feat: Improve Ansible/Jinja2 validation (#752)

alessfg · alessfg · commit ece31b114743 · 2024-07-29T13:59:19.000+02:00
diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml
@@ -1,40 +1,40 @@
 ---
-  name: F5 CLA
-  on:
-    issue_comment:
-      types: [created]
-    pull_request_target:
-      types: [opened, closed, synchronize]
-  permissions: read-all
-  jobs:
-    f5-cla:
-      name: F5 CLA
-      runs-on: ubuntu-24.04
-      permissions:
-        actions: write
-        pull-requests: write
-        statuses: write
-      steps:
-        - name: Run F5 Contributor License Agreement (CLA) assistant
-          if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
-          uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
-          with:
-            # Any pull request targeting the following branch will trigger a CLA check.
-            branch: main
-            # Path to the CLA document.
-            path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
-            # Custom CLA messages.
-            custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
-            custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
-            custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
-            # Remote repository storing CLA signatures.
-            remote-organization-name: f5
-            remote-repository-name: f5-cla-data
-            path-to-signatures: signatures/signatures.json
-            # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
-            allowlist: alessfg, oxpa, bot*
-            # Do not lock PRs after a merge.
-            lock-pullrequest-aftermerge: false
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
+name: F5 CLA
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+permissions: read-all
+jobs:
+  f5-cla:
+    name: F5 CLA
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+      pull-requests: write
+      statuses: write
+    steps:
+      - name: Run F5 Contributor License Agreement (CLA) assistant
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@9340315624c6e16cef1f2c63bdeb0f0c49c6f474 # v2.4.0
+        with:
+          # Any pull request targeting the following branch will trigger a CLA check.
+          branch: main
+          # Path to the CLA document.
+          path-to-document: https://github.com/f5/.github/blob/main/CLA/cla-markdown.md
+          # Custom CLA messages.
+          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:'
+          custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
+          custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
+          # Remote repository storing CLA signatures.
+          remote-organization-name: f5
+          remote-repository-name: f5-cla-data
+          path-to-signatures: signatures/signatures.json
+          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
+          allowlist: alessfg, oxpa, bot*
+          # Do not lock PRs after a merge.
+          lock-pullrequest-aftermerge: false
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,20 +1,20 @@
 ---
-  name: Release Drafter
-  on:
-    push:
-      branches: [main]
-    pull_request_target:
-      types: [opened, reopened, synchronize]
-  permissions: read-all
-  jobs:
-    release-draft:
-      name: Update release draft
-      runs-on: ubuntu-24.04
-      permissions:
-        contents: write
-        pull-requests: write
-      steps:
-        - name: Run release drafter
-          uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+name: Release Drafter
+on:
+  push:
+    branches: [main]
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+permissions: read-all
+jobs:
+  release-draft:
+    name: Update release draft
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Run release drafter
+        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ FEATURES:
 - Add support for installing NGINX Open Source on Alpine Linux 3.20.
 - Add support for installing NGINX Agent on Ubuntu noble.
 - Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed.
+- Bump the minimum version of Ansible supported to `2.16`, whilst clarifying that Ansible `2.18` is not supported at this stage.
 - Bump the Ansible `community.general` collection to `9.2.0`, `community.crypto` collection to `2.21.1` and `community.docker` collection to `3.11.0`.
 
 DOCUMENTATION:
@@ -28,6 +29,7 @@ CI/CD:
 - Update GitHub Actions to Ubuntu 24.04.
 - Switch GitHub Actions from using tags to release hashes.
 - Remove commented out Molecule platforms and GitHub Actions QEMU step for the time being. These changes will be reverted if multi-arch testing can be reinstated in GitHub Actions.
+- Bump the minimum version of Ansible supported on Ansible Galaxy to `2.16`.
 - Remove platform metadata from the Ansible Galaxy role metadata since platforms are no longer supported in Ansible Galaxy NG.
 - Implement OSSF Scorecard.
 
@@ -62,7 +64,7 @@ CI/CD:
 - Add Molecule tests for NGINX Amplify.
 - Update the RHEL based tests to use the latest UBI release.
 - Use the local role name (`ansible-role-nginx`) instead of the fully qualified role name (`nginxinc.nginx`) in Molecule to ensure tests always work as intended in environments where the role has been already installed beforehand.
-- Implement F5 CLA signatures.
+- Implement F5 CLA.
 - Hardcode version of Python requests module given its propensity to break the Docker Python SDK.
 
