Move molecule config for playbooks into playbooks/ folder

.github/workflows/molecule-install-xnat.yml

@@ -4,7 +4,8 @@ on:
     paths:
       - "roles/xnat/**"
       - "roles/xnat_container_service/**"
-      - ".github/workflows/molecule.yml"
+      - "playbooks/install_xnat.yml"
+      - "playbooks/install_container_service.yml"
       - ".github/workflows/molecule-install-xnat.yml"
   release:
     types: [published]
@@ -16,8 +17,8 @@ jobs:
       fail-fast: true
       matrix:
         scenario:
-          - centos7_install_xnat
-          - rocky9_install_xnat
+          - centos7_xnat
+          - rocky9_xnat
     env:
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
@@ -40,5 +41,5 @@ jobs:
 
       - name: Test with molecule
         run: |
-          cd ansible_collections/mirsg/infrastructure/tests
+          cd ansible_collections/mirsg/infrastructure/playbooks
           molecule converge --scenario-name  "${{ matrix.scenario }}"

.github/workflows/molecule-monitoring.yml

@@ -4,7 +4,6 @@ on:
     paths:
       - "roles/monitoring_client/**"
       - "roles/monitoring_server/**"
-      - ".github/workflows/molecule.yml"
       - ".github/workflows/molecule-monitoring.yml"
 
 jobs:
@@ -17,7 +16,6 @@ jobs:
           - centos7_monitoring
           - rocky9_monitoring
     env:
-      MOLECULE_RUN_TAGS: monitoring
       PY_COLORS: 1
       ANSIBLE_FORCE_COLOR: 1
 
@@ -48,5 +46,5 @@ jobs:
       - name: Test with molecule
         shell: bash
         run: |
-          cd ansible_collections/mirsg/infrastructure/tests
+          cd ansible_collections/mirsg/infrastructure/playbooks
           molecule test --scenario-name  ${{ matrix.scenario }}

.github/workflows/molecule.yml

@@ -9,7 +9,7 @@ on:
         required: true
         type: string
       base-config-path:
-        default: ../../tests/
+        default: ../../molecule_configs/
         type: string
 
 jobs:

README.md

@@ -82,7 +82,7 @@ of duplication in the setup for testing each role. There are two base configurat
 that correspond to two [Molecule
 scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios)
 one for testing on CentOS 7 and another for testing on RockyLinux 9. The base configurations
-are in the `ansible_collections/mirsg/infrastructure/tests` folder.
+are in the `ansible_collections/mirsg/infrastructure/molecule_configs` folder.
 
 To run the tests for a specific role, first navigate the the role directory, e.g.
 
@@ -94,7 +94,7 @@ Then invoke Molecule with a base config and corresponding scenario. To run the
 tests on CentOS 7:
 
 ```shell
-molecule --base-config ../../tests/centos7_base_config.yml test --scenario centos7
+molecule --base-config ../../molecule_configs/centos7_base_config.yml test --scenario centos7
 ```
 
 This command will:
@@ -114,7 +114,7 @@ This command will:
 To run the tests on Rocky 9 instead:
 
 ```shell
-molecule --base-config ../../tests/rocky9_base_config.yml test --scenario rocky9
+molecule --base-config ../../molecule_configs/rocky9_base_config.yml test --scenario rocky9
 ```
 
 ### Inspecting the Container
@@ -127,7 +127,7 @@ If you would like to be able to access the test container, you should instead
 use the `molecule converge` command. To run this on CentOS 7:
 
 ```shell
-molecule --base-config ../../tests/centos7_base_config.yml converge --scenario centos7
+molecule --base-config ../../molecule_configs/centos7_base_config.yml converge --scenario centos7
 ```
 
 This will install necessary Ansible roles and collections, create the test
@@ -140,14 +140,14 @@ Once the command has finished running, you can access the container using the
 name of the scenario. To access the container for the `centos7` scenario:
 
 ```shell
-molecule --base-config ../../tests/centos7_base_config.yml login --scenario centos7
+molecule --base-config ../../molecule_configs/centos7_base_config.yml login --scenario centos7
 ```
 
