Loop over group IP's - ansible

I have a group with hosts and to probe those with GlusterFS I need to turn the group into a list of IP's.
I have searched here and on Google and tried a lot of things to get this done, some include lots of code and others templates and regex and what not.
Currently I have not found a single solution to just list the IP's of a group of hosts.
This is what I made myself, it takes the group, turns this dict into a list and then loops over the list, great! But when I loop over it the results are strings (why?!) and I cannot get the IP's anymore.
- name: workit
vars:
main_nodes_ips: "{{ groups['glusterpeers'] | list }}"
loop: "{{ main_nodes_ips }}"
debug:
msg: "{{ item['hostvars'] }}"
I found this
- debug: var=hostvars[inventory_hostname]['ansible_default_ipv4']['address']
But how to turn it into this (example not working)
- debug: var=groups['glusterpeers']['ansible_default_ipv4']['address']
I do not understand why a list of hosts turns into a list of strings all of a sudden, but maybe I should not think of it as objects.
My Result
This is what I ended up with to probe all the peers for the GlusterFS. In the 'when' blocks I hard code the hostname of the first node, not great. I still wonder if there is not a more elegant way of probing the peers, it must be something all GlusterFS users do.
Als taking the second IP may give trouble when this order of IP's changes so hostname is probably better.
- hosts: all
gather_facts: true
tasks:
- set_fact:
main_nodes_ips: "{{ groups.zicluster|
map('extract', hostvars, 'ansible_all_ipv4_addresses')|
map(attribute='1')|
list }}"
run_once: true
- debug:
var: main_nodes_ips[1:]
when: inventory_hostname == 'zi01'
- name: probe the peers
gluster.gluster.gluster_peer:
state: present
nodes: "{{ main_nodes_ips[1:] }}"
when: inventory_hostname == 'zi01'

For example, the playbook below takes the first IP address of a remote host and creates the list
- hosts: glusterpeers
gather_facts: true
tasks:
- debug:
var: ansible_all_ipv4_addresses
- set_fact:
main_nodes_ips: "{{ groups.glusterpeers|
map('extract', hostvars, 'ansible_all_ipv4_addresses')|
map('first')|
list }}"
run_once: true
- debug:
var: main_nodes_ips
run_once: true
gives
PLAY [glusterpeers] ***************************************
TASK [Gathering Facts] ************************************
ok: [host02]
ok: [host01]
ok: [host03]
TASK [debug] **********************************************
ok: [host01] =>
ansible_all_ipv4_addresses:
- 10.1.0.61
ok: [host02] =>
ansible_all_ipv4_addresses:
- 10.1.0.62
ok: [host03] =>
ansible_all_ipv4_addresses:
- 10.1.0.63
TASK [set_fact] *******************************************
ok: [host01]
TASK [debug] **********************************************
ok: [host01] =>
main_nodes_ips:
- 10.1.0.61
- 10.1.0.62
- 10.1.0.63
Notes
If you want to take any other index from the list map attribute. For example, to get the 2nd item, replace
map('first')|
by
map(attribute='1')|
In your code, you remove the first IP from the list for a particular host. This can work for the first host only
- debug:
msg: "{{ main_nodes_ips[1:] }}"
when: inventory_hostname == 'host01'
Create a dictionary if you want to remove the IP for any host. e.g.
- set_fact:
main_nodes: "{{ dict(groups.glusterpeers|zip(main_nodes_ips)) }}"
run_once: true
gives
main_nodes:
host01: 10.1.0.61
host02: 10.1.0.62
host03: 10.1.0.63
Then, use this dictionary to remove the IP of the particular host from the list
- debug:
msg: "{{ main_nodes_ips|difference(main_nodes[inventory_hostname]) }}"
when: inventory_hostname == 'host01'
gives
TASK [debug] **************************************************
skipping: [host02]
skipping: [host03]
ok: [host01] =>
msg:
- 10.1.0.62
- 10.1.0.63

