From 2d15529786b7d743347a36bcbdbdee1fcc01d2d2 2024-09-03 14:06:29
From: Branko Majic <branko@majic.rs>
Date: 2024-09-03 14:06:29
Subject: [PATCH] MAR-218: Fix linting errors related to commands doing unconditional changes:

- Tasks run during the prepare stage of test runs do not matter.
- Some of the role tasks are already effectively running only when
  change _will_ happen (when it is detected via variable registered by
  a previous task).

---

diff --git a/roles/backup_client/handlers/main.yml b/roles/backup_client/handlers/main.yml
index c57817491461e335815c09258d5cabb75ff5de8f..0b13694ad16178a674ac4f1c911308a109854571 100644
--- a/roles/backup_client/handlers/main.yml
+++ b/roles/backup_client/handlers/main.yml
@@ -24,6 +24,10 @@
   #   after interrupted runs.
   command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"
 
-- name: Import public keys
+- name: Import public keys  # noqa no-changed-when
+  # [no-changed-when] Commands should not change things if nothing needs doing
+  #   This task is invoked only if user is very specific about requiring to
+  #   run the handlers manually as a way to bring the system to consistency
+  #   after interrupted runs.
   command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"
   when: backup_additional_encryption_keys | length > 0
diff --git a/roles/common/molecule/default/prepare.yml b/roles/common/molecule/default/prepare.yml
index 89d70e19002bf8f9524d57712ff0258eee9ad6ed..4563b65b26a9b63dbc131e22148e8a709809a912 100644
--- a/roles/common/molecule/default/prepare.yml
+++ b/roles/common/molecule/default/prepare.yml
@@ -112,7 +112,9 @@
         - ip6table_security
         - ip6table_raw
 
-    - name: Create some custom legacy iptables chains for testing their removal (max chain name length is 29)
+    - name: Create some custom legacy iptables chains for testing their removal (max chain name length is 29)  # noqa no-changed-when
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
       command: "iptables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"
       with_items:
         - filter
@@ -121,7 +123,9 @@
         - security
         - raw
 
-    - name: Create some custom legacy ip6tables chains for testing their removal (max chain name length is 29)
+    - name: Create some custom legacy ip6tables chains for testing their removal (max chain name length is 29)  # noqa no-changed-when
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
       command: "ip6tables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"
       with_items:
         - filter
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index f0b916a68afdee3f286f30bef95e26fb7c7ab058..8a7516cc3966e2153c3b0468bc185bf2f69c271d 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -57,6 +57,7 @@
   #   should end-up with correct permissions straight away.
   command: "/usr/sbin/pam-auth-update --package"
   when: pam_umask.changed
+  changed_when: true  # Always results in change due to task logic.
 
 - name: Set login UMASK
   lineinfile:
@@ -211,6 +212,7 @@
   #   validate server/client certificates.
   command: "/usr/sbin/update-ca-certificates --fresh"
   when: deploy_ca_certificates_result.changed
+  changed_when: true  # Always results in change due to task logic.
 
 - name: Set-up file diversions for custom files that overrride package-provided ones
   command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"
diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
index 5ee0f991ea83930246c317c68c15706e48f36ee5..0bdb3a227199bc1665c837553d790274f2929422 100644
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
@@ -72,6 +72,7 @@
 - name: Deploy LDAP misc schema
   command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"
   when: not ldap_misc_schema_present.stdout
+  changed_when: true  # Always results in change due to task logic.
 
 # Technically, the only thing this does is pick the size of DH
 # parameters to use, with GnuTLS (against which slapd is linked
diff --git a/roles/mail_forwarder/molecule/default/prepare.yml b/roles/mail_forwarder/molecule/default/prepare.yml
index 1d54b9fd723b49a1719b966263953741e2b30b7e..c5ccacceaaaec1b90204c81f24b8ffc2a0453add 100644
--- a/roles/mail_forwarder/molecule/default/prepare.yml
+++ b/roles/mail_forwarder/molecule/default/prepare.yml
@@ -95,7 +95,9 @@
 
   handlers:
 
-    - name: Update CA certificate cache
+    - name: Update CA certificate cache  # noqa no-changed-when
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
       command: /usr/sbin/update-ca-certificates --fresh
 
 - name: Prepare, helpers
@@ -161,7 +163,9 @@
 
   handlers:
 
-    - name: Update CA certificate cache
+    - name: Update CA certificate cache  # noqa no-changed-when
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
       command: /usr/sbin/update-ca-certificates --fresh
 
     - name: Restart Postfix
diff --git a/roles/mail_server/molecule/default/prepare.yml b/roles/mail_server/molecule/default/prepare.yml
index 1db7dea13111381d035df96598b679064e1b11b8..a1c5ead800cb195659dac0677f037d61a1ae47a0 100644
--- a/roles/mail_server/molecule/default/prepare.yml
+++ b/roles/mail_server/molecule/default/prepare.yml
@@ -120,12 +120,16 @@
         group: vagrant
         mode: 0755
 
-    - name: Configure default location for storing ClamAV database files
+    - name: Configure default location for storing ClamAV database files  # noqa no-changed-when
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare step.
       become: true
       become_user: vagrant
       command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/"
 
-    - name: Download/update the ClamAV database files
+    - name: Download/update the ClamAV database files  # noqa no-changed-when
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
       become: true
       become_user: vagrant
       command: "/var/lib/cvdupdate/bin/cvd update"
@@ -330,8 +334,10 @@
 
   handlers:
 
-    - name: Update CA certificate cache
+    - name: Update CA certificate cache  # noqa no-changed-when
       command: /usr/sbin/update-ca-certificates --fresh
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
 
     - name: Restart Postfix
       service:
diff --git a/roles/php_website/molecule/default/prepare.yml b/roles/php_website/molecule/default/prepare.yml
index 7c284cf492336ff3983e3f2e031525b7e6edb44b..020b223c349afcac324b015b6b29228d7f5b7554 100644
--- a/roles/php_website/molecule/default/prepare.yml
+++ b/roles/php_website/molecule/default/prepare.yml
@@ -116,5 +116,7 @@
         name: postfix
         state: restarted
 
-    - name: Generate aliases database
+    - name: Generate aliases database  # noqa no-changed-when
       command: "/usr/bin/newaliases"
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
diff --git a/roles/web_server/molecule/default/prepare.yml b/roles/web_server/molecule/default/prepare.yml
index 4b6039e3e89142d7773bd011e505ec30662c2cc4..21e3c3a55967f9d91f35b6ee3033ace8cb0d69d3 100644
--- a/roles/web_server/molecule/default/prepare.yml
+++ b/roles/web_server/molecule/default/prepare.yml
@@ -130,5 +130,7 @@
 
   handlers:
 
-    - name: Update CA certificate cache
+    - name: Update CA certificate cache  # noqa no-changed-when
       command: /usr/sbin/update-ca-certificates --fresh
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
diff --git a/roles/wsgi_website/molecule/default/prepare.yml b/roles/wsgi_website/molecule/default/prepare.yml
index 576b25f7ade46c2e578b0f3fb24e3828f5af047a..7112f12c9130fab03c04f342c5a42f006914d07d 100644
--- a/roles/wsgi_website/molecule/default/prepare.yml
+++ b/roles/wsgi_website/molecule/default/prepare.yml
@@ -132,5 +132,7 @@
         name: postfix
         state: restarted
 
-    - name: Generate aliases database
+    - name: Generate aliases database  # noqa no-changed-when
       command: "/usr/bin/newaliases"
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
diff --git a/roles/xmpp_server/molecule/default/prepare.yml b/roles/xmpp_server/molecule/default/prepare.yml
index 9a18e4048d553a8d0dc0cd80983793ef418faf6a..3565f16c730c0e26cf1ff9e6ab1ec3af786b59e8 100644
--- a/roles/xmpp_server/molecule/default/prepare.yml
+++ b/roles/xmpp_server/molecule/default/prepare.yml
@@ -184,8 +184,10 @@
 
   handlers:
 
-    - name: Update CA certificate cache
+    - name: Update CA certificate cache  # noqa no-changed-when
       command: /usr/sbin/update-ca-certificates --fresh
+      # [no-changed-when] Commands should not change things if nothing needs doing
+      #   Does not matter in test prepare stage.
 
 - name: Prepare, helpers
   hosts: ldap-server