Do I have too much Jinja magic going on in my inventory?

Hi folks,

So here I was, coding away and minding my own business, when I noticed that one of my tasks (rendering apache config files from a list, but that’s not important) wasn’t running as expected…

And it’s completely breaking my brain, I don’t understand what is going on. I wrote the following playbook:

---
- name: 'Ehh, wha?'
  hosts: 'target'
  tasks:
    - name: 'Show as is'
      ansible.builtin.debug:
        var: apache_apps

    - name: 'Force rendering'
      ansible.builtin.set_fact:
        apache_apps:
          - name: "{{ ansible_facts['fqdn'] }}"
            upstream: "http://localhost:8080"
            type: "simple-krb"
            cert: "/etc/ssl/ipa/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}.crt"
            key: "/etc/ssl/ipa/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}.key"
            extra_config_after_auth: |
              # Allow specific endpoints to bypass authentication
              <LocationMatch "^/(assets|cli|instance-identity|jnlpJars|static-files|whoAmI|wsagents)(/.*)?$">
                Require all granted
              </LocationMatch>
              RequestHeader set X-Forwarded-Host "{{ ansible_facts['fqdn'] }}"
              RequestHeader set X-Forwarded-Port "443"
            hsts: false
            encoded_slashes: "NoDecode"
            krb_passwd: true
            krb_strip_realm: true
            hbac_service: "jenkins"
            state: "present"

    - name: 'Show after rendering'
      ansible.builtin.debug:
        var: apache_apps

This is the variable in question (it’s a lab system, so I didn’t bother censoring anything):

apache_apps:
  - name: "{{ ansible_facts['fqdn'] }}"
    upstream: 'http://localhost:8080'
    type: 'simple-krb'
    cert: "/etc/ssl/ipa/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}.crt"
    key: "/etc/ssl/ipa/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}.key"
    extra_config_after_auth: |
      # Allow specific endpoints to bypass authentication
      <LocationMatch "^/(assets|cli|instance-identity|jnlpJars|static-files|whoAmI|wsagents)(/.*)?$">
        Require all granted
      </LocationMatch>
      RequestHeader set X-Forwarded-Host "{{ app['name'] }}"
      RequestHeader set X-Forwarded-Port "443"
    hsts: false
    encoded_slashes: 'NoDecode'
    krb_passwd: true
    krb_strip_realm: true
    hbac_service: 'jenkins'
    state: 'present'

And here’s the full output:

PLAY [Ehh, wha?] ****************************************************************************************

TASK [Show as is] ***************************************************************************************
task path: /opt/ansible/projects/rhlab/playbooks/.2163630.bla.yml:60
ok: [m-a18-01.rh.lab] => 
  apache_apps: 'VARIABLE IS NOT DEFINED!: [{''name'': "{{ ansible_facts[''fqdn''] }}", ''upstream'': ''http://localhost:8080'', ''type'': ''simple-krb'', ''cert'': "/etc/ssl/ipa/{{ ansible_facts[''fqdn''] }}/{{ ansible_facts[''fqdn''] }}.crt", ''key'': "/etc/ssl/ipa/{{ ansible_facts