Related

Ansible Fact - Accessing the additional facts

I am doing a little research on Ansible facts. I am accessing facts in the debug module using something like: ansible_facts['mounts']. I noticed there are additional facts within the dictionary like "fstype" etc. However, when I try to access this like so ansible_facts['mounts']['fstype'] but I seems this is not the proper way to access this. I was testing a conditional with when to check for the fstype. Anyone know how to access this?
With everyone's help, here is the solution I came up with to assist with my research:
---
- name: Conditionals test
hosts: dev
tasks:
- name: Update the kernel if suff space
package:
name: kernel
state: latest
loop: "{{ ansible_facts['mounts'] }}"
when: item.mount == "/boot" and item.size_available > 20000000
I am looping through the ansible_facts list and checking for /boot and measuring the size. Thank you everyone!
To get a better understanding of the data structure of Ansible facts one can use the following example and test playbook.
---
- hosts: localhost
become: false
gather_facts: true
tasks:
- name: Show amount of mounts
debug:
msg:
- "{{ ansible_facts.mounts | type_debug }}"
- "{{ ansible_facts.mounts | length }}"
- name: Show mount type (sequence)
debug:
msg: "{{ ansible_facts.mounts[item | int].fstype }}"
loop: "{{ range(0, ansible_facts.mounts | length) | list }}"
- name: Show mount type (fact list)
debug:
msg: "{{ item.fstype }}"
loop: "{{ ansible_facts.mounts }}"
loop_control:
extended: true
label: "{{ ansible_loop.index0 }}"
it shows
That ansible_facts.mounts is mostly a list, how to get the data type and how to get the length of it
How to loop over a fact list with_sequence numbers
How to access the list element by index number (ansible_facts.mounts[item | int].fstype)
How to loop over a fact list and control the label
and resulting into an output of
TASK [Show mount type (sequence)] ******
ok: [localhost] => (item=0) =>
msg: ext4
ok: [localhost] => (item=1) =>
msg: ext4
ok: [localhost] => (item=2) =>
msg: ext4
ok: [localhost] => (item=3) =>
msg: vfat
TASK [Show mount type (fact list)] ******
ok: [localhost] => (item=0) =>
msg: ext4
ok: [localhost] => (item=1) =>
msg: ext4
ok: [localhost] => (item=2) =>
msg: ext4
ok: [localhost] => (item=3) =>
msg: vfat
Further Documentation
Ansible facts
with_sequence
Adding control to loops
I think your issue here is that you are trying to acces a list of mounts, you need to get one item from that list and get his fstype something like:
ansible_facts['mounts'][0]['fstype']
Or using a loop
- name: Print fstypes
debug:
var: "{{ item }}.fstype"
loop: "{{ ansible_facts.mounts }}"
or you can do this...
- name: Update the kernel if suff space
package:
name: kernel
state: latest
when: ansible_facts['mounts']|selectattr('mount','equalto','/boot')|map(attribute='size_available')|first > 20000000
rather than looping through the mounts at all.

How do you iterate/parse through a CSV file to use in Ansible playbook?

