Consistently access facts via the ansible_facts.* namespace

Normo · Normo · commit 40e7b02f55fc · 2025-11-20T09:08:54.000+01:00
Signed-off-by: Norman Ziegner &lt;n.ziegner@hzdr.de&gt;
diff --git a/molecule/mysql_hardening/converge.yml b/molecule/mysql_hardening/converge.yml
@@ -12,22 +12,22 @@
         mysql_python_package_debian: python3-pymysql
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution == "Ubuntu"
-        - ansible_distribution_major_version|int > 19
+        - ansible_facts.distribution == "Ubuntu"
+        - ansible_facts.distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
       ansible.builtin.set_fact:
         mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution != "Ubuntu"
-        - ansible_distribution_major_version|int < 20
+        - ansible_facts.distribution != "Ubuntu"
+        - ansible_facts.distribution_major_version|int < 20
 
     - name: Use Python 3 on Suse
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_os_family == 'Suse'
+        - ansible_facts.os_family == 'Suse'
 
     - name: Include mysql_hardening role
       ansible.builtin.include_role:
diff --git a/molecule/mysql_hardening/prepare.yml b/molecule/mysql_hardening/prepare.yml
@@ -17,25 +17,25 @@
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_distribution == 'Debian'
-        - ansible_distribution_major_version|int >= 11
+        - ansible_facts.distribution == 'Debian'
+        - ansible_facts.distribution_major_version|int >= 11
 
     - name: Use Python 3 on Suse
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_os_family == 'Suse'
+        - ansible_facts.os_family == 'Suse'
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
         upgrade: safe
         update_cache: true
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Install required python packages on Suse
       ansible.builtin.command: zypper -n install python311-rpm python311-PyMySQL
       changed_when: false
-      when: ansible_os_family == 'Suse'
+      when: ansible_facts.os_family == 'Suse'
 
     - name: Create missing directory
       ansible.builtin.file:
@@ -48,23 +48,23 @@
         mysql_python_package_debian: python3-pymysql
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution == "Ubuntu"
-        - ansible_distribution_major_version|int > 19
+        - ansible_facts.distribution == "Ubuntu"
+        - ansible_facts.distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
       ansible.builtin.set_fact:
         mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution != "Ubuntu"
-        - ansible_distribution_major_version|int < 20
+        - ansible_facts.distribution != "Ubuntu"
+        - ansible_facts.distribution_major_version|int < 20
 
     - name: Install required MySQL Python libraries on RHEL
       ansible.builtin.dnf:
         name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
       when:
-        - ansible_os_family == "RedHat"
-        - ansible_distribution_major_version == "7"
+        - ansible_facts.os_family == "RedHat"
+        - ansible_facts.distribution_major_version == "7"
 
     - name: Install mysql with a generic Ansible role
       ansible.builtin.include_role:
diff --git a/molecule/mysql_hardening/verify.yml b/molecule/mysql_hardening/verify.yml
@@ -11,14 +11,14 @@
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_os_family == 'Suse'
+        - ansible_facts.os_family == 'Suse'
 
     - name: Install procps for debian systems
       ansible.builtin.apt:
         name: procps
         state: present
         update_cache: true
-      when: ansible_distribution == 'Debian'
+      when: ansible_facts.distribution == 'Debian'
 
     - name: Include tests for the service
       ansible.builtin.include_tasks: verify_tasks/service.yml
diff --git a/molecule/nginx_hardening/prepare.yml b/molecule/nginx_hardening/prepare.yml
@@ -16,7 +16,7 @@
     - name: Set correct distribution Version for Amazon Linux
       ansible.builtin.set_fact:
         ansible_distribution_major_version: 7
-      when: ansible_distribution == 'Amazon'
+      when: ansible_facts.distribution == 'Amazon'
 
     - name: Install nginx with a generic Ansible role
       ansible.builtin.include_role:
diff --git a/molecule/nginx_hardening/verify.yml b/molecule/nginx_hardening/verify.yml
@@ -12,7 +12,7 @@
         name: procps
         state: present
         update_cache: true
-      when: ansible_distribution == 'Debian'
+      when: ansible_facts.distribution == 'Debian'
 
 - name: Verify
   hosts: localhost
diff --git a/molecule/os_hardening/prepare.yml b/molecule/os_hardening/prepare.yml
@@ -16,7 +16,7 @@
       ansible.builtin.apt:
         upgrade: safe
         update_cache: true
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml
diff --git a/molecule/os_hardening_vm/converge.yml b/molecule/os_hardening_vm/converge.yml
@@ -30,7 +30,7 @@
         os_mnt_var_options: rw,nosuid,nodev,compress=zstd:1,subvol=var
       when:
         - ansible_facts.distribution == 'Fedora'
-        - ansible_distribution_major_version|int == 40
+        - ansible_facts.distribution_major_version|int == 40
 
     - name: Include os_hardening role
       ansible.builtin.include_role:
diff --git a/molecule/os_hardening_vm/prepare.yml b/molecule/os_hardening_vm/prepare.yml
@@ -26,7 +26,7 @@
       ansible.builtin.dpkg_selections:
         name: grub-pc
         selection: hold
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     # we need to free up space, since the /boot partition in some Vagrant images is
     # pretty small and system updates might fail
@@ -35,20 +35,20 @@
         paths: /boot
         patterns: "initrd.img*"
       register: find_results
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Delete all initrd.img to free space on /boot
       ansible.builtin.file:
         path: "{{ item['path'] }}"
         state: absent
       with_items: "{{ find_results['files'] }}"
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
         upgrade: safe
         update_cache: true
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Install required tools on fedora
       ansible.builtin.dnf:
diff --git a/roles/os_hardening/tasks/ctrlaltdel.yml b/roles/os_hardening/tasks/ctrlaltdel.yml
@@ -4,4 +4,4 @@
     name: ctrl-alt-del.target
     masked: true
     daemon_reload: true
-  when: ansible_service_mgr == "systemd"
+  when: ansible_facts.service_mgr == "systemd"
diff --git a/roles/os_hardening/tasks/limits.yml b/roles/os_hardening/tasks/limits.yml
@@ -37,7 +37,7 @@
         group: root
         mode: "0755"
         state: directory
-      when: ansible_service_mgr == "systemd"
+      when: ansible_facts.service_mgr == "systemd"
 
     - name: Create custom.conf for disabling coredumps
       ansible.builtin.template:
@@ -46,7 +46,7 @@
         owner: root
         group: root
         mode: "0644"
-      when: ansible_service_mgr == "systemd"
+      when: ansible_facts.service_mgr == "systemd"
       notify: Reload systemd
 
 - name: Enable coredumps
@@ -56,7 +56,7 @@
       ansible.builtin.file:
         path: /etc/systemd/coredump.conf.d
         state: absent
-      when: ansible_service_mgr == "systemd"
+      when: ansible_facts.service_mgr == "systemd"
       notify: Reload systemd
 
     - name: Remove 10.hardcore.conf config file
diff --git a/roles/os_hardening/tasks/sysctl.yml b/roles/os_hardening/tasks/sysctl.yml
@@ -9,7 +9,7 @@
   when: ansible_facts.os_family == 'RedHat'
 
 - name: Change sysctls
-  when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
+  when: ansible_facts.virtualization_type not in ['docker', 'lxc', 'openvz']
   block:
     - name: Protect sysctl.conf
       ansible.builtin.file:
