Have task which copies each user's key
- name: SSH Keys
authorized_key:
user: "{{ item.0.name }}"
key: "{{ item.0.ssh_key.0.key }}"
state: "{{ item.0.ssh_key.0.state }}"
when:
- item.1 == 'all' or item.1 in group_names or item.1 == inventory_hostname
with_subelements:
- "{{ users }}"
- servers
Var list:
users:
- name: user1
ssh_key:
- key:
- "key1.user1"
- "key2.user1"
- "key3.user1"
state: present
servers:
- server1
- name: user2
ssh_key:
- key:
- "key1.user2"
- "key2.user2"
state: present
servers:
- all
QUESTION: How can we allow users to copy multiple keys? Without deleting servers from with_subelements.
When starting the task, either the last key or an array with keys is copied, depending on how we write it in var list.
In this format copied last key.
- key: "key1.user1"
- key: "key2.user1"
- key: "key3.user1"
In this array.
- key:
- "key1"
- "key2"
Let's fit the structure of the data to this purpose. For example,
users:
- name: user1
ssh_key:
- "key1.user1"
- "key2.user1"
- "key3.user1"
state: present
servers:
- server1
...
It's possible to loop include_tasks. For example, create the task (test it with debug first)
shell> cat conf_authorized_key.yml
- name: SSH Keys
# authorized_key:
debug:
msg:
- "user: {{ item.0.name }}"
- "state: {{ item.0.state }}"
- "key: {{ iitem }}"
loop: "{{ item.0.ssh_key }}"
loop_control:
loop_var: iitem
Then include it in the playbook
shell> cat playbook.yml
- hosts: localhost
vars:
users:
- name: user1
ssh_key:
- "key1.user1"
- "key2.user1"
- "key3.user1"
state: present
servers:
- server1
- name: user2
ssh_key:
- "key1.user2"
- "key2.user2"
state: present
servers:
- all
tasks:
- name: Loop include_task
include_tasks: conf_authorized_key.yml
loop: "{{ users|subelements('servers') }}"
loop_control:
label: "{{ item.1 }}"
when: (item.1 == 'all') or
(item.1 in group_names) or
(item.1 == inventory_hostname)
gives
shell> ansible-playbook playbook.yml
PLAY [localhost] ****
TASK [Loop include_task] ****
skipping: [localhost] => (item=server1)
included: /export/scratch/tmp/conf_authorized_key.yml for localhost
TASK [SSH Keys] ****
ok: [localhost] => (item=key1.user2) => {
"msg": [
"user: user2",
"state: present",
"key: key1.user2"
]
}
ok: [localhost] => (item=key2.user2) => {
"msg": [
"user: user2",
"state: present",
"key: key2.user2"
]
}
PLAY RECAP ****
localhost: ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Related
We're trying to fill an Palo Alto Object Group with multiple objects.
Our current script does run through all the items in the following line:
static_value: "{{ item[1].addressobjectname|join }}"
But only registers the last object.
For Example:
We have 3 objects in the list. So we expect to add object 1, 2, 3.
Instead the script only registers the 3 and 1 and 2 are overwritten in the process.
How should we fix this?
This is our code:
- name: Create object group
with_nested:
- "{{ tag_firewall# }}"
- "{{ addressobjects }}"
panos_address_group:
provider: "{{ palo_provider }}"
name: "Prisma-Unsecure"
static_value: "{{ item[1].addressobjectname|join }}"
tag: ["ansible_test_tag"]
device_group: "{{ item[0] }}"
description: "Created by ansible automation"
commit: 'no'
Thanks in advance!
As mentioned before we expect all items to be added to the group in stead of the last one in the list.
Hard to say without the precision asked by Vladimir in comments. Meanwhile it looks like you are creating an address group for each addressojects for each firewall definition. My guess at this stage is that the last one wins with the latest address.