I am new to Ansible and don't have much coding experience in general. I am trying to figure out how to provision RHEL servers using the DellEMC OpenManage modules.
The first step to this is figuring out how to parse a CSV, that we are putting necessary information for the later templating. (IP, hostname, MAC, etc. ...) I can get it to print the data in general, but cant figure out how to parse/iterate through it.
CSV Sample
server_name,idrac_ip,idrac_user,idrac_pwd,idrac_nw,idrac_gw,idrac_mac,mgmt_ip,mgmt_nw,mgmt_gw,mgmt_mac,bond0_100_ip,bond0_200_ip,dns_1,bond0_100_nw,bond0_100_gw,bond0_100_vip,bond0_200_nw,bond0_200_gw,bond0_200_vip,os,fs,sio_type,mdm_name
test1,1.1.1.10,root,Password1234,1.1.1.0/24,1.1.1.1,00:00:00:00:00:01,1.1.1.142,1.1.62.0/24,1.1.2.1,98:03:9B:46:25:B3,1.1.1.22,1.1.1.21,1.1.1.26,1.1.61.15/24,1.1.61.1,1.1.61.29,1.1.66.0/24,1.1.66.1,1.1.1.29,RHEL 7.6,1,Master,MDM-1
Here is my playbook to print the info in general.
---
- name: Parse
hosts: localhost
connection: local
tasks:
- name: Load CSV Data into object
read_csv:
path: 'Test_Lab_Servers.csv'
fieldnames: server_name,idrac_ip,idrac_user,idrac_pwd,idrac_nw,idrac_gw,idrac_mac,mgmt_ip,mgmt_nw,mgmt_gw,mgmt_mac,bond0_100_ip,bond0_200_ip,dns_1,bond0_100_nw,bond0_100_gw,bond0_100_vip,bond0_200_nw,bond0_200_gw,bond0_200_vip,os,fs,sio_type,mdm_name
delimiter: ','
register: csv_output
delegate_to: localhost
- name: Print data
debug:
msg: "{{ csv_output }}"
Any advice?
According the read_csv module parameter documentation fieldnames are
needed if the CSV does not have a header
only. Therefore you could remove it to get a list object which might be easier to parse.
- name: Print data
debug:
msg: "{{ csv_output.list }}"
As already mentioned within the comments, to iterate over the list elements you may use loop.
- name: Print data
debug:
msg: "{{ item }}"
loop: "{{ csv_output.list }}"
With extended loop variables you will have a better control about the loop output.
- name: Print data
debug:
msg: "{{ item }}"
loop: "{{ csv_output.list }}"
loop_control:
extended: yes
label: "{{ ansible_loop.index0 }}"
Resulting into an output of
TASK [Print data] ***************
ok: [localhost] => (item=0) =>
msg:
bond0_100_gw: 1.1.61.1
bond0_100_ip: 1.1.1.22
bond0_100_nw: 1.1.61.15/24
bond0_100_vip: 1.1.61.29
bond0_200_gw: 1.1.66.1
bond0_200_ip: 1.1.1.21
bond0_200_nw: 1.1.66.0/24
bond0_200_vip: 1.1.1.29
dns_1: 1.1.1.26
fs: '1'
idrac_gw: 1.1.1.1
idrac_ip: 1.1.1.10
idrac_mac: 00:00:00:00:00:01
idrac_nw: 1.1.1.0/24
idrac_pwd: Password1234
idrac_user: root
mdm_name: MDM-1
mgmt_gw: 1.1.2.1
mgmt_ip: 1.1.1.142
mgmt_mac: 98:03:9B:46:25:B3
mgmt_nw: 1.1.62.0/24
os: RHEL 7.6
server_name: test1
sio_type: Master
...
Specific items (fields) like server_name you could get simply by using
msg: "{{ item.server_name }}"
resulting into an output of
TASK [Print data] ************
ok: [localhost] => (item=0) =>
msg: test1
ok: [localhost] => (item=1) =>
msg: test2
ok: [localhost] => (item=2) =>
msg: test3
...

