From 5891d7d831debb0dfdf19a90f59f29a5c1bd5dab Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Thu, 19 Mar 2026 15:42:41 -0600 Subject: [PATCH] test: ensure role gathers the facts it uses by having test clear_facts before include_role The role gathers the facts it uses. For example, if the user uses `ANSIBLE_GATHERING=explicit`, the role uses the `setup` module with the facts and subsets it requires. This change allows us to test this. Before every role invocation, the test will use `meta: clear_facts` so that the role starts with no facts. Create a task file tests/tasks/run_role_with_clear_facts.yml to do the tasks to clear the facts and run the role. Note that this means we don't need to use `gather_facts` for the tests. Some vars defined using `ansible_facts` have been changed to be defined with `set_fact` instead. This is because of the fact that `vars` are lazily evaluated - the var might be referenced when the facts have been cleared, and will issue an error like `ansible_facts["distribution"] is undefined`. This is typically done for blocks that have a `when` condition that uses `ansible_facts` and the block has a role invocation using run_role_with_clear_facts.yml These have been rewritten to define the `when` condition using `set_fact`. This is because the `when` condition is evaluated every time a task is invoked in the block, and if the facts are cleared, this will raise an undefined variable error. Signed-off-by: Rich Megginson --- tests/tasks/bind_slot_with_passphrase.yml | 5 ++- tests/tasks/run_role_with_clear_facts.yml | 37 ++++++++++++++++++++ tests/tasks/verify_idempotency.yml | 3 +- tests/tests_bind_high_availability.yml | 3 +- tests/tests_default.yml | 6 ++-- tests/tests_default_vars.yml | 6 ++-- tests/tests_error_handling.yml | 3 +- tests/tests_include_vars_from_parent.yml | 1 - tests/tests_key_rotation.yml | 6 ++-- tests/tests_passphrase_temporary.yml | 3 +- tests/tests_passphrase_temporary_keyfile.yml | 3 +- tests/tests_simple_bind.yml | 6 ++-- tests/tests_simple_bind_keyfile.yml | 3 +- tests/tests_simple_bind_unbind.yml | 3 +- tests/tests_simple_bind_unbind_keyfile.yml | 3 +- tests/tests_use_existing_binding.yml | 15 +++----- 16 files changed, 64 insertions(+), 42 deletions(-) create mode 100644 tests/tasks/run_role_with_clear_facts.yml diff --git a/tests/tasks/bind_slot_with_passphrase.yml b/tests/tasks/bind_slot_with_passphrase.yml index 1323eb1b..c7157c99 100644 --- a/tests/tasks/bind_slot_with_passphrase.yml +++ b/tests/tasks/bind_slot_with_passphrase.yml @@ -17,10 +17,9 @@ register: nbde_client_device_checksum_before - name: Perform binding with nbde_client role - include_role: - name: linux-system-roles.nbde_client - public: true + include_tasks: tasks/run_role_with_clear_facts.yml vars: + __sr_public: true nbde_client_bindings: - device: "{{ nbde_client_selected_device }}" slot: "{{ nbde_client_test_slot }}" diff --git a/tests/tasks/run_role_with_clear_facts.yml b/tests/tasks/run_role_with_clear_facts.yml new file mode 100644 index 00000000..d80b5323 --- /dev/null +++ b/tests/tasks/run_role_with_clear_facts.yml @@ -0,0 +1,37 @@ +--- +# Task file: clear_facts, run linux-system-roles.nbde_client. +# Include this with include_tasks or import_tasks +# Input: +# - __sr_tasks_from: tasks_from to run - same as tasks_from in include_role +# - __sr_public: export private vars from role - same as public in include_role +# - __sr_failed_when: set to false to ignore role errors - same as failed_when in include_role +- name: Clear facts + meta: clear_facts + +# note that you can use failed_when with import_role but not with include_role +# so this simulates the __sr_failed_when false case +# Q: Why do we need a separate task to run the role normally? Why not just +# run the role in the block and rethrow the error in the rescue block? +# A: Because you cannot rethrow the error in exactly the same way as the role does. +# It might be possible to exactly reconstruct ansible_failed_result but it's not worth the effort. +- name: Run the role with __sr_failed_when false + when: + - __sr_failed_when is defined + - not __sr_failed_when + block: + - name: Run the role + include_role: + name: linux-system-roles.nbde_client + tasks_from: "{{ __sr_tasks_from | default('main') }}" + public: "{{ __sr_public | default(false) }}" + rescue: + - name: Ignore the failure when __sr_failed_when is false + debug: + msg: Ignoring failure when __sr_failed_when is false + +- name: Run the role normally + include_role: + name: linux-system-roles.nbde_client + tasks_from: "{{ __sr_tasks_from | default('main') }}" + public: "{{ __sr_public | default(false) }}" + when: __sr_failed_when | d(true) diff --git a/tests/tasks/verify_idempotency.yml b/tests/tasks/verify_idempotency.yml index 653b356c..3cfb9e1c 100644 --- a/tests/tasks/verify_idempotency.yml +++ b/tests/tasks/verify_idempotency.yml @@ -1,7 +1,6 @@ --- - name: Use nbde_client role - idempotency check - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Verify idempotency of clevis operations assert: diff --git a/tests/tests_bind_high_availability.yml b/tests/tests_bind_high_availability.yml index 088faa4c..e44b9a99 100644 --- a/tests/tests_bind_high_availability.yml +++ b/tests/tests_bind_high_availability.yml @@ -16,8 +16,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml diff --git a/tests/tests_default.yml b/tests/tests_default.yml index 4c3cb515..42146161 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml @@ -1,8 +1,8 @@ --- - name: Ensure that the role runs with default parameters hosts: all - gather_facts: false - roles: - - linux-system-roles.nbde_client + tasks: + - name: Run nbde_client role + include_tasks: tasks/run_role_with_clear_facts.yml # vim:set ts=2 sw=2 et: diff --git a/tests/tests_default_vars.yml b/tests/tests_default_vars.yml index 4da22673..e1a4ed45 100644 --- a/tests/tests_default_vars.yml +++ b/tests/tests_default_vars.yml @@ -5,8 +5,10 @@ - name: Run test block: - name: Import role - import_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true + - name: Assert that the role declares all parameters in defaults assert: that: diff --git a/tests/tests_error_handling.yml b/tests/tests_error_handling.yml index fe94213f..13d35b4c 100644 --- a/tests/tests_error_handling.yml +++ b/tests/tests_error_handling.yml @@ -16,8 +16,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml rescue: - name: Extract the result set_fact: diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml index 1fdeab8f..da91e2d3 100644 --- a/tests/tests_include_vars_from_parent.yml +++ b/tests/tests_include_vars_from_parent.yml @@ -1,7 +1,6 @@ --- - name: Test role include variable override hosts: all - gather_facts: true tasks: - name: Create var file in caller that can override the one in called role delegate_to: localhost diff --git a/tests/tests_key_rotation.yml b/tests/tests_key_rotation.yml index fa3fc0c5..fd8972fd 100644 --- a/tests/tests_key_rotation.yml +++ b/tests/tests_key_rotation.yml @@ -15,8 +15,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml @@ -34,8 +33,7 @@ include_tasks: tasks/rotate_keys.yml - name: Use nbde_client role - idempotency check - change expected - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Assert change happened after key rotation assert: diff --git a/tests/tests_passphrase_temporary.yml b/tests/tests_passphrase_temporary.yml index b7b11e7d..b595f359 100644 --- a/tests/tests_passphrase_temporary.yml +++ b/tests/tests_passphrase_temporary.yml @@ -19,8 +19,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml diff --git a/tests/tests_passphrase_temporary_keyfile.yml b/tests/tests_passphrase_temporary_keyfile.yml index 6a6c14ff..3358b5d0 100644 --- a/tests/tests_passphrase_temporary_keyfile.yml +++ b/tests/tests_passphrase_temporary_keyfile.yml @@ -19,8 +19,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml diff --git a/tests/tests_simple_bind.yml b/tests/tests_simple_bind.yml index ae371c11..eb398f88 100644 --- a/tests/tests_simple_bind.yml +++ b/tests/tests_simple_bind.yml @@ -15,9 +15,9 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client - public: true + include_tasks: tasks/run_role_with_clear_facts.yml + vars: + __sr_public: true - name: Check ansible_managed, fingerprint in generated files include_tasks: tasks/check_header.yml diff --git a/tests/tests_simple_bind_keyfile.yml b/tests/tests_simple_bind_keyfile.yml index b8a6216b..14ae026d 100644 --- a/tests/tests_simple_bind_keyfile.yml +++ b/tests/tests_simple_bind_keyfile.yml @@ -15,8 +15,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml diff --git a/tests/tests_simple_bind_unbind.yml b/tests/tests_simple_bind_unbind.yml index 0fda1016..14ac34e8 100644 --- a/tests/tests_simple_bind_unbind.yml +++ b/tests/tests_simple_bind_unbind.yml @@ -18,8 +18,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml diff --git a/tests/tests_simple_bind_unbind_keyfile.yml b/tests/tests_simple_bind_unbind_keyfile.yml index 353155b8..531415a2 100644 --- a/tests/tests_simple_bind_unbind_keyfile.yml +++ b/tests/tests_simple_bind_unbind_keyfile.yml @@ -18,8 +18,7 @@ - name: Run the test block: - name: Use nbde_client role - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml - name: Attempt to unlock device include_tasks: tasks/verify_unlock_device.yml diff --git a/tests/tests_use_existing_binding.yml b/tests/tests_use_existing_binding.yml index d13d1e55..7891f2ba 100644 --- a/tests/tests_use_existing_binding.yml +++ b/tests/tests_use_existing_binding.yml @@ -8,8 +8,7 @@ include_tasks: tasks/setup_test.yml - name: Add binding to slot 1 - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml vars: nbde_client_bindings: - device: "{{ nbde_client_test_device }}" @@ -19,8 +18,7 @@ - http://localhost - name: Add binding to slot 2 without providing encryption_password - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml vars: nbde_client_bindings: - device: "{{ nbde_client_test_device }}" @@ -29,8 +27,7 @@ - http://localhost - name: Remove binding from slot 1 - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml vars: nbde_client_bindings: - device: "{{ nbde_client_test_device }}" @@ -86,8 +83,7 @@ state: absent - name: Add binding to slot 2 without providing encryption_password - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml vars: nbde_client_bindings: - device: "{{ nbde_client_test_device }}" @@ -96,8 +92,7 @@ - http://localhost - name: Remove binding from slot 1 - include_role: - name: linux-system-roles.nbde_client + include_tasks: tasks/run_role_with_clear_facts.yml vars: nbde_client_bindings: - device: "{{ nbde_client_test_device }}"