Add linting Git workflow and local linting env (#11)

GavinHeff · m-bull · maxstack · web-flow · commit dfc169a005ce · 2025-06-23T15:20:29.000+01:00
* Add linter config

* Fix issues raised by linter

* Update sample-appliance.yml

Co-authored-by: Matt Anson &lt;matta@stackhpc.com&gt;

* Update deprecated load_balancer resource

* Fixes needed to run the sample appliance in an Azimuth dev env

Fixed yaml lint issues after running superlint

* Fix issues found by ansible-lint

* Add handlers to load balancer roles

---------

Co-authored-by: Matt Anson &lt;matta@stackhpc.com&gt;
Co-authored-by: Max Norton &lt;maxn@stackhpc.com&gt;
diff --git a/.ansible-lint.yml b/.ansible-lint.yml
@@ -0,0 +1,7 @@
+---
+skip_list:
+  - role-name
+
+exclude_paths:
+  - vendor/**
+  - .github/**
diff --git a/.checkov.yml b/.checkov.yml
@@ -0,0 +1,8 @@
+---
+skip-check:
+  # Requires all blocks to have rescue: - not considered appropriate
+  - CKV2_ANSIBLE_3
+  - CKV2_GHA_1
+skip-path:
+  - vendor/
+  - collections/
diff --git a/.github/linters/.checkov.yml b/.github/linters/.checkov.yml
@@ -0,0 +1 @@
+../../.checkov.yml
diff --git a/.github/linters/.yamllint.yml b/.github/linters/.yamllint.yml
@@ -0,0 +1 @@
+../../.yamllint.yml
diff --git a/.github/workflows/lint-workflow.yml b/.github/workflows/lint-workflow.yml
@@ -0,0 +1,65 @@
+name: Lint repository
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - ready_for_review
+      - reopened
+    branches:
+      - main
+    paths-ignore:
+      # Ignore any changes that are not actually code changes
+      - .gitignore
+      - LICENSE
+
+permissions:
+  contents: read
+  packages: write
+  # To report GitHub Actions status checks
+  statuses: write
+  security-events: write
+  id-token: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      # To report GitHub Actions status checks
+      statuses: write
+    if: github.repository == 'azimuth-cloud/azimuth-sample-appliance'
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          # super-linter needs the full git history to get the
+          # list of files that changed across commits
+          fetch-depth: 0
+          submodules: true
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint@v25.4.0
+
+      - name: Load super-linter configuration
+        # Use grep inverse matching to exclude eventual comments in the .env file
+        # because the GitHub Actions command to set environment variables doesn't
+        # support comments.
+        # yamllint disable-line rule:line-length
+        # Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#setting-an-environment-variable
+        if: always()
+        run: grep -v '^#' super-linter.env >> "$GITHUB_ENV"
+
+      - name: Run super-linter
+        uses: super-linter/super-linter@v7.3.0
+        if: always()
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VALIDATE_YAML: false
diff --git a/.yamllint.yml b/.yamllint.yml
@@ -0,0 +1,24 @@
+---
+extends: default
+
+rules:
+  brackets:
+    forbid: non-empty
+  comments:
+    # https://github.com/prettier/prettier/issues/6780
+    min-spaces-from-content: 1
+  # https://github.com/adrienverge/yamllint/issues/384
+  comments-indentation: false
+  document-start: disable
+  # 160 chars was the default used by old E204 rule, but
+  # you can easily change it or disable in your .yamllint file.
+  line-length:
+    max: 160
+  # We are adding an extra space inside braces as that's how prettier does it
+  # and we are trying not to fight other linters.
+  braces:
+    min-spaces-inside: 0 # yamllint defaults to 0
+    max-spaces-inside: 1 # yamllint defaults to 0
+  octal-values:
+    forbid-implicit-octal: true # yamllint defaults to false
+    forbid-explicit-octal: true # yamllint defaults to false
diff --git a/README.md b/README.md
@@ -96,19 +96,23 @@ Azimuth user interface. These are controlled by the cluster metadata file.
 