How to match/search a substring from a dict attribute that is a list

Here's the scenario:
a playbook that calls a role to create users in multiple servers, including a VM Scale Set (where ansible_hostnames can't be predicted) - inventory is already being dynamically generated and works fine and not the issue
a users dict variable will provide the user list as well as a series of attributes for each
one of these attributes is a server list named target_servers - this variable's attribute is the actual issue
target_servers is used by the playbook to decide if the user will be present/absent on that particular server - it complements ansible's inventory
target_servers might include only the starting name of a particular target host, a sub-string, like "vmss" as a "vmss*" wildcard, but also fixed hostnames server12345, server12346, etc.
so, dynamic inventory tells ansible which servers to connect to, but the variable tells it whether the user should be created or removed from that particular servers (i.e. servers have different users)
Objective(s):
Have a conditional that checks if a target_server list element content matches the ansible_hostname (i.e. if the substring found in the target_servers list (from the users dict) matches, then we provision the user; additionally, off course, if the list provides the entire hostname, it should match and the users also be provisioned)
Here's the code:
---
- hosts: all
become: yes
vars:
users:
user1:
is_sudo: no
is_chrooted: yes
auth_method: hvault
sa_homedir: firstname1lastname1
state: present
target_servers:
- vmss
- ubuntu
user2:
is_sudo: no
is_chrooted: yes
auth_method: hvault
sa_homedir: firstname2lastname2
state: present
target_servers:
- vmss
- ubuntu18
tasks:
- debug:
msg: "{{ ansible_hostname }}"
- debug:
msg: "{{ item.value.target_servers }}"
loop: "{{ lookup('dict', users|default({})) }}"
# This is just to exemplify what I'm trying to achieve as it is not supposed to work
- debug:
msg: "ansible_hostname is in target_servers of {{ item.key }}"
loop: "{{ lookup('dict', users|default({})) }}"
when: ansible_hostname is match(item.value.target_servers)
Here's the output showing that the match string test cannot be applied to a list (as expected):
TASK [debug] ************************************************************************************************************************************************
ok: [ubuntu18] =>
msg: ubuntu18
TASK [debug] ************************************************************************************************************************************************
ok: [ubuntu18] => (item={'key': 'user1', 'value': {'is_sudo': False, 'is_chrooted': True, 'auth_method': 'hvault', 'sa_homedir': 'firstname1lastname1', 'state': 'present', 'target_servers': ['vmss', 'ubuntu']}}) =>
msg:
- vmss
- ubuntu
ok: [ubuntu18] => (item={'key': 'user2', 'value': {'is_sudo': False, 'is_chrooted': True, 'auth_method': 'hvault', 'sa_homedir': 'firstname2lastname2', 'state': 'present', 'target_servers': ['vmss', 'ubuntu18']}}) =>
msg:
- vmss
- ubuntu18
TASK [debug] ************************************************************************************************************************************************
fatal: [ubuntu18]: FAILED! =>
msg: |-
The conditional check 'ansible_hostname is match(item.value.target_servers)' failed. The error was: Unexpected templating type error occurred on ({% if ansible_hostname is match(item.value.target_servers) %} True {% else %} False {% endif %}): unhashable type: 'list'
The error appears to be in 'test-play-users-core.yml': line 32, column 5, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- debug:
^ here
Already tried researching about selectattr, json_query and subelements but I currently lack the understanding on how to make them work to match a substring inside a dict attribute that is a list.
In the example above, by changing from is match() to in, exact hostnames work fine, but that is not the goal. I need to match both exact hostnames and sub-strings for these hostnames.
Any help on how to accomplish this or suggestions about alternate methods will be greatly appreciated.
The example here might work if I could find a way to run it against a list (target_servers) after having already looped through the entire dictionary (are nested loops possible?): https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#testing-strings
I guess I've just found what I needed: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/subelements_lookup.html
Will try and provide an update soon.
Update: yes, subelements work! Here's the code needed:
- name: test 1
debug:
msg: "{{ item.1 }} matches {{ ansible_hostname }}"
with_subelements:
- "{{ users }}"
- target_servers
when: >
ansible_hostname is match(item.1)
You can use the select filter to apply the in test to all the elements of your users' target_servers list.
This would be your debug task:
- debug:
msg: "hostname is in target_servers of {{ item.key }}"
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
when: >-
item.value.target_servers
| select('in', inventory_hostname)
| length > 0
Given the playbook:
- hosts: all
gather_facts: false
vars:
_hostname: ubuntu18
users:
user1:
target_servers:
- vmss
- ubuntu
user2:
target_servers:
- vmss
- ubuntu18
tasks:
- debug:
msg: "hostname is in target_servers of {{ item.key }}"
loop: "{{ users | dict2items }}"
loop_control:
label: "{{ item.key }}"
when: >-
item.value.target_servers
| select('in', inventory_hostname)
| length > 0
This yields:
ok: [ubuntu18] => (item=user1) =>
msg: hostname is in target_servers of user1
ok: [ubuntu18] => (item=user2) =>
msg: hostname is in target_servers of user2
Doing it with subelements instead:
- hosts: all
gather_facts: false
vars:
_hostname: ubuntu18
users:
user1:
target_servers:
- vmss
- ubuntu
user2:
target_servers:
- vmss
- ubuntu18
tasks:
- debug:
msg: "hostname is in target_servers of {{ item.0.key }}"
loop: "{{ users | dict2items | subelements('value.target_servers') }}"
loop_control:
label: "{{ item.0.key }}"
when: item.1 in inventory_hostname
Will yield:
skipping: [ubuntu18] => (item=user1)
ok: [ubuntu18] => (item=user1) =>
msg: hostname is in target_servers of user1
skipping: [ubuntu18] => (item=user2)
ok: [ubuntu18] => (item=user2) =>
msg: hostname is in target_servers of user2

