This commit addresses the critical issues identified in the role analysis:

## Security Improvements

### Remove Hardcoded Secrets (deploy_linux_vm)
- Replaced hardcoded SSH key in defaults/main.yml with vault variable reference
- Replaced hardcoded root password with vault variable reference
- Created vault.yml.example to document secret structure
- Updated README.md with comprehensive security best practices section
- Added documentation for Ansible Vault, external secret managers, and environment variables
- Included SSH key generation and password generation best practices

## Role Documentation & Planning

### CHANGELOG.md Files
- Created comprehensive CHANGELOG.md for deploy_linux_vm role
  - Documented v1.0.0 initial release features
  - Tracked v1.0.1 security improvements
- Created comprehensive CHANGELOG.md for system_info role
  - Documented v1.0.0 initial release
  - Tracked v1.0.1 critical bug fixes (block-level failed_when, Jinja2 templates, OS variables)

### ROADMAP.md Files
- Created detailed ROADMAP.md for deploy_linux_vm role
  - Version 1.1.0: Security & compliance hardening (Q1 2026)
  - Version 1.2.0: Multi-distribution support (Q2 2026)
  - Version 1.3.0: Advanced features (Q3 2026)
  - Version 2.0.0: Enterprise features (Q4 2026)
- Created detailed ROADMAP.md for system_info role
  - Version 1.1.0: Enhanced monitoring & metrics (Q1 2026)
  - Version 1.2.0: Cloud & container support (Q2 2026)
  - Version 1.3.0: Hardware & firmware deep dive (Q3 2026)
  - Version 2.0.0: Visualization & reporting (Q4 2026)

## Error Handling Enhancements

### deploy_linux_vm Role - Block/Rescue/Always Pattern
- Wrapped deployment tasks in comprehensive error handling block
- Block section:
  - Pre-deployment VM name collision check
  - Enhanced IP address acquisition with better error messages
  - Descriptive failure messages for troubleshooting
- Rescue section (automatic rollback):
  - Diagnostic information gathering
  - VM status checking
  - Attempted console log capture
  - Automatic VM destruction and cleanup
  - Disk image removal (primary, LVM, cloud-init ISO)
  - Detailed troubleshooting guidance
- Always section:
  - Deployment logging to /var/log/ansible-vm-deployments.log
  - Success/failure tracking
- Improved task FQCNs (ansible.builtin.*)

## Handlers Implementation

### deploy_linux_vm Role - Complete Handler Suite
- VM Lifecycle Handlers:
  - restart vm, shutdown vm, destroy vm
- Cloud-Init Handlers:
  - regenerate cloud-init iso (full rebuild and reattach)
- Storage Handlers:
  - refresh libvirt storage pool
  - resize vm disk (with safe shutdown/start)
- Network Handlers:
  - refresh network configuration
  - restart libvirt network
- Libvirt Daemon Handlers:
  - restart libvirtd, reload libvirtd
- Cleanup Handlers:
  - cleanup temporary files
  - remove cloud-init iso
- Validation Handlers:
  - validate vm status
  - check connectivity

## Impact

### Security
- Eliminates hardcoded secrets from version control
- Implements industry best practices for secret management
- Provides clear guidance for secure deployment

### Maintainability
- CHANGELOGs enable version tracking and change auditing
- ROADMAPs provide clear development direction and prioritization
- Comprehensive error handling reduces debugging time
- Handlers enable modular, reusable state management

### Reliability
- Automatic rollback prevents partial deployments
- Comprehensive error messages reduce MTTR
- Handlers ensure consistent state management
- Better separation of concerns

### Compliance
- Aligns with CLAUDE.md security requirements
- Implements proper secrets management per organizational policy
- Provides audit trail through changelogs

## References
- ROLE_ANALYSIS_AND_IMPROVEMENTS.md: Initial analysis document
- CLAUDE.md: Organizational infrastructure standards

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
41 lines
1.9 KiB
Plaintext
```yaml
---
# =============================================================================
# Deploy Linux VM Role - Vault Variables Example
# =============================================================================
# This file shows the structure for vault-encrypted variables.
#
# SECURITY INSTRUCTIONS:
# 1. Copy this file to your secrets directory or group_vars/all/vault.yml
# 2. Update the values with your actual secrets
# 3. Encrypt the file using ansible-vault:
#    ansible-vault encrypt group_vars/all/vault.yml
# 4. NEVER commit unencrypted secrets to version control
#
# Alternative: Use external secret managers:
# - HashiCorp Vault
# - AWS Secrets Manager
# - Azure Key Vault
# - CyberArk
# =============================================================================

# -----------------------------------------------------------------------------
# Ansible User SSH Key
# -----------------------------------------------------------------------------
# SSH public key for the ansible user
# Generate with: ssh-keygen -t ed25519 -C "ansible-automation"
vault_deploy_linux_vm_ansible_user_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ansible@automation"

# -----------------------------------------------------------------------------
# Root Password
# -----------------------------------------------------------------------------
# Root password for emergency console access
# Generate strong password with: openssl rand -base64 32
# This should be different for each environment (dev/staging/prod)
vault_deploy_linux_vm_root_password: "SuperSecurePassword!2024"

# -----------------------------------------------------------------------------
# Optional: Additional Secrets
# -----------------------------------------------------------------------------
# vault_deploy_linux_vm_api_key: "your-api-key-here"
# vault_deploy_linux_vm_registry_password: "container-registry-password"
```
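The example file above only helps if the real vault.yml is committed encrypted and defaults/main.yml carries `{{ vault_* }}` references rather than literals. The following pre-commit style checker is an added example, not code from the role; it assumes the `vault_` naming convention shown in the file and the `$ANSIBLE_VAULT;` header that ansible-vault writes, and its sample inputs are constructed.

```python
import re

# Assumed conventions (as in the example file): secrets live in vault_* variables,
# defaults reference them as Jinja2 expressions, encrypted files start with the header.
VAULT_HEADER = "$ANSIBLE_VAULT;"
SECRET_KEY_RE = re.compile(r"(ssh_key|password|api_key|token|secret)", re.I)
VAULT_REF_RE = re.compile(r"^\{\{\s*vault_\w+\s*\}\}$")
PLACEHOLDER_RE = re.compile(r"(XXXX|your-.*-here|changeme)", re.I)

def parse_top_level(text):
    """Yield (key, value) for simple top-level `key: value` lines; comments are skipped."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        m = re.match(r"^([A-Za-z_]\w*):\s*(.*)$", stripped)
        if m:
            yield m.group(1), m.group(2).strip().strip("\"'")

def scan_vault_file(text):
    """Findings for a vault file: an encrypted file is fine, plaintext vault_* values are not."""
    if text.startswith(VAULT_HEADER):
        return []
    findings = []
    for key, value in parse_top_level(text):
        if key.startswith("vault_") and value:
            kind = "placeholder still present" if PLACEHOLDER_RE.search(value) else "plaintext secret"
            findings.append(f"{key}: {kind}")
    return findings

def scan_defaults(text):
    """Findings for defaults/main.yml: secret-looking keys must be vault references."""
    return [f"{key}: hardcoded literal instead of vault reference"
            for key, value in parse_top_level(text)
            if SECRET_KEY_RE.search(key) and not VAULT_REF_RE.match(value)]

# Constructed samples (not the role's real files).
ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n3131313131313131\n"
PLAINTEXT_VAULT = """---
vault_deploy_linux_vm_ansible_user_ssh_key: "ssh-ed25519 AAAAXXXXXXXX ansible@automation"
vault_deploy_linux_vm_root_password: "SuperSecurePassword!2024"
"""
DEFAULTS_BEFORE = """---
deploy_linux_vm_ansible_user_ssh_key: "ssh-ed25519 AAAAC3Nza... ansible@automation"
deploy_linux_vm_root_password: "SuperSecurePassword!2024"
deploy_linux_vm_memory_mb: 2048
"""
DEFAULTS_AFTER = """---
deploy_linux_vm_ansible_user_ssh_key: "{{ vault_deploy_linux_vm_ansible_user_ssh_key }}"
deploy_linux_vm_root_password: "{{ vault_deploy_linux_vm_root_password }}"
"""
```

Run `scan_vault_file` over any file named vault.yml and `scan_defaults` over defaults/main.yml in a pre-commit hook; a non-empty result means the commit would reintroduce the hardcoded-secret problem this change removed.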