From fa68e035174afa5ee92a5257a3ceda72b990a747 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 09:39:13 +0000
Subject: [PATCH] Updated OS checks and conditionals
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 3 +++
 tasks/main.yml | 23 ++++++++++++-----------
 vars/main.yml | 2 ++
 3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 9f3df3e..c9ac20d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,6 +8,9 @@ container_vars_file: is_container.yml
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false
+# Run the OS validation check
+os_check: true
+
 rhel9cis_notauto: false
 rhel9cis_section1: true
 rhel9cis_section2: true
diff --git a/tasks/main.yml b/tasks/main.yml
index d487d0a..3a9426b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
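Review bot: The comment added above `os_check` in defaults/main.yml does not say what switching it off means: the assertion it gates in tasks/main.yml appears to be the guard that keeps this hardening role from running on an OS it was not written for. I would expand the comment to something like `# Run the OS family/version assertion in tasks/main.yml; set to false only for testing, the role then runs on hosts it has not been validated against`. The name is also unprefixed while the neighbouring toggles are `rhel9cis_*`, so a play that applies several roles could collide on it; `rhel9cis_os_check` would be safer, although `system_is_ec2` in the same file is unprefixed too.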
@@ -1,23 +1,24 @@ --- # tasks file for RHEL9-CIS + - name: Check OS version and family assert: - that: - - (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") - - ansible_distribution_major_version |int >= 8 - fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "Supported OS release and version" + that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against RHEL8 family OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + when: + - os_check + - not system_is_ec2 tags: - - always + - always - name: Check ansible version assert: - that: - - "ansible_version.full is version_compare ('2.9', '>=')" - fail_msg: "You must use ansible 2.9 or greater" - success_msg: "Supported ansible_version" + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - - always + - always - name: Setup rules if container block: diff --git a/vars/main.yml b/vars/main.yml index 83b0489..b18097b 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,5 +1,7 @@ --- # vars file for RHEL9-CIS + +min_ansible_version: 2.9 rhel9cis_allowed_crypto_policies: - 'FUTURE' - 'FIPS'
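Review bot: The new `that:` expression in the "Check OS version and family" task of tasks/main.yml pins `ansible_distribution_major_version` to `'8'` and the failure message says "RHEL8 family OSs", yet the file header names the role RHEL9-CIS, so as written the assertion would reject a RHEL 9 host. If 9 is the intended target, the comparison should read `ansible_distribution_major_version is version_compare('9', '==')` and both messages should be updated to match. The added `when:` also skips the assertion whenever `system_is_ec2` is true, although defaults/main.yml describes that toggle as being for tasks that fail on EC2 and an OS assertion is not one of those, so an EC2 host would be hardened with no platform validation at all. `when: os_check | bool` on its own would keep the guard in place there and would also behave correctly when the value arrives as a string from `-e`.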
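Review bot: In vars/main.yml `min_ansible_version: 2.9` is an unquoted scalar, so YAML loads it as a float rather than a version string. That happens to round-trip for 2.9, but a later bump to `2.10` would load as `2.1`, and the `version_compare(min_ansible_version, '>=')` assertion in tasks/main.yml would then quietly accept older Ansible releases than intended. Quote it as `min_ansible_version: '2.9'`, which matches the single-quoted strings already used in this file.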