 If testing a role or playbook where Molecule creates multiple containers,
 individual hosts can be accessed using the `--host` flag:
 
 ```shell
-molecule --base-config ../../tests/centos7_base_config.yml login --scenario centos7_monitoring --host mserv
+molecule --base-config ../../molecule_configs/centos7_base_config.yml login --scenario centos7_monitoring --host mserv
 ```
 
 #### Destroy the container
@@ -157,36 +157,36 @@ container, network, and volumes yourself. You can do this using the `molecule
 destroy` command:
 
 ```shell
-molecule --base-config ../../tests/centos7_base_config.yml  destroy --scenario centos7
+molecule --base-config ../../molecule_configs/centos7_base_config.yml  destroy --scenario centos7
 ```
 
 ### Test a playbook
 
 Playbooks in the collection can also be tested using Molecule. The Molecule
 configuration for playbooks is in the
-`ansible_collections/mirsg/infrastructure/tests` folder.
+`ansible_collections/mirsg/infrastructure/playbooks/molecule` folder.
 
 An example of how to setup testing for a playbook can be seen by looking at
 the tests for the `mirsg.install_monitoring` playbook in this collection.
 This is tested on CentOS 7 and RockyLinux 9 using the
-[centos7_monitoring](./tests/molecule/centos7_monitoring/) and
-[rocky9_monitoring](./tests/molecule/rocky9_monitoring/) scenarios.
+[centos7_monitoring](./playbooks/molecule/centos7_monitoring/) and
+[rocky9_monitoring](./playbooks/molecule/rocky9_monitoring/) scenarios.
 
 An inventory
 and associated group variables can be found in
-[resources/monitoring/inventory](./tests/molecule/resources/monitoring/inventory/).
+[playbooks/molecule/resources/monitoring/inventory](./playbooks/molecule/resources/monitoring/inventory/).
 Testing the playbook also requires its own
-[converge.yml](./tests/molecule/resources/monitoring/converge.yml) playbook but
-it uses the shared [prepare.yml](./tests/molecule/resources/shared/prepare.yml)
-playbook. Running the tests then proceeds as with testing the roles:
+[converge.yml](./playbooks/molecule/resources/monitoring/converge.yml), and optional
+`prepare.yml` and `verify.yml` playbooks.
+Running the tests then proceeds as with testing the roles:
 
 ```shell
-molecule --base-config centos7_base_config.yml test --scenario centos7_monitoring
+molecule --base-config ../molecule_configs/centos7_base_config.yml test --scenario centos7_monitoring
 ```
 
 ### Integration tests
 
-When a PR that modifies a role is opened, the changes are
+When a PR that modifies a role or playbook is opened, the changes are
 [tested](.github/workflows/) by deploying that role using GitHub Actions. See
 the [`molecule-firewalld` workflow](.github/workflows/molecule-firewalld.yml)
 for an example.

molecule_configs/README.md

@@ -0,0 +1,12 @@
+# mirsg.infrastructure Molecule base configurations
+
+This folder contains base configurations for running tests with [Ansible
+Molecule](https://ansible.readthedocs.io/projects/molecule/).
+
+The base configuration is merged with - and can be overridden by - the scenario
+configuration. To use a base configuration, specify the path to one of the files
+in this directory. For example, to use the CentOS 7 base configuration:
+
+```
+molecule --base-config <path to molecule_configs>/centos7_base_config.yml
+```

