Conditional execution managed by variables #62

Open
jtyr opened this issue Jun 9, 2016 · 4 comments

@jtyr
Contributor

jtyr commented Jun 9, 2016

It would be really great if I could specify what to run as a variable instead of as a tag. For example, if I want to always run only audit tasks, I would specify:

rhel6stig_run:
  - audit

and if the task has the following tags:

  tags:
      - cat1
      - high
      - V-38701
      - patch
      - tftp
      - tftp-server
      - unsecure_services

the when: condition would look like this:

when: >
  rhel6stig_run | length == 0 or
  rhel6stig_run in ['cat1', 'high', 'V-38701', 'patch', 'tftp', 'tftp-server', 'unsecure_services']

The above could be extended by a rhel6stig_ignore variable, which would allow ignoring a certain subset of the rhel6stig_run. For example, if I would like to run all audit tasks but the V-38701, the rhel6stig_ignore variable would look like this:

rhel6stig_ignore:
  - V-38701

and the when: condition in the task like this:

when: >
  rhel6stig_run | length == 0 or (
    rhel6stig_run in ['cat1', 'high', 'V-38701', 'patch', 'tftp', 'tftp-server', 'unsecure_services'] and
    ['cat1', 'high', 'V-38701', 'patch', 'tftp', 'tftp-server', 'unsecure_services'] | intersect(rhel6stig_ignore) | length == 0
  )

Of course the rhel6stig_run as well as the rhel6stig_ignore can have more than one item:

# Expressing: 'audit' in tasks AND 'high' in tasks
rhel6stig_run:
  - audit
  - high

# Expressing: 'ssh' in tasks OR 'rlogin' in tasks OR 'V-38668' in tasks
rhel6stig_ignore:
  - ssh
  - rlogin
  - V-38668

That would run all tasks marked as audit AND high and ignore all tasks marked as ssh, rlogin and V-38668.

@juliedavila

I think for this to work we would need a Jinja2 filter that is the equivalent of the Python all() and any() builtin methods. This is true for situations where rhel6stig_run/ignore have multiple elements.

For example
where a = [1,2] and b = [1,2,3]
a in b returns False

@jtyr
Contributor Author

jtyr commented Jul 3, 2016

Such filters exist and I have used them in the example above.

@juliedavila

Yes, I'm aware of our combinatorial filters; the OCD side of me is just bothered by the verboseness in how it would need to be implemented. I think it'd be cleaner to see something like

when: rhel6stig_run | length == 0 or (any(tag in 38701_tags for tag in rhel6stig_run) and not any(ignore_tag in 38701_tags for ignore_tag in rhel6stig_ignore))

@jamescassell
Collaborator

I think this is mostly implemented in the RHEL7-STIG role...
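
Added example, not part of the thread or of the role's code: a self-contained playbook showing one way to express the multi-element selection discussed above with Ansible's `difference` and `intersect` filters. `rhel6stig_run` and `rhel6stig_ignore` are the variables proposed in the issue; `sample_tasks`, `task_tags` and the `sample-*` ids are hypothetical names with constructed values, and `loop` assumes Ansible 2.5 or later.

```yaml
# Added example: evaluates the proposed run/ignore selection over sample data.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Selection variables as proposed in the issue (sample values).
    rhel6stig_run: [audit, high]
    rhel6stig_ignore: [ssh, rlogin, V-38668]
    # Constructed sample input. task_tags is plain data standing in for the
    # tag list of each STIG task; it is not Ansible's own tags keyword.
    sample_tasks:
      # Tag list quoted in the issue; it carries 'high' but not 'audit'.
      - id: V-38701
        task_tags: [cat1, high, V-38701, patch, tftp, tftp-server, unsecure_services]
      # Carries both 'audit' and 'high', and nothing from the ignore list.
      - id: sample-a
        task_tags: [audit, high, sample-a]
      # Carries both 'audit' and 'high', but also the ignored 'ssh'.
      - id: sample-b
        task_tags: [audit, high, ssh, sample-b]
  tasks:
    - name: Report the sample tasks that the selection lets through
      debug:
        msg: "{{ item.id }} would run"
      loop: "{{ sample_tasks }}"
      loop_control:
        label: "{{ item.id }}"
      when:
        # AND semantics: no entry of rhel6stig_run may be missing from the
        # task's tags. An empty rhel6stig_run leaves nothing missing, so the
        # separate "length == 0" shortcut is not needed.
        - rhel6stig_run | difference(item.task_tags) | length == 0
        # OR semantics: any overlap with rhel6stig_ignore skips the task.
        # An undefined rhel6stig_ignore is treated as an empty list.
        - rhel6stig_ignore | default([]) | intersect(item.task_tags) | length == 0
```

Both conditions compare whole lists through set filters, which avoids the list-in-list membership test that returns False when `rhel6stig_run` has more than one element.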
