Bare variables deprecated, what am I supposed to use instead?

So first I’ll point out that we probably aren’t using this the standard way. I get that. But please tell me another way of doing this without as much user interaction which gets rid of these deprecation warnings and we’ll try that too.

We use Ansible with CloudFormation over multiple accounts.
One of our playbooks is to set up security procedures over all accounts. In the end it will have to be run by security, not by a build server, which would have made this easier. Instead what I did was create a playbook which iterates over all of them, using the security role as a trusted entity to the account that is running the script.

My playbook:

    - hosts: our-security-rules
      roles:
        - buckets
        - zipfile
        - ststoken

group_vars/all.yml:

    aws:
      accounts:
        - 123456789101
        - 234567891011
    ACCOUNT_ROLE: security

buckets role:

    - name: Manage Lambda Bucket CloudFormation Stack
      cloudformation:
        aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
        aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
        security_token: "{{ assumed_role.sts_creds.session_token }}"
        # (remaining stack parameters omitted in the post)
      # the registered variable name is built from the account id
      register: buckets_stack_{{ ACCOUNT_ID }}

zipfile role (as the example):
main.yml:

    - name: prepare the zipfile
      include: zipfile.yml ACCOUNT_ID={{ item }}
      with_items: "{{ aws.accounts }}"

zipfile.yml:

    - name: Assume the sts role
      sts_assume_role:
        role_arn: "arn:aws:iam::{{ ACCOUNT_ID }}:role/{{ ACCOUNT_ROLE }}"
        role_session_name: "stsSessionRole"
        region: "{{ region }}"
      register: assumed_role

    - name: find all zip files
      find:
        paths: "./rendered_templates/lambda/"
        patterns: "*.zip"
      register: find_zips

    # build the pieces of the registered variable name for this account
    - set_fact:
        buckets_name: "[ 'buckets_stack_', {{ ACCOUNT_ID }}, '.stack_outputs.LambdaStorageBucket' ]"

    # join them into the full dotted name, e.g. buckets_stack_123456789101.stack_outputs.LambdaStorageBucket
    - set_fact:
        bn: "{{ buckets_name[0] }}{{ buckets_name[1] }}{{ buckets_name[2] }}"

I'm creating the variable name here as the bucket name comes in the form, e.g.: buckets_stack_123456789101.stack_outputs.LambdaStorageBucket

    - name: s3 sync the folder to the selected environment
      s3:
        aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
        aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
        security_token: "{{ assumed_role.sts_creds.session_token }}"
        bucket: "{{ item[1] }}"
        object: "/{{ item[0].path | basename }}"
        overwrite: different
        src: "{{ item[0].path }}"
        mode: put
      # item[1] is the evaluated variable name, which the loop resolves a second time
      with_nested:
        - "{{ find_zips.files }}"
        - "{{ bn }}"

So basically what's happening here is that I build the variable name into bn using set_fact. Then in the zipfile role, with with_nested, I use the variable to pass the variable name into the s3 put to be used as the bucket and file name.

This allows me to hand this off to security, where they only have to run the one playbook and it iterates through all the different accounts setting up config rules and lambda functions. But it gives me this nice big warning:

    [DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment
    value uses the full variable syntax ('{{buckets_stack_123456789101.stack_outputs.LambdaStorageBucket}}').
    This feature will be removed in a future release. Deprecation warnings can be disabled by setting
    deprecation_warnings=False in ansible.cfg.

So now I'm worried that if we upgrade Ansible within the next 2 major releases this script will stop working.

What should we replace this with?

(My current backup plan is just to use a shell script to do a for loop over the accounts and then call ansible-playbook multiple times with an ACCOUNT_ID variable.)
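The warning comes from the loop, not from the templating: `with_nested` (like the other `with_*` lookups of that era) treated a loop item that was a plain string naming a variable as a reference and resolved it a second time, which is exactly what happened to the evaluated `bn` string. That second resolution is the deprecated "bare variable" behaviour, and it was removed in Ansible 2.8, so the playbook would indeed break on upgrade. The following is an added example, not the poster's code or anything from an Ansible project, showing the same per-account flow without dynamically named variables: each account's stack result is registered under a fixed name and then stored in one dict keyed by account id via `set_fact` + `combine`, so the later upload step indexes that dict with `ACCOUNT_ID` instead of constructing a variable name. It assumes Ansible 2.4 or later (for `include_tasks`); `stack_name` and `template` are hypothetical stand-ins for whatever the original buckets role passes to `cloudformation`. The two roles from the post are merged into one role here for brevity, but the technique does not depend on that.

```yaml
# roles/security_setup/tasks/main.yml  (added example; assumes Ansible >= 2.4)
- name: Create the Lambda bucket stack in every account
  include_tasks: buckets.yml
  with_items: "{{ aws.accounts }}"   # full syntax, never a bare variable
  loop_control:
    loop_var: ACCOUNT_ID             # replaces the old "include: file.yml ACCOUNT_ID={{ item }}"

- name: Upload the Lambda zip files to every account
  include_tasks: zipfile.yml
  with_items: "{{ aws.accounts }}"
  loop_control:
    loop_var: ACCOUNT_ID

# roles/security_setup/tasks/buckets.yml
- name: Assume the security role in account {{ ACCOUNT_ID }}
  sts_assume_role:
    role_arn: "arn:aws:iam::{{ ACCOUNT_ID }}:role/{{ ACCOUNT_ROLE }}"
    role_session_name: "stsSessionRole"
    region: "{{ region }}"
  register: assumed_role
  no_log: true   # the registered result holds temporary credentials; keep them out of -v output

- name: Manage Lambda Bucket CloudFormation Stack
  cloudformation:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    region: "{{ region }}"
    stack_name: "lambda-bucket"                        # hypothetical
    template: "rendered_templates/lambda_bucket.yml"   # hypothetical
  register: buckets_stack   # fixed name: no templated register

# One dict, keyed by account id, instead of one variable per account.
# (ACCOUNT_ID | string) keeps the key type stable whether the account
# list holds ints or quoted strings.
- name: Record this account's stack outputs under its account id
  set_fact:
    buckets_stacks: "{{ buckets_stacks | default({}) | combine({ (ACCOUNT_ID | string): buckets_stack.stack_outputs }) }}"

# roles/security_setup/tasks/zipfile.yml
- name: Assume the security role in account {{ ACCOUNT_ID }}
  sts_assume_role:
    role_arn: "arn:aws:iam::{{ ACCOUNT_ID }}:role/{{ ACCOUNT_ROLE }}"
    role_session_name: "stsSessionRole"
    region: "{{ region }}"
  register: assumed_role
  no_log: true

- name: find all zip files
  find:
    paths: "./rendered_templates/lambda/"
    patterns: "*.zip"
  register: find_zips

# The bucket name is looked up directly from the dict; the loop only
# iterates over files, so nothing in it looks like a variable name.
- name: Upload each zip to the bucket the stack created in this account
  s3:
    aws_access_key: "{{ assumed_role.sts_creds.access_key }}"
    aws_secret_key: "{{ assumed_role.sts_creds.secret_key }}"
    security_token: "{{ assumed_role.sts_creds.session_token }}"
    bucket: "{{ buckets_stacks[ACCOUNT_ID | string].LambdaStorageBucket }}"
    object: "/{{ item.path | basename }}"
    src: "{{ item.path }}"
    mode: put
    overwrite: different
  with_items: "{{ find_zips.files }}"
```

If you would rather keep the templated `register: buckets_stack_{{ ACCOUNT_ID }}` from the post, the equivalent explicit lookup is `"{{ vars['buckets_stack_' ~ ACCOUNT_ID].stack_outputs.LambdaStorageBucket }}"` in the `bucket:` field; that does the name-to-value step inside Jinja, where it is not deprecated, rather than relying on the loop to do it. The `no_log: true` on `sts_assume_role` is worth keeping either way: the AWS modules already mask their own `aws_secret_key` and `security_token` arguments, but a registered STS result is ordinary task output and would otherwise be printed on a verbose run of the very playbook your security team is meant to operate.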