AMW-365 Keycloak collection GitHub action molecule pipelines are breaking because of sudo permission issue

roles/keycloak_quarkus/tasks/bootstrapped.yml

@@ -1,6 +1,6 @@
 ---
 - name: Save ansible custom facts
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.template:
     src: keycloak.fact.j2
     dest: /etc/ansible/facts.d/keycloak.fact

roles/keycloak_quarkus/tasks/config_store.yml

@@ -6,7 +6,7 @@
         value: "{{ keycloak_quarkus_db_pass }}"
 
 - name: "Initialize empty configuration key store"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   # keytool doesn't allow creating an empty key store, so this is a hacky way around it
   ansible.builtin.shell: | # noqa blocked_modules shell is necessary here
     set -o nounset   # abort on unbound variable
@@ -38,7 +38,7 @@
     echo {{ item.value | quote }} | keytool -noprompt -importpass -alias {{ item.key | quote }} -keystore {{ keycloak_quarkus_config_key_store_file | quote }} -storepass {{ keycloak_quarkus_config_key_store_password | quote }} -storetype PKCS12
   loop: "{{ store_items }}"
   no_log: true
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   changed_when: true
   notify:
     - restart keycloak
@@ -49,4 +49,4 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0400'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"

roles/keycloak_quarkus/tasks/fastpackages.yml

@@ -13,7 +13,7 @@
   when: ansible_facts.os_family == "RedHat"
 
 - name: "Install packages: {{ packages_to_install }}"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.dnf:
     name: "{{ packages_to_install }}"
     state: present
@@ -22,7 +22,7 @@
     - ansible_facts.os_family == "RedHat"
 
 - name: "Install packages: {{ packages_list }}"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.package:
     name: "{{ packages_list }}"
     state: present

roles/keycloak_quarkus/tasks/firewalld.yml

@@ -6,14 +6,14 @@
       - firewalld
 
 - name: Enable and start the firewalld service
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.systemd:
     name: firewalld
     enabled: true
     state: started
 
 - name: "Configure firewall for {{ keycloak.service_name }} ports"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.posix.firewalld:
     port: "{{ item }}"
     permanent: true

roles/keycloak_quarkus/tasks/install.yml

@@ -12,13 +12,13 @@
     quiet: true
 
 - name: Check for an existing deployment
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.stat:
     path: "{{ keycloak.home }}"
   register: existing_deploy
 
 - name: "Create {{ keycloak.service_name }} service user/group"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.user:
     name: "{{ keycloak.service_user }}"
     home: /opt/keycloak
@@ -26,7 +26,7 @@
     create_home: false
 
 - name: "Create {{ keycloak.service_name }} install location"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.file:
     dest: "{{ keycloak_quarkus_dest }}"
     state: directory
@@ -35,7 +35,7 @@
     mode: '0750'
 
 - name: Create directory for ansible custom facts
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.file:
     state: directory
     recurse: true
@@ -47,7 +47,7 @@
     archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"
 
 - name: Check download archive path
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.stat:
     path: "{{ archive }}"
   register: archive_path
@@ -148,13 +148,13 @@
     - not archive_path.stat.exists
     - local_archive_path.stat is defined
     - local_archive_path.stat.exists
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
 
 - name: "Check target directory: {{ keycloak.home }}/bin/"
   ansible.builtin.stat:
     path: "{{ keycloak.home }}/bin/"
   register: path_to_workdir
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
 
 - name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
   ansible.builtin.unarchive:
@@ -164,7 +164,7 @@
     creates: "{{ keycloak.home }}/bin/"
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   when:
     - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
   notify:
@@ -183,7 +183,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   when:
     - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
     - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
@@ -196,7 +196,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0644'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   when:
     - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
     - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
@@ -215,7 +215,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   loop: "{{ keycloak_quarkus_providers }}"
   when: item.url is defined and item.url | length > 0
   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
@@ -244,7 +244,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   loop: "{{ keycloak_quarkus_providers }}"
   when: item.maven is defined
   no_log: "{{ item.maven.password is defined and item.maven.password | length > 0 | default(false) }}"
@@ -256,7 +256,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   loop: "{{ keycloak_quarkus_providers }}"
   when: item.local_path is defined
   notify: "{{ ['invalidate keycloak theme cache', 'rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or item.restart else [] }}"
@@ -268,7 +268,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0750'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   loop: "{{ keycloak_quarkus_supported_policy_types }}"
 
