Implement critical role improvements per ROLE_ANALYSIS_AND_IMPROVEMENTS.md

This commit addresses the critical issues identified in the role analysis:

## Security Improvements

### Remove Hardcoded Secrets (deploy_linux_vm)
- Replaced hardcoded SSH key in defaults/main.yml with vault variable reference
- Replaced hardcoded root password with vault variable reference
- Created vault.yml.example to document secret structure
- Updated README.md with comprehensive security best practices section
- Added documentation for Ansible Vault, external secret managers, and environment variables
- Included SSH key generation and password generation best practices

## Role Documentation & Planning

### CHANGELOG.md Files
- Created comprehensive CHANGELOG.md for deploy_linux_vm role
  - Documented v1.0.0 initial release features
  - Tracked v1.0.1 security improvements
- Created comprehensive CHANGELOG.md for system_info role
  - Documented v1.0.0 initial release
  - Tracked v1.0.1 critical bug fixes (block-level failed_when, Jinja2 templates, OS variables)

### ROADMAP.md Files
- Created detailed ROADMAP.md for deploy_linux_vm role
  - Version 1.1.0: Security & compliance hardening (Q1 2026)
  - Version 1.2.0: Multi-distribution support (Q2 2026)
  - Version 1.3.0: Advanced features (Q3 2026)
  - Version 2.0.0: Enterprise features (Q4 2026)
- Created detailed ROADMAP.md for system_info role
  - Version 1.1.0: Enhanced monitoring & metrics (Q1 2026)
  - Version 1.2.0: Cloud & container support (Q2 2026)
  - Version 1.3.0: Hardware & firmware deep dive (Q3 2026)
  - Version 2.0.0: Visualization & reporting (Q4 2026)

## Error Handling Enhancements

### deploy_linux_vm Role - Block/Rescue/Always Pattern
- Wrapped deployment tasks in comprehensive error handling block
- Block section:
  - Pre-deployment VM name collision check
  - Enhanced IP address acquisition with better error messages
  - Descriptive failure messages for troubleshooting
- Rescue section (automatic rollback):
  - Diagnostic information gathering
  - VM status checking
  - Attempted console log capture
  - Automatic VM destruction and cleanup
  - Disk image removal (primary, LVM, cloud-init ISO)
  - Detailed troubleshooting guidance
- Always section:
  - Deployment logging to /var/log/ansible-vm-deployments.log
  - Success/failure tracking
- Improved task FQCNs (ansible.builtin.*)

## Handlers Implementation

### deploy_linux_vm Role - Complete Handler Suite
- VM Lifecycle Handlers:
  - restart vm, shutdown vm, destroy vm
- Cloud-Init Handlers:
  - regenerate cloud-init iso (full rebuild and reattach)
- Storage Handlers:
  - refresh libvirt storage pool
  - resize vm disk (with safe shutdown/start)
- Network Handlers:
  - refresh network configuration
  - restart libvirt network
- Libvirt Daemon Handlers:
  - restart libvirtd, reload libvirtd
- Cleanup Handlers:
  - cleanup temporary files
  - remove cloud-init iso
- Validation Handlers:
  - validate vm status
  - check connectivity

## Impact

### Security
- Eliminates hardcoded secrets from version control
- Implements industry best practices for secret management
- Provides clear guidance for secure deployment

### Maintainability
- CHANGELOGs enable version tracking and change auditing
- ROADMAPs provide clear development direction and prioritization
- Comprehensive error handling reduces debugging time
- Handlers enable modular, reusable state management

### Reliability
- Automatic rollback prevents partial deployments
- Comprehensive error messages reduce MTTR
- Handlers ensure consistent state management
- Better separation of concerns

### Compliance
- Aligns with CLAUDE.md security requirements
- Implements proper secrets management per organizational policy
- Provides audit trail through changelogs

## References

- ROLE_ANALYSIS_AND_IMPROVEMENTS.md: Initial analysis document
- CLAUDE.md: Organizational infrastructure standards