 The following system variables are provided by Azimuth:
 
+<!-- markdownlint-disable -->
+
 | Variable name                     | Description                                                                                                                                                                                                                                                                                                                                                                                                              |
 | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | `cluster_id`                      | The ID of the cluster. Should be used in the [Terraform state key](./group_vars/openstack.yml#L2).                                                                                                                                                                                                                                                                                                                       |
 | `cluster_name`                    | The name of the cluster as given by the user.                                                                                                                                                                                                                                                                                                                                                                            |
 | `cluster_type`                    | The name of the cluster type.                                                                                                                                                                                                                                                                                                                                                                                            |
 | `cluster_user_ssh_public_key`     | The SSH public key of the user that deployed the cluster.                                                                                                                                                                                                                                                                                                                                                                |
 | `cluster_deploy_ssh_public_key`   | A cluster-specific SSH public key generated by the CaaS operator.                                                                                                                                                                                                                                                                                                                                                        |
-| `cluster_ssh_private_key_file`    | The path to a file containing the private key corresponding to `cluster_deploy_ssh_public_key`.<br>This is consumed by the `azimuth_cloud.terraform.infra` role.                                                                                                                                                                                                                                                              |
+| `cluster_ssh_private_key_file`    | The path to a file containing the private key corresponding to `cluster_deploy_ssh_public_key`.<br>This is consumed by the `azimuth_cloud.terraform.infra` role.                                                                                                                                                                                                                                                         |
 | `cluster_network`                 | The name of the project internal network onto which cluster nodes should be placed.                                                                                                                                                                                                                                                                                                                                      |
 | `cluster_floating_network`        | The name of the floating network where floating IPs can be allocated.                                                                                                                                                                                                                                                                                                                                                    |
 | `cluster_upgrade_system_packages` | This variable is set when a PATCH operation is requested.<br>If given and `true`, it indicates that system packages should be upgraded. If not given, it should be assumed to be `false`.<br>The mechanism for acheiving this is appliance-specific, but it is expected to be a disruptive operation (e.g. rebuilding nodes).<br>If not given or set to `false`, disruptive operations should be avoided where possible. |
 | `cluster_state`                   | This variable is set when a DELETE operation is requested.<br>If given and set to `absent` all cluster resources should be deleted, otherwise cluster resources should be updated as normal.                                                                                                                                                                                                                             |
 
+<!-- markdownlint-enable -->
+
 ## Cluster metadata
 
 Each CaaS appliance has a playbook (which may call other playbooks, roles, etc.) and a
@@ -182,3 +186,19 @@ To do this, just use a `debug` task with the variable `outputs` set to a diction
 
 For example, this appliance
 [uses the cluster outputs to return the allocated floating IP](./sample-appliance.yml#L29-L34).
+
+## Developing locally
+
+Locally run the linters that are run in GitHub Actions using:
+
+```sh
+docker run --rm \
+    -e RUN_LOCAL=true \
+    --env-file "super-linter.env" \
+    -v "$(pwd)":/tmp/lint \
+    ghcr.io/super-linter/super-linter:v7.3.0
+```
+
+```sh
+ansible-lint -c .ansible-lint.yml ansible/
+```
diff --git a/group_vars/openstack.yml b/group_vars/openstack.yml
@@ -1,3 +1,4 @@
+---
 # The default Terraform state key for backends that support it
 terraform_state_key: "cluster/{{ cluster_id }}/tfstate"
 
diff --git a/requirements.yml b/requirements.yml
@@ -1,3 +1,4 @@
+---
 collections:
   - name: https://github.com/azimuth-cloud/ansible-collection-terraform
     type: git
diff --git a/roles/backend/tasks/main.yml b/roles/backend/tasks/main.yml
@@ -1,24 +1,26 @@
 ---
-
 - name: Ensure HTML directory exists
-  file:
+  ansible.builtin.file:
     path: /opt/sample-appliance/html
     state: directory
+    mode: '0755'
 