 - name: "Install custom policies"
@@ -278,7 +278,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   loop: "{{ keycloak_quarkus_policies }}"
   when: item.url is defined and item.url | length > 0
   notify: "restart keycloak"

roles/keycloak_quarkus/tasks/invalidate_theme_cache.yml

@@ -8,4 +8,4 @@
   ansible.builtin.file:
     path: "{{ keycloak.home }}/data/tmp/kc-gzip-cache"
     state: absent
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"

roles/keycloak_quarkus/tasks/iptables.yml

@@ -6,7 +6,7 @@
       - iptables
 
 - name: "Configure firewall ports for {{ keycloak.service_name }}"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.iptables:
     destination_port: "{{ item }}"
     action: "insert"

roles/keycloak_quarkus/tasks/jdbc_driver.yml

@@ -17,6 +17,6 @@
     url_password: "{{ keycloak_quarkus_jdbc_download_pass | default(omit) }}"
     validate_certs: "{{ keycloak_quarkus_jdbc_download_validate_certs | default(omit) }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   notify:
     - restart keycloak

roles/keycloak_quarkus/tasks/main.yml

@@ -53,7 +53,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0640'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   loop:
     - keycloak.conf
     - quarkus.properties
@@ -69,7 +69,7 @@
     owner: "{{ keycloak.service_user }}"
     group: "{{ keycloak.service_group }}"
     mode: '0775'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
 
 - name: Flush pending handlers
   ansible.builtin.meta: flush_handlers
@@ -83,7 +83,7 @@
     src: "{{ keycloak.log.file | dirname }}"
     dest: "{{ keycloak_quarkus_log_target }}"
     force: true
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
 
 - name: Check service status
   ansible.builtin.systemd_service:

roles/keycloak_quarkus/tasks/rebuild_config.yml

@@ -6,5 +6,5 @@
   environment:
     PATH: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     JAVA_HOME: "{{ keycloak_quarkus_java_home | default(keycloak_quarkus_pkg_java_home, true) }}"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   changed_when: true

roles/keycloak_quarkus/tasks/restart.yml

@@ -5,7 +5,7 @@
     enabled: true
     state: restarted
     daemon_reload: true
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
 
 - name: "Wait until {{ keycloak.service_name }} service becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:

roles/keycloak_quarkus/tasks/restart/serial_then_parallel.yml

@@ -16,5 +16,5 @@
         enabled: true
         state: restarted
         daemon_reload: true
-      become: true
+      become: "{{ keycloak_install_requires_become | default(true) }}"
       when: inventory_hostname != ansible_play_hosts | first

roles/keycloak_quarkus/tasks/start.yml

@@ -5,7 +5,7 @@
     enabled: true
     state: started
     daemon_reload: true
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
 
 - name: "Wait until {{ keycloak.service_name }} becomes active {{ keycloak.health_url }}"
   ansible.builtin.uri:

roles/keycloak_quarkus/tasks/systemd.yml

@@ -1,6 +1,6 @@
 ---
 - name: "Configure sysconfig file for {{ keycloak.service_name }} service"
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   ansible.builtin.template:
     src: keycloak-sysconfig.j2
     dest: "{{ keycloak_quarkus_sysconf_file }}"
@@ -19,7 +19,7 @@
     owner: root
     group: root
     mode: '0644'
-  become: true
+  become: "{{ keycloak_install_requires_become | default(true) }}"
   register: systemdunit
   notify:
     - restart keycloak