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

roles/deploy_linux_vm/ROADMAP.md

@@ -0,0 +1,185 @@
+# Roadmap - deploy_linux_vm Role
+
+This document outlines the planned improvements and future development for the `deploy_linux_vm` role.
+
+## Version 1.1.0 - Security & Compliance Hardening (Q1 2026)
+
+### Critical Priority
+
+- [ ] **Remove hardcoded secrets from defaults/main.yml**
+  - Move default passwords to Ansible Vault
+  - Use environment variables or external secret manager
+  - Document secret management in README
+  - Security impact: HIGH
+
+- [ ] **Implement comprehensive error handling**
+  - Add block/rescue/always patterns for all critical tasks
+  - Implement rollback mechanisms for failed deployments
+  - Add pre-flight validation checks
+  - Graceful cleanup on failure
+
+- [ ] **Add missing handlers**
+  - Handler for network configuration changes
+  - Handler for storage reconfiguration
+  - Handler for cloud-init regeneration
+  - Handler for VM restart if needed
+
+### High Priority
+
+- [ ] **Enhance Molecule testing**
+  - Create functional test scenarios
+  - Test VM creation and destruction
+  - Validate cloud-init configuration
+  - Test LVM partitioning verification
+  - Add security validation tests
+
+- [ ] **Input validation**
+  - Validate all required variables with assert module
+  - Check for valid VM resource ranges
+  - Validate network configuration parameters
+  - Ensure SSH key format is correct
+
+- [ ] **Idempotency improvements**
+  - Ensure tasks are fully idempotent
+  - Add proper changed_when conditions
+  - Implement check mode support
+
+## Version 1.2.0 - Multi-Distribution Support (Q2 2026)
+
+### High Priority
+
+- [ ] **RHEL/AlmaLinux/Rocky support**
+  - Create RHEL family cloud-init templates
+  - Add Kickstart support for bare-metal
+  - SELinux configuration in cloud-init
+  - DNF/YUM package management
+
+- [ ] **Ubuntu LTS version support**
+  - Test with Ubuntu 22.04 LTS
+  - Test with Ubuntu 24.04 LTS
+  - Autoinstall support for newer versions
+
+### Medium Priority
+
+- [ ] **SUSE/openSUSE support**
+  - Create SUSE-specific templates
+  - AutoYaST support for bare-metal
+  - AppArmor configuration
+
+## Version 1.3.0 - Advanced Features (Q3 2026)
+
+### Medium Priority
+
+- [ ] **Cloud provider support**
+  - AWS EC2 cloud-init integration
+  - Azure cloud-init support
+  - GCP metadata support
+  - DigitalOcean cloud-init
+
+- [ ] **Storage enhancements**
+  - Support for multiple disk configurations
+  - LVM thin provisioning option
+  - Encrypted LVM volumes (LUKS)
+  - Custom partition layouts
+
+- [ ] **Network enhancements**
+  - Multiple network interface support
+  - VLAN configuration
+  - Bond/bridge configuration
+  - IPv6 support
+
+### Low Priority
+
+- [ ] **Advanced security features**
+  - AIDE/Tripwire file integrity monitoring
+  - Automatic security updates configuration
+  - Firewall rules in cloud-init
+  - Fail2ban pre-configuration
+
+## Version 2.0.0 - Enterprise Features (Q4 2026)
+
+### High Priority
+
+- [ ] **Terraform/Pulumi integration**
+  - Terraform provider compatibility
+  - Pulumi resource support
+  - Infrastructure-as-code examples
+
+- [ ] **Monitoring and logging**
+  - Prometheus node_exporter in cloud-init
+  - Centralized logging configuration
+  - Health check endpoints
+  - Performance metrics collection
+
+### Medium Priority
+
+- [ ] **Backup and disaster recovery**
+  - LVM snapshot integration
+  - Backup schedule configuration
+  - Disaster recovery playbooks
+  - Point-in-time recovery support
+
+- [ ] **Compliance frameworks**
+  - CIS Benchmark compliance
+  - DISA STIG configuration
+  - PCI-DSS hardening
+  - HIPAA compliance options
+
+### Low Priority
+
+- [ ] **Container support**
+  - Docker pre-installation option
+  - Podman support for RHEL
+  - Kubernetes node preparation
+  - Container runtime selection
+
+## Continuous Improvements
+
+### Ongoing Tasks
+
+- [ ] **Documentation**
+  - Keep README.md updated with all features
+  - Add troubleshooting guide
+  - Create example playbooks for common scenarios
+  - Document all variables with examples
+
+- [ ] **Code quality**
+  - Regular ansible-lint compliance checks
+  - YAML formatting consistency
+  - Variable naming conventions
+  - Comment critical sections
+
+- [ ] **Testing**
+  - Expand Molecule test coverage
+  - Add integration tests
+  - Performance testing for large deployments
+  - Security scanning automation
+
+- [ ] **Performance optimization**
+  - Reduce deployment time
+  - Optimize cloud-init execution
+  - Parallel task execution where possible
+  - Fact caching optimization
+
+## Deferred/Under Consideration
+
+- [ ] Support for Windows VMs (cloud-init equivalent)
+- [ ] BSD operating system support
+- [ ] ARM architecture support
+- [ ] Bare-metal deployment support
+- [ ] PXE boot integration
+
+## Completed
+
+- [x] Initial role structure and basic functionality (v1.0.0)
+- [x] Cloud-init template for Debian/Ubuntu (v1.0.0)
+- [x] LVM partitioning configuration (v1.0.0)
+- [x] Ansible user creation with SSH keys (v1.0.0)
+- [x] Basic Molecule test structure (v1.0.0)
+- [x] CHANGELOG.md and ROADMAP.md creation (v1.0.0)
+
+---
+
+**Last Updated**: 2025-11-11
+**Current Version**: 1.0.0
+**Next Release**: 1.1.0 (Target: Q1 2026)