 - name: Install HTML index file
-  template:
+  ansible.builtin.template:
     src: index.html.j2
     dest: /opt/sample-appliance/html/index.html
+    mode: '0644'
   register: html_index
 
 - name: Install Nginx site config
-  template:
+  ansible.builtin.template:
     src: nginx.conf.j2
     dest: /etc/nginx/conf.d/sample-appliance.conf
+    mode: '0644'
   register: nginx_conf
 
 - name: Restart Nginx if required
-  service:
+  ansible.builtin.service:
     name: nginx
     state: restarted
   when: html_index is changed or nginx_conf is changed
diff --git a/roles/cluster_infra/tasks/main.yml b/roles/cluster_infra/tasks/main.yml
@@ -1,31 +1,33 @@
 ---
-
 - name: Install Terraform binary
-  include_role:
+  ansible.builtin.include_role:
     name: azimuth_cloud.terraform.install
 
 - name: Make Terraform project directory
-  file:
+  ansible.builtin.file:
     path: "{{ terraform_project_path }}"
     state: directory
+    mode: '0755'
 
 - name: Write backend configuration
-  copy:
+  ansible.builtin.copy:
     content: |
       terraform {
         backend "{{ terraform_backend_type }}" { }
       }
     dest: "{{ terraform_project_path }}/backend.tf"
+    mode: '0644'
 
 - name: Template Terraform files into project directory
-  template:
+  ansible.builtin.template:
     src: "{{ item }}.j2"
     dest: "{{ terraform_project_path }}/{{ item }}"
+    mode: '0644'
   loop:
     - outputs.tf
     - providers.tf
     - resources.tf
 
 - name: Provision infrastructure
-  include_role:
+  ansible.builtin.include_role:
     name: azimuth_cloud.terraform.infra
diff --git a/roles/cluster_infra/templates/outputs.tf.j2 b/roles/cluster_infra/templates/outputs.tf.j2
@@ -6,7 +6,7 @@ output "cluster_image" {
 
 output "cluster_gateway_ip" {
   description = "The IP address of the gateway used to contact the cluster nodes"
-  value       = "${openstack_networking_floatingip_v2.load_balancer.address}"
+  value       = "${openstack_networking_floatingip_v2.lb_fip.address}"
 }
 
 output "cluster_nodes" {
diff --git a/roles/cluster_infra/templates/resources.tf.j2 b/roles/cluster_infra/templates/resources.tf.j2
@@ -113,11 +113,16 @@ resource "openstack_compute_instance_v2" "backend" {
 ##### Floating IP and association for load balancer
 #####
 
-resource "openstack_networking_floatingip_v2" "load_balancer" {
+resource "openstack_networking_floatingip_v2" "lb_fip" {
   pool = "{{ cluster_floating_network }}"
 }
 
-resource "openstack_compute_floatingip_associate_v2" "load_balancer" {
-  floating_ip = "${openstack_networking_floatingip_v2.load_balancer.address}"
-  instance_id = "${openstack_compute_instance_v2.load_balancer.id}"
+data "openstack_networking_port_v2" "lb_port" {
+  device_id  = "${openstack_compute_instance_v2.load_balancer.id}"
+  network_id = "${openstack_compute_instance_v2.load_balancer.network.0.uuid}"
+}
+
+resource "openstack_networking_floatingip_associate_v2" "fip_associate" {
+  floating_ip = "${openstack_networking_floatingip_v2.lb_fip.address}"
+  port_id     = data.openstack_networking_port_v2.lb_port.id
 }
diff --git a/roles/load_balancer/tasks/main.yml b/roles/load_balancer/tasks/main.yml
@@ -1,13 +1,7 @@
 ---
-
 - name: Install Nginx site config
-  template:
+  ansible.builtin.template:
     src: nginx.conf.j2
     dest: /etc/nginx/conf.d/sample-appliance.conf
-  register: nginx_conf
-
-- name: Restart Nginx if required
-  service:
-    name: nginx
-    state: restarted
-  when: nginx_conf is changed
+    mode: '0644'
+  notify: Restart Nginx
diff --git a/roles/nginx_install/tasks/main.yml b/roles/nginx_install/tasks/main.yml
@@ -1,28 +1,27 @@
 ---
-
 - name: Update apt cache
-  apt:
-    update_cache: yes
+  ansible.builtin.apt:
+    update_cache: true
 