Guess again: I believe you want to create one group with all adresses, something like the following (to be tested and adapted with your actual input data):
- name: Create object group
loop: "{{ tag_firewall# }}"
panos_address_group:
provider: "{{ palo_provider }}"
name: "Prisma-Unsecure"
static_value: "{{ addressobjects | map(attribute='addressobjectname') }}"
tag: ["ansible_test_tag"]
device_group: "{{ item }}"
description: "Created by ansible automation"
commit: 'no'
My guess is to remove the join filter. For example,
shell> cat pb.yml
- hosts: localhost
vars:
tag_firewall: [Prod1, Prod2]
addressobjects:
- addressobjectname: [Test-One, Test-Three]
- addressobjectname: [Test-Two, Test-Four]
tasks:
- debug:
msg: |
panos_address_group:
provider: Palo_provider_dict
name: Prisma-Unsecure
static_value: "{{ item.1.addressobjectname }}"
tag: Ansible_test_tag
device_group: "{{ item.0 }}"
description: Created by Ansible automation
commit: false
with_nested:
- "{{ tag_firewall }}"
- "{{ addressobjects }}"
shows the iteration
shell> ansible-playbook pb.yml
PLAY [localhost] *****************************************************************************
TASK [debug] *********************************************************************************
ok: [localhost] => (item=['Prod1', {'addressobjectname': ['Test-One', 'Test-Three']}]) =>
msg: |-
panos_address_group:
provider: Palo_provider_dict
name: Prisma-Unsecure
static_value: "['Test-One', 'Test-Three']"
tag: Ansible_test_tag
device_group: "Prod1"
description: Created by Ansible automation
commit: false
ok: [localhost] => (item=['Prod1', {'addressobjectname': ['Test-Two', 'Test-Four']}]) =>
msg: |-
panos_address_group:
provider: Palo_provider_dict
name: Prisma-Unsecure
static_value: "['Test-Two', 'Test-Four']"
tag: Ansible_test_tag
device_group: "Prod1"
description: Created by Ansible automation
commit: false
ok: [localhost] => (item=['Prod2', {'addressobjectname': ['Test-One', 'Test-Three']}]) =>
msg: |-
panos_address_group:
provider: Palo_provider_dict
name: Prisma-Unsecure
static_value: "['Test-One', 'Test-Three']"
tag: Ansible_test_tag
device_group: "Prod2"
description: Created by Ansible automation
commit: false
ok: [localhost] => (item=['Prod2', {'addressobjectname': ['Test-Two', 'Test-Four']}]) =>
msg: |-
panos_address_group:
provider: Palo_provider_dict
name: Prisma-Unsecure
static_value: "['Test-Two', 'Test-Four']"
tag: Ansible_test_tag
device_group: "Prod2"
description: Created by Ansible automation
commit: false
PLAY RECAP ***********************************************************************************
localhost: ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
I m trying to iterate over some variables in an ansible role. However, I want to ignore if the var is empty ex:ns3 from below code? I m trying when item length is greater than 0 but it seems not working? any ideas on how to do it?
---
- hosts: localhost
gather_facts: no
vars:
ns1: adm_analytics
ns2: adm_snap
ns3: ""
ns4: adm_eck
tasks:
- name: print namespace loop
with_items:
- "{{ ns1 }}"
- "{{ ns2 }}"
- "{{ ns3 }}"
- "{{ ns4 }}"
include_role:
name: verify_pod_status
vars:
NAMESPACE: "{{ item }}"
when: "{{ item | lenght > 0 }}"
You may have a look into the documentation about Conditionals.
There are some typos in your when clause.
