ansible / ansible-policy

ansible-policy is a prototype implementation which allows us to define and set constraints to the Ansible project in OPA Rego language.
Apache License 2.0

Boolean conditional #39

Closed pharriso closed 1 month ago

pharriso commented 2 months ago

Is it possible to have a conditional for a boolean value?

Example playbook:

---

- hosts: all
  tasks:
  - name: uri fails because we didn't validate certs
    ansible.builtin.uri:
      validate_certs: false
      url: http://example.com
    delegate_to: localhost

Here I want to validate module_options to make sure validate_certs is not set to false.

---
- name: check validate_certs is not set to false
  hosts: localhost 
  policies:
    - name: validate_certs should not be false
      target: task
      condition: input._agk.task.module_options.validate_certs == 'false'
      actions:
        - deny:
            msg: validate_certs must be true

Because the value is a boolean it does not match:

{ "url": "http://example.com", "validate_certs": false }

Would expect something like this to work for boolean = true:

---
- name: check validate_certs is not set to false
  hosts: localhost 
  policies:
    - name: validate_certs should not be false
      target: task
      condition: input._agk.task.module_options.validate_certs
      actions:
        - deny:
            msg: validate_certs must be true

And this for false:

---
- name: check validate_certs is not set to false
  hosts: localhost 
  policies:
    - name: validate_certs should not be false
      target: task
      condition: not input._agk.task.module_options.validate_certs
      actions:
        - deny:
            msg: validate_certs must be true

Am I missing something? Is there a way to check boolean currently?

hirokuni-kitahara commented 1 month ago

Thank you @pharriso, this issue has been fixed with the PR https://github.com/ansible/ansible-policy/pull/48. I am closing this.
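
The type mismatch described in this issue, reproduced outside ansible-policy as an added Python example (not code from the issue or the project): a comparison against the string 'false' misses a boolean `false`, while a type-aware check catches both. The task list shape, the function names and the set of false spellings are assumptions made for illustration.

```python
import json

# Spellings Ansible accepts for a false boolean (assumption: modelled on
# Ansible's own boolean conversion; adjust to match your version).
FALSE_STRINGS = {"n", "no", "off", "0", "0.0", "f", "false"}

# Constructed sample input. The first entry is the module_options value shown
# in the issue; the others are made up to cover the remaining cases.
SAMPLE_TASKS = json.loads("""
[
  {"name": "bool false",    "module_options": {"url": "http://example.com", "validate_certs": false}},
  {"name": "string false",  "module_options": {"url": "http://example.com", "validate_certs": "false"}},
  {"name": "yaml-style no", "module_options": {"url": "http://example.com", "validate_certs": "No"}},
  {"name": "bool true",     "module_options": {"url": "http://example.com", "validate_certs": true}},
  {"name": "unset",         "module_options": {"url": "http://example.com"}}
]
""")


def naive_string_match(module_options):
    """The comparison from the issue: only a literal string 'false' matches."""
    return module_options.get("validate_certs") == "false"


def certs_disabled(module_options):
    """True when validate_certs is explicitly false, as a boolean or a string."""
    if "validate_certs" not in module_options:
        return False  # unset: the module default applies
    value = module_options["validate_certs"]
    if isinstance(value, bool):  # test bool before int: bool is an int subclass
        return value is False
    if isinstance(value, (int, float)):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in FALSE_STRINGS
    return False  # other types: not an explicit false


def evaluate(tasks, check):
    """Return the names of the tasks the given check would deny."""
    return [t["name"] for t in tasks if check(t["module_options"])]


if __name__ == "__main__":
    print("string comparison denies:", evaluate(SAMPLE_TASKS, naive_string_match))
    print("type-aware check denies: ", evaluate(SAMPLE_TASKS, certs_disabled))
```

A templated value such as `"{{ verify }}"` is not resolved here and is treated as not explicitly false, so tasks that set the option from a variable need a separate review.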