 ## 0.24.2 (October 3rd, 2023)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -21,7 +21,7 @@ Follow this project's [Installation Guide](/README.md#Installation) to install A
 
 ### Project Structure
 
-- The NGINX Ansible role is written in `yaml` and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
+- The NGINX Ansible role is written in [`yaml`](https://yaml.org) and supports NGINX Open Source, NGINX Plus, NGINX Agent and NGINX Amplify.
 - The project follows the standard [Ansible role directory structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_reuse_roles.html):
   - The main "codebase" is found in the [`tasks/`](/tasks/) directory.
   - Variables can be found in [`defaults/main/`](/defaults/main/). The filenames in this directory highlight which variables are contained in each file.
diff --git a/README.md b/README.md
@@ -45,6 +45,8 @@ This will also ensure you are deploying/running this role with a fully tested ve
 #### Ansible core
 
 - This role is developed and tested with [maintained](https://docs.ansible.com/ansible/devel/reference_appendices/release_and_maintenance.html) versions of Ansible core and Python.
+
+  ***Note:** Ansible `2.18` does no longer support the `yum` module and as such, is not supported by this role until Amazon Linux 2 reaches EoL.*
 - When using Ansible core, you will also need to install the following Ansible collections:
 
   ```yaml
@@ -96,7 +98,7 @@ If you want to contribute to this role, you will also need to install Ansible Li
 
 - Molecule is used to test the various functionalities of the role.
 - Instructions on how to install Molecule can be found in the [Molecule website](https://molecule.readthedocs.io/en/latest/installation.html). *You will also need to install the Molecule plugins package and the Docker Python SDK.*
-- To run any of the NGINX Plus Molecule tests, you must first copy your NGINX Plus license to the role's [`files/license`](https://github.com/nginxinc/ansible-role-nginx/blob/main/files/license/) directory.
+- To run any of the NGINX Plus Molecule tests, you must first copy your NGINX Plus license to the role's [`files/license`](/files/license/) directory.
 
   You can alternatively add your NGINX Plus repository certificate and key to the local environment. Run the following commands to export these files as base64-encoded variables and execute the Molecule tests:
 
@@ -292,44 +294,44 @@ Ubuntu:
 
 ## Role Variables
 
-This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/)** directory in the following files:
+This role has multiple variables. The descriptions and defaults for all these variables can be found in the **[`defaults/main/`](/defaults/main/)** directory in the following files:
 
 | Name | Description |
 | ---- | ----------- |
-| **[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/main.yml)** | NGINX installation variables |
-| **[`agent.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/agent.yml)** | NGINX Agent installation variables |
-| **[`amplify.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/amplify.yml)** | NGINX Amplify agent installation variables |
-| **[`bsd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/bsd.yml)** | BSD installation variables |
-| **[`logrotate.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/logrotate.yml)** | Logrotate configuration variables |
-| **[`selinux.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/selinux.yml)** | SELinux configuration variables |
-| **[`systemd.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/defaults/main/systemd.yml)** | Systemd configuration variables |
+| **[`main.yml`](/defaults/main/main.yml)** | NGINX installation variables |
+| **[`agent.yml`](/defaults/main/agent.yml)** | NGINX Agent installation variables |
+| **[`amplify.yml`](/defaults/main/amplify.yml)** | NGINX Amplify agent installation variables |
+| **[`bsd.yml`](/defaults/main/bsd.yml)** | BSD installation variables |
+| **[`logrotate.yml`](/defaults/main/logrotate.yml)** | Logrotate configuration variables |
+| **[`selinux.yml`](/defaults/main/selinux.yml)** | SELinux configuration variables |
+| **[`systemd.yml`](/defaults/main/systemd.yml)** | Systemd configuration variables |
 
-Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/)** directory in the following files:
+Similarly, descriptions and defaults for preset variables can be found in the **[`vars/`](/vars/)** directory in the following files:
 
 | Name | Description |
 | ---- | ----------- |
-| **[`main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/vars/main.yml)** | List of supported NGINX platforms, modules, and Linux installation variables |
+| **[`main.yml`](/vars/main.yml)** | List of supported NGINX platforms, modules, and Linux installation variables |
 
 ## Example Playbooks
 
-Working functional playbook examples can be found in the **[`molecule/`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/)** folder in the following files:
+Working functional playbook examples can be found in the **[`molecule/`](/molecule/)** folder in the following files:
 
 | Name | Description |
 | ---- | ----------- |
-| **[`agent/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/agent/converge.yml)** | Install and configure NGINX Agent to connect to the NGINX One SaaS control plane on F5 Distributed Cloud |
-| **[`amplify/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/amplify/converge.yml)** | Install and configure the NGINX Amplify agent |
-| **[`default/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/default/converge.yml)** | Install a specific version of NGINX, install various NGINX supported modules, tweak systemd and set up logrotate |
-| **[`distribution/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/distribution/converge.yml)** | Install NGINX from the distribution's package repository instead of NGINX's package repository |
-| **[`downgrade/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/downgrade/converge.yml)** | Downgrade to a specific version of NGINX |
-| **[`downgrade-plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/downgrade-plus/converge.yml)** | Downgrade to a specific version of NGINX Plus |
-| **[`plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/plus/converge.yml)** | Install NGINX Plus and various NGINX Plus supported modules |
-| **[`source/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/source/converge.yml)** | Install NGINX from source |
-| **[`stable/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/stable/converge.yml)** | Install NGINX using the latest stable release |
-| **[`uninstall/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/uninstall/converge.yml)** | Uninstall NGINX |
-| **[`uninstall-plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/uninstall-plus/converge.yml)** | Uninstall NGINX Plus |
-| **[`upgrade/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/upgrade/converge.yml)** | Upgrade NGINX |
-| **[`upgrade-plus/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/upgrade-plus/converge.yml)** | Upgrade NGINX Plus |
-| **[`version/converge.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/main/molecule/version/converge.yml)** | Install a specific version of NGINX and various NGINX modules |
+| **[`agent/converge.yml`](/molecule/agent/converge.yml)** | Install and configure NGINX Agent to connect to the NGINX One SaaS control plane on F5 Distributed Cloud |
+| **[`amplify/converge.yml`](/molecule/amplify/converge.yml)** | Install and configure the NGINX Amplify agent |
+| **[`default/converge.yml`](/molecule/default/converge.yml)** | Install a specific version of NGINX, install various NGINX supported modules, tweak systemd and set up logrotate |
+| **[`distribution/converge.yml`](/molecule/distribution/converge.yml)** | Install NGINX from the distribution's package repository instead of NGINX's package repository |
+| **[`downgrade/converge.yml`](/molecule/downgrade/converge.yml)** | Downgrade to a specific version of NGINX |
+| **[`downgrade-plus/converge.yml`](/molecule/downgrade-plus/converge.yml)** | Downgrade to a specific version of NGINX Plus |
+| **[`plus/converge.yml`](/molecule/plus/converge.yml)** | Install NGINX Plus and various NGINX Plus supported modules |
+| **[`source/converge.yml`](/molecule/source/converge.yml)** | Install NGINX from source |
+| **[`stable/converge.yml`](/molecule/stable/converge.yml)** | Install NGINX using the latest stable release |
+| **[`uninstall/converge.yml`](/molecule/uninstall/converge.yml)** | Uninstall NGINX |
+| **[`uninstall-plus/converge.yml`](/molecule/uninstall-plus/converge.yml)** | Uninstall NGINX Plus |
+| **[`upgrade/converge.yml`](/molecule/upgrade/converge.yml)** | Upgrade NGINX |
+| **[`upgrade-plus/converge.yml`](/molecule/upgrade-plus/converge.yml)** | Upgrade NGINX Plus |
+| **[`version/converge.yml`](/molecule/version/converge.yml)** | Install a specific version of NGINX and various NGINX modules |
 
 > [!NOTE]
 > If you install this repository via Ansible Galaxy, you will need to replace the `include_role` variable in the example playbooks from `ansible-role-nginx` to `nginxinc.nginx`.
@@ -346,7 +348,7 @@ You can find the Ansible NGINX Unit role to install NGINX Unit [here](https://gi
 
 ## License
 
-[Apache License, Version 2.0](https://github.com/nginxinc/ansible-role-nginx/blob/main/LICENSE)
+[Apache License, Version 2.0](/LICENSE)
 
 ## Author Information
 
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-- name: Validate distribution and role variables
+- name: Validate Ansible/Jinja2 version, role variables, and supported distributions
   ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate/validate.yml"
   tags: nginx_validate
 
diff --git a/tasks/validate/validate.yml b/tasks/validate/validate.yml
diff --git a/vars/main.yml b/vars/main.yml