---
- hosts: localhost
gather_facts: false
vars:
ns1: adm_analytics
ns2: adm_snap
ns3: ""
ns4: adm_eck
tasks:
- name: Print namespace loop
debug:
msg: "{{ item }}"
when: item | length > 0
with_items:
- "{{ ns1 }}"
- "{{ ns2 }}"
- "{{ ns3 }}"
- "{{ ns4 }}"
result into an output of
TASK [Print namespace loop] **************
ok: [localhost] => (item=adm_analytics) =>
msg: adm_analytics
ok: [localhost] => (item=adm_snap) =>
msg: adm_snap
ok: [localhost] => (item=adm_eck) =>
msg: adm_eck
when: condition is expanded by default. Fix the syntax
when: item|length > 0
Make your life easier and put the ns* variables into a dictionary. Then you can simply reference the values in the loop instead of listing the variables again. For example, the playbook
shell> cat playbook.yml
- hosts: localhost
gather_facts: no
vars:
ns:
ns1: adm_analytics
ns2: adm_snap
ns3: ""
ns4: adm_eck
tasks:
- name: print namespace loop
include_role:
name: verify_pod_status
loop: "{{ ns.values()|list }}"
vars:
NAMESPACE: "{{ item }}"
when: item|length > 0
and the role
shell> cat roles/verify_pod_status/tasks/main.yml
- debug:
var: NAMESPACE
give (abridged)
TASK [verify_pod_status : debug] ***********************************
skipping: [localhost] => (item=)
TASK [verify_pod_status : debug] ***********************************
ok: [localhost] =>
NAMESPACE: adm_analytics
TASK [verify_pod_status : debug] ***********************************
ok: [localhost] =>
NAMESPACE: adm_snap
TASK [verify_pod_status : debug] ***********************************
ok: [localhost] =>
NAMESPACE: adm_eck
Practice:
I have the file files.yml with a list of files and their respective md5_sum hash, like:
files:
- name: /opt/file_compare1.tar
hash: 9cd599a3523898e6a12e13ec787da50a /opt/file_compare1.tar
- name: /opt/file_compare2tar.gz
hash: d41d8cd98f00b204e9800998ecf8427e /opt/file_compare2.tar.gz
I need to create a playbook to check this list of files if the current hash is the same or if it was changed, the playbook should have a debug message like below:
---
- hosts: localhost
connection: local
vars_files:
- files.yml
tasks:
- name: Use md5 to calculate checksum
stat:
path: "{{ item.name }}"
checksum_algorithm: md5
register: hash_check
with_items:
- "{{ files }}"
- name: Debug files - Different
debug:
msg: |
"Hash changed: {{ item.name }}"
when:
- item.hash != hash_check
with_items:
- "{{ files }}"
- name: Debug files - Equal
debug:
msg: |
"Hash NOT changed: {{ item.name }}"
when:
- item.hash == hash_check
with_items:
- "{{ files }}"
- debug:
msg: |
- "{{ hash_check }} {{ item.name }}"
with_items:
- "{{ files }}"
For example, given the files
files:
- name: /scratch/file_compare1.tar
hash: 4f8805b4b64dcc575547ec1c63793aec /scratch/file_compare1.tar
- name: /scratch/file_compare2.tar.gz
hash: 2dc4f1e9ca4081cc49d25195627982ef /scratch/file_compare2.tar.gz
the tasks below
- name: Use md5 to calculate checksum
stat:
path: "{{ item.name }}"
checksum_algorithm: md5
register: hash_check
loop: "{{ files }}"
- name: Debug files - Different
debug:
msg: |
Hash NOT changed: {{ item.0.name }}
{{ item.0.hash.split()|first }}
{{ item.1 }}
with_together:
- "{{ files }}"
- "{{ hash_check.results|map(attribute='stat.checksum')|list }}"
when: item.0.hash.split()|first == item.1
give
msg: |-
Hash NOT changed: /scratch/file_compare1.tar
4f8805b4b64dcc575547ec1c63793aec
4f8805b4b64dcc575547ec1c63793aec
msg: |-
Hash NOT changed: /scratch/file_compare2.tar.gz
2dc4f1e9ca4081cc49d25195627982ef
2dc4f1e9ca4081cc49d25195627982ef
A more robust option would be to create a dictionary with the calculated hashes
- name: Use md5 to calculate checksum
stat:
path: "{{ item.name }}"
checksum_algorithm: md5
register: hash_check
loop: "{{ files }}"
- set_fact:
path_hash: "{{ dict(_path|zip(_hash)) }}"
vars:
_path: "{{ hash_check.results|map(attribute='stat.path')|list }}"
_hash: "{{ hash_check.results|map(attribute='stat.checksum')|list }}"
gives
path_hash:
/scratch/file_compare1.tar: 4f8805b4b64dcc575547ec1c63793aec
/scratch/file_compare2.tar.gz: 2dc4f1e9ca4081cc49d25195627982ef
Then use this dictionary to compare the hashes. For example, the task below gives the same results
- name: Debug files - Different
debug:
msg: |
Hash NOT changed: {{ item.name }}
{{ item.hash.split()|first }}
{{ path_hash[item.name] }}
