debconf with variable is not really idempotent?

Hi,

I am using the following line in an Ansible playbook:

debconf: name={{ item.name }} question={{ item.question }} vtype={{ item.vtype }} value={{ item.value }}
with_items:
  - { name: "mariadb-server-10.0", question: "mysql-server/root_password", vtype: "password", value: "{{mysql_root_password}}" }
  - { name: "mariadb-server-10.0", question: "mysql-server/root_password_again", vtype: "password", value: "{{mysql_root_password}}" }

But the task is marked as "changed" at every execution. I would expect
it to be changed only if the values are different than the previous ones
and skipped otherwise.

Moreover, when the value is explicitly given (instead of referencing a
variable), the behaviour is as expected and the task is skipped if it
was already set.

Is it a bug or an expected feature?

Thanks!

Passwords cannot be read, so they always appear as changed. This is a
limitation of debconf itself.

All other field types should work as you expect.

Ok, I did not know about it. I confirm I only have this behavior with
password fields.

Thanks

Is there any way to work around that?

Not that I know of. Debian's debconf deals with passwords this way,
probably to prevent possible security issues.

If someone figures out a way to compare all the passwords, I'm all
open. In the mysql case we can read the /etc/my.cnf, but ... really we
should not be doing that.

Sounds like all password fields are not treated this way.

Indeed, `debconf-get-selections` returns:
mariadb-server-10.0 mysql-server/root_password_again password THE_PASSWORD
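
The comparison this thread is asking for, as an added example (not code from the thread or from Ansible's debconf module): it parses `debconf-get-selections` output of the kind quoted in the last reply and decides whether a question would really change. The sample text is constructed, `parse_selections` and `needs_change` are hypothetical names, and the output is assumed to be whitespace-separated owner, question, type and value.

```python
import hmac

# Constructed sample of `debconf-get-selections` output (not from a real host).
# "example-pkg" and its question are made-up entries to show an empty value.
SAMPLE = (
    "# Constructed sample\n"
    "mariadb-server-10.0\tmysql-server/root_password\tpassword\tTHE_PASSWORD\n"
    "mariadb-server-10.0\tmysql-server/root_password_again\tpassword\tTHE_PASSWORD\n"
    "example-pkg\texample-pkg/empty_note\tnote\t\n"
)


def parse_selections(text):
    """Return {(owner, question): (vtype, value)} from get-selections text."""
    selections = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        # Split at most three times so a value containing spaces stays whole.
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue  # malformed line: owner, question and type are required
        owner, question, vtype = fields[:3]
        value = fields[3] if len(fields) == 4 else ""
        selections[(owner, question)] = (vtype, value)
    return selections


def needs_change(selections, owner, question, vtype, wanted):
    """True when the stored answer differs from the wanted one.

    Only a boolean is returned; the stored value is never printed or
    returned, so the password does not end up in task output.
    """
    current = selections.get((owner, question))
    if current is None or current[0] != vtype:
        return True  # question not yet answered, or stored with another type
    # Constant-time comparison of the stored and wanted values.
    return not hmac.compare_digest(current[1].encode(), wanted.encode())


if __name__ == "__main__":
    sel = parse_selections(SAMPLE)
    for q in ("mysql-server/root_password", "mysql-server/root_password_again"):
        changed = needs_change(sel, "mariadb-server-10.0", q, "password", "THE_PASSWORD")
        print(q, "changed" if changed else "ok")
```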