feat: add role fingerprints to syslog

[richm]

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add a reusable fingerprinting mechanism that logs ssh system role lifecycle events to syslog and verify its presence via tests.

New Features:

• Introduce the sr_fingerprint Ansible module to write structured fingerprint messages to syslog.
• Record role begin and success fingerprints for the ssh system role including Ansible and platform information.

Tests:

• Extend default role tests to validate that begin and success fingerprint messages are written to the system journal when syslog is available.

Chores:

• Add Ansible sanity ignore configuration files for multiple supported Ansible versions and supporting test role library wiring.

[sourcery-ai]

Reviewer's Guide

Adds a new sr_fingerprint Ansible module and wires it into the ssh role to emit begin/success fingerprints to syslog, plus a journal-based test and supporting sanity/compatibility files.

Sequence diagram for sr_fingerprint role begin/success logging

sequenceDiagram
    actor DevOpsEngineer
    participant AnsibleController
    participant ManagedHost
    participant ssh_role
    participant sr_fingerprint_module
    participant SyslogDaemon
    participant Journal

    DevOpsEngineer->>AnsibleController: run ansible_playbook with ssh_role
    AnsibleController->>ManagedHost: execute ssh_role tasks

    rect rgb(235,235,255)
        ssh_role->>sr_fingerprint_module: begin sr_message
        sr_fingerprint_module->>sr_fingerprint_module: _local_iso8601_no_microseconds()
        alt check_mode
            sr_fingerprint_module-->>ssh_role: exit_json changed=false
        else normal_mode
            sr_fingerprint_module->>SyslogDaemon: module.log(begin message timestamp)
            SyslogDaemon->>Journal: write begin entry
            SyslogDaemon-->>sr_fingerprint_module: ok
            sr_fingerprint_module-->>ssh_role: exit_json changed=false
        end
    end

    ssh_role->>ssh_role: perform ssh configuration tasks

    rect rgb(235,255,235)
        ssh_role->>sr_fingerprint_module: success sr_message
        sr_fingerprint_module->>sr_fingerprint_module: _local_iso8601_no_microseconds()
        alt check_mode
            sr_fingerprint_module-->>ssh_role: exit_json changed=false
        else normal_mode
            sr_fingerprint_module->>SyslogDaemon: module.log(success message timestamp)
            SyslogDaemon->>Journal: write success entry
            SyslogDaemon-->>sr_fingerprint_module: ok
            sr_fingerprint_module-->>ssh_role: exit_json changed=false
        end
    end

    ManagedHost-->>AnsibleController: task results
    AnsibleController-->>DevOpsEngineer: play recap and logs

Loading

Class diagram for sr_fingerprint Ansible module structure

classDiagram
    class sr_fingerprint {
        +run_module()
        +_local_iso8601_no_microseconds()
        +main()
    }

    class AnsibleModule {
        +AnsibleModule(argument_spec, supports_check_mode)
        +log(message)
        +exit_json(changed, message)
    }

    class datetime {
        +datetime
        +timezone
        +now()
    }

    class time {
        +strftime(format, struct_time)
        +localtime()
    }

    sr_fingerprint ..> AnsibleModule : uses
    sr_fingerprint ..> datetime : uses
    sr_fingerprint ..> time : uses

    sr_fingerprint : sr_message str
    sr_fingerprint : log_message str

Loading

File-Level Changes

Change	Details	Files
Introduce sr_fingerprint Ansible module to write fingerprint messages to syslog without reporting changes.	Create custom module that accepts an sr_message string and appends a local ISO-8601 timestamp. Implement timezone-aware timestamp helper compatible with older Python versions. Use AnsibleModule with check mode support; in check mode only report what would be logged. Log via module.log and always exit with changed=false so fingerprints do not affect task idempotency or change reporting.	library/sr_fingerprint.py
Emit role begin/success fingerprints from the ssh system role using the new module.	Record a 'begin system_role:ssh' fingerprint early in set_vars, including Ansible version and distro/version in the message. Record a 'success system_role:ssh' fingerprint at the end of main tasks, with the same contextual fields. Ensure fingerprints are pure logging side-effects and do not change existing role behavior or outputs.	tasks/set_vars.yml tasks/main.yml
Add an integration-style test that validates fingerprints are written to the system journal when syslog is available.	Stat /dev/log and conditionally run fingerprint checks only when syslog socket exists. Capture a start timestamp fact before running the role to scope the journal search window. Use journalctl combined with grep filtering to assert presence of both begin and success fingerprints while excluding generic 'Invoked with' messages. Mark the shell-based check as not changing state and gate it on syslog availability.	tests/tests_default.yml
Add ancillary files for Ansible sanity/compatibility and local library wiring for tests.	Introduce per-ansible-version sanity ignore files needed for the new custom module. Create a tests role library directory so the sr_fingerprint module is available during tests.	.sanity-ansible-ignore-2.14.txt .sanity-ansible-ignore-2.16.txt .sanity-ansible-ignore-2.17.txt .sanity-ansible-ignore-2.18.txt .sanity-ansible-ignore-2.19.txt .sanity-ansible-ignore-2.20.txt .sanity-ansible-ignore-2.21.txt .sanity-ansible-ignore-2.22.txt tests/roles/linux-system-roles.ssh/library

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[richm]

[citest]

[sourcery-ai]

Hey - I've left some high level feedback:

• The Check system journal contains role fingerprints task relies on a long shell pipeline with grep; consider switching to the command module plus register and assert to avoid shell parsing issues and make the checks easier to maintain.
• The _local_iso8601_no_microseconds function reimplements timestamp formatting logic; if there is an existing utility in your collection or standard libs you can reuse, it would simplify the module and reduce the chance of subtle datetime bugs.
• The .sanity-ansible-ignore-* files are added but empty in the diff; if they are meant to suppress specific sanity rules, consider adding a short comment or the explicit rule names so future maintainers understand why they exist.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `Check system journal contains role fingerprints` task relies on a long `shell` pipeline with `grep`; consider switching to the `command` module plus `register` and `assert` to avoid shell parsing issues and make the checks easier to maintain.
- The `_local_iso8601_no_microseconds` function reimplements timestamp formatting logic; if there is an existing utility in your collection or standard libs you can reuse, it would simplify the module and reduce the chance of subtle datetime bugs.
- The `.sanity-ansible-ignore-*` files are added but empty in the diff; if they are meant to suppress specific sanity rules, consider adding a short comment or the explicit rule names so future maintainers understand why they exist.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}