author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:04:41 +0000 |
commit | 975f66f2eebe9dadba04f275774d4ab83f74cf25 (patch) | |
tree | 89bd26a93aaae6a25749145b7e4bca4a1e75b2be /ansible_collections/cyberark/conjur/roles | |
parent | Initial commit. (diff) | |
download | ansible-975f66f2eebe9dadba04f275774d4ab83f74cf25.tar.xz ansible-975f66f2eebe9dadba04f275774d4ab83f74cf25.zip |
Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/cyberark/conjur/roles')
39 files changed, 918 insertions, 0 deletions
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/README.md b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/README.md
new file mode 100644
index 000000000..138d549da
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/README.md
@@ -0,0 +1,8 @@
+# Conjur Ansible Role
+
+This Ansible role provides the ability to grant Conjur machine identity to a host.
+Once a host has an identity created by this role, secrets can be retrieved securely
+using the [Summon](https://github.com/cyberark/summon) tool.
+
+For full usage and installation instructions, please see our
+[collection documentation](https://github.com/cyberark/ansible-conjur-collection#installation).
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/defaults/main.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/defaults/main.yml
new file mode 100644
index 000000000..d04410d8b
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/defaults/main.yml
@@ -0,0 +1,6 @@
+summon:
+ version: 0.8.2
+ os: linux-amd64
+summon_conjur:
+ version: 0.5.3
+ os: linux-amd64
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/meta/main.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/meta/main.yml
new file mode 100644
index 000000000..1fc12ef18
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/meta/main.yml
@@ -0,0 +1,26 @@
+dependencies: []
+
+galaxy_info:
+ short_description: Grants Conjur machine identity
+ description: Grants Conjur machine identity to hosts
+ company: CyberArk
+ license: Apache
+ author:
+ - Cyberark Community and Integrations Team (@cyberark/community-and-integrations-team)
+
+ min_ansible_version: '2.9'
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - trusty
+ - xenial
+ - name: EL
+ versions:
+ - 7
+
+ galaxy_tags:
+ - identity
+ - cyberark
+ - conjur
+ - security
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity.yml
new file mode 100644
index 000000000..c87f6e37b
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity.yml
@@ -0,0 +1,73 @@
+---
+- name: Create group conjur
+ group:
+ name: conjur
+ state: present
+
+- block:
+ - name: Install "ca-certificates"
+ package:
+ name: ca-certificates
+ retries: 10
+ delay: 2
+
+ - name: Place Conjur public SSL certificate
+ copy:
+ dest: "{{ conjur_ssl_certificate_path }}"
+ content: "{{ conjur_ssl_certificate }}"
+ mode: 0644
+
+ - name: Symlink Conjur public SSL certificate into /etc/ssl/certs
+ file:
+ src: "{{ conjur_ssl_certificate_path }}"
+ dest: /etc/ssl/certs/conjur.crt
+ state: link
+ register: cert_symlink
+
+ - name: Install openssl-perl Package
+ yum:
+ name: openssl-perl
+ when:
+ ansible_os_family == 'RedHat'
+ retries: 10
+ delay: 2
+
+ - name: Rehash certs
+ command: 'c_rehash'
+ when: cert_symlink.changed
+ when: ssl_configuration
+
+- name: Render /etc/conjur.conf
+ template:
+ src: templates/conjur.conf.j2
+ dest: /etc/conjur.conf
+ mode: 0644
+
+- block:
+ - name: Warn against disabling cert validation
+ debug:
+ msg: "[WARNING]: Certificate validation has been disabled. Please enable with conjur_validate_certs variable."
+ when: not conjur_validate_certs
+
+ - name: Request identity from Conjur
+ uri:
+ url: "{{ conjur_appliance_url }}/host_factories/hosts"
+ method: POST
+ body: "id={{ conjur_host_name }}"
+ headers:
+ Authorization: Token token="{{ conjur_host_factory_token }}"
+ Content-Type: "application/x-www-form-urlencoded"
+ status_code: 201
+ validate_certs: "{{ conjur_validate_certs }}"
+ register: host_factory_response
+ retries: 3
+ delay: 10
+ until: host_factory_response.status == 201
+
+ - name: Place identity file /etc/conjur.identity
+ template:
+ src: templates/conjur.identity.j2
+ dest: /etc/conjur.identity
+ mode: 0640
+ group: conjur
+ when: not conjurized
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity_check.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity_check.yml
new file mode 100644
index 000000000..8661daf70
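Review bot: The `Request identity from Conjur` task and the following `Place identity file /etc/conjur.identity` task run without `no_log`, so a failed or verbose run prints the `Authorization: Token token="{{ conjur_host_factory_token }}"` header and the registered `host_factory_response`, whose JSON body carries the host's new `api_key`; in `--diff` mode the template task additionally prints the rendered netrc containing that key. Add `no_log: true` to both tasks so neither the host-factory token nor the issued API key reaches the controller's output. The `validate_certs: "{{ conjur_validate_certs }}"` line deserves a comment that the value is forced to `no` for non-https URLs by identity_check.yml, so the debug warning above it is the only signal that the token is about to be sent without certificate validation.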
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/identity_check.yml
@@ -0,0 +1,53 @@
+---
+- name: Check if /etc/conjur.identity already exists
+ stat:
+ path: /etc/conjur.identity
+ register: identity_file
+
+- name: Set fact "conjurized"
+ set_fact:
+ conjurized: "{{ identity_file.stat.exists|bool }}"
+
+- name: Ensure all required variables are set
+ fail: msg="Variable '{{ item }}' is not set!"
+ when: item is undefined
+ with_items:
+ - "{{ conjur_account }}"
+ - "{{ conjur_appliance_url }}"
+ - "{{ conjur_host_name }}"
+
+- name: Set fact "ssl_configuration"
+ set_fact:
+ ssl_configuration: "{{ 'https' in conjur_appliance_url }}"
+
+- block:
+ - name: Ensure all required ssl variables are set
+ fail: msg="Variable '{{ item }}' is not set!"
+ when: item is undefined
+ with_items:
+ - "{{ conjur_ssl_certificate }}"
+ - "{{ conjur_validate_certs }}"
+
+ - name: Set fact "ssl file path"
+ set_fact:
+ conjur_ssl_certificate_path: "/etc/conjur.pem"
+ when: ssl_configuration
+
+- block:
+ - name: Set fact "non ssl configuration"
+ set_fact:
+ conjur_ssl_certificate_path: ""
+ conjur_validate_certs: no
+
+ - name: Warn against using insecure connection schemes
+ debug:
+ msg: "[WARNING]: Provided Conjur URL uses insecure connection scheme. Please consider using HTTPS."
+ when: not ssl_configuration
+
+- block:
+ - name: Ensure "conjur_host_factory_token" is set (if node is not already conjurized)
+ fail: msg="Variable '{{ item }}' is not set!"
+ when: item is undefined
+ with_items:
+ - "{{ conjur_host_factory_token }}"
+ when: not conjurized
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/install.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/install.yml
new file mode 100644
index 000000000..a2fc9993f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/install.yml
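Review bot: The three `Ensure ... variables are set` tasks cannot do what their names say: `with_items` templates `"{{ conjur_account }}"` and friends before the loop runs, so an unset variable aborts with a generic undefined-variable error instead of the intended message, and when the variable is set `item` holds its value, so `when: item is undefined` is never true. Loop over the variable names and test those, e.g. `with_items: [conjur_account, conjur_appliance_url, conjur_host_name]` with `when: vars[item] is undefined`, and the same for the ssl block and the last block. This matters most for the last block, where looping over `"{{ conjur_host_factory_token }}"` places the token value itself in the per-item task output (visible whenever skipped items are displayed or the run is verbose). Separately, `ssl_configuration: "{{ 'https' in conjur_appliance_url }}"` is a substring test that also matches an `http://` URL whose path happens to contain "https"; `conjur_appliance_url is match('https://')` checks the scheme.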
@@ -0,0 +1,5 @@
+---
+- import_tasks: identity_check.yml # registers variable 'conjurized'
+- import_tasks: identity.yml
+- import_tasks: summon.yml
+- import_tasks: summon-conjur.yml
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/main.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/main.yml
new file mode 100644
index 000000000..d7b94878f
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- import_tasks: install.yml
+ when: state|default('present') == "present"
+
+- import_tasks: uninstall.yml
+ when: state|default('present') == "absent"
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon-conjur.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon-conjur.yml
new file mode 100644
index 000000000..2e003cd45
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon-conjur.yml
@@ -0,0 +1,13 @@
+---
+- name: Create folder for Summon-Conjur to be installed into
+ file:
+ path: /usr/local/lib/summon
+ state: directory
+ recurse: yes
+
+- name: Download and unpack Summon-Conjur
+ unarchive:
+ src: https://github.com/cyberark/summon-conjur/releases/download/v{{ summon_conjur.version }}/summon-conjur-{{ summon_conjur.os }}.tar.gz
+ dest: /usr/local/lib/summon
+ remote_src: yes
+ creates: /usr/local/lib/summon/summon-conjur
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon.yml
new file mode 100644
index 000000000..98ae0b82a
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/summon.yml
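Review bot: The `Download and unpack Summon-Conjur` task (and the matching task in summon.yml) pulls a release tarball with `unarchive` + `remote_src: yes` and no integrity check, so whatever the download URL serves is unpacked into `/usr/local/lib/summon` (or `/usr/local/bin`) and then used to fetch secrets. `unarchive` has no checksum parameter; download with `get_url` and its `checksum:` option, pinned to the version set in defaults/main.yml, then unarchive the local file while keeping `creates:` for idempotence. The `creates:` guard also means a later version bump in defaults never replaces an already-installed binary, which deserves a comment on the task (`# creates: skips the download once the binary exists; bump requires manual removal`).
```yaml
# … unchanged: Create folder for Summon-Conjur task …
- name: Download Summon-Conjur release archive
  get_url:
    url: https://github.com/cyberark/summon-conjur/releases/download/v{{ summon_conjur.version }}/summon-conjur-{{ summon_conjur.os }}.tar.gz
    dest: /usr/local/lib/summon/summon-conjur-{{ summon_conjur.os }}.tar.gz
    # constructed placeholder: record the published sha256 for the pinned version
    checksum: "sha256:<EXPECTED_SHA256_PLACEHOLDER>"
    mode: 0644

- name: Unpack Summon-Conjur
  unarchive:
    src: /usr/local/lib/summon/summon-conjur-{{ summon_conjur.os }}.tar.gz
    dest: /usr/local/lib/summon
    remote_src: yes
    creates: /usr/local/lib/summon/summon-conjur
```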
@@ -0,0 +1,7 @@
+---
+- name: Download and unpack Summon
+ unarchive:
+ src: https://github.com/cyberark/summon/releases/download/v{{ summon.version }}/summon-{{ summon.os }}.tar.gz
+ dest: /usr/local/bin
+ remote_src: yes
+ creates: /usr/local/bin/summon
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/uninstall.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/uninstall.yml
new file mode 100644
index 000000000..17f7e3b05
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tasks/uninstall.yml
@@ -0,0 +1,35 @@
+---
+- block:
+ - name: Clean Summon binary
+ file:
+ path: /usr/local/bin/summon
+ state: absent
+ - name: Clean Summon library
+ file:
+ path: /usr/local/lib/summon/
+ state: absent
+
+- name: Clean conjur.identity
+ file:
+ path: /etc/conjur.identity
+ state: absent
+
+- name: Clean conjur.conf
+ file:
+ path: /etc/conjur.conf
+ state: absent
+
+- name: Clean Conjur SSL certificate Symlink
+ file:
+ path: /etc/ssl/certs/conjur.crt
+ state: absent
+
+- name: Clean Conjur SSL certificate
+ file:
+ path: /etc/conjur.pem
+ state: absent
+
+- name: Remove group conjur
+ group:
+ name: conjur
+ state: absent
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.conf.j2 b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.conf.j2
new file mode 100644
index 000000000..cd1403ce7
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.conf.j2
@@ -0,0 +1,5 @@
+account: {{conjur_account}}
+appliance_url: {{conjur_appliance_url}}
+cert_file: {{conjur_ssl_certificate_path}}
+netrc_path: /etc/conjur.identity
+plugins: []
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.identity.j2 b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.identity.j2
new file mode 100644
index 000000000..7bde0ff2e
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/templates/conjur.identity.j2
@@ -0,0 +1,3 @@
+machine {{conjur_appliance_url}}/authn
+ login host/{{conjur_host_name}}
+ password {{host_factory_response.json.api_key}}
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.dockerignore b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.dockerignore
new file mode 100644
index 000000000..5ed3ebd29
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.dockerignore
@@ -0,0 +1 @@
+conjur-intro/
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/.gitignore b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/.gitignore
new file mode 100644
index 000000000..bc1a1f616
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/.gitignore
@@ -0,0 +1,2 @@
+# Created by pytest automatically.
+*
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG
new file mode 100644
index 000000000..fce15ad7e
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/CACHEDIR.TAG
@@ -0,0 +1,4 @@
+Signature: 8a477f597d28d172789f06886806bc55
+# This file is a cache directory tag created by pytest.
+# For information about cache directory tags, see:
+# https://bford.info/cachedir/spec.html
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/README.md b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/README.md
new file mode 100644
index 000000000..b89018ced
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/README.md
@@ -0,0 +1,8 @@
+# pytest cache directory #
+
+This directory contains data from the pytest's cache plugin,
+which provides the `--lf` and `--ff` options, as well as the `cache` fixture.
+
+**Do not** commit this to version control.
+
+See [the docs](https://docs.pytest.org/en/stable/how-to/cache.html) for more information.
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids
new file mode 100644
index 000000000..ffadcb1be
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/nodeids 
@@ -0,0 +1,22 @@ +[ + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]", + "test_cases/cleanup-conjur-identity/tests/test_default.py::test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]", + 
"test_cases/configure-conjur-identity/tests/test_default.py::test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]", + "test_cases/configure-conjur-identity/tests/test_default.py::test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]" +]
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise
new file mode 100644
index 000000000..0637a088a
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/.pytest_cache/v/cache/stepwise
@@ -0,0 +1 @@
+[]
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile
new file mode 100644
index 000000000..3985b12ad
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile
@@ -0,0 +1,39 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+WORKDIR /cyberark
+
+# install python 3
+RUN apt-get update && \
+ apt-get install -y python3-pip && \
+ pip3 install --upgrade pip
+
+ARG ANSIBLE_VERSION
+# install ansible and its test tool
+RUN pip3 install ansible==${ANSIBLE_VERSION}.* pytest-testinfra
+
+# install docker installation requirements
+RUN apt-get update && \
+ apt-get install -y apt-transport-https \
+ ca-certificates \
+ curl \
+ software-properties-common
+
+# install docker
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
+RUN add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+ $(lsb_release -cs) \
+ stable"
+
+RUN apt-get update && \
+ apt-get -y install docker-ce
+
+# NOTE: Everything above is copied from REPO_ROOT/tests/conjur_variable/Dockerfile. It defines a
+# standard container image for running ansible tests
+
+# install ruby
+RUN apt-get update && apt-get install -y gcc build-essential
+RUN apt-add-repository -y ppa:brightbox/ruby-ng && apt-get update && apt-get install -y ruby2.7 ruby2.7-dev
+RUN gem install conjur-cli
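Review bot: The test image resolves most of its tooling at build time without pins: `pip3 install ansible==${ANSIBLE_VERSION}.* pytest-testinfra` pins only ansible's major.minor, `ruby2.7` comes from a third-party PPA, and `gem install conjur-cli` takes whatever is current, so two builds of the same commit can differ. The Docker repository key is also imported with `curl ... | apt-key add -`, which is deprecated in favour of storing the key under `/etc/apt/keyrings` and referencing it with `signed-by=` in the `deb` line. Pin `pytest-testinfra` and `conjur-cli` to explicit versions and add a comment next to `ARG ANSIBLE_VERSION` stating the expected value so the build is reproducible.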
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile_nginx b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile_nginx
new file mode 100644
index 000000000..d9f18c7bd
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/Dockerfile_nginx
@@ -0,0 +1,16 @@
+FROM nginx:1.13.3
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+ apt-get update && \
+ apt-get install -y iputils-ping procps openssl && \
+ rm -rf /var/lib/apt/lists/*
+
+WORKDIR /etc/nginx/
+
+COPY proxy/ssl.conf /etc/ssl/openssl.cnf
+
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -config /etc/ssl/openssl.cnf -extensions v3_ca \
+ -keyout cert.key -out cert.crt
+
+COPY proxy/default.conf /etc/nginx/conf.d/default.conf
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/ansible.cfg b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/ansible.cfg
new file mode 100644
index 000000000..56026b775
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/ansible.cfg
@@ -0,0 +1,8 @@
+[defaults]
+display_skipped_hosts = False
+host_key_checking = False
+error_on_undefined_vars = True
+timeout = 60
+inventory = inventory.tmp
+roles_path = /cyberark
+remote_tmp = /tmp
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/docker-compose.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/docker-compose.yml
new file mode 100644
index 000000000..832655687
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/docker-compose.yml
@@ -0,0 +1,84 @@
+version: '3'
+services:
+ ansible:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ args:
+ ANSIBLE_VERSION: ${ANSIBLE_VERSION}
+ command: /bin/sleep 1d
+ environment:
+ CONJUR_APPLIANCE_URL: ${CONJUR_APPLIANCE_URL}
+ CONJUR_ACCOUNT: ${CONJUR_ACCOUNT}
+ CONJUR_AUTHN_LOGIN: ${CONJUR_AUTHN_LOGIN}
+ CONJUR_AUTHN_API_KEY: ${ANSIBLE_CONJUR_AUTHN_API_KEY}
+ CONJUR_CUSTOM_AUTHN_API_KEY: ${CUSTOM_CONJUR_AUTHN_API_KEY}
+ COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+ # NOTE: Explicitly setting the ANSIBLE_CONFIG envvar avoids Ansible ignoring
+ # the configuration because it is in a world-writable working directory,
+ # see https://docs.ansible.com/ansible/latest/reference_appendices/config.html#avoiding-security-risks-with-ansible-cfg-in-the-current-directory.
+ ANSIBLE_CONFIG: ./ansible.cfg
+ networks:
+ - "${DOCKER_NETWORK}"
+ volumes:
+ - ..:/cyberark/cyberark.conjur.conjur-host-identity/
+ - .:/cyberark/tests/
+ - /var/run/docker.sock:/var/run/docker.sock
+ pg:
+ image: postgres:9.3
+
+ conjur:
+ image: cyberark/conjur
+ command: server -a cucumber -p 3000
+ environment:
+ CONJUR_APPLIANCE_URL: http://localhost:3000
+ DATABASE_URL: postgres://postgres@pg/postgres
+ CONJUR_DATA_KEY: "W0BuL8iTr/7QvtjIluJbrb5LDAnmXzmcpxkqihO3dXA="
+ networks:
+ - default
+ links:
+ - pg
+
+ conjur_cli:
+ image: cyberark/conjur-cli:5-latest
+ entrypoint: []
+ command: sleep infinity
+ environment:
+ CONJUR_APPLIANCE_URL: http://conjur:3000
+ CONJUR_ACCOUNT: cucumber
+ CONJUR_AUTHN_LOGIN: admin
+ CONJUR_AUTHN_API_KEY: ${CLI_CONJUR_AUTHN_API_KEY}
+ volumes:
+ - ./policy:/policy
+ links:
+ - conjur
+
+ test_app_ubuntu:
+ build: ./test_app_ubuntu
+ entrypoint: sleep
+ command: infinity
+ networks:
+ - "${DOCKER_NETWORK}"
+
+ test_app_centos:
+ build: ./test_app_centos
+ entrypoint: sleep
+ command: infinity
+ networks:
+ - "${DOCKER_NETWORK}"
+
+ conjur-proxy-nginx:
+ build:
+ context: .
+ dockerfile: Dockerfile_nginx
+ entrypoint: nginx-debug -g 'daemon off;'
+ environment:
+ TERM: xterm
+ depends_on:
+ - conjur
+ - conjur_cli
+
+networks:
+ dap_net:
+ name: dap_net
+ external: true
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook-v2.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook-v2.yml
new file mode 100644
index 000000000..d47081cbe
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook-v2.yml
@@ -0,0 +1,6 @@
+---
+- name: Compile inventory template locally
+ hosts: localhost
+ tasks:
+ - name: compile inventory template
+ template: src=inventory-v2.j2 dest=/cyberark/tests/inventory.tmp
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook.yml
new file mode 100644
index 000000000..91d44fcb8
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-playbook.yml
@@ -0,0 +1,6 @@
+---
+- name: Compile inventory template locally
+ hosts: localhost
+ tasks:
+ - name: compile inventory template
+ template: src=inventory.j2 dest=/cyberark/tests/inventory.tmp
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-v2.j2 b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-v2.j2
new file mode 100644
index 000000000..4a004fb13
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory-v2.j2
@@ -0,0 +1,6 @@
+[testapp]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}-test_app_ubuntu-[1:2] ansible_connection=docker
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}-test_app_centos-[1:2] ansible_connection=docker
+
+[ansible]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}-ansible-1 ansible_connection=docker
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory.j2 b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory.j2
new file mode 100644
index 000000000..62d48ef82
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/inventory.j2
@@ -0,0 +1,6 @@
+[testapp]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_ubuntu_[1:2] ansible_connection=docker
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}_test_app_centos_[1:2] ansible_connection=docker
+
+[ansible]
+{{ lookup('env','COMPOSE_PROJECT_NAME') }}_ansible_1 ansible_connection=docker
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/cleanup-conjur-identity b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/cleanup-conjur-identity
new file mode 100644
index 000000000..d1372eaea
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/cleanup-conjur-identity
@@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="8" time="4.102" timestamp="2022-09-09T15:12:54.260298" hostname="3ef34ba116db"><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]" time="0.681" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]" time="0.198" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]" time="0.687" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]" time="0.201" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]" time="0.698" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]" time="0.213" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]" time="0.702" /><testcase classname="test_cases.cleanup-conjur-identity.tests.test_default" name="test_is_not_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]" time="0.190" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/configure-conjur-identity b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/configure-conjur-identity
new file mode 100644
index 000000000..d982cbaa2
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/junit/configure-conjur-identity
@@ -0,0 +1 @@ +<?xml version="1.0" encoding="utf-8"?><testsuites><testsuite name="pytest" errors="0" failures="0" skipped="0" tests="12" time="5.511" timestamp="2022-09-09T15:14:31.194874" hostname="3ef34ba116db"><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]" time="0.691" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]" time="0.412" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_1]" time="0.133" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]" time="0.710" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]" time="0.384" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_centos_2]" time="0.126" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]" time="0.727" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]" time="0.383" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" 
name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_1]" time="0.155" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_hosts_file[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]" time="0.719" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_is_conjurized[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]" time="0.387" /><testcase classname="test_cases.configure-conjur-identity.tests.test_default" name="test_retrieve_secret_with_summon[docker://jenkinscyberarkansibleconjurcollectionv1201conjurhostidentity_test_app_ubuntu_2]" time="0.143" /></testsuite></testsuites>
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/policy/root.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/policy/root.yml
new file mode 100644
index 000000000..0309cf702
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/policy/root.yml
@@ -0,0 +1,32 @@
+---
+- !policy
+ id: ansible
+ annotations:
+ description: Policy for Ansible master and remote hosts
+ body:
+
+ - !host
+ id: ansible-master
+ annotations:
+ description: Host for running Ansible on remote targets
+
+ - !layer &remote_hosts_layer
+ id: remote_hosts
+ annotations:
+ description: Layer for Ansible remote hosts
+
+ - !host-factory
+ id: ansible-factory
+ annotations:
+ description: Factory to create new hosts for ansible
+ layer: [ *remote_hosts_layer ]
+
+ - !variable
+ id: target-password
+ annotations:
+ description: Password needed by the Ansible remote machine
+
+ - !permit
+ role: *remote_hosts_layer
+ privileges: [ execute ]
+ resources: [ !variable target-password ]
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/default.conf b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/default.conf
new file mode 100644
index 000000000..db2153a71
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/default.conf
@@ -0,0 +1,33 @@
+server {
+ listen 80;
+ return 301 https://conjur$request_uri;
+}
+
+server {
+ listen 443;
+ server_name localhost;
+ ssl_certificate /etc/nginx/cert.crt;
+ ssl_certificate_key /etc/nginx/cert.key;
+
+ ssl on;
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
+ ssl_prefer_server_ciphers on;
+
+ access_log /var/log/nginx/access.log;
+
+ location / {
+ proxy_pass http://conjur:3000;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/ssl.conf b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/ssl.conf
new file mode 100644
index 000000000..e78716b27
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/proxy/ssl.conf
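Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated and disabled by default in current OpenSSL builds; since this proxy exists to exercise the `conjur_validate_certs: yes` path it should pin `ssl_protocols TLSv1.2 TLSv1.3;` (or just `TLSv1.2` if the nginx image predates 1.13). `ssl on;` is likewise deprecated in favour of `listen 443 ssl;`. Note also that the port-80 block redirects to `https://conjur$request_uri`, while the accompanying ssl.conf lists only `localhost`, `conjur-proxy-nginx` and `127.0.0.1` as SANs, so a client that follows that redirect with verification on would presumably fail; `return 301 https://conjur-proxy-nginx$request_uri;` would match the certificate.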
@@ -0,0 +1,39 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+req_extensions = v3_req
+x509_extensions = usr_cert
+
+[ dn ]
+C=IL
+ST=Israel
+L=TLV
+O=Onyx
+OU=CyberArk
+CN=conjur-proxy-nginx
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsCertType = client, server, email
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+[ v3_req ]
+extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = conjur-proxy-nginx
+IP.1 = 127.0.0.1
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test.sh b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test.sh
new file mode 100755
index 000000000..9a54cb8b9
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test.sh
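Review bot: `req_extensions` and `x509_extensions` are each set twice in `[req]` (`req_ext`/`v3_req` and `v3_ca`/`usr_cert`); as far as I recall OpenSSL keeps the last definition, so `v3_ca` — the only section carrying `subjectAltName = @alt_names` — is never applied unless the openssl invocation that consumes this file (not in the diff) passes `-extensions v3_ca` explicitly, and `req_ext` does not exist at all. Without a SAN, clients that ignore the CN (Python urllib3, Go) reject the proxy even though `conjur_validate_certs: yes` is exactly what these tests exercise. Suggest dropping the duplicate keys and adding `subjectAltName = @alt_names` to both `[ usr_cert ]` and `[ v3_req ]`. Separately, `extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection` is far broader than a TLS server needs; `extendedKeyUsage = serverAuth` is sufficient here, and `nsCertType` is obsolete and can go.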
@@ -0,0 +1,249 @@
+#!/bin/bash -eu
+
+set -o pipefail
+
+# normalises project name by filtering non alphanumeric characters and transforming to lowercase
+declare -x COMPOSE_PROJECT_NAME=''
+declare -x ENTERPRISE_PROJECT='conjur-intro-host'
+declare -x ANSIBLE_PROJECT=''
+
+declare -x ANSIBLE_CONJUR_AUTHN_API_KEY=''
+declare -x CLI_CONJUR_AUTHN_API_KEY=''
+declare -x DOCKER_NETWORK="default"
+declare -x ANSIBLE_VERSION="${ANSIBLE_VERSION:-6}"
+
+declare cli_cid=''
+declare ansible_cid=''
+declare enterprise='false'
+declare test_dir=''
+
+ ANSIBLE_PROJECT=$(echo "${BUILD_TAG:-ansible-plugin-testing}-conjur-host-identity" | sed -e 's/[^[:alnum:]]//g' | tr '[:upper:]' '[:lower:]')
+ test_dir="$(pwd)"
+
+function clean {
+ echo 'Removing test environment'
+ echo '---'
+
+ # Escape conjur-intro dir if Enterprise setup fails
+ cd "${test_dir}"
+
+ if [[ -d conjur-intro ]]; then
+ pushd conjur-intro
+ COMPOSE_PROJECT_NAME="${ENTERPRISE_PROJECT}"
+ ./bin/dap --stop
+ popd
+ rm -rf conjur-intro
+ fi
+
+ COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}"
+ docker-compose down -v
+ rm -rf inventory.tmp \
+ conjur.pem
+}
+function finish {
+ rv=$?
+ clean || true
+ exit $rv
+}
+trap finish EXIT
+
+while getopts 'e' flag; do
+ case "${flag}" in
+ e) enterprise="true" ;;
+ *) exit 1 ;;
+ esac
+done
+
+clean
+
+function setup_admin_api_key {
+ if [[ "$enterprise" == "true" ]]; then
+ docker exec "${cli_cid}" \
+ conjur user rotate_api_key
+ else
+ docker-compose exec -T conjur \
+ conjurctl role retrieve-key "${CONJUR_ACCOUNT}:user:admin"
+ fi
+}
+
+function setup_ansible_api_key {
+ docker exec "${cli_cid}" \
+ conjur host rotate_api_key --host ansible/ansible-master
+}
+
+function hf_token {
+ docker exec "${cli_cid}" bash -c "conjur hostfactory tokens create --duration-days=5 ansible/ansible-factory | jq -r '.[0].token'"
+}
+
+function setup_conjur_resources {
+ echo "---- setting up conjur ----"
+ policy_path="root.yml"
+ if [[ "${enterprise}" == "false" ]]; then
+ policy_path="/policy/${policy_path}"
+ fi
+
+ docker exec "${cli_cid}" bash -ec "
+ conjur policy load root ${policy_path}
+ conjur variable values add ansible/target-password target_secret_password
+ "
+}
+
+function run_test_cases {
+ for test_case in test_cases/*; do
+ teardown_and_setup
+ run_test_case "$(basename -- "$test_case")"
+ done
+}
+
+function run_test_case {
+ echo "---- testing ${test_case} ----"
+ local test_case=$1
+ if [ -n "$test_case" ]; then
+ docker exec "${ansible_cid}" \
+ env HFTOKEN="$(hf_token)" \
+ env CONJUR_ACCOUNT="${CONJUR_ACCOUNT}" \
+ env CONJUR_APPLIANCE_URL="${CONJUR_APPLIANCE_URL}" \
+ bash -ec "
+ cd tests
+ ansible-playbook test_cases/${test_case}/playbook.yml
+ "
+ if [ -d "${test_dir}/test_cases/${test_case}/tests/" ]; then
+ docker exec "${ansible_cid}" bash -ec "
+ cd tests
+ py.test --junitxml=./junit/${test_case} --connection docker -v test_cases/${test_case}/tests/test_default.py
+ "
+ fi
+ else
+ echo ERROR: run_test called with no argument 1>&2
+ exit 1
+ fi
+}
+
+function teardown_and_setup {
+ docker-compose up -d --force-recreate --scale test_app_ubuntu=2 test_app_ubuntu
+ docker-compose up -d --force-recreate --scale test_app_centos=2 test_app_centos
+}
+
+function wait_for_server {
+ # shellcheck disable=SC2016
+ docker exec "${cli_cid}" bash -ec '
+ for i in $( seq 20 ); do
+ curl -o /dev/null -fs -X OPTIONS ${CONJUR_APPLIANCE_URL} > /dev/null && echo "server is up" && break
+ echo "."
+ sleep 2
+ done
+ '
+}
+
+function fetch_ssl_cert {
+ echo "Fetching SSL certs"
+ service_id="conjur-proxy-nginx"
+ cert_path="cert.crt"
+ if [[ "${enterprise}" == "true" ]]; then
+ service_id="conjur-master.mycompany.local"
+ cert_path="/etc/ssl/certs/ca.pem"
+ fi
+
+ (docker-compose exec -T "${service_id}" cat "${cert_path}") > conjur.pem
+}
+
+function generate_inventory {
+ # Use a different inventory file for docker-compose v1 and v2 or later
+ playbook_file="inventory-playbook-v2.yml"
+ compose_ver=$(docker-compose version --short)
+ if [[ $compose_ver == "1"* ]]; then
+ playbook_file="inventory-playbook.yml"
+ fi
+
+ # uses .j2 template to generate inventory prepended with COMPOSE_PROJECT_NAME
+ docker-compose exec -T ansible bash -ec "
+ cd tests
+ ansible-playbook $playbook_file
+ "
+
+ cat inventory.tmp
+}
+
+function setup_conjur_open_source() {
+ docker-compose up -d --build
+
+ cli_cid="$(docker-compose ps -q conjur_cli)"
+
+ fetch_ssl_cert
+ wait_for_server
+
+ echo "Recreating Conjur CLI with admin credentials"
+ CLI_CONJUR_AUTHN_API_KEY=$(setup_admin_api_key)
+ docker-compose up -d conjur_cli
+ cli_cid=$(docker-compose ps -q conjur_cli)
+
+ setup_conjur_resources
+}
+
+function setup_conjur_enterprise() {
+ git clone --single-branch --branch main https://github.com/conjurdemos/conjur-intro.git
+ pushd ./conjur-intro
+
+ echo "Provisioning Enterprise leader and follower"
+ ./bin/dap --provision-master
+ ./bin/dap --provision-follower
+
+ cp ../policy/root.yml .
+
+ # Run 'sleep infinity' in the CLI container, so the scripts
+ # have access to an alive and authenticated CLI until the script terminates
+ cli_cid="$(docker-compose run -d \
+ -w /src/cli \
+ --entrypoint sleep client infinity)"
+
+ echo "Authenticate Conjur CLI container"
+ docker exec "${cli_cid}" \
+ /bin/bash -c "
+ if [ ! -e /root/conjur-demo.pem ]; then
+ yes 'yes' | conjur init -u ${CONJUR_APPLIANCE_URL} -a ${CONJUR_ACCOUNT}
+ fi
+ conjur authn login -u admin -p MySecretP@ss1
+ hostname -I
+ "
+
+ fetch_ssl_cert
+ setup_conjur_resources
+
+ echo "Relocate credential files"
+ mv conjur.pem ../.
+ popd
+}
+
+function main() {
+ if [[ "${enterprise}" == "true" ]]; then
+ echo "Deploying Conjur Enterprise"
+
+ export DOCKER_NETWORK="dap_net"
+ export CONJUR_APPLIANCE_URL="https://conjur-master.mycompany.local"
+ export CONJUR_ACCOUNT="demo"
+ COMPOSE_PROJECT_NAME="${ENTERPRISE_PROJECT}"
+ DOCKER_NETWORK="dap_net"
+
+ setup_conjur_enterprise
+ else
+ echo "Deploying Conjur Open Source"
+
+ export CONJUR_APPLIANCE_URL="https://conjur-proxy-nginx"
+ export CONJUR_ACCOUNT="cucumber"
+ COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}"
+
+ setup_conjur_open_source
+ fi
+
+ echo "Preparing Ansible for test run"
+ COMPOSE_PROJECT_NAME="${ANSIBLE_PROJECT}"
+ ANSIBLE_CONJUR_AUTHN_API_KEY=$(setup_ansible_api_key)
+ docker-compose up -d ansible
+ ansible_cid=$(docker-compose ps -q ansible)
+ generate_inventory
+
+ echo "Running tests"
+ run_test_cases
+}
+
+main
\ No newline at end of file
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_centos/Dockerfile b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_centos/Dockerfile
new file mode 100644
index 000000000..ee474e7bf
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_centos/Dockerfile
@@ -0,0 +1,4 @@
+FROM centos:7
+
+# Install Python so Ansible can run against node
+RUN yum update -y && yum install -y python3
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile
new file mode 100644
index 000000000..ce919aa57
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_app_ubuntu/Dockerfile
@@ -0,0 +1,4 @@
+FROM ubuntu:20.04
+
+# Install Python so Ansible can run against node
+RUN apt-get update -y && apt-get install -y python3-minimal
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/cleanup-conjur-identity/playbook.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/cleanup-conjur-identity/playbook.yml
new file mode 100644
index 000000000..dfdbe2804
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/cleanup-conjur-identity/playbook.yml
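Review bot: `git clone --single-branch --branch main https://github.com/conjurdemos/conjur-intro.git` in `setup_conjur_enterprise` pulls an unpinned third-party branch and then executes its `./bin/dap` scripts on the CI host, so any push to that repo's `main` runs here unreviewed; pin it to a tag or commit, e.g. `git -C conjur-intro checkout <pinned-sha>` immediately after the clone. `hf_token` mints a host-factory token with `--duration-days=5` on every `run_test_case` call and never revokes it, although the job needs it for minutes; use the shortest duration this CLI version accepts (`--duration-hours=1` if supported) so a leaked token cannot enroll hosts for days. Note also that `HFTOKEN="$(hf_token)"` and `-p MySecretP@ss1` are passed on the `docker exec` command line and are therefore visible in the host's process list while the exec runs; passing them through the environment or a `--env-file` avoids that. These are throwaway test credentials, so the exposure is bounded, but the unpinned clone is a real supply-chain gap.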
@@ -0,0 +1,17 @@
+---
+- name: Configuring Conjur identity on remote hosts
+ hosts: testapp
+ roles:
+ - role: "cyberark.conjur.conjur-host-identity"
+ conjur_account: "{{lookup('env', 'CONJUR_ACCOUNT')}}"
+ conjur_appliance_url: "{{lookup('env', 'CONJUR_APPLIANCE_URL')}}"
+ conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"
+ conjur_host_name: "conjur_{{ ansible_hostname }}"
+ conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}"
+ conjur_validate_certs: yes
+
+- name: Revoke Conjur identity from remote hosts
+ hosts: testapp
+ roles:
+ - role: "cyberark.conjur.conjur-host-identity"
+ state: absent
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/cleanup-conjur-identity/tests/test_default.py b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/cleanup-conjur-identity/tests/test_default.py
new file mode 100644
index 000000000..9139ea87a
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/cleanup-conjur-identity/tests/test_default.py
@@ -0,0 +1,23 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '/cyberark/tests/inventory.tmp').get_hosts('testapp')
+
+
+def test_hosts_file(host):
+ f = host.file('/etc/hosts')
+
+ assert f.exists
+ assert f.user == 'root'
+ assert f.group == 'root'
+
+
+def test_is_not_conjurized(host):
+ identity_file = host.file('/etc/conjur.identity')
+ assert not identity_file.exists
+
+ conf_file = host.file('/etc/conjur.conf')
+ assert not conf_file.exists
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml
new file mode 100644
index 000000000..2f1ec4556
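Review bot: `test_is_not_conjurized` proves only that `/etc/conjur.identity` and `/etc/conjur.conf` were deleted from the target; nothing checks that the host enrolled by the first play is also removed from Conjur or has its API key rotated, so a copy of the identity file taken before "cleanup" would presumably still authenticate. Whether `state: absent` performs any server-side revocation depends on the role's tasks, which are not in this diff; the second play passes no `conjur_appliance_url` or `conjur_ssl_certificate`, which suggests it is local-only. If that is the case, a comment on the second play such as `# state: absent only removes the local identity files; revoke the host in Conjur separately` would stop readers from reading this test as proof of revocation.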
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/playbook.yml
@@ -0,0 +1,11 @@
+---
+- name: Configuring Conjur identity on remote hosts
+ hosts: testapp
+ roles:
+ - role: "cyberark.conjur.conjur-host-identity"
+ conjur_account: "{{lookup('env', 'CONJUR_ACCOUNT')}}"
+ conjur_appliance_url: "{{lookup('env', 'CONJUR_APPLIANCE_URL')}}"
+ conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"
+ conjur_host_name: "conjur_{{ ansible_hostname }}"
+ conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}"
+ conjur_validate_certs: yes
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py
new file mode 100644
index 000000000..80513230a
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/configure-conjur-identity/tests/test_default.py
@@ -0,0 +1,33 @@
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '/cyberark/tests/inventory.tmp').get_hosts('testapp')
+
+
+def test_hosts_file(host):
+ f = host.file('/etc/hosts')
+
+ assert f.exists
+ assert f.user == 'root'
+ assert f.group == 'root'
+
+
+def test_is_conjurized(host):
+ identity_file = host.file('/etc/conjur.identity')
+
+ assert identity_file.exists
+ assert identity_file.user == 'root'
+
+ conf_file = host.file('/etc/conjur.conf')
+
+ assert conf_file.exists
+ assert conf_file.user == 'root'
+
+
+def test_retrieve_secret_with_summon(host):
+ result = host.check_output("summon --yaml 'DB_USERNAME: !var ansible/target-password' bash -c 'printenv DB_USERNAME'", shell=True)
+
+ assert result == "target_secret_password"
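Review bot: `test_is_conjurized` asserts only existence and `user == 'root'` for `/etc/conjur.identity`, the file that holds the host's API key, so a world-readable identity file would still pass this test; add `assert identity_file.mode == 0o600` and `assert identity_file.group == 'root'` (the latter mirrors what `test_hosts_file` already checks) to pin the permissions that keep the credential private. The mode the role actually writes is not visible in this diff, so set the expected value to match it, but anything group- or world-readable should be treated as a failure. The same `mode` check is cheap to add for `/etc/conjur.conf`, which reveals the appliance URL and CA bundle path.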
diff --git a/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/misconfig-conjur-identity/playbook.yml b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/misconfig-conjur-identity/playbook.yml
new file mode 100644
index 000000000..2ae9ec144
--- /dev/null
+++ b/ansible_collections/cyberark/conjur/roles/conjur_host_identity/tests/test_cases/misconfig-conjur-identity/playbook.yml
@@ -0,0 +1,22 @@
+---
+- name: Configuring Conjur identity on remote hosts fails when missing required variable
+ hosts: testapp
+ tasks:
+ - name: Attempt to configure Conjur identity
+ block:
+ - import_role:
+ name: "cyberark.conjur.conjur-host-identity"
+ vars:
+ conjur_account: cucumber
+ # conjur_appliance_url: "https://conjur-proxy-nginx"
+ conjur_host_factory_token: "{{lookup('env', 'HFTOKEN')}}"
+ conjur_host_name: "conjur_{{ ansible_hostname }}"
+ conjur_ssl_certificate: "{{lookup('file', '../../conjur.pem')}}"
+ conjur_validate_certs: yes
+ rescue:
+ - name: Confirm Role setup fails
+ assert:
+ that: ansible_failed_result.failed == true
+ - name: Confirm error message
+ assert:
+ that: ansible_failed_result.msg == "'conjur_appliance_url' is undefined" |
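Review bot: the second assert pins the exact text `"'conjur_appliance_url' is undefined"`, which is Ansible's own Jinja undefined-variable message rather than anything the role emits, and that text has varied between Ansible releases (newer versions append further detail), so the test is coupled to `ANSIBLE_VERSION` instead of to the role's behaviour. Asserting containment, `that: ansible_failed_result.msg is search("'conjur_appliance_url' is undefined")`, keeps the intent while surviving message-format changes; better still, have the role validate its required variables with an explicit `assert`/`fail` and check that message here. The first assert on `ansible_failed_result.failed == true` is fine as is.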