Commit 0085716b authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'feat/sast-cascading-policy' into 'master'

feat(sast): run ansible-lint against cascading environments

See merge request to-be-continuous/ansible!36
parents d99a90d2 186802ad
+28 −50
@@ -483,7 +483,7 @@ stages:
    name: "$ANSIBLE_IMAGE"
    entrypoint: [""]

.ansible-lint-base:
ansible-lint:
  extends: .ansible-base
  interruptible: true
  stage: build
@@ -492,6 +492,18 @@ stages:
    entrypoint: [""]
  script:
    - ansible-lint main.yml
  parallel:
    matrix:
      - ENV_PREFIX: REVIEW
      - ENV_PREFIX: INTEG
      - ENV_PREFIX: STAGING
      - ENV_PREFIX: PROD
  script:
    - mkdir -p -m 777 reports
    - env_name=$(echo "$ENV_PREFIX" | tr '[:upper:]' '[:lower:]')
    - playbook_file=$(eval echo "\$ANSIBLE_${ENV_PREFIX}_PLAYBOOK_FILE")
    - ansible-lint "$playbook_file" -f codeclimate > reports/ansible-lint-${env_name}.codeclimate.json || true
    - ansible-lint "$playbook_file"
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
@@ -501,64 +513,30 @@ stages:
        - "$ANSIBLE_PROJECT_DIR/reports/ansible-lint-*.codeclimate.json"
    paths:
      - "$ANSIBLE_PROJECT_DIR/reports/ansible-lint-*.codeclimate.json"

ansible-lint-review:
  extends: .ansible-lint-base
  script:
    - mkdir -p -m 777 reports
    - ansible-lint "$ANSIBLE_REVIEW_PLAYBOOK_FILE" -f codeclimate > reports/ansible-lint-review.codeclimate.json || true
    - ansible-lint "$ANSIBLE_REVIEW_PLAYBOOK_FILE"
  rules:
    # exclude when $ANSIBLE_LINT_DISABLED is set
    - if: '$ANSIBLE_LINT_DISABLED == "true"'
      when: never
    # else: allow is $ANSIBLE_REVIEW_PLAYBOOK_FILE is set
    - if: '$ANSIBLE_REVIEW_PLAYBOOK_FILE == null || $ANSIBLE_REVIEW_PLAYBOOK_FILE == ""'
    # exclude tags
    - if: $CI_COMMIT_TAG
      when: never
    - !reference [.test-policy, rules]

ansible-lint-integration:
  extends: .ansible-lint-base
  script:
    - mkdir -p -m 777 reports
    - ansible-lint "$ANSIBLE_INTEG_PLAYBOOK_FILE" -f codeclimate > reports/ansible-lint-integration.codeclimate.json || true
    - ansible-lint "$ANSIBLE_INTEG_PLAYBOOK_FILE"
  rules:
    # exclude when $ANSIBLE_LINT_DISABLED is set
    - if: '$ANSIBLE_LINT_DISABLED == "true"'
      when: never
    # else: allow is $ANSIBLE_INTEG_PLAYBOOK_FILE is set
    - if: '$ANSIBLE_INTEG_PLAYBOOK_FILE == null || $ANSIBLE_INTEG_PLAYBOOK_FILE == ""'
    # exclude review if $ANSIBLE_REVIEW_PLAYBOOK_FILE unset
    - if: '$ENV_PREFIX == "REVIEW" && ($ANSIBLE_REVIEW_PLAYBOOK_FILE == null || $ANSIBLE_REVIEW_PLAYBOOK_FILE == "")'
      when: never
    - !reference [.test-policy, rules]

ansible-lint-staging:
  extends: .ansible-lint-base
  script:
    - mkdir -p -m 777 reports
    - ansible-lint "$ANSIBLE_STAGING_PLAYBOOK_FILE" -f codeclimate > reports/ansible-lint-staging.codeclimate.json || true
    - ansible-lint "$ANSIBLE_STAGING_PLAYBOOK_FILE"
  rules:
    # exclude when $ANSIBLE_LINT_DISABLED is set
    - if: '$ANSIBLE_LINT_DISABLED == "true"'
    # exclude review on integration or prod branch
    - if: '$ENV_PREFIX == "REVIEW" && ($CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF)'
      when: never
    # else: allow is $ANSIBLE_INTEG_PLAYBOOK_FILE is set
    - if: '$ANSIBLE_STAGING_PLAYBOOK_FILE == null || $ANSIBLE_STAGING_PLAYBOOK_FILE == ""'
    # exclude integration if $ANSIBLE_INTEG_PLAYBOOK_FILE unset
    - if: '$ENV_PREFIX == "INTEG" && ($ANSIBLE_INTEG_PLAYBOOK_FILE == null || $ANSIBLE_INTEG_PLAYBOOK_FILE == "")'
      when: never
    - !reference [.test-policy, rules]

ansible-lint-prod:
  extends: .ansible-lint-base
  script:
    - mkdir -p -m 777 reports
    - ansible-lint "$ANSIBLE_PROD_PLAYBOOK_FILE" -f codeclimate > reports/ansible-lint-prod.codeclimate.json || true
    - ansible-lint "$ANSIBLE_PROD_PLAYBOOK_FILE"
  rules:
    # exclude when $ANSIBLE_LINT_DISABLED is set
    - if: '$ANSIBLE_LINT_DISABLED == "true"'
    # exclude integration on prod branch
    - if: '$ENV_PREFIX == "INTEG" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
      when: never
    # else: allow is $ANSIBLE_PROD_PLAYBOOK_FILE is set
    - if: '$ANSIBLE_PROD_PLAYBOOK_FILE == null || $ANSIBLE_PROD_PLAYBOOK_FILE == ""'
    # exclude staging if $ANSIBLE_STAGING_PLAYBOOK_FILE unset
    - if: '$ENV_PREFIX == "STAGING" && ($ANSIBLE_STAGING_PLAYBOOK_FILE == null || $ANSIBLE_STAGING_PLAYBOOK_FILE == "")'
      when: never
    # exclude production if $ANSIBLE_PROD_PLAYBOOK_FILE unset
    - if: '$ENV_PREFIX == "PROD" && ($ANSIBLE_PROD_PLAYBOOK_FILE == null || $ANSIBLE_PROD_PLAYBOOK_FILE == "")'
      when: never
    - !reference [.test-policy, rules]
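Review bot: The new `ansible-lint` job carries two `script:` keys — the `script:` / `- ansible-lint main.yml` pair at the top of the second hunk and the matrix-aware `script:` block right below it — and that hunk's header reports no deletions, so both land on the new side; most YAML loaders silently keep only the last mapping value, so the `main.yml` default is dead code and stricter linters reject the duplicate key outright. Drop the first `script:` pair so the job has exactly one. The matrix script also resolves the per-environment playbook with `eval echo "\$ANSIBLE_${ENV_PREFIX}_PLAYBOOK_FILE"`, which word-splits and glob-expands the variable's value before it reaches `ansible-lint`; the same indirection without re-parsing the value is `eval "playbook_file=\${ANSIBLE_${ENV_PREFIX}_PLAYBOOK_FILE}"`. The `# exclude tags` rule on `$CI_COMMIT_TAG` sits among the old review job's rules, and if it survives on the new side it now applies to every matrix entry including PROD, which the old staging and prod jobs did not do — worth confirming against the rendered rules. The `ansible-lint` job definition spans all three hunks, so the full merged `rules:` list is only partly visible here.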