Consistently access facts via the ansible_facts.* namespace

molecule/mysql_hardening/converge.yml

@@ -12,22 +12,22 @@
         mysql_python_package_debian: python3-pymysql
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution == "Ubuntu"
-        - ansible_distribution_major_version|int > 19
+        - ansible_facts.distribution == "Ubuntu"
+        - ansible_facts.distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
       ansible.builtin.set_fact:
         mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution != "Ubuntu"
-        - ansible_distribution_major_version|int < 20
+        - ansible_facts.distribution != "Ubuntu"
+        - ansible_facts.distribution_major_version|int < 20
 
     - name: Use Python 3 on Suse
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_os_family == 'Suse'
+        - ansible_facts.os_family == 'Suse'
 
     - name: Include mysql_hardening role
       ansible.builtin.include_role:

molecule/mysql_hardening/molecule.yml

@@ -23,6 +23,7 @@ provisioner:
     defaults:
       interpreter_python: auto_silent
       callbacks_enabled: profile_tasks, timer, yaml
+      inject_facts_as_vars: false
 verifier:
   name: ansible
 

molecule/mysql_hardening/prepare.yml

@@ -17,25 +17,25 @@
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_distribution == 'Debian'
-        - ansible_distribution_major_version|int >= 11
+        - ansible_facts.distribution == 'Debian'
+        - ansible_facts.distribution_major_version|int >= 11
 
     - name: Use Python 3 on Suse
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_os_family == 'Suse'
+        - ansible_facts.os_family == 'Suse'
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
         upgrade: safe
         update_cache: true
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Install required python packages on Suse
       ansible.builtin.command: zypper -n install python311-rpm python311-PyMySQL
       changed_when: false
-      when: ansible_os_family == 'Suse'
+      when: ansible_facts.os_family == 'Suse'
 
     - name: Create missing directory
       ansible.builtin.file:
@@ -48,23 +48,23 @@
         mysql_python_package_debian: python3-pymysql
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution == "Ubuntu"
-        - ansible_distribution_major_version|int > 19
+        - ansible_facts.distribution == "Ubuntu"
+        - ansible_facts.distribution_major_version|int > 19
 
     - name: Determine required MySQL Python libraries.
       ansible.builtin.set_fact:
         mysql_python_package_debian: "{% if 'python3' in ansible_python_interpreter | default('') %}python3-mysqldb{% else %}python-mysqldb{% endif %}"
       when:
         - mysql_python_package_debian is not defined
-        - ansible_distribution != "Ubuntu"
-        - ansible_distribution_major_version|int < 20
+        - ansible_facts.distribution != "Ubuntu"
+        - ansible_facts.distribution_major_version|int < 20
 
     - name: Install required MySQL Python libraries on RHEL
       ansible.builtin.dnf:
         name: "{% if 'python3' in ansible_python_interpreter | default('') %}python36-PyMySQL{% else %}python2-PyMySQL{% endif %}"
       when:
-        - ansible_os_family == "RedHat"
-        - ansible_distribution_major_version == "7"
+        - ansible_facts.os_family == "RedHat"
+        - ansible_facts.distribution_major_version == "7"
 
     - name: Install mysql with a generic Ansible role
       ansible.builtin.include_role:

molecule/mysql_hardening/verify.yml

@@ -11,14 +11,14 @@
       ansible.builtin.set_fact:
         ansible_python_interpreter: /usr/bin/python3
       when:
-        - ansible_os_family == 'Suse'
+        - ansible_facts.os_family == 'Suse'
 
     - name: Install procps for debian systems
       ansible.builtin.apt:
         name: procps
         state: present
         update_cache: true
-      when: ansible_distribution == 'Debian'
+      when: ansible_facts.distribution == 'Debian'
 
     - name: Include tests for the service
       ansible.builtin.include_tasks: verify_tasks/service.yml

molecule/nginx_hardening/molecule.yml

@@ -22,6 +22,7 @@ provisioner:
     defaults:
       interpreter_python: auto_silent
       callbacks_enabled: profile_tasks, timer, yaml
+      inject_facts_as_vars: false
 verifier:
   name: ansible
 

molecule/nginx_hardening/prepare.yml

@@ -16,7 +16,7 @@
     - name: Set correct distribution Version for Amazon Linux
       ansible.builtin.set_fact:
         ansible_distribution_major_version: 7
-      when: ansible_distribution == 'Amazon'
+      when: ansible_facts.distribution == 'Amazon'
 
     - name: Install nginx with a generic Ansible role
       ansible.builtin.include_role:

molecule/nginx_hardening/verify.yml

@@ -12,7 +12,7 @@
         name: procps
         state: present
         update_cache: true
-      when: ansible_distribution == 'Debian'
+      when: ansible_facts.distribution == 'Debian'
 
