sap_fapolicy and sap_rhsm: Refactor RHEL Specific roles

roles/sap_fapolicy/README.md

@@ -1,85 +1,113 @@
+<!-- BEGIN Title -->
 # sap_fapolicy Ansible Role
+<!-- END Title -->
+
+## Description
+<!-- BEGIN Description -->
+The Ansible Role `sap_rhsm` is used to update fapolicy configuration for SAP Systems. 
+<!-- END Description -->
+
+<!-- BEGIN Dependencies -->
+<!-- END Dependencies -->
+
+<!-- BEGIN Prerequisites -->
+## Prerequisites
+Managed nodes:
+- Supported Operating System: Red Hat
+<!-- END Prerequisites -->
+
+## Execution
+<!-- BEGIN Execution -->
+<!-- END Execution -->
+### Example
+<!-- BEGIN Execution Example -->
+Configuration with `sap_fapolicy_type` set to `generic`.
+```yaml
+---
+- hosts: all
+  become: true
+  tasks:
+    - name: Configure fapolicy
+      ansible.builtin.include_role:
+        name: community.sap_operations.sap_fapolicy
+      vars:
+        sap_fapolicy_type: "generic"
+```
+
+Configuration for all SAP Systems on managed node.
+```yaml
+---
+- hosts: all
+  become: true
+  tasks:
+    - name: Run sap_facts module to gather SAP facts
+      community.sap_operations.sap_facts:
+        param: "all"
+      register: sap_facts_register
+
+    - name: Fapolicy Update - SAP Users
+      vars:
+        sap_fapolicy_sid: "{{ item.Type }}"
+        sap_fapolicy_type: "{{ item.Type }}"
+      ansible.builtin.include_role:
+        name: community.sap_operations.sap_fapolicy
+      loop: "{{ sap_facts_register.sap_facts }}"
+```
+<!-- END Execution Example -->
 
-Ansible role for updating fapolicy entries based on SAP instance numbers
+<!-- BEGIN Role Tags -->
+<!-- END Role Tags -->
 
-- **Generic** - use the `generic` option to update entries directly by providing a list of users
-- **SAP NW** - use the `nw` option to update SAP NW entries
-- **SAP HANA** - use the `hana` option to update SAP HANA entries
+<!-- BEGIN Further Information -->
+<!-- END Further Information -->
 
-## Overview
+## License
+<!-- BEGIN License -->
+Apache 2.0
+<!-- END License -->
 
-Fapolicy entries will be updated to allow access to the following directories
-  - "/hana/"
-  - "/sapmnt/"
-  - "/usr/sap/"
-  - "/software/"
-  - "/var/tmp/"
-  - "/tmp/"
+## Maintainers
+<!-- BEGIN Maintainers -->
+- SAP LinuxLab
+<!-- END Maintainers -->
 
-![](/docs/diagrams/sap_fapolicy_workflow.svg)
+## Role Variables
+<!-- BEGIN Role Variables -->
+### sap_fapolicy_type
+- **Required**<br>
+- _Type:_ `string`<br>
+- _Default:_ `generic`<br>
 
-### Variables
+Select fapolicy type to configure. Options: `generic`, `nw`, `hana`.<br>
 
-| **Variable**        | **Info**                                    | **Default** | **Required**      |
-| :---                | :---                                        | :---        | :---              |
-| sap_fapolicy_type   | 'generic' / 'nw' / 'hana'                   | 'generic'   | yes               |
-| sap_fapolicy_user   | Unix user to include in fapolicy entries    | <none>      | if 'generic'      |
-| sap_fapolicy_sid    | SAP system SID                              | <none>      | if 'nw' / 'hana'  |
+### sap_fapolicy_user
+- _Type:_ `string`<br>
 
-### Input and Execution
+The user for fapolicy configuration.<br>
+Mandatory when `sap_fapolicy_type` is set to `generic`.<br>
+Automatically set as `sap_fapolicy_sid` + 'adm' if `sap_fapolicy_type` is `nw` or `hana`.<br>
 
-- Sample execution:
+### sap_fapolicy_uid
+- _Type:_ `string`<br>
 
-    ```bash
-    ansible-playbook --connection=local --limit localhost -i "localhost," sap-fapolicy-update.yml"
-    ```
+The User ID of provided user `sap_fapolicy_user`.<br>
+Automatically set if `sap_fapolicy_user` or `sap_fapolicy_sid` is provided.<br>
 
-- Sample playbook using `generic` option
+### sap_fapolicy_sid
+- _Type:_ `string`<br>
 
-    ```yaml
-    ---
-    - hosts: all
-      become: true
+The SAP System ID (3 letter String).<br>
+Mandatory when `sap_fapolicy_type` is set to `nw` or `hana`.<br>
 
-      vars:
-        sap_fapolicy_user_generic_list:
-          - "root"
-          - "sapadm"
-          - "uuidd"
-
-      tasks:
-
-      # Update fapolicy for generic users
-      - name: Fapolicy Update - generic
-        vars:
-          sap_fapolicy_type: "generic"
-        ansible.builtin.include_role:
-          name: community.sap_operations.sap_fapolicy
-        loop: "{{ sap_fapolicy_user_generic_list }}"
-        loop_control:
-          loop_var: sap_fapolicy_user
-    ```
-
-- Sample playbook using `sap_facts` module to get all SAP systems in the host
-
-    ```yaml
-    ---
-    - hosts: all
-      become: true
-
-      tasks:
-
-      - name: Run sap_facts module to gather SAP facts
-        community.sap_operations.sap_facts:
-            param: "all"
-        register: sap_facts_register
-
-      # Update fapolicy for SAP users
-      - name: Fapolicy Update - SAP Users
-        vars:
-          sap_fapolicy_sid: "{{ item.Type }}"
-          sap_fapolicy_type: "{{ item.Type }}"
-        ansible.builtin.include_role:
-          name: community.sap_operations.sap_fapolicy
-        loop: "{{ sap_facts_register.sap_facts }}"
-    ```
+### sap_fapolicy_directory_list
+- _Type:_ `list`<br>
+- _Default:_ `['/hana/', '/sapmnt/', '/usr/sap/', '/software/', '/var/tmp/', '/tmp/']`<br>
+
+The list of directories for fapolicy configuration.<br>
+
+### sap_fapolicy_rules_header
+- _Type:_ `string`<br>
+- _Default:_ `# Allow rules for SAP directories`<br>
+
+The header line to add to fapolicy rules.<br>
+<!-- END Role Variables -->

roles/sap_fapolicy/defaults/main.yml

@@ -1,18 +1,24 @@
-# https://access.redhat.com/discussions/3936201
+# SPDX-License-Identifier: Apache-2.0
+---
+# RHEL 7 KB Note: https://access.redhat.com/discussions/3936201
 
-sap_fapolicy_sid:
-sap_fapolicy_type: "generic"
+# Select fapolicy type to configure. Options: 'generic', 'nw', 'hana'.
+sap_fapolicy_type: 'generic'
 
-sap_fapolicy_user:
-sap_fapolicy_uid:
+# The user for fapolicy configuration.
+# Mandatory when `sap_fapolicy_type` is set to 'generic'.
+# Automatically set as `sap_fapolicy_sid` + 'adm' if `sap_fapolicy_type` is 'nw' or 'hana'.
+sap_fapolicy_user: ''
 
-# sap_fapolicy_user_list:
-#   - "root"
-#   - "sapadm"
-#   - "uuidd"
+# The User ID of provided user `sap_fapolicy_user`.
+# Automatically set if `sap_fapolicy_user` or `sap_fapolicy_sid` is provided.
+sap_fapolicy_uid: ''
 
-# sap_fapolicy_uid_list: []
+# The SAP System ID (3 letter String).
+# Mandatory when `sap_fapolicy_type` is set to 'nw' or 'hana'.
+sap_fapolicy_sid: ''
 
+# The list of directories for fapolicy configuration.
 sap_fapolicy_directory_list:
   - "/hana/"
   - "/sapmnt/"
@@ -21,4 +27,5 @@ sap_fapolicy_directory_list:
   - "/var/tmp/"
   - "/tmp/"
 
+# The header line to add to fapolicy rules.
 sap_fapolicy_rules_header: "# Allow rules for SAP directories"

roles/sap_fapolicy/tasks/enable_fapolicy.yml

@@ -1,5 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
 ---
-- name: SAP Faplocy - Service fapolicy state - start & enable
+- name: Enable - Start and enable fapolicyd service
   ansible.builtin.systemd:
     state: started
     name: fapolicyd

roles/sap_fapolicy/tasks/main.yml

@@ -1,39 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
 ---
-- name: SAP Fapolicy - Gathering Package Facts
+- name: Assert that the Operating System of Managed node is Red Hat
+  ansible.builtin.assert:
+    that:
+      - ansible_os_family == "RedHat"
+    fail_msg: |
+      Ensure that the role is executed on supported managed node operating system Red Hat.
+      Detected: {{ ansible_os_family }}
+      Expected: RedHat
+
+
+- name: Gather Package Facts
   ansible.builtin.package_facts:
     manager: auto
 
-- name: SAP Fapolicy - Setup
+- name: Block to execute SAP fapolicy configuration
+  when:
+    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
+    - '"fapolicyd" in ansible_facts.packages'
   block:
-    - name: Get sidadm user of SID
-      ansible.builtin.include_tasks: get_sidadm_user.yml
-      when:
-        - "'generic' not in sap_fapolicy_type"
-        - sap_fapolicy_user is defined
-
-    # # At this point, we should have all sidadm user + the default users
-    # - debug:
-    #     msg:
-    #       - "{{ sap_fapolicy_user_list }}"
+    - name: Assert that the variable 'sap_fapolicy_type' is valid
+      ansible.builtin.assert:
+        that:
+          - sap_fapolicy_type is defined
+          - sap_fapolicy_type is string
+          - sap_fapolicy_type | trim | length > 0
+          - sap_fapolicy_type in ['generic', 'nw', 'hana']
+        fail_msg: |
+          The variable 'sap_fapolicy_type' is undefined or invalid!
+          Available options: generic, nw, hana
 
-    # Get UIDs of users
-    # List is stored in sap_fapolicy_uid_list
-    - name: Get UID of user
-      vars:
-        passed_user: "{{ sap_fapolicy_user | lower }}"
-      ansible.builtin.include_tasks: get_user_uid.yml
+    - name: Set fapolicy variables
+      ansible.builtin.include_tasks:
+        file: "set_vars.yml"
 
-    # # At this point, we should have all uids
-    # - debug:
-    #     msg:
-    #       - "{{ sap_fapolicy_uid_list }}"
+    - name: Enable SAP fapolicy
+      ansible.builtin.include_tasks:
+        file: "enable_fapolicy.yml"
 
-    - name: SAP Fapolicy - Enable Fapolicy
-      ansible.builtin.include_tasks: "enable_fapolicy.yml"
-
-    - name: SAP Fapolicy - Update Fapolicy
-      ansible.builtin.include_tasks: "update_fapolicy.yml"
-
-  when:
-    - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker"
-    - '"fapolicyd" in ansible_facts.packages'
+    - name: Update SAP fapolicy
+      ansible.builtin.include_tasks:
+        file: "update_fapolicy.yml"