loop: "{{ files }}"
when: item.hash.split()|first == path_hash[item.name]
The next option is to create a dictionary with the original hashes and both lists of original and calculated hashes
- name: Use md5 to calculate checksum
stat:
path: "{{ item.name }}"
checksum_algorithm: md5
register: hash_check
loop: "{{ files }}"
- set_fact:
hash_name: "{{ dict(_hash|zip(_name)) }}"
hash_orig: "{{ _hash }}"
hash_stat: "{{ hash_check.results|map(attribute='stat.checksum')|list }}"
vars:
_hash: "{{ files|map(attribute='hash')|map('split')|map('first')|list }}"
_name: "{{ files|map(attribute='name')|list }}"
gives
hash_name:
2dc4f1e9ca4081cc49d25195627982ef: /scratch/file_compare2.tar.gz
4f8805b4b64dcc575547ec1c63793aec: /scratch/file_compare1.tar
hash_orig:
- 4f8805b4b64dcc575547ec1c63793aec
- 2dc4f1e9ca4081cc49d25195627982ef
hash_stat:
- 4f8805b4b64dcc575547ec1c63793aec
- 2dc4f1e9ca4081cc49d25195627982ef
Then calculate the difference of the lists and use it to extract both lists of changed and unchanged files
- set_fact:
files_diff: "{{ _diff|map('extract', hash_name)|list }}"
files_orig: "{{ _orig|map('extract', hash_name)|list }}"
vars:
_diff: "{{ hash_orig|difference(hash_stat) }}"
_orig: "{{ hash_orig|difference(_diff) }}"
- name: Debug files changed
debug:
var: files_diff
- name: Debug files NOT changed
debug:
var: files_orig
gives
files_diff: []
files_orig:
- /scratch/file_compare1.tar
- /scratch/file_compare2.tar.gz
I used your suggestion to complement the playbook, it's working now.
The idea is to get a list of files, read each one and compare with both hash, file, and current hash.
---
- hosts: localhost
connection: local
gather_facts: false
vars_files:
- files3.yml
tasks:
- stat:
path: "{{ item.file }}"
checksum_algorithm: md5
loop: "{{ files }}"
register: stat_results
- name: NOT changed files
debug:
msg: "NOT changed: {{ item.stat.path }}"
when: item.stat.checksum == item.item.checksum.split()|first
loop: "{{ stat_results.results }}"
loop_control:
label: "{{ item.stat.path }}"
- name: Changed files
debug:
msg: "CHANGED: {{ item.stat.path }}"
when: item.stat.checksum != item.item.checksum.split()|first
loop: "{{ stat_results.results }}"
loop_control:
label: "{{ item.stat.path }}"
Result:
>> ansible-playbook playbooks/check-file3.yml
PLAY [localhost] ********************************************************************************************************************************************************************************************************************
TASK [stat] *************************************************************************************************************************************************************************************************************************
ok: [localhost] => (item={'file': '/opt/file_compare1.tar', 'checksum': '9cd599a3523898e6a12e13ec787da50a /opt/file_compare1.tar'})
ok: [localhost] => (item={'file': '/opt/file_compare2.tar.gz', 'checksum': 'd41d8cd98f00b204e9800998ecf8427e /opt/file_compare2.tar.gz'})
TASK [NOT changed files] ************************************************************************************************************************************************************************************************************
skipping: [localhost] => (item=/opt/file_compare1.tar)
ok: [localhost] => (item=/opt/file_compare2.tar.gz) => {
"msg": "NOT changed: /opt/file_compare2.tar.gz"
}
TASK [Changed files] ****************************************************************************************************************************************************************************************************************
ok: [localhost] => (item=/opt/file_compare1.tar) => {
"msg": "CHANGED: /opt/file_compare1.tar"
}
skipping: [localhost] => (item=/opt/file_compare2.tar.gz)
PLAY RECAP **************************************************************************************************************************************************************************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
I have got multiple yaml files on remote machine. I would like to parse those files in order to get information about names for each kind (Deployment, Configmap, Secret) of object, For example:
...
kind: Deployment
metadata:
name: pr1-dep
...
kind: Secret
metadata:
name: pr1
...
....
kind: ConfigMap
metadata:
name: cm-pr1
....
Ecpected result:
3 variables:
deployments = [pr1-dep]
secrets = [pr1]
configmaps = [cm-pr1]
I started with:
- shell: cat "{{ item.desc }}"
with_items:
- "{{ templating_register.results }}"
register: objs
but i have no idea how to correctly parse item.stdout from objs
Ansible has a from_yaml filter that takes YAML text as input and outputs an Ansible data structure. So for example you can write something like this:
- hosts: localhost
gather_facts: false
tasks:
- name: Read objects
command: "cat {{ item }}"
register: objs
loop:
- deployment.yaml
- configmap.yaml
- secret.yaml
- debug:
msg:
- "kind: {{ obj.kind }}"
- "name: {{ obj.metadata.name }}"
vars:
obj: "{{ item.stdout | from_yaml }}"
loop: "{{ objs.results }}"
loop_control:
label: "{{ item.item }}"
Given your example files, this playbook would output:
PLAY [localhost] ***************************************************************
TASK [Read objects] ************************************************************
changed: [localhost] => (item=deployment.yaml)
changed: [localhost] => (item=configmap.yaml)
changed: [localhost] => (item=secret.yaml)
TASK [debug] *******************************************************************
ok: [localhost] => (item=deployment.yaml) => {
"msg": [
"kind: Deployment",
"name: pr1-dep"
]
}
ok: [localhost] => (item=configmap.yaml) => {
"msg": [
"kind: ConfigMap",
"name: pr1-cm"
]
}
ok: [localhost] => (item=secret.yaml) => {
"msg": [
"kind: Secret",
"name: pr1"
]
}
PLAY RECAP *********************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Creating the variables you've asked for is a little trickier. Here's
one option:
- hosts: localhost
gather_facts: false
tasks:
- name: Read objects
command: "cat {{ item }}"
register: objs
loop:
- deployment.yaml
- configmap.yaml
- secret.yaml
- name: Create variables
set_fact:
names: >-
{{
names|combine({
obj.kind.lower(): [obj.metadata.name]
}, list_merge='append')
}}
vars:
names: {}
obj: "{{ item.stdout | from_yaml }}"
loop: "{{ objs.results }}"
loop_control:
label: "{{ item.item }}"
- debug:
var: names
This creates a single variable named names that at the end of the
playbook will contain:
{
"configmap": [
"pr1-cm"
],
"deployment": [
"pr1-dep"
],
"secret": [
"pr1"
]
}
The key to the above playbook is our use of the combine filter, which can be used to merge dictionaries and, when we add list_merge='append', handles keys that resolve to lists by appending to the existing list, rather than replacing the existing key.
Include the dictionaries from the files into the new variables, e.g.
- include_vars:
file: "{{ item }}"
name: "objs_{{ item|splitext|first }}"
register: result
loop:
- deployment.yaml
- configmap.yaml
- secret.yaml
This will create dictionaries objs_deployment, objs_configmap, and objs_secret. Next, you can either use the dictionaries
- set_fact:
objs: "{{ objs|d({})|combine({_key: _val}) }}"
loop: "{{ query('varnames', 'objs_') }}"
vars:
_obj: "{{ lookup('vars', item) }}"
_key: "{{ _obj.kind }}"
_val: "{{ _obj.metadata.name }}"
, or the registered data
- set_fact:
objs: "{{ dict(_keys|zip(_vals)) }}"
vars:
_query1: '[].ansible_facts.*.kind'
_keys: "{{ result.results|json_query(_query1)|flatten }}"
_query2: '[].ansible_facts.*.metadata[].name'
_vals: "{{ result.results|json_query(_query2)|flatten }}"
Both options give
objs:
ConfigMap: cm-pr1
Deployment: pr1-dep
Secret: pr1
How declare two prompt variables for hosts in ansible playbook, I tried below Playbook but without luck.
............................................................................................................................................................
Thank you in advance.
---
- name: MD5 File Check
gather_facts: false
hosts: "{{ cluster_host_1 }}", "{{cluster_host_2 }}"
hosts: localhost
remote_user: sv_operator
vars_prompt:
- name: "file_1"
prompt: "File name"
private: no
- name: "cluster_host_1"
prompt: "Enter 1st Host name"
private: no
- name: "cluster_host_2"
prompt: "Enter 2nd Host Name"
private: no
tasks:
- stat:
path: "/tmp/{{ file_1 }}"
checksum_algorithm: sha256
register: output
delegate_to: "{{ cluster_host_1 }}"
- debug:
msg: "{{ output.stat.checksum }}"
- stat:
path: "/tmp/{{ file_2 }}"
checksum_algorithm: sha256
register: output_
delegate_to: "{{ cluster_host_2 }}"
- debug:
msg: "{{ output_.stat.checksum }}"
Given the remote hosts and /tmp/file1
shell> ssh admin#test_01 sha256 /tmp/file1
SHA256 (/tmp/file1) = e2611a1fac7fc2ab99d2e792ad84f34e66740d6a3d77b97b4da39a3758357da0
shell> ssh admin#test_02 sha256 /tmp/file1
SHA256 (/tmp/file1) = 109f60103192b5c8f4e33c26b4f9c7b94489bf8de0325497b7f5a0668dc1a402
The playbook below
shell> cat playbook.yml
- name: SHA256 File Check
hosts: localhost
gather_facts: false
vars_prompt:
- name: "file_1"
prompt: "File name"
private: no
- name: "cluster_host_1"
prompt: "Enter 1st Host name"
private: no
- name: "cluster_host_2"
prompt: "Enter 2nd Host Name"
private: no
tasks:
- stat:
path: "/tmp/{{ file_1 }}"
checksum_algorithm: sha256
register: output
delegate_to: "{{ cluster_host_1 }}"
- debug:
msg: "{{ output.stat.checksum }}"
- stat:
path: "/tmp/{{ file_1 }}"
checksum_algorithm: sha256
register: output_
delegate_to: "{{ cluster_host_2 }}"
- debug:
msg: "{{ output_.stat.checksum }}"
works as expected
shell> ansible-playbook playbook.yml
File name: file1
Enter 1st Host name: test_01
Enter 2nd Host Name: test_02
PLAY [SHA256 File Check] ****
TASK [stat] ****
ok: [localhost -> test_01]
TASK [debug] ****
ok: [localhost] =>
msg: e2611a1fac7fc2ab99d2e792ad84f34e66740d6a3d77b97b4da39a3758357da0
TASK [stat] ****
ok: [localhost -> test_02]
TASK [debug] ****
ok: [localhost] =>
msg: 109f60103192b5c8f4e33c26b4f9c7b94489bf8de0325497b7f5a0668dc1a402
PLAY RECAP ****
localhost: ok=4 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
If you want your play to run on two hosts, declared through variables. You have two options.
Option 1:
Since your target hosts are comma separated, you might as well input them that way.
- hosts: '{{ my_hosts }}'
gather_facts: false
remote_user: 'sv_operator'
vars_prompt:
- name: 'my_hosts'
prompt: 'Comma separated list of hosts'
private: no
Then when prompted:
Comma separated list of hosts: host1.local,host2.local
Option 2:
Capture each host in individual variable like host_1 and host_2, then call it as a list in a play.
- hosts:
- '{{ host_1 }}'
- '{{ host_2 }}'
gather_facts: false
remote_user: 'sv_operator'
vars_prompt:
- name: 'host_1'
prompt: 'First host'
private: no
- name: 'host_2'
prompt: 'Second host'
private: no
Then when prompted:
First host: host1.local
Second host: host2.local