playbooks/README.md

@@ -0,0 +1,86 @@
+# mirsg.infrastructure playbooks
+
+This collection contains playbooks for deploying XNAT and setting up monitoring of servers.
+
+## Molecule setup
+
+This collection is tested using Ansible Molecule.
+
+Each playbook has its own Molecule configuration, which can be found in the
+`ansible_collections/mirsg/infrastructure/playbooks/molecule/` folder.
+Molecule base configurations are used to reduce to amount
+of duplication in the setup for testing each playbook. There are two base configurations
+that correspond to two [Molecule
+scenarios](https://ansible.readthedocs.io/projects/molecule/getting-started/#molecule-scenarios)
+one for testing on CentOS 7 and another for testing on RockyLinux 9. The base configurations
+are in the `ansible_collections/mirsg/infrastructure/molecule_configs` folder.
+
+## Adding a new playbook
+
+To add a new playbook to this collection, you will need to:
+
+1. add the playbook to the `playbooks/` folder
+2. add a molecule configuration for the playbook to the `playbooks/molecule/` folder
+3. add a workflow for the playbook to the `.github/workflows` folder
+
+### Add a new playbook to the playbooks folder
+
+The playbooks in an Ansible Collection are the same as any other playbook - no special
+setup is required. If you create a playbook
+`ansible_collections/mirsg/infrastructure/playbooks/my_playbook.yml`, you will be able to
+run the playbook using `ansible-playbook`:
+
+```bash
+ansible-playbook mirsg.infrastructure.my_playbook
+```
+
+or include it within another playbook:
+
+```yaml
+- name: Run my_playbook
+  ansible.builtin.import_playbook: mirsg.infrastructure.my_playbook
+```
+
+### Add a molecule configuration
+
+Create CentOS 7 and RockyLinux 9 scenarios for your playbook in
+`ansible_collections/mirsg/infrastructure/playbooks/molecule`. See
+the `mirsg.infrastructure.install_monitoring`
+[CentOS 7](./molecule/centos7_monitoring/) and
+[RockyLinux 9](./molecule/rocky9_monitoring/) scenarios for an example
+configuration.
+
+Add the `converge.yml` playbook to a shared `resources` subfolder:
+`molecule/resources/my_playbook/converge.yml`.
+
+If necessary, add inventory `group_vars` to the shared `resources` subfolder:
+`molecule/resources/my_playbook/inventory/group_vars`. for your playbook.
+
+You may also need to add `prepare` or `verify` playbooks. These can be added
+to the the same shared `resources` folder.
+
+You will need to update the `molecule.yml` configuration file with the correct paths
+to these playbooks.
+
+### Add a GitHub Workflow
+
+You should add a GitHub workflow for your new playbook to `.github/workflows/molecule-my-playbook.yml`.
+The workflow should follow this format:
+
+```yaml
+name: Test my_playbook
+on:
+  pull_request:
+    paths:
+      - "playbooks/my_playbook.yml"
+      - ".github/workflows/molecule-role-used-in-playbook.yml"
+
+jobs:
+  molecule-my_playbook:
+    uses: ./.github/workflows/molecule.yml
+    with:
+      tests-path: ansible_collections/mirsg/infrastructure/playbooks
+```
+
+This uses the [`.github/workflows/molecule.yml` reusable workflow](.github/workflows/molecule.yml) to run
+molecule on the relevant role.

tests/molecule/centos7_monitoring/molecule.yml → playbooks/molecule/centos7_monitoring/molecule.yml

@@ -25,6 +25,7 @@ platforms:
       - all
       - monitoring_client
       - monitoring_service
+      - centos7
     docker_networks:
       - name: monitoring
         ipam_config:
@@ -51,6 +52,7 @@ platforms:
       - all
       - monitoring_host
       - monitoring_service
+      - centos7
     networks:
       - name: monitoring
         ipv4_address: 192.168.56.3
@@ -75,7 +77,7 @@ provisioner:
       host_vars: ../resources/monitoring/inventory/host_vars/
   playbooks:
     converge: ../resources/monitoring/converge.yml
-    prepare: ../resources/shared/prepare.yml
+    prepare: ../resources/monitoring/prepare.yml
     verify: ../resources/monitoring/verify.yml
   env:
     ANSIBLE_VERBOSITY: "1"

tests/molecule/centos7_install_xnat/molecule.yml → playbooks/molecule/centos7_xnat/molecule.yml

