Added where possible the wazuh-manager role idempotent. Have to disable this because of issue #107

molecule/default/molecule.yml

@@ -37,6 +37,20 @@ provisioner:
     enabled: true # fix in seperate PR
 scenario:
   name: default
+  test_sequence:
+    - lint
+    - dependency
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    # - idempotence
+    - side_effect
+    - verify
+    - cleanup
+    - destroy
 verifier:
   name: testinfra
   lint:

roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml

@@ -31,6 +31,7 @@
     repo: 'deb https://packages.wazuh.com/3.x/apt/ stable main'
     state: present
     update_cache: yes
+  changed_when: False
 
 - name: Debian/Ubuntu | Installing NodeJS repository key (Ubuntu 14)
   become: yes
@@ -55,6 +56,7 @@
     repo: "deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main"
     state: present
     update_cache: yes
+  changed_when: False
 
 - name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu
   set_fact:
@@ -101,7 +103,7 @@
   shell: "dpkg-query --showformat='${Version}' --show libopenscap8"
   when: wazuh_manager_config.openscap.disable == 'no'
   register: openscap_version
-  changed_when: true
+  changed_when: False
   tags:
     - config
 
@@ -109,6 +111,6 @@
   shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?"
   when: wazuh_manager_config.openscap.disable == 'no'
   register: openscap_version_valid
-  changed_when: true
+  changed_when: False
   tags:
     - config

roles/wazuh/ansible-wazuh-manager/tasks/RMDebian.yml

@@ -3,8 +3,10 @@
   apt_repository:
     repo: deb https://packages.wazuh.com/apt {{ ansible_distribution_release }} main
     state: absent
+  changed_when: False
 
 - name: Debian/Ubuntu | Remove Nodejs repository.
   apt_repository:
     repo: deb https://deb.nodesource.com/node_6.x {{ ansible_distribution_release }} main
     state: absent
+  changed_when: False

roles/wazuh/ansible-wazuh-manager/tasks/RMRedHat.yml

@@ -3,8 +3,10 @@
   yum_repository:
     name: NodeJS
     state: absent
+  changed_when: False
 
 - name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata)
   yum_repository:
     name: wazuh_repo
     state: absent
+  changed_when: False

roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml

@@ -6,6 +6,7 @@
     baseurl: https://rpm.nodesource.com/pub_6.x/el/{{ ansible_distribution_major_version }}/x86_64
     gpgkey: https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL
     gpgcheck: yes
+  changed_when: False
   when:
     - ansible_distribution_major_version|int > 5
 
@@ -42,6 +43,7 @@
     baseurl: https://packages.wazuh.com/3.x/yum/
     gpgkey: https://packages.wazuh.com/key/GPG-KEY-WAZUH
     gpgcheck: yes
+  changed_when: False
   when:
     - (ansible_distribution_major_version|int > 5) or (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA")
 

roles/wazuh/ansible-wazuh-manager/tasks/main.yml

@@ -329,12 +329,16 @@
     group: ossec
     mode: 0640
   no_log: true
+  register: wazuh_manager_cdb_lists
+  until: wazuh_manager_cdb_lists is succeeded
   notify:
     - rebuild cdb_lists
     - restart wazuh-manager
   with_items:
     - "{{ cdb_lists }}"
-  when: cdb_lists is defined
+  when:
+    - cdb_lists is defined
+    - cdb_lists is iterable
   tags:
     - config