In Ansible, how to query hostvars to get a specific value of a key from a list item based on the value of a different key?

EDIT-UPDATE:
I found a way to achieve what was trying to do, using the index_of plugin. The following code outputs what I need.
---
- hosts: CASPOSR1BDAT003
connection: local
gather_facts: no
become: false
tasks:
- ansible.builtin.set_fact:
mac_address: "{{ hostvars[inventory_hostname]['interfaces'][int_idx|int]['mac_address'] }}"
vars:
int_name: 'PCI1.1'
int_idx: "{{ lookup('ansible.utils.index_of', hostvars[inventory_hostname]['interfaces'], 'eq', int_name, 'name') }}"
- debug:
var: mac_address
Output:
PLAY [CASPOSR1BDAT003] ***********************************************************************************************************************************************************************************************
TASK [ansible.builtin.set_fact] **************************************************************************************************************************************************************************************
ok: [CASPOSR1BDAT003]
TASK [debug] *********************************************************************************************************************************************************************************************************
ok: [CASPOSR1BDAT003] =>
mac_address: 20:67:7C:00:36:A0
What I am trying to do:
Use the Netbox dynamic inventory plugin (this works, brings back all the info I need)
Query hostvars for a particular host, and get the value of the MAC address for a particular interface called PCI1.1
What I have tried:
Converting the hostvars to JSON and using json_query: this hasn't worked, and having looked at some issues on GitHub, hostvars isn't a "normal" dictionary. I've logged a couple of issues anyway (https://github.com/ansible/ansible/issues/76289 and https://github.com/ansible-collections/community.general/issues/3706).
Use a sequence loop and conditional "when" to get the value - this sort of works when using the debug module, but still not just returning the value
What works:
I have tried the following, which outputs the mac_address variable as expected. The length of the list is found, and then the conditional matches the name. I do get an warning about using jinja2 templating delimiters but that's not the target of this question.
---
- hosts: CASPOSR1BDAT003
connection: local
gather_facts: no
become: false
tasks:
- debug:
var: hostvars[inventory_hostname]['interfaces'][{{ item }}]['mac_address']
with_sequence: start=0 end="{{ end_at }}"
vars:
- end_at: "{{ (hostvars[inventory_hostname]['interfaces'] | length) - 1 }}"
when: hostvars[inventory_hostname]['interfaces'][{{ item }}]['name'] == "PCI1.1"
The result is:
TASK [debug] *************************************************************************************************************************************
[WARNING]: conditional statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found:
hostvars[inventory_hostname]['interfaces'][{{ item }}]['name'] == "PCI1.1"
skipping: [CASPOSR1BDAT003] => (item=0)
skipping: [CASPOSR1BDAT003] => (item=1)
skipping: [CASPOSR1BDAT003] => (item=2)
skipping: [CASPOSR1BDAT003] => (item=3)
skipping: [CASPOSR1BDAT003] => (item=4)
ok: [CASPOSR1BDAT003] => (item=5) =>
ansible_loop_var: item
hostvars[inventory_hostname]['interfaces'][5]['mac_address']: 20:67:7C:00:36:A0
item: '5'
skipping: [CASPOSR1BDAT003] => (item=6)
skipping: [CASPOSR1BDAT003] => (item=7)
skipping: [CASPOSR1BDAT003] => (item=8)
skipping: [CASPOSR1BDAT003] => (item=9)
I'm trying to use set_fact to store this mac_address variable as I need to use it in a couple of different ways. However, I am unable to use set_fact on this (or any other hostvars data, it seems). For example, the following:
---
- hosts: CASPOSR1BDAT003
connection: local
gather_facts: no
become: false
tasks:
- ansible.builtin.set_fact:
interfaces: "{{ hostvars[inventory_hostname]['interfaces'][item]['mac_address'] }}"
with_sequence: start=0 end="{{ end_at }}"
vars:
- end_at: "{{ (hostvars[inventory_hostname]['interfaces'] | length) - 1 }}"
when: hostvars[inventory_hostname]['interfaces'][{{ item }}]['name'] == "PCI1.1"
- debug:
var: interfaces
results in:
fatal: [CASPOSR1BDAT003]: FAILED! =>
msg: |-
The task includes an option with an undefined variable. The error was: 'list object' has no attribute '5'
The error appears to be in '/Users/kivlint/Documents/GitHub/vmware-automation/ansible/prepare-pxe.yml': line 19, column 7, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
# when: hostvars[inventory_hostname]['interfaces'][{{ item }}]['name'] == "PCI1.1"
- ansible.builtin.set_fact:
^ here
If I hard-code the number 5 in, it works fine:
TASK [ansible.builtin.set_fact] ******************************************************************************************************************
ok: [CASPOSR1BDAT003]
TASK [debug] *************************************************************************************************************************************
ok: [CASPOSR1BDAT003] =>
interfaces: 20:67:7C:00:36:A0
If I use '5' as a var for the task, it also works.
---
- hosts: CASPOSR1BDAT003
connection: local
gather_facts: no
become: false
tasks:
- ansible.builtin.set_fact:
interfaces: "{{ hostvars[inventory_hostname]['interfaces'][int_index]['mac_address'] }}"
vars:
- int_index: 5
So I'm wondering, is this a "bug/feature" in how set_fact does or doesn't work with loops (meaning, the same loop worked fine with debug? Or do I need to re-think the approach and consider trying to use set_fact to set a variable with the index of the list (e.g. 5 in the above example)? Or something else?
There's a lot going on in your code, and achieving the result you want is simpler than you've made it.
Firstly, don't use hostvars[inventory_hostname]; plain variables are the ones belonging to the current host, and going through hostvars introduces some exciting opportunities for things to go wrong. hostvars is for accessing variables belonging to other hosts.
Secondly, using Jinja's built-in filtering capabilities avoids the need to worry about the index of the item that you want.
- hosts: CASPOSR1BDAT003
connection: local
gather_facts: no
become: false
vars:
int_name: PCI1.1
mac_address: "{{ interfaces | selectattr('name', 'eq', int_name) | map(attribute='mac_address') | first }}"
tasks:
- debug:
var: mac_address
there is a confusion between the [5] (6th item of a list) and ['5'] (a key named "5") ,
you see in your error: The error was: 'list object' has no attribute '5'.
with the module debug you have not error because [{{item}}] is replaced by [5] and not by ['5']. Its not the same thing with set_fact.
its the reason you have to use filter int to clarify the situation.
- ansible.builtin.set_fact:
interfaces: "{{ hostvars[inventory_hostname]['interfaces'][item|int]['mac_address'] }}"
with_sequence: start=0 end="{{ end_at }}"
vars:
end_at: "{{ (hostvars[inventory_hostname]['interfaces'] | length) - 1 }}"
when: hostvars[inventory_hostname]['interfaces'][item|int]['name'] == "PCI1.1"
so i suggest you to use loop instead with_sequence:
- ansible.builtin.set_fact:
interfaces: "{{ hostvars[inventory_hostname]['interfaces'][item]['mac_address'] }}"
loop: "{{ range(0, end_at|int, 1)|list }}"
vars:
end_at: "{{ hostvars[inventory_hostname]['interfaces'] | length }}"
when: hostvars[inventory_hostname]['interfaces'][item]['name'] == "PCI1.1"
set_fact works with loops, but not in a way you expect.
This example constructs list with loop from lists of dicts:
- set_fact:
foo: '{{ foo|d([]) + [item.value] }}'
loop:
- value: 1
- value: 2
Basically, each execution of set_fact creates a fact. You may refer to the same fact in jinja expression for set_fact, but you can't expect it to automatically build lists or something like that.

How to generate single reusable random password with ansible

That is to say: How to evaluate the password lookup only once?
- name: Demo
hosts: localhost
gather_facts: False
vars:
my_pass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
tasks:
- debug:
msg: "{{ my_pass }}"
- debug:
msg: "{{ my_pass }}"
- debug:
msg: "{{ my_pass }}"
each debug statement will print out a different value, e.g:
PLAY [Demo] *************
TASK [debug] ************
ok: [localhost] => {
"msg": "ZfyzacMsqZaYqwW"
}
TASK [debug] ************
ok: [localhost] => {
"msg": "mKcfRedImqxgXnE"
}
TASK [debug] ************
ok: [localhost] => {
"msg": "POpqMQoJWTiDpEW"
}
PLAY RECAP ************
localhost : ok=3 changed=0 unreachable=0 failed=0
ansible 2.3.2.0
Use set_fact to assign permanent fact:
- name: Demo
hosts: localhost
gather_facts: False
vars:
pwd_alias: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
tasks:
- set_fact:
my_pass: "{{ pwd_alias }}"
- debug:
msg: "{{ my_pass }}"
- debug:
msg: "{{ my_pass }}"
- debug:
msg: "{{ my_pass }}"
I've been doing it this way and never had an issue.
- name: Demo
hosts: localhost
gather_facts: False
tasks:
- set_fact:
my_pass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
- debug:
msg: "{{ my_pass }}"
The lookup password is nice, but what if you have password specification, like it have to contain specific characters, or must not contain uppercase... the lookup also does not guarantee that the password will have special characters if needed to have...
I have ended with custom jinja filter, that might help somebody ( works fine for me :) )
https://gitlab.privatecloud.sk/vladoportos/custom-jinja-filters
The problem is that you are using the password module wrong, or at least according to the latest documentation (maybe this a new feature on 2.5):
Generates a random plaintext password and stores it in a file at a given filepath.
By definition,the lookup password generates a random password AND stores it on the specified path for subsequent lookups. So, first time it checks if the specified path exists, and if not generates a random password and stores it on that path, subsequent lookups will just retrieve it. Because you are using /dev/null as store path, you are forcing ansible to generate a new random password because everytime it checks for existence it finds nothing.
If you want to have a random password per host + client or whatever
all you need to do to is use some templating and set the store path based on those parameters.
For example:
---
- name: Password test
connection: local
hosts: localhost
tasks:
- name: create a mysql user with a random password
ansible.builtin.debug:
msg: "{{ lookup('password', 'credentials/' + item.host + '/' + item.user + '/mysqlpassword length=15') }}"
with_items:
- user: joe
host: atlanta
- user: jim
host: london
- name: Another task that uses the password of joe
ansible.builtin.debug:
msg: "{{ lookup('password', 'credentials/atlanta/joe/mysqlpassword length=15') }}"
- name: Another task that uses the password of jim
ansible.builtin.debug:
msg: "{{ lookup('password', 'credentials/london/jim/mysqlpassword length=15') }}"
And this is the task execution, as you can see, the three tasks are getting the right generated passwords:
TASK [Gathering Facts] ***********************************************************************************************
ok: [localhost]
TASK [create a mysql user with a random password] ********************************************************************
ok: [localhost] => (item={'user': 'joe', 'host': 'atlanta'}) => {
"msg": "niwPf4tk9HWHhNc"
}
ok: [localhost] => (item={'user': 'jim', 'host': 'london'}) => {
"msg": "dHJdg,OjOEqdyrW"
}
TASK [Another task that uses the password of joe] ********************************************************************
ok: [localhost] => {
"msg": "niwPf4tk9HWHhNc"
}
TASK [Another task that uses the password of jim] ********************************************************************
ok: [localhost] => {
"msg": "dHJdg,OjOEqdyrW"
}
This has the advantage that, even if you play fails and you have to re-execute you will not get the same previous random password,that you can then store on a key-chain or just delete them.

Resources