 - name: Verify
   hosts: localhost

molecule/os_hardening/molecule.yml

@@ -18,6 +18,7 @@ provisioner:
     defaults:
       interpreter_python: auto_silent
       callbacks_enabled: profile_tasks, timer, yaml
+      inject_facts_as_vars: false
 verifier:
   name: ansible
 

molecule/os_hardening/prepare.yml

@@ -16,7 +16,7 @@
       ansible.builtin.apt:
         upgrade: safe
         update_cache: true
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Install required tools on SuSE
       # cannot use zypper module, since it depends on python-xml

molecule/os_hardening_vm/converge.yml

@@ -30,7 +30,7 @@
         os_mnt_var_options: rw,nosuid,nodev,compress=zstd:1,subvol=var
       when:
         - ansible_facts.distribution == 'Fedora'
-        - ansible_distribution_major_version|int == 40
+        - ansible_facts.distribution_major_version|int == 40
 
     - name: Include os_hardening role
       ansible.builtin.include_role:

molecule/os_hardening_vm/molecule.yml

@@ -27,6 +27,7 @@ provisioner:
       callbacks_enabled: profile_tasks, timer, yaml
       # Workaround for https://github.com/ansible-community/molecule-plugins/issues/301
       library: "${MOLECULE_PROJECT_DIRECTORY}/plugins/modules:/usr/share/ansible:${MOLECULE_VAGRANT_PLUGIN_DIR}"
+      inject_facts_as_vars: false
 verifier:
   name: ansible
   env:

molecule/os_hardening_vm/prepare.yml

@@ -26,7 +26,7 @@
       ansible.builtin.dpkg_selections:
         name: grub-pc
         selection: hold
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     # we need to free up space, since the /boot partition in some Vagrant images is
     # pretty small and system updates might fail
@@ -35,20 +35,20 @@
         paths: /boot
         patterns: "initrd.img*"
       register: find_results
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Delete all initrd.img to free space on /boot
       ansible.builtin.file:
         path: "{{ item['path'] }}"
         state: absent
       with_items: "{{ find_results['files'] }}"
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Run the equivalent of "apt-get update && apt-get upgrade"
       ansible.builtin.apt:
         upgrade: safe
         update_cache: true
-      when: ansible_os_family == 'Debian'
+      when: ansible_facts.os_family == 'Debian'
 
     - name: Install required tools on fedora
       ansible.builtin.dnf:

molecule/ssh_hardening/molecule.yml

@@ -18,6 +18,7 @@ provisioner:
     defaults:
       interpreter_python: auto_silent
       callbacks_enabled: profile_tasks, timer, yaml
+      inject_facts_as_vars: false
   inventory:
     host_vars:
       # https://molecule.readthedocs.io/en/latest/examples.html#docker-with-non-privileged-user

molecule/ssh_hardening_bsd/molecule.yml

@@ -23,6 +23,7 @@ provisioner:
       callbacks_enabled: profile_tasks, timer, yaml
       # Workaround for https://github.com/ansible-community/molecule-plugins/issues/301
       library: "${MOLECULE_PROJECT_DIRECTORY}/plugins/modules:/usr/share/ansible:${MOLECULE_VAGRANT_PLUGIN_DIR}"
+      inject_facts_as_vars: false
 verifier:
   name: ansible
   env:

molecule/ssh_hardening_custom_tests/molecule.yml

@@ -18,6 +18,7 @@ provisioner:
     defaults:
       interpreter_python: auto_silent
       callbacks_enabled: profile_tasks, timer, yaml
+      inject_facts_as_vars: false
 verifier:
   name: ansible
 

roles/os_hardening/tasks/ctrlaltdel.yml

@@ -4,4 +4,4 @@
     name: ctrl-alt-del.target
     masked: true
     daemon_reload: true
-  when: ansible_service_mgr == "systemd"
+  when: ansible_facts.service_mgr == "systemd"

roles/os_hardening/tasks/limits.yml

@@ -37,7 +37,7 @@
         group: root
         mode: "0755"
         state: directory
-      when: ansible_service_mgr == "systemd"
+      when: ansible_facts.service_mgr == "systemd"
 
     - name: Create custom.conf for disabling coredumps
       ansible.builtin.template:
@@ -46,7 +46,7 @@
         owner: root
         group: root
         mode: "0644"
-      when: ansible_service_mgr == "systemd"
+      when: ansible_facts.service_mgr == "systemd"
       notify: Reload systemd
 
 - name: Enable coredumps
@@ -56,7 +56,7 @@
       ansible.builtin.file:
         path: /etc/systemd/coredump.conf.d
         state: absent
-      when: ansible_service_mgr == "systemd"
+      when: ansible_facts.service_mgr == "systemd"
       notify: Reload systemd
 
     - name: Remove 10.hardcore.conf config file

roles/os_hardening/tasks/sysctl.yml

@@ -9,7 +9,7 @@
   when: ansible_facts.os_family == 'RedHat'
 
 - name: Change sysctls
-  when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
+  when: ansible_facts.virtualization_type not in ['docker', 'lxc', 'openvz']
   block:
     - name: Protect sysctl.conf
       ansible.builtin.file: