Testing Ansible Playbooks With ansible-lint

More Python To Create Tests To Run Over Your Ansible Playbooks

Vince Sesto
Splunk User Developer Administrator
Apr 4, 2019

If you’ve never even thought about testing your Ansible playbooks, it’s actually something you can achieve pretty easily using ansible-lint. It doesn’t go all the way to ensuring your playbook is 100% perfect, but by comparing your code and configurations to specific style guides and rules, ansible-lint goes part of the way toward limiting the issues that can arise during your infrastructure deployments.


Full credit goes to Will Thames for creating ansible-lint, which is available on GitHub (https://github.com/willthames). Although there is not a huge amount of documentation on the command, the defaults give you a lot of functionality, and we provide a few more details below.

First Install ansible-lint

Unfortunately, ansible-lint is not part of the Ansible package, so you may need to install it on your system if you have not installed it already. There are a number of ways you can add it to your system.

sudo apt install ansible-lint

  • It is a Python-based application just like Ansible, so you can also use pip:

pip2 install ansible-lint

  • To verify you have installed the application, check which version you are running by using the --version option:

ansible-lint --version
ansible-lint 3.4.20

Running ansible-lint Over Your Playbooks

All you need to do now is use the ansible-lint command with your playbook YAML file and it will run over all the configurations and roles associated with that playbook to make sure the playbook has the best possibility of running without any issues.

If we use the -v option, we also get some pretty nice output on the console. In our example below, we are using the test_deploy.yml playbook, which deploys a Splunk server into our environment. Fortunately, the role we use to deploy the server doesn’t seem to have too many issues besides some trailing whitespace in the code.

ansible-lint test_deploy.yml -v
Examining test_deploy.yml of type playbook
Examining server_deploy/roles/splunk_server/tasks/main.yml of type tasks
Examining server_deploy/roles/splunk_server/handlers/main.yml of type handlers
Examining server_deploy/roles/splunk_server/meta/main.yml of type meta

[ANSIBLE0002] Trailing whitespace
server_deploy/roles/splunk_server/tasks/main.yml:38
wait: true

[ANSIBLE0002] Trailing whitespace
server_deploy/roles/splunk_server/tasks/main.yml:48
port: 22

[ANSIBLE0002] Trailing whitespace
server_deploy/roles/splunk_server/tasks/main.yml:74
- debug:

Creating Your Own Lint Tests

There’s no reason why you can’t expand ansible-lint and create your own tests relevant to you. In the example below, we are going to write a simple test in Python to make sure you do not share your AWS credentials in your code. This isn’t a real world example, but it gives you a good indication of how to set up the code to create your own ansible-lint test.

1. Start by creating a directory in your working directory. In this instance we will call it test_rules:

mkdir test_rules

2. We will call our new test AWSCredentials.py, so we can create the file in our new directory:

touch test_rules/AWSCredentials.py

3. We can now set up the following Python code, which tests that we have not included the values of aws_access_key_id or aws_secret_access_key anywhere in our playbooks or roles:

 1 from ansiblelint import AnsibleLintRule
 2
 3 class AWSCredentials(AnsibleLintRule):
 4     id = 'TESTLINT01'
 5     shortdesc = 'Playbook May Contain AWS Credentials'
 6     description = 'AWS credentials should not be included in variables, especially if they are stored publicly'
 7     tags = ['variables']
 8
 9     def match(self, file, line):  # called once for each line of each file
10         if "aws_access_key_id" in line:
11             self.shortdesc  # no effect; the message comes from shortdesc above
12             return True  # True reports the line as a match
13         if "aws_secret_access_key" in line:
14             self.shortdesc  # no effect, as on line 11
15             return True
16         return False

In the code above, we start by importing the AnsibleLintRule class from the ansiblelint library, and we then create a class extending it on line 3. Lines 4, 5 and 6 set the test ID and the descriptions to show if the test finds something. Lines 9 to 16 are the function that is run as part of the test, looking for the specific values “aws_access_key_id” and “aws_secret_access_key” in our code.

4. To test our changes, we can create a basic playbook that will only set a variable, and hopefully trigger our new test. In our working directory, create a new playbook called test_play.yml and add in the following code:

1 ---
2 - hosts: all
3   tasks:
4     - name: AWS Creds
5       var:
6         aws_secret_access_key: AKIAJL123456789qazw

5. You don’t have to worry, as it is not an actual secret key. To run our new test over this playbook, all we do is use ansible-lint with the -r option to point it at the rules directory we created:

ansible-lint test_play.yml -r test_rules/
[TESTLINT01] Playbook May Contain AWS Credentials
test_play.yml:6
aws_secret_access_key: AKIAJL123456789qazw

As you can see our new test has found an issue in our test playbook, giving us the exact location of the issue.
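The rule above matches on the variable name alone, so it also fires on lines that only reference a vaulted or templated value and misses a key stored under another name. The following is an added example, not code from the original post: a stricter rule that flags hard-coded values only. The class name AWSCredentialValues, the ID TESTLINT02, the helper names and the sample lines are assumptions made for illustration.

```python
import re

try:
    from ansiblelint import AnsibleLintRule   # ansible-lint 3.x path used on this page
except ImportError:
    class AnsibleLintRule(object):            # stand-in so match() runs without ansible-lint
        pass

# Access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 characters
KEY_ID_RE = re.compile(r'\b(?:AKIA|ASIA)[A-Z0-9]{16}\b')
# A credential variable being assigned with ":" (YAML) or "=" (key=value args)
ASSIGN_RE = re.compile(r'\b(?:aws_access_key_id|aws_secret_access_key)\s*[:=]\s*(.*)$')


def is_literal(value):
    """Return True when the assigned value is hard-coded, not a reference."""
    value = value.strip().strip('"\'')
    if not value or value.startswith('#'):
        return False      # nothing assigned on this line
    if value.startswith('!vault') or '{{' in value:
        return False      # Ansible Vault data or a Jinja2 variable/lookup
    return True


class AWSCredentialValues(AnsibleLintRule):
    id = 'TESTLINT02'     # hypothetical ID, following the page's TESTLINT01
    shortdesc = 'Playbook Contains A Hard-Coded AWS Credential'
    description = 'Credential values belong in Ansible Vault or the environment, not in playbooks'
    tags = ['variables']

    def match(self, file, line):
        if KEY_ID_RE.search(line):
            return True   # key ID pattern, whatever the variable is called
        found = ASSIGN_RE.search(line)
        return bool(found and is_literal(found.group(1)))


# Constructed sample lines; line 4 uses the example key ID from AWS documentation
SAMPLE_LINES = [
    '    aws_secret_access_key: AKIAJL123456789qazw',
    '    aws_secret_access_key: "{{ vault_aws_secret_key }}"',
    "    aws_access_key_id: \"{{ lookup('env', 'AWS_ACCESS_KEY_ID') }}\"",
    '    deploy_user_key: AKIAIOSFODNN7EXAMPLE',
    '    - name: Load aws_secret_access_key from vault',
]


def flagged(lines):
    """Return the 1-based numbers of the lines the rule matches."""
    rule = AWSCredentialValues()
    return [n for n, text in enumerate(lines, 1) if rule.match(None, text)]
```

Saved in the test_rules directory, the class is picked up by the same -r option; flagged(SAMPLE_LINES) reports lines 1 and 4 and leaves the vaulted, templated and name-only lines alone.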


About The Author

DevOps Engineer, Endurance Athlete and Author. As a DevOps Engineer I specialize in Linux and Open Source Applications. I am particularly interested in Search Marketing and Analytics, and am currently developing my skills in DevOps, continuous integration, security, Splunk (UI and Reporting) and development (Java).
