move mysql install to prepare step to create a password-less user

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2024-09-20 05:11:53 +00:00 · 2021-03-29 08:52:23 +02:00 · 2021-03-29 08:52:23 +02:00 · e1f0efb220
commit e1f0efb220
parent 73cdd973d7
3 changed files with 30 additions and 39 deletions
--- a/molecule/mysql_hardening/converge.yml
+++ b/molecule/mysql_hardening/converge.yml
@ -22,9 +22,6 @@
        - mysql_python_package_debian is not defined
        - ansible_distribution != "Ubuntu"
        - ansible_distribution_major_version|int < 20
-    - include_role:
-        name: dev-sec.mysql
-
    - include_role:
        name: mysql_hardening
  vars:
--- a/molecule/mysql_hardening/prepare.yml
+++ b/molecule/mysql_hardening/prepare.yml
@ -25,3 +25,33 @@
      file:
        path: "/etc/mysql/conf.d"
        state: directory
+
+    - name: Determine required MySQL Python libraries (Ubuntu Focal Fossa ++)
+      set_fact:
+        mysql_python_package_debian: "python3-pymysql"
+      when:
+        - mysql_python_package_debian is not defined
+        - ansible_distribution == "Ubuntu"
+        - ansible_distribution_major_version|int > 19
+
+    - name: Determine required MySQL Python libraries.
+      set_fact:
+        mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter|default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
+      when:
+        - mysql_python_package_debian is not defined
+        - ansible_distribution != "Ubuntu"
+        - ansible_distribution_major_version|int < 20
+    - include_role:
+        name: dev-sec.mysql
+
+    - name: create a user with an empty password
+      community.mysql.mysql_query:
+        query:
+          - "CREATE USER foo@bar;"
+        login_unix_socket: "{{ login_unix_socket | default(omit) }}"
+  vars:
+    overwrite_global_mycnf: false
+    mysql_root_password: iloverandompasswordsbutthiswilldo
+    mysql_user_password: iloverandompasswordsbutthiswilldo
+    mysql_config_file: /etc/mysql/mariadb.cnf
+    mysql_root_password_update: true
--- a/molecule/mysql_hardening/verify_additional_tests.yml
+++ b/molecule/mysql_hardening/verify_additional_tests.yml
@ -1,36 +0,0 @@
---
- name: check which mysql version is used
-  community.mysql.mysql_info:
-    filter: version
-    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  register: mysql_version
-
- name: get all users that have no password or authentication_string on MySQL version >= 5.7.6
-  community.mysql.mysql_query:
-    query:
-      - select user,host,password from mysql.user where (length(password)=0 or password="") and (length(authentication_string)=0 or authentication_string="") and user NOT IN ('mysql.sys', 'mysqlxsys', 'mariadb.sys');
-    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  register: mysql_users_wo_passwords_or_auth_string
-  when:
-    - mysql_version.version.full is version('5.7.6', '>=')
-
- name: assert that there are no users that have no password or authentication_string on MySQL version >= 5.7.6
-  assert:
-    that:
-      - users_wo_password_or_auth_string == ""
-
- name: get all users that have no password on MySQL version < 5.7.6
-  community.mysql.mysql_query:
-    query:
-      - select user,host,password from mysql.user where (length(password)=0 or password="") and user NOT IN ('mysql.sys', 'mysqlxsys', 'mariadb.sys');
-    login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  register: mysql_users_wo_passwords
-  when:
-    - mysql_version.version.full is version('5.7.6', '<')
-
- name: assert that there are no users that have no password on MySQL version < 5.7.6
-  assert:
-    that:
-      - users_wo_password == ""
-  when:
-    - mysql_version.version.full is version('5.7.6', '<')