: "{{ slurp.content | b64decode | community.sops.decrypt(rstrip=False, output_type='json') | from_json }}"
value_2: "{{ slurp.content | b64decode | from_json }}"
- name: Create text file with output type JSON (idempotency)
community.sops.sops_encrypt:
path: "{{ remote_tmp_dir }}/test_output_type.json"
content_text: "{{ text_value_1 }}"
register: result_idem
- assert:
that:
- result_idem is not changed
- value_1.data == text_value_1
- '"data" in value_2'
- value_2.data.startswith('ENC[')