sovereign/roles/wazuh/molecule/default/verify.yml

---
- name: Verify wazuh role
  hosts: localhost
  gather_facts: false
  vars:
    wazuh_data_dir: /tmp/sovereign_test/wazuh
    wazuh_domain: wazuh.test.example.com
    wazuh_admin_password: test_wazuh_admin
    wazuh_version: "4.9.0"
    tenant_name: Test Corp

  tasks:
    - name: Check wazuh data directory exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/wazuh"
      register: data_dir_stat

    - name: Assert wazuh data directory is present
      ansible.builtin.assert:
        that: data_dir_stat.stat.isdir
        fail_msg: "Data directory /tmp/sovereign_test/wazuh was not created"

    - name: Check config subdirectory exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/wazuh/config"
      register: config_dir_stat

    - name: Assert config subdirectory is present
      ansible.builtin.assert:
        that: config_dir_stat.stat.isdir
        fail_msg: "Config directory /tmp/sovereign_test/wazuh/config was not created"

    - name: Check dashboard-config subdirectory exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/wazuh/dashboard-config"
      register: dashboard_config_dir_stat

    - name: Assert dashboard-config subdirectory is present
      ansible.builtin.assert:
        that: dashboard_config_dir_stat.stat.isdir
        fail_msg: "Dashboard-config directory /tmp/sovereign_test/wazuh/dashboard-config was not created"

    - name: Check opensearch_dashboards.yml exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/wazuh/dashboard-config/opensearch_dashboards.yml"
      register: dashboards_config_stat

    - name: Assert opensearch_dashboards.yml was rendered
      ansible.builtin.assert:
        that: dashboards_config_stat.stat.exists
        fail_msg: "dashboard-config/opensearch_dashboards.yml was not rendered for wazuh"

    - name: Read opensearch_dashboards.yml
      ansible.builtin.slurp:
        src: "/tmp/sovereign_test/wazuh/dashboard-config/opensearch_dashboards.yml"
      register: dashboards_config_raw

    - name: Set dashboards config content fact
      ansible.builtin.set_fact:
        dashboards_config: "{{ dashboards_config_raw.content | b64decode }}"

    - name: Assert dashboards config contains tenant branding title
      ansible.builtin.assert:
        that: "'Test Corp Security' in dashboards_config"
        fail_msg: "opensearch_dashboards.yml does not contain 'Test Corp Security'"

    - name: Assert dashboards config contains admin password
      ansible.builtin.assert:
        that: "'test_wazuh_admin' in dashboards_config"
        fail_msg: "opensearch_dashboards.yml does not contain test_wazuh_admin password"

    - name: Check docker-compose.yml exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/wazuh/docker-compose.yml"
      register: compose_stat

    - name: Assert docker-compose.yml was rendered
      ansible.builtin.assert:
        that: compose_stat.stat.exists
        fail_msg: "docker-compose.yml was not rendered for wazuh"

    - name: Read docker-compose.yml
      ansible.builtin.slurp:
        src: "/tmp/sovereign_test/wazuh/docker-compose.yml"
      register: compose_raw

    - name: Set compose content fact
      ansible.builtin.set_fact:
        compose: "{{ compose_raw.content | b64decode }}"

    - name: Assert wazuh-manager image with version is present
      ansible.builtin.assert:
        that: "'wazuh/wazuh-manager:4.9.0' in compose"
        fail_msg: "wazuh/wazuh-manager:4.9.0 image not found in docker-compose.yml"

    - name: Assert wazuh-dashboard image with version is present
      ansible.builtin.assert:
        that: "'wazuh/wazuh-dashboard:4.9.0' in compose"
        fail_msg: "wazuh/wazuh-dashboard:4.9.0 image not found in docker-compose.yml"

    - name: Assert wazuh domain traefik rule is present
      ansible.builtin.assert:
        that: "'Host(`wazuh.test.example.com`)' in compose"
        fail_msg: "Traefik rule for wazuh.test.example.com not found in docker-compose.yml"

    - name: Assert admin password is present in compose
      ansible.builtin.assert:
        that: "'test_wazuh_admin' in compose"
        fail_msg: "wazuh_admin_password not found in docker-compose.yml"

    - name: Assert GELF logging address is present
      ansible.builtin.assert:
        that: "'udp://127.0.0.1:12201' in compose"
        fail_msg: "GELF logging address udp://127.0.0.1:12201 not found in docker-compose.yml"

    - name: Assert sovereign network is external
      ansible.builtin.assert:
        that: "'external: true' in compose"
        fail_msg: "external: true not found in docker-compose.yml networks section"