-- name: Install Nginx
-  package:
+- name: Install Nginx  # noqa package-latest
+  ansible.builtin.package:
     name: nginx
     state: latest
   register: nginx_package
 
 - name: Remove default site
-  file:
+  ansible.builtin.file:
     path: /etc/nginx/sites-enabled/default
     state: absent
   register: nginx_default_site
 
 - name: Start and enable Nginx service
-  service:
+  ansible.builtin.service:
     name: nginx
     state: >-
       {{-
         'restarted'
         if nginx_package is changed or nginx_default_site is changed
         else 'started'
       }}
-    enabled: yes
+    enabled: true
diff --git a/sample-appliance.yml b/sample-appliance.yml
@@ -1,34 +1,40 @@
 ---
-
 # Provision the infrastructure
 # The CaaS puts hosts for accessing the OpenStack API into the 'openstack' group
-- hosts: openstack
+- name: Provision the infrastructure
+  hosts: openstack
   roles:
     - cluster_infra
 
-
 # All the hosts get Nginx
-- hosts: cluster
-  become: yes
+# need to set a version for Nginx
+- name: Install Nginx
+  hosts: cluster
+  become: true
   roles:
     - nginx_install
 
 # Configure the backends
-- hosts: backends
-  become: yes
+- name: Configure backends
+  hosts: backends
+  become: true
   roles:
     - backend
 
 # Configure the load-balancer
-- hosts: load_balancers
-  become: yes
+- name: Configure load-balancer
+  hosts: load_balancers
+  become: true
   roles:
     - load_balancer
 
 # Write the outputs as the final task
-- hosts: localhost
+- name: Write outputs
+  hosts: localhost
   tasks:
-    - debug: var=outputs
+    - name: Write outputs
+      ansible.builtin.debug:
+        var: outputs
       vars:
-        outputs: 
+        outputs:
           cluster_access_ip: "{{ hostvars[groups['openstack'][0]].cluster_gateway_ip }}"
diff --git a/super-linter.env b/super-linter.env
@@ -0,0 +1,19 @@
+# Exclude vendor submodules
+FILTER_REGEX_EXCLUDE=.*vendor/.*
+
+# Detect tha tthe default branch is main when running locally
+DEFAULT_BRANCH=main
+
+# Don't validate JSCPD
+VALIDATE_JSCPD=false
+
+# Don't validate JS standard because it conflicts with JS prettier
+VALIDATE_JAVASCRIPT_STANDARD=false
+
+# Don't validate Ansible because ansible-lint is more flexible
+VALIDATE_ANSIBLE=false
+
+# Don't validate YAML prettier because yamllint is sufficient
+VALIDATE_YAML_PRETTIER=false
+
+YAML_CONFIG_FILE=.yamllint.yml
diff --git a/ui-meta/sample-appliance.yml b/ui-meta/sample-appliance.yml

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+---`
`1`	`2`	`# The default Terraform state key for backends that support it`
`2`	`3`	`terraform_state_key: "cluster/{{ cluster_id }}/tfstate"`
`3`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+---`
`1`	`2`	`collections:`
`2`	`3`	`- name: https://github.com/azimuth-cloud/ansible-collection-terraform`
`3`	`4`	`type: git`