feat: add role fingerprint to system journal

richm · richm · commit f72d6b5fee44 · 2026-04-16T15:03:32.000-06:00
Feature: Add role fingerprint to system journal as the first task in the role.

Reason: The journal is often exported to reporting systems making it easy to
tell if the role is being used, and when.

Result: Users can get information in their reporting and log aggregation systems
of role usage.
diff --git a/library/sr_fingerprint.py b/library/sr_fingerprint.py
@@ -0,0 +1,80 @@
+#!/usr/bin/python
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+module: sr_fingerprint
+short_description: Write a message string to syslog
+description:
+    - Writes the given string to the system log using Python's C{syslog} library.
+    - Intended for role-internal or diagnostic use.
+author: Linux System Roles
+options:
+    sr_message:
+        description: Text to record in syslog.
+        type: str
+        required: true
+'''
+
+EXAMPLES = '''
+- name: Record a fingerprint message in syslog
+  sr_fingerprint:
+    sr_message: "system_role:ROLENAME"
+'''
+
+RETURN = '''
+changed:
+    description: C(true) when the message was written to syslog (not in check mode).
+    type: bool
+message:
+    description: Short status text.
+    type: str
+'''
+
+import syslog
+
+from ansible.module_utils.basic import AnsibleModule
+
+
+def run_module():
+    module_args = dict(
+        sr_message=dict(type='str', required=True),
+    )
+
+    module = AnsibleModule(
+        argument_spec=module_args,
+        supports_check_mode=True,
+    )
+
+    text = module.params['sr_message']
+
+    if module.check_mode:
+        module.exit_json(
+            changed=False,
+            message='Check mode: message not written to syslog',
+        )
+
+    try:
+        syslog.openlog('ansible-sr_fingerprint', syslog.LOG_PID, syslog.LOG_USER)
+        try:
+            syslog.syslog(syslog.LOG_INFO, text)
+        finally:
+            syslog.closelog()
+    except Exception as exc:
+        module.fail_json(msg='Failed to write to syslog: {0}'.format(exc))
+
+    module.exit_json(
+        changed=True,
+        message='Message written to syslog',
+    )
+
+
+def main():
+    run_module()
+
+
+if __name__ == '__main__':
+    main()
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: Record storage role fingerprint in syslog
+  sr_fingerprint:
+    sr_message: "system_role:storage"
+  changed_when: false
+
 - name: Set platform/version specific variables
   include_tasks: tasks/set_vars.yml
 
diff --git a/tests/tests_default.yml b/tests/tests_default.yml
@@ -4,3 +4,13 @@
   tasks:
     - name: Run the role
       include_tasks: tasks/run_role_with_clear_facts.yml
+
+    # look for the exact module invocation, not some other message that might contain the string
+    - name: Check system journal contains role fingerprint
+      shell: >-
+        set -eo pipefail;
+        journalctl --since "-1 hour" --no-pager SYSLOG_IDENTIFIER=ansible-sr_fingerprint |
+        grep "ansible-sr_fingerprint.*: system_role:storage"
+      args:
+        executable: /bin/bash
+      changed_when: false
