Fix all ansible-lint warnings at production profile

.ansible-lint

@@ -9,14 +9,11 @@ exclude_paths:
 
 warn_list:
   - experimental
-  - jinja[spacing]
   - key-order[task]
   - name[casing]
   - name[missing]
   - package-latest
-  - risky-shell-pipe
   - schema[meta]
-  - var-naming[no-role-prefix]
 
 skip_list:
   - command-instead-of-module

molecule/beats_advanced/converge.yml

@@ -54,6 +54,13 @@
     # Queue configuration (disk queue)
     beats_queue_type: disk
     beats_queue_disk_max_size: 512MB
+    # Extra inputs (verify rendering of beats_filebeat_extra_inputs)
+    beats_filebeat_extra_inputs:
+      - type: filestream
+        enabled: true
+        id: extra-test
+        paths:
+          - /var/log/extra-test.log
   tasks:
     - name: Include Elastic repos role
       ansible.builtin.include_role:

molecule/beats_advanced/verify.yml

@@ -60,6 +60,19 @@
           - "'journald' in (filebeat_yml.content | b64decode)"
         fail_msg: "Journald input not found in filebeat.yml"
 
+    - name: Verify log level is debug
+      ansible.builtin.assert:
+        that:
+          - "'level: debug' in (filebeat_yml.content | b64decode)"
+        fail_msg: "Logging level not set to debug in filebeat.yml"
+
+    - name: Verify extra input is rendered
+      ansible.builtin.assert:
+        that:
+          - "'extra-test' in (filebeat_yml.content | b64decode)"
+          - "'extra-test.log' in (filebeat_yml.content | b64decode)"
+        fail_msg: "beats_filebeat_extra_inputs not rendered in filebeat.yml"
+
     - name: Verify file output is configured
       ansible.builtin.assert:
         that:
@@ -107,6 +120,12 @@
           - "'metricbeat.config.modules' in (metricbeat_yml.content | b64decode)"
         fail_msg: "Module config path not found in metricbeat.yml"
 
+    - name: Verify metricbeat output is logstash
+      ansible.builtin.assert:
+        that:
+          - "'output.logstash' in (metricbeat_yml.content | b64decode)"
+        fail_msg: "Metricbeat output not set to logstash"
+
     - name: Verify system module is enabled
       ansible.builtin.stat:
         path: /etc/metricbeat/modules.d/system.yml

molecule/elasticsearch_custom/converge.yml

@@ -42,6 +42,8 @@
     elasticsearch_pamlimits: true
     # Memory lock
     elasticsearch_memory_lock: true
+    # Managed logging (verify log4j2.properties is deployed)
+    elasticsearch_manage_logging: true
   tasks:
     - name: Include Elastic repos
       ansible.builtin.include_role:

molecule/elasticsearch_custom/verify.yml

@@ -154,18 +154,35 @@
           - "'auto_create_index' in es_yml.content | b64decode"
         fail_msg: "action.auto_create_index from elasticsearch_extra_config not found"
 
-    - name: Assert snapshot repo path is configured
-      ansible.builtin.assert:
-        that:
-          - "'/mnt/es-snapshots' in es_yml.content | b64decode"
-        fail_msg: "Snapshot repo path /mnt/es-snapshots not found in elasticsearch.yml"
-
     - name: Assert indices.recovery.max_bytes_per_sec from extra_config
       ansible.builtin.assert:
         that:
           - "'indices.recovery.max_bytes_per_sec' in es_yml.content | b64decode"
         fail_msg: "indices.recovery.max_bytes_per_sec not found (should come from elasticsearch_extra_config)"
 
+    # ── Heap dump path ──────────────────────────────────────────────
+
+    - name: Read JVM paths options
+      ansible.builtin.slurp:
+        src: /etc/elasticsearch/jvm.options.d/50-paths.options
+      register: jvm_paths
+
+    - name: Verify heap dump path is set to custom location
+      ansible.builtin.assert:
+        that:
+          - "'-XX:HeapDumpPath=/data/elasticsearch' in jvm_paths.content | b64decode"
+        fail_msg: "HeapDumpPath not set to /data/elasticsearch"
+
+    # ── Snapshot repo directory ──────────────────────────────────
+
+    - name: Verify snapshot repo path in elasticsearch.yml
+      ansible.builtin.assert:
+        that:
+          - "'path' in es_yml.content | b64decode"
+          - "'repo' in es_yml.content | b64decode"
+          - "'/mnt/es-snapshots' in es_yml.content | b64decode"
+        fail_msg: "Snapshot repo path /mnt/es-snapshots not configured correctly"
+
     # ── Config backup ─────────────────────────────────────────────
 
     - name: Verify config backup was created
@@ -174,9 +191,11 @@
         patterns: "elasticsearch.yml.*"
       register: backups
 
-    - name: Report backup status
-      ansible.builtin.debug:
-        msg: "Found {{ backups.files | length }} config backup(s)"
+    - name: Assert at least one backup exists
+      ansible.builtin.assert:
+        that:
+          - backups.files | length > 0
+        fail_msg: "No elasticsearch.yml backup found despite elasticsearch_config_backup: true"
 
     # ── ML setting ────────────────────────────────────────────────
 
@@ -349,3 +368,22 @@
           - "'xpack.security.transport.ssl.enabled: true' in es_yml.content | b64decode"
           - "'xpack.security.http.ssl.enabled: true' in es_yml.content | b64decode"
         fail_msg: "Security/TLS settings missing from elasticsearch.yml"
+
+    # ── Managed logging (log4j2.properties) ──────────────────────
+
+    - name: Check log4j2.properties exists
+      ansible.builtin.stat:
+        path: /etc/elasticsearch/log4j2.properties
+      register: es_log4j2
+
+    - name: Assert log4j2.properties is deployed
+      ansible.builtin.assert:
+        that:
+          - es_log4j2.stat.exists
+        fail_msg: "log4j2.properties not found (elasticsearch_manage_logging: true)"
+
+    - name: Verify log4j2.properties is owned by elasticsearch group
+      ansible.builtin.assert:
+        that:
+          - es_log4j2.stat.gr_name == 'elasticsearch'
+        fail_msg: "log4j2.properties not owned by elasticsearch group"

molecule/elasticstack_default/converge.yml

@@ -25,7 +25,7 @@
     beats_metricbeat: true
     beats_fields:
       - "testbed: molecule"
-    kibana_extra_config: |-
+    kibana_extra_config:
       ops.interval: 5000
   tasks:
     - name: Enable Elastic installation on RHEL 9

molecule/elasticstack_default/verify.yml

@@ -115,6 +115,18 @@
               - kibana_status.json.status.overall.level == 'available'
             fail_msg: "Kibana status: {{ kibana_status.json.status.overall.level | default('unknown') }}"
 
+        - name: Read kibana.yml
+          ansible.builtin.slurp:
+            src: /etc/kibana/kibana.yml
+          register: kibana_yml
+
+        - name: Verify kibana extra_config is rendered
+          ansible.builtin.assert:
+            that:
+              - "'ops.interval' in (kibana_yml.content | b64decode)"
+              - "'5000' in (kibana_yml.content | b64decode)"
+            fail_msg: "kibana_extra_config (ops.interval: 5000) not found in kibana.yml"
+
     - name: Run Beats checks
       when: "'beats' in group_names"
       block:
@@ -134,6 +146,29 @@
           register: metricbeat_svc
           failed_when: metricbeat_svc.changed
 
+        - name: Read filebeat.yml
+          ansible.builtin.slurp:
+            src: /etc/filebeat/filebeat.yml
+          register: filebeat_yml
+
+        - name: Verify beats_fields is rendered in filebeat.yml
+          ansible.builtin.assert:
+            that:
+              - "'testbed' in (filebeat_yml.content | b64decode)"
+              - "'molecule' in (filebeat_yml.content | b64decode)"
+            fail_msg: "beats_fields (testbed: molecule) not found in filebeat.yml"
+
+        - name: Verify system module is enabled
+          ansible.builtin.stat:
+            path: /etc/filebeat/modules.d/system.yml
+          register: _fb_system_module
+
+        - name: Assert filebeat system module file exists
+          ansible.builtin.assert:
+            that:
+              - _fb_system_module.stat.exists
+            fail_msg: "Filebeat system module not enabled despite beats_filebeat_modules: [system]"
+
         - name: Check auditbeat package is installed
           ansible.builtin.package:
             name: auditbeat

molecule/logstash_advanced/verify.yml

@@ -123,6 +123,40 @@
           - "'config.reload.automatic: true' in (logstash_yml.content | b64decode)"
         fail_msg: "Config autoreload not enabled"
 
+    - name: Verify pipeline.unsafe_shutdown is set
+      ansible.builtin.assert:
+        that:
+          - "'pipeline.unsafe_shutdown' in (logstash_yml.content | b64decode)"
+        fail_msg: "pipeline.unsafe_shutdown not found in logstash.yml"
+
+    # --- JVM heap verification ---
+
+    - name: Read Logstash JVM options
+      ansible.builtin.slurp:
+        src: /etc/logstash/jvm.options
+      register: logstash_jvm
+
+    - name: Verify Logstash heap is set to 512m
+      ansible.builtin.assert:
+        that:
+          - "'-Xms512m' in (logstash_jvm.content | b64decode)"
+          - "'-Xmx512m' in (logstash_jvm.content | b64decode)"
+        fail_msg: "Logstash heap not set to 512m"
+
+    # --- Ident field name verification ---
+
+    - name: Verify exact ident field name
+      ansible.builtin.assert:
+        that:
+          - "'[logstash][instance]' in (filter_content.content | b64decode)"
+        fail_msg: "Ident field name [logstash][instance] not found in 50-filter.conf"
+
+    - name: Verify exact pipeline identifier field name
+      ansible.builtin.assert:
+        that:
+          - "'[logstash][pipeline]' in (filter_content.content | b64decode)"
+        fail_msg: "Pipeline identifier field name [logstash][pipeline] not found in 50-filter.conf"
+
     # --- Pipelines.yml verification (queue settings are per-pipeline) ---
 
     - name: Read pipelines.yml
@@ -204,6 +238,14 @@
           ansible.builtin.fail:
             msg: "Logstash port 5044 did not open within timeout."
 
+    # --- HTTP extra input port check ---
+
+    - name: Check Logstash HTTP input is listening on port 8080
+      ansible.builtin.wait_for:
+        port: 8080
+        timeout: 30
+        state: started
+
     # --- Config syntax validation ---
 
     - name: Get installed Logstash version

molecule/logstash_centralized_pipelines/verify.yml

@@ -76,6 +76,20 @@
           - "'monitoring.enabled: false' in logstash_config"
         fail_msg: "Monitoring not disabled"
 
+    # --- HTTP API binding ---
+
+    - name: Verify HTTP host is set
+      ansible.builtin.assert:
+        that:
+          - "'api.http.host: 127.0.0.1' in logstash_config"
+        fail_msg: "api.http.host not set to 127.0.0.1 in logstash.yml"
+
+    - name: Verify HTTP port is set
+      ansible.builtin.assert:
+        that:
+          - "'api.http.port: 9600' in logstash_config"
+        fail_msg: "api.http.port not set to 9600 in logstash.yml"
+
     # --- Extra config ---
 
     - name: Verify extra_config settings are rendered

molecule/logstash_default/verify.yml

@@ -226,3 +226,23 @@
         that:
           - "'config.reload.automatic: true' in (logstash_yml.content | b64decode)"
         fail_msg: "Config autoreload not found in logstash.yml"
+
+    - name: Verify pipeline.unsafe_shutdown is set
+      ansible.builtin.assert:
+        that:
+          - "'pipeline.unsafe_shutdown' in (logstash_yml.content | b64decode)"
+        fail_msg: "pipeline.unsafe_shutdown not found in logstash.yml"
+
+    # --- JVM heap verification ---
+
+    - name: Read Logstash JVM options
+      ansible.builtin.slurp:
+        src: /etc/logstash/jvm.options
+      register: logstash_jvm
+
+    - name: Verify Logstash heap is set to 512m
+      ansible.builtin.assert:
+        that:
+          - "'-Xms512m' in (logstash_jvm.content | b64decode)"
+          - "'-Xmx512m' in (logstash_jvm.content | b64decode)"
+        fail_msg: "Logstash heap not set to 512m"

molecule/plugins/converge.yml

@@ -15,7 +15,7 @@
     - name: Debug
       ansible.builtin.debug:
         msg: "{{ test }}"
-    - name: Test required parameters (missing path)
+    - name: Test required parameters (missing path)  # noqa: args[module]
       oddly.elasticstack.cert_info:
         passphrase: PleaseChangeMe
       failed_when: false
@@ -37,6 +37,6 @@
       oddly.elasticstack.cert_info:
         path: files/es-ca/elastic-stack-ca.p12
       failed_when: false
-    - name: Test no parameters
+    - name: Test no parameters  # noqa: args[module]
       oddly.elasticstack.cert_info:
       failed_when: false

roles/beats/defaults/main.yml

@@ -35,6 +35,12 @@ beats_logging_permissions: "0644"
 
 # === TLS Certificates ===
 
+# @var beats_ca_dir:description: >
+#   Directory where Beat TLS certificates are stored. Auto-set to
+#   /etc/beats/certs in full_stack mode or /opt/ca otherwise.
+# @end
+beats_ca_dir: "/etc/beats/certs"
+
 # @var beats_tls_key:description: Path to the Beat TLS private key file
 beats_tls_key: "{{ beats_ca_dir }}/{{ inventory_hostname }}-beats.key"
 # @var beats_tls_cert:description: Path to the Beat TLS certificate file
@@ -152,14 +158,13 @@ beats_filebeat_extra_inputs: []
 
 # @var beats_filebeat_mysql_slowlog_input:description: Enable MySQL slow query log input with multiline parsing
 beats_filebeat_mysql_slowlog_input: false
-# @var beats_filebeat_modules:description: List of Filebeat modules to enable
+# @var beats_filebeat_modules:description: List of Filebeat modules to enable. Leave empty to disable module management
 # @var beats_filebeat_modules:example: >
 # beats_filebeat_modules:
 #   - system
 #   - nginx
 # @end
-# beats_filebeat_modules:
-#   - system
+beats_filebeat_modules: []
 
 # === Auditbeat Configuration ===
 

roles/beats/tasks/auditbeat.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: Install Auditbeat
+- name: auditbeat | Install Auditbeat
   ansible.builtin.include_tasks: beat-install.yml
   vars:
     _beat_name: auditbeat
 
-- name: Configure Auditbeat
+- name: auditbeat | Configure Auditbeat
   ansible.builtin.template:
     src: auditbeat.yml.j2
     dest: /etc/auditbeat/auditbeat.yml
@@ -19,7 +19,7 @@
     - beats_auditbeat_configuration
     - beats_configuration
 
-- name: Setup Auditbeat in Elasticsearch
+- name: auditbeat | Setup Auditbeat in Elasticsearch
   ansible.builtin.shell: >
     /usr/bin/auditbeat setup --pipelines --index-management &&
     /usr/bin/auditbeat version > /etc/auditbeat/pipeline_created
@@ -33,7 +33,7 @@
     - beats_auditbeat_setup | bool
     - beats_auditbeat_output == "elasticsearch"
 
-- name: Start Auditbeat
+- name: auditbeat | Start Auditbeat
   ansible.builtin.service:
     name: auditbeat
     state: started