test: ensure role gathers the facts it uses by having test clear_facts before include_role

richm · richm · commit ed6cfacfb959 · 2026-03-19T11:18:29.000-06:00
The role gathers the facts it uses.  For example, if the user uses
`ANSIBLE_GATHERING=explicit`, the role uses the `setup` module with the
facts and subsets it requires.

This change allows us to test this.  Before every role invocation, the test
will use `meta: clear_facts` so that the role starts with no facts.

Create a task file tests/tasks/run_role_with_clear_facts.yml to do the tasks
to clear the facts and run the role.  Note that this means we don't need to
use `gather_facts` for the tests.

Some vars defined using `ansible_facts` have been changed to be defined with
`set_fact` instead.  This is because of the fact that `vars` are lazily
evaluated - the var might be referenced when the facts have been cleared, and
will issue an error like `ansible_facts["distribution"] is undefined`.  This is
typically done for blocks that have a `when` condition that uses `ansible_facts`
and the block has a role invocation using run_role_with_clear_facts.yml
These have been rewritten to define the `when` condition using `set_fact`.  This
is because the `when` condition is evaluated every time a task is invoked in the
block, and if the facts are cleared, this will raise an undefined variable error.

Signed-off-by: Rich Megginson &lt;rmeggins@redhat.com&gt;
diff --git a/tests/tasks/run_role_with_clear_facts.yml b/tests/tasks/run_role_with_clear_facts.yml
@@ -0,0 +1,37 @@
+---
+# Task file: clear_facts, run linux-system-roles.crypto_policies.
+# Include this with include_tasks or import_tasks
+# Input:
+# - __sr_tasks_from: tasks_from to run - same as tasks_from in include_role
+# - __sr_public: export private vars from role - same as public in include_role
+# - __sr_failed_when: set to false to ignore role errors - same as failed_when in include_role
+- name: Clear facts
+  meta: clear_facts
+
+# note that you can use failed_when with import_role but not with include_role
+# so this simulates the __sr_failed_when false case
+# Q: Why do we need a separate task to run the role normally?  Why not just
+# run the role in the block and rethrow the error in the rescue block?
+# A: Because you cannot rethrow the error in exactly the same way as the role does.
+# It might be possible to exactly reconstruct ansible_failed_result but it's not worth the effort.
+- name: Run the role with __sr_failed_when false
+  when:
+    - __sr_failed_when is defined
+    - not __sr_failed_when
+  block:
+    - name: Run the role
+      include_role:
+        name: linux-system-roles.crypto_policies
+        tasks_from: "{{ __sr_tasks_from | default('main') }}"
+        public: "{{ __sr_public | default(false) }}"
+  rescue:
+    - name: Ignore the failure when __sr_failed_when is false
+      debug:
+        msg: Ignoring failure when __sr_failed_when is false
+
+- name: Run the role normally
+  include_role:
+    name: linux-system-roles.crypto_policies
+    tasks_from: "{{ __sr_tasks_from | default('main') }}"
+    public: "{{ __sr_public | default(false) }}"
+  when: __sr_failed_when | d(true)
diff --git a/tests/tests_bootc_e2e.yml b/tests/tests_bootc_e2e.yml
@@ -4,15 +4,13 @@
   hosts: all
   tags:
     - tests::bootc-e2e
-  gather_facts: false
 
   tasks:
     - name: Bootc image build preparation
       when: ansible_connection | d("") == "buildah"
       block:
         - name: Change crypto policy to FUTURE
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: FUTURE
 
@@ -25,8 +23,7 @@
         - name: Restore policy to DEFAULT
           tags:
             - tests::cleanup
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: DEFAULT
 
diff --git a/tests/tests_default.yml b/tests/tests_default.yml
@@ -2,10 +2,10 @@
 ---
 - name: Ensure that the role runs with default parameters
   hosts: all
-  roles:
-    - linux-system-roles.crypto_policies
-  gather_facts: false
   tasks:
+    - name: Run linux-system-roles.crypto_policies
+      include_tasks: tasks/run_role_with_clear_facts.yml
+
     - name: Verify the facts are correctly set
       block:
         - name: Flush handlers
diff --git a/tests/tests_include_vars_from_parent.yml b/tests/tests_include_vars_from_parent.yml
@@ -1,7 +1,6 @@
 ---
 - name: Test role include variable override
   hosts: all
-  gather_facts: true
   tasks:
     - name: Create var file in caller that can override the one in called role
       delegate_to: localhost
diff --git a/tests/tests_no_package_update.yml b/tests/tests_no_package_update.yml
@@ -13,8 +13,7 @@
       no_log: true
 
     - name: Include role
-      include_role:
-        name: linux-system-roles.crypto_policies
+      include_tasks: tasks/run_role_with_clear_facts.yml
 
     - name: Refresh package facts
       package_facts:
diff --git a/tests/tests_reboot.yml b/tests/tests_reboot.yml
@@ -9,8 +9,7 @@
     - name: Run test
       block:
         - name: Ensure we can set crypto policy including reboot of the system
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: FUTURE
             crypto_policies_reboot_ok: true
@@ -29,8 +28,7 @@
         - name: Restore policy to DEFAULT
           tags:
             - tests::cleanup
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: DEFAULT
             crypto_policies_reboot_ok: true
diff --git a/tests/tests_reload.yml b/tests/tests_reload.yml
@@ -8,17 +8,15 @@
     - name: Run test
       block:
         - name: Run role to make sure all dependencies are installed
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
 
         - name: Get SSHD pid before policy update
           slurp:
             src: /var/run/sshd.pid
           register: sshd_pid_before
 
         - name: Change policy from DEFAULT TO LEGACY (disable reload)
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: LEGACY
             crypto_policies_reload: false
@@ -38,8 +36,7 @@
               - sshd_pid_before.content == sshd_pid_after_first.content
 
         - name: Change policy from LEGACY to DEFAULT (reload by default)
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: DEFAULT
 
@@ -62,8 +59,7 @@
         - name: Restore policy to DEFAULT
           tags:
             - tests::cleanup
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: DEFAULT
         - name: Check restoration
diff --git a/tests/tests_update.yml b/tests/tests_update.yml
@@ -6,8 +6,7 @@
     - name: Run test
       block:
         - name: Set correct base policy
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: LEGACY
             crypto_policies_reload: false
@@ -26,8 +25,7 @@
               else 'DEFAULT:' ~ crypto_policies_available_subpolicies[0] }}"
 
         - name: Set correct base policy and subpolicy
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: "{{ __policy_and_sub }}"
             crypto_policies_reload: false
@@ -40,8 +38,7 @@
         - name: Setting incorrect base policy should fail
           block:
             - name: Set incorrect base policy
-              include_role:
-                name: linux-system-roles.crypto_policies
+              include_tasks: tasks/run_role_with_clear_facts.yml
               vars:
                 crypto_policies_policy: NOEXIST
                 crypto_policies_reload: false
@@ -59,8 +56,7 @@
         - name: Setting incorrect subpolicy should fail
           block:
             - name: Set incorrect subpolicy
-              include_role:
-                name: linux-system-roles.crypto_policies
+              include_tasks: tasks/run_role_with_clear_facts.yml
               vars:
                 crypto_policies_policy: DEFAULT:NOEXIST
                 crypto_policies_reload: false
@@ -79,8 +75,7 @@
         - name: Restore policy to DEFAULT
           tags:
             - tests::cleanup
-          include_role:
-            name: linux-system-roles.crypto_policies
+          include_tasks: tasks/run_role_with_clear_facts.yml
           vars:
             crypto_policies_policy: DEFAULT
         - name: Check restoration