@@ -103,14 +103,14 @@ provisioner:
   config_options:
     defaults:
       callbacks_enabled: profile_tasks, timer, yaml
-      vault_password_file: ${MOLECULE_SCENARIO_DIRECTORY}/../resources/install_xnat/.vault_password
+      vault_password_file: ${MOLECULE_SCENARIO_DIRECTORY}/../resources/xnat/.vault_password
   inventory:
     links:
-      hosts: ../resources/install_xnat/inventory/hosts.yml
-      group_vars: ../resources/install_xnat/inventory/group_vars/
+      hosts: ../resources/xnat/inventory/hosts.yml
+      group_vars: ../resources/xnat/inventory/group_vars/
   playbooks:
-    prepare: ../resources/install_xnat/prepare.yml
-    converge: ../resources/install_xnat/converge.yml
+    prepare: ../resources/xnat/prepare.yml
+    converge: ../resources/xnat/converge.yml
   env:
     ANSIBLE_VERBOSITY: 1
 

playbooks/molecule/resources/monitoring/converge.yml

@@ -0,0 +1,12 @@
+---
+- name: Create monitoring server certs
+  hosts: monitoring_host
+  become: true
+  gather_facts: true
+  roles:
+    - role: mirsg.infrastructure.ssl_certificates
+      vars:
+        ssl_certificate: "{{ monitoring_server_ssl_certificate }}"
+
+- name: Install Monitoring Service
+  ansible.builtin.import_playbook: mirsg.infrastructure.install_monitoring

playbooks/molecule/resources/monitoring/inventory/group_vars/all.yml

@@ -0,0 +1,8 @@
+---
+ansible_cache_dir: "{{ lookup('env', 'HOME') }}/ansible_persistent_files"
+
+external_storage_drive: "/storage/molecule"
+selinux_enabled: false
+
+# mirsg.infrastructure.provision
+server_locale: "en_GB.UTF-8"

playbooks/molecule/resources/monitoring/prepare.yml

@@ -0,0 +1,15 @@
+---
+- name: Setup for the firewall
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Install firewalld
+      ansible.builtin.package:
+        name: firewalld
+        state: present
+
+    - name: Change firewalld backend to iptables
+      ansible.builtin.lineinfile:
+        path: /etc/firewalld/firewalld.conf
+        regexp: "^FirewallBackend="
+        line: FirewallBackend=iptables

playbooks/molecule/resources/monitoring/verify.yml

@@ -0,0 +1,40 @@
+---
+- name: Check monitoring host
+  hosts: monitoring_host
+  become: true
+  gather_facts: true
+  vars:
+    container_names:
+      - alertmanager
+      - blackbox-exporter
+      - cadvisor
+      - grafana
+      - nginx
+      - prometheus
+  tasks:
+    - name: Get container info
+      community.docker.docker_container_info:
+        name: "{{ item }}"
+      loop: "{{ container_names }}"
+      register: container_info
+
+    - name: Check containers exist and are running
+      ansible.builtin.assert:
+        that:
+          - item.exists
+          - item.container.State.Running
+      loop: "{{ container_info.results }}"
+
+- name: Check monitoring client
+  hosts: monitoring_client
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Populate service facts
+      ansible.builtin.service_facts:
+
+    - name: Ensure that node exporter has started
+      ansible.builtin.assert:
+        that:
+          - "{{ 'node_exporter.service' in ansible_facts.services }}"
+          - ansible_facts.services['node_exporter.service'].state == "running"

playbooks/molecule/resources/xnat/inventory/group_vars/centos7.yml

@@ -0,0 +1,12 @@
+---
+# mirsg.infrastructure.install_python
+install_python:
+  version: "2"
+  pip_version: "20.3.4"
+  pip_executable: "pip"
+  system_packages:
+    - python
+    - python-pip
+    - python-setuptools
+  pip_packages:
+    - cryptography