sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
89e366d0f0d5ff6fc256033e4656d5e928ced009
Ansible-Bootstrap/roles/cis/tasks/_normalize.yml

26 lines
1.0 KiB
YAML
Raw Blame History

---
- name: Determine CIS profile
ansible.builtin.set_fact:
cis_profile: "{{ system_cfg.features.cis.profile | default('default') }}"
- name: Validate CIS profile selection
ansible.builtin.assert:
that: cis_profile in cis_profiles
fail_msg: >-
system.features.cis.profile '{{ cis_profile }}' is unknown
(valid: {{ cis_profiles.keys() | list | join(', ') }}).
quiet: true
- name: Resolve CIS rules and parameters
vars:
_cis: "{{ system_cfg.features.cis | default({}) }}"
ansible.builtin.set_fact:
cis_effective_rules: "{{ cis_profiles[cis_profile] | combine(_cis.rules | default({})) }}"
cis_cfg: >-
{{ cis_param_defaults
| combine(cis_profile_params[cis_profile] | default({}), recursive=True)
| combine(_cis.params | default({}), recursive=True) }}
# l1/l2 add the stricter CIS-server controls on top of the legacy `default`
# baseline; gate those tasks on this so `default` stays byte-for-byte unchanged.
cis_strict: "{{ cis_profile in ['l1', 'l2'] }}"
Reference in New Issue View Git Blame Copy Permalink