fix: resolve deprecation warnings and move become flag to required re…

…sources
Axione · Apr 16, 2019 · c404967 · c404967
1 parent d68c47a
commit c404967
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 7 deletions.
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -2,4 +2,5 @@
 # handlers file for vault
 
 - name: Restart vault
+  become: true
   service: name=vault state=restarted
diff --git a/tasks/asserts.yml b/tasks/asserts.yml
@@ -11,28 +11,28 @@
     msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
   when:
     - ansible_distribution in ['RedHat', 'CentOS']
-    - ansible_distribution_version|version_compare(7, '<')
+    - ansible_distribution_version is version(7, '<')
 
 - name: Fail if not a new release of Debian
   fail:
     msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
   when:
     - ansible_distribution == "Debian"
-    - (ansible_distribution_version != 'buster/sid') and (ansible_distribution_version is version_compare(8.5, '<'))
+    - (ansible_distribution_version != 'buster/sid') and (ansible_distribution_version is version(8.5, '<'))
 
 - name: Fail if not a new release of FreeBSD
   fail:
     msg: "{{ ansible_distribution_version }} is not a supported version."
   when:
     - ansible_distribution == "FreeBSD"
-    - ansible_distribution_version|version_compare(10, '<')
+    - ansible_distribution_version is version(10, '<')
 
 - name: Fail if not a new release of Ubuntu
   fail:
     msg: "{{ ansible_distribution_version }} is not a supported version of {{ ansible_distribution }} for this role"
   when:
     - ansible_distribution == "Ubuntu"
-    - ansible_distribution_version|version_compare(13.04, '<')
+    - ansible_distribution_version is version(13.04, '<')
 
 - name: Check for vault_redirect_address usage
   debug:

diff --git a/tasks/install.yml b/tasks/install.yml
@@ -2,6 +2,7 @@
 # File: tasks/install.yml - package installation tasks for vault
 
 - name: OS packages
+  become: true
   package:
     name: "{{ item }}"
     state: present
@@ -16,7 +17,7 @@
   tags: installation
   when:
     - ansible_distribution == "Debian"
-    - (ansible_distribution_version == 'buster/sid') or (ansible_distribution_version is version_compare(8.5, '>'))
+    - (ansible_distribution_version == 'buster/sid') or (ansible_distribution_version is version(8.5, '>'))
 
 - name: Check Vault package checksum file (local)
   stat:
@@ -77,6 +78,7 @@
   delegate_to: 127.0.0.1
 
 - name: Install Vault
+  become: true
   copy:
     src: "{{ role_path }}/files/vault"
     dest: "{{ vault_bin_path }}"

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -5,6 +5,7 @@
   include: asserts.yml
 
 - name: "Add Vault user"
+  become: true
   user:
     name: "{{ vault_user }}"
     comment: "Vault user"
@@ -57,16 +58,19 @@
     - installation_required | bool
 
 - name: Check Vault mlock capability
+  become: true
   command: "setcap -v cap_ipc_lock=+ep {{ vault_bin_path }}/vault"
   changed_when: false  # read-only task
   ignore_errors: true
   register: vault_mlock_capability
 
 - name: Enable non root mlock capability
+  become: true
   command: "setcap cap_ipc_lock=+ep {{ vault_bin_path }}/vault"
   when: vault_mlock_capability is failed
 
 - name: Create directories
+  become: true
   file:
     dest: "{{ item }}"
     state: directory
@@ -89,7 +93,7 @@
 
 - name: TLS configuration
   include: ../tasks/tls.yml
-  when: vault_tls_disable == 0
+  when: vault_tls_disable == 0 or vault_tls_gossip == 1
 
 - name: "Copy over GCP Credentials for Auto Unseal"
   copy:
@@ -101,6 +105,7 @@
   when: vault_gkms | bool
 
 - name: Listener configuration
+  become: true
   template:
     src: "{{ vault_listener_template }}"
     dest: "{{ vault_main_config }}"
@@ -157,6 +162,7 @@
   tags: skip_ansible_lint
 
 - name: systemd unit
+  become: true
   template:
     src: "{{ vault_systemd_template }}"
     dest: /lib/systemd/system/vault.service
@@ -171,6 +177,7 @@
     - systemd_version is defined
 
 - name: reload systemd
+  become: true
   systemd:
     daemon-reload: true
   when:
@@ -181,6 +188,7 @@
     - systemd_unit is changed
 
 - name: Start Vault
+  become: true
   service:
     name: vault
     state: started

diff --git a/tasks/tls.yml b/tasks/tls.yml
@@ -2,6 +2,7 @@
 # File: tasks/tls.yml - TLS tasks for Vault
 
 - name: Create TLS directory
+  become: true
   file:
     dest: "{{ item }}"
     state: directory
@@ -11,6 +12,7 @@
     - "{{ vault_tls_config_path }}"
 
 - name: Vault SSL Certificate and Key
+  become: true
   copy:
     remote_src: "{{ vault_tls_files_remote_src }}"
     src: "{{ item.src }}"

diff --git a/templates/vault_service_systemd.j2 b/templates/vault_service_systemd.j2
@@ -25,7 +25,7 @@ PrivateTmp=yes
 PrivateDevices=yes
 SecureBits=keep-caps
 Capabilities=CAP_IPC_LOCK+ep
-{% if systemd_version.stdout | version_compare('230', '>=') %}
+{% if systemd_version.stdout is version('230', '>=') %}
 AmbientCapabilities=CAP_SYSLOG CAP_IPC_LOCK
 {% endif %}
 CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK