feat: add role fingerprints to syslog #181

Merged: richm merged 1 commit into linux-system-roles:main from richm:fingerprint, Apr 27, 2026

richm commented Apr 27, 2026 (Contributor)

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add syslog fingerprinting for the PostgreSQL system role and verify it via journal inspection.

New Features:

  • Introduce sr_fingerprint Ansible module to write timestamped fingerprint messages to syslog.
  • Record role 'begin' and 'success' fingerprint messages for the PostgreSQL system role, including Ansible and platform metadata.

Tests:

  • Add an integration test that checks the system journal for the expected begin and success fingerprint messages when the role runs.

richm requested a review from spetrosi as a code owner April 27, 2026 16:13

sourcery-ai Bot commented Apr 27, 2026
Reviewer's Guide

Adds an sr_fingerprint Ansible module to write role begin/success markers to syslog, wires it into the postgresql system role, and introduces a journalctl-based test plus sanity ignore files for the new module.

Sequence diagram for syslog role fingerprinting on PostgreSQL role run

sequenceDiagram
    actor Administrator
    participant AnsibleController
    participant PostgresqlRole_set_vars as PostgresqlRole_set_vars.yml
    participant PostgresqlRole_main as PostgresqlRole_main.yml
    participant SrFingerprintModule as sr_fingerprint
    participant Syslog as System_log

    Administrator->>AnsibleController: Run postgresql role playbook
    AnsibleController->>PostgresqlRole_set_vars: Execute tasks in set_vars.yml
    PostgresqlRole_set_vars->>SrFingerprintModule: sr_fingerprint(sr_message="begin system_role:postgresql ...")
    SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds()
    SrFingerprintModule->>Syslog: module.log("begin system_role:postgresql ... <timestamp>")
    SrFingerprintModule-->>PostgresqlRole_set_vars: exit_json(changed=False)

    AnsibleController->>PostgresqlRole_main: Execute tasks in main.yml
    PostgresqlRole_main->>PostgresqlRole_main: Configure PostgreSQL
    PostgresqlRole_main->>SrFingerprintModule: sr_fingerprint(sr_message="success system_role:postgresql ...")
    SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds()
    SrFingerprintModule->>Syslog: module.log("success system_role:postgresql ... <timestamp>")
    SrFingerprintModule-->>PostgresqlRole_main: exit_json(changed=False)

    PostgresqlRole_main-->>AnsibleController: Role completed
    AnsibleController-->>Administrator: Report role finished successfully

Class diagram for sr_fingerprint Ansible module structure

classDiagram
    class SrFingerprintModule {
        +run_module()
        +main()
        -_local_iso8601_no_microseconds() str
    }

    class AnsibleModule {
        +params dict
        +check_mode bool
        +log(message)
        +exit_json(**kwargs)
    }

    class datetime {
        +datetime.now(tz)
        +timezone.utc
    }

    class time {
        +strftime(format, struct_time)
        +localtime()
    }

    SrFingerprintModule ..> AnsibleModule : uses
    SrFingerprintModule ..> datetime : uses
    SrFingerprintModule ..> time : fallback_uses

    SrFingerprintModule : +attribute sr_message
    SrFingerprintModule : +behavior log_fingerprint_message()

File-Level Changes

Change: Introduce sr_fingerprint Ansible module to log fingerprint messages with timestamps to syslog without marking tasks as changed.
Details:
  • Create custom module sr_fingerprint with sr_message parameter and documentation/usage examples.
  • Implement local ISO8601 timestamp helper supporting older Python/Ansible environments.
  • Use module.log to emit combined message and timestamp, and ensure check mode is supported and changed is always false.
Files:
  • library/sr_fingerprint.py

Change: Emit role begin and success fingerprints from the postgresql role including role name, Ansible version, and distribution info.
Details:
  • Record begin fingerprint early in role execution using distribution and version facts.
  • Record success fingerprint at end of main task sequence after configuration tasks complete.
  • Include ansible_version.full and distribution/distribution_version in the fingerprint message format.
Files:
  • tasks/set_vars.yml
  • tasks/main.yml

Change: Add test coverage to validate that role fingerprints are written to the system journal when syslog is available.
Details:
  • Detect presence of /dev/log to gate fingerprint/journal tests.
  • Capture start time fact prior to role execution to bound journalctl queries.
  • Use journalctl plus grep filters to assert presence of begin and success fingerprints while ignoring generic 'Invoked with' log entries and keeping the test idempotent.
Files:
  • tests/tests_default.yml

Change: Adjust repo tooling to accommodate the new custom module in multiple Ansible versions.
Details:
  • Add Ansible sanity ignore files for various supported Ansible core versions to avoid sanity issues for the custom module.
  • Create tests/roles/linux-system-roles.postgresql/library path (likely a symlink or placeholder) to expose the module to the test harness.
Files:
  • .sanity-ansible-ignore-2.14.txt
  • .sanity-ansible-ignore-2.16.txt
  • .sanity-ansible-ignore-2.17.txt
  • .sanity-ansible-ignore-2.18.txt
  • .sanity-ansible-ignore-2.19.txt
  • .sanity-ansible-ignore-2.20.txt
  • .sanity-ansible-ignore-2.21.txt
  • .sanity-ansible-ignore-2.22.txt
  • tests/roles/linux-system-roles.postgresql/library


richm commented Apr 27, 2026 (Contributor Author)

[citest]

sourcery-ai Bot left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • The begin/success fingerprint messages are duplicated in set_vars.yml and main.yml; consider factoring the common format (role name, ansible version, distro/version) into a variable or helper to keep them consistent and easier to update.
  • The journalctl-based test relies on a shell pipeline and unanchored grep; using ansible.builtin.command/ansible.builtin.shell with failed_when plus stricter matching (e.g. grep -F or clearer patterns) would make the check more robust and easier to debug.
  • The test currently only checks for /dev/log before using journalctl; you may want to also gate it on ansible_service_mgr == 'systemd' or verify that journalctl is available to avoid failures on non-systemd or minimal environments.

Comment thread library/sr_fingerprint.py
sr_message: "system_role:ROLENAME"
"""

RETURN = r""" # """

issue (bug_risk): RETURN spec is not valid YAML and may break ansible-doc / sanity checks.

Using RETURN = r""" # """ produces invalid YAML for Ansible’s docs parser and can cause ansible-doc and sanity checks to fail (or require suppression via ignore files). Either provide a minimal valid YAML structure (e.g. an empty mapping) or drop the RETURN variable entirely if you don’t need documented return fields, so tooling continues to work without relying on ignores.

richm merged commit 7e08c30 into linux-system-roles:main Apr 27, 2026
36 checks passed
richm deleted the fingerprint branch April 27, 2026 16:35
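
The PR description says log scanners can use the fingerprints to see when the role ran and whether it finished, and the reviewer's guide notes that the test ignores Ansible's generic 'Invoked with' entries. The following is an added example of such a scanner, not code from this PR or the project. Only the `begin`/`success system_role:<name>` prefix comes from the thread; the journal line layout, host name, version strings and trailing fields in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Only the "<state> system_role:<name>" prefix is taken from the PR thread;
# the rest of each message is kept opaque because its layout is an assumption.
FINGERPRINT_RE = re.compile(r"\b(begin|success) system_role:([A-Za-z0-9_.-]+)(.*)$")

# Constructed sample journal lines (hypothetical host, PIDs and trailing fields).
SAMPLE_JOURNAL = """\
Apr 27 16:20:01 db1 python3[4101]: ansible-sr_fingerprint Invoked with sr_message=begin system_role:postgresql 2.16.3 Fedora 40
Apr 27 16:20:01 db1 python3[4101]: ansible-sr_fingerprint begin system_role:postgresql 2.16.3 Fedora 40 2026-04-27T16:20:01
Apr 27 16:20:44 db1 python3[4188]: ansible-sr_fingerprint success system_role:postgresql 2.16.3 Fedora 40 2026-04-27T16:20:44
Apr 27 17:05:10 db1 python3[5230]: ansible-sr_fingerprint begin system_role:postgresql 2.16.3 Fedora 40 2026-04-27T17:05:10
"""


def parse_fingerprints(text):
    """Return (state, role, rest) for each fingerprint line, in log order."""
    events = []
    for line in text.splitlines():
        # Ansible's argument echo repeats sr_message; counting it would
        # register every begin/success twice, so it is skipped.
        if "Invoked with" in line:
            continue
        match = FINGERPRINT_RE.search(line)
        if match:
            events.append((match.group(1), match.group(2), match.group(3).strip()))
    return events


def unfinished_runs(events):
    """Count begin markers per role that no later success marker closed."""
    open_runs = defaultdict(int)
    for state, role, _rest in events:
        if state == "begin":
            open_runs[role] += 1
        elif open_runs[role] > 0:
            open_runs[role] -= 1
    return {role: count for role, count in open_runs.items() if count}


if __name__ == "__main__":
    found = parse_fingerprints(SAMPLE_JOURNAL)
    print(found)
    print("begun but not finished:", unfinished_runs(found))
```

A role that begins without a later success marker is the case an aggregator would alert on: the run failed or was interrupted after the begin fingerprint was written.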