ansible-collection-hardening
os-hardening: yum gpg-check fails if gpg-check already set
Describe the bug
I get a failure when trying to set gpg-check to yum.conf
Expected behavior
Task exits cleanly
Actual behavior
amazon-ebs.greenlight: TASK [dev-sec.os-hardening : activate gpg-check for config files] **************
amazon-ebs.greenlight: failed: [default] (item=/etc/yum.conf) => {"ansible_loop_var": "item", "changed": false, "failed_when_result": true, "item": "/etc/yum.conf", "msg": "", "rc": 0}
amazon-ebs.greenlight: ok: [default] => (item=/etc/dnf/dnf.conf)
amazon-ebs.greenlight: ok: [default] => (item=/etc/yum/pluginconf.d/rhnplugin.conf)
Example Playbook
OS / Environment
Amazon Linux 2. Current image (08/03/2022)
Ansible Version
config file = None
configured module search path = ['/Users/frank.branham/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/6.1.0/libexec/lib/python3.10/site-packages/ansible
ansible collection location = /Users/frank.branham/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.10.5 (main, Jun 23 2022, 17:15:25) [Clang 13.1.6 (clang-1316.0.21.2.5)]
jinja version = 3.1.2
libyaml = True
Role Version
Hi @frankbranham, thank you for the bug report.
Which version of our collection are you using?
We are unpinned for our builds, so taking the latest. (7.15.1). I've tried 7.15.0 as well.
I've tried since messing with gpg-check with packer and debug, and I cannot at all figure out why that task keeps failing for yum.conf.
This is very puzzling. We had a matching bug that was resolved in 7.15.0 (#549). Can you run Ansible in debug mode and double-check that you are not using an old version by accident?