RHSecurityCompliance / contest

Content Testing for ComplianceAsCode/content

Build, find, and test Ansible per-rule playbooks #221

Closed mildas closed 2 months ago

mildas commented 2 months ago

Per-rule playbooks, used by console dot, are in a different package and located in a different path than the profile playbooks shipped by scap-security-guide.

For built content:

Profile playbooks:

$ ls build/ansible
all-profile-playbooks-rhel9                 rhel9-playbook-ccn_intermediate.yml    rhel9-playbook-hipaa.yml
rhel9-playbook-anssi_bp28_enhanced.yml      rhel9-playbook-cis_server_l1.yml       rhel9-playbook-ism_o.yml
rhel9-playbook-anssi_bp28_high.yml          rhel9-playbook-cis_workstation_l1.yml  rhel9-playbook-ospp.yml
rhel9-playbook-anssi_bp28_intermediary.yml  rhel9-playbook-cis_workstation_l2.yml  rhel9-playbook-pci-dss.yml
rhel9-playbook-anssi_bp28_minimal.yml       rhel9-playbook-cis.yml                 rhel9-playbook-stig_gui.yml
rhel9-playbook-ccn_advanced.yml             rhel9-playbook-cui.yml                 rhel9-playbook-stig.yml
rhel9-playbook-ccn_basic.yml                rhel9-playbook-e8.yml

Rule playbooks (there are profile directories too, but all of them should contain all the rules from the datastream):

$ ls build/rhel9/playbooks/all/ | tail -n5
zipl_page_alloc_shuffle_argument.yml
zipl_page_poison_argument.yml
zipl_slub_debug_argument.yml
zipl_systemd_debug-shell_argument_absent.yml
zipl_vsyscall_argument.yml

RPM: scap-security-guide

# rpm -ql scap-security-guide | grep .yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-anssi_bp28_enhanced.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-anssi_bp28_high.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-anssi_bp28_intermediary.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-anssi_bp28_minimal.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-ccn_advanced.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-ccn_basic.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-ccn_intermediate.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-cis.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-cis_server_l1.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-cis_workstation_l1.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-cis_workstation_l2.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-cui.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-e8.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-hipaa.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-ism_o.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-ospp.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-pci-dss.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-stig.yml
/usr/share/scap-security-guide/ansible/rhel9-playbook-stig_gui.yml

RPM: scap-security-guide-rule-playbooks

# rpm -ql scap-security-guide-rule-playbooks | grep /all/ | tail -n5
/usr/share/scap-security-guide/ansible/rule_playbooks/rhel9/all/zipl_page_alloc_shuffle_argument.yml
/usr/share/scap-security-guide/ansible/rule_playbooks/rhel9/all/zipl_page_poison_argument.yml
/usr/share/scap-security-guide/ansible/rule_playbooks/rhel9/all/zipl_slub_debug_argument.yml
/usr/share/scap-security-guide/ansible/rule_playbooks/rhel9/all/zipl_systemd_debug-shell_argument_absent.yml
/usr/share/scap-security-guide/ansible/rule_playbooks/rhel9/all/zipl_vsyscall_argument.yml

The previous approach, _find_playbooks(root).rglob('*'), worked for the RPM: it traversed all /usr/share/scap-security-guide/ansible/ directories and searched for .yml files. However, it was not efficient, as it checked the syntax of the same playbook multiple times (once for each profile directory where the playbook was present). It didn't work for built content, thus even if we had built it in productization, the playbooks would not be yielded by iter_playbooks. The newly implemented option --playbook-per-rule builds per-rule playbooks via ./build_product, with no need for cmake: https://github.com/ComplianceAsCode/content/pull/12105
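The discovery logic discussed above, as an added example that is not contest's own code: it reads per-rule playbooks only from the `all/` directory of either layout shown in the comment (`build/<product>/playbooks/all/` for built content, `/usr/share/scap-security-guide/ansible/rule_playbooks/<product>/all/` for the RPM), so each playbook is syntax-checked once instead of once per profile directory. The function names, the `root` prefix argument (so the RPM layout can be exercised under a temporary directory), and the constructed fixture tree are assumptions of this example.

```python
"""Added example (not contest's code): locate per-rule Ansible playbooks in a
built ComplianceAsCode tree or in the scap-security-guide-rule-playbooks RPM
layout, visiting only the 'all' directory so each playbook is checked once.
Function names and the 'root' prefix are assumptions made for this example."""
from pathlib import Path
import subprocess
import tempfile


def rule_playbook_dir(root, product, built):
    """Directory that holds every rule playbook (paths as shown in the PR).
    'root' is a prefix such as a checkout or a chroot; for a real RPM install
    it is '/'."""
    root = Path(root)
    if built:
        return root / 'build' / product / 'playbooks' / 'all'
    return root / 'usr/share/scap-security-guide/ansible/rule_playbooks' / product / 'all'


def iter_rule_playbooks(root, product, built):
    """Yield each per-rule playbook exactly once, in a stable order.
    Profile subdirectories next to 'all' carry copies of the same files,
    so they are deliberately not traversed."""
    rule_dir = rule_playbook_dir(root, product, built)
    if not rule_dir.is_dir():
        return
    yield from sorted(rule_dir.glob('*.yml'))


def count_rglob_yml(root):
    """The previous approach: rglob('*') over the whole tree. Copies in the
    profile directories are counted (and would be syntax-checked) repeatedly."""
    return sum(1 for p in Path(root).rglob('*') if p.suffix == '.yml')


def syntax_check(playbook):
    """Run ansible-playbook --syntax-check on one playbook; True if it passes.
    (Requires ansible on the host; not exercised by demo() below.)"""
    proc = subprocess.run(['ansible-playbook', '--syntax-check', str(playbook)],
                          capture_output=True, text=True)
    return proc.returncode == 0


def make_fixture(root, product, built, rules, profiles=('stig', 'cis')):
    """Constructed test tree: every rule playbook in 'all' plus a copy in each
    profile directory, mimicking how build_product and the RPM lay them out."""
    all_dir = rule_playbook_dir(root, product, built)
    for sub in ('all', *profiles):
        d = all_dir.parent / sub
        d.mkdir(parents=True, exist_ok=True)
        for rule in rules:
            (d / f'{rule}.yml').write_text(
                f'- hosts: all\n  tasks:\n    - debug:\n        msg: {rule}\n')
    return all_dir


def demo(built=True):
    """Build a fixture for one layout and return (rule names found once,
    number of .yml files the old rglob approach would have visited)."""
    rules = ['zipl_vsyscall_argument', 'zipl_page_poison_argument']
    with tempfile.TemporaryDirectory() as tmp:
        make_fixture(tmp, 'rhel9', built, rules)
        found = [p.stem for p in iter_rule_playbooks(tmp, 'rhel9', built)]
        return found, count_rglob_yml(tmp)


if __name__ == '__main__':
    for layout in (True, False):
        found, naive = demo(layout)
        print('built' if layout else 'rpm', found, 'rglob would visit', naive)
```

With two rules copied into `all`, `stig` and `cis`, `iter_rule_playbooks` yields two paths while the old `rglob('*')` walk sees six `.yml` files; a missing `all` directory (content not built, RPM not installed) yields nothing rather than raising.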

mildas commented 2 months ago

> Will this build regular playbooks in addition to per-rule ones? ... Is there some build time penalty?

Yes, regular profile playbooks are still there. They are built by default. Regarding the build time penalty, there is some. During my testing it was a few seconds (~10s). Not a big deal.

> Does this change work with tests that use "fat" playbooks (i.e. /hardening/*/ansible) when used with CONTEST_CONTENT? ... Notice that once content is built (as detected by content_is_built()), it is not rebuilt, not even for a different test.

No. All profile playbooks are still the same, in the same place, with or without the --playbook-per-rule option. The only changes are in iter_playbooks(). But the function is used only in /static-checks/ansible/syntax-check, so the /hardening/ tests are fine.

comps commented 2 months ago

Testing passed, with the exception of /hardening/image-builder, which I had to re-run manually after 4 errored runs, but it passed on a 5th run, so presumably not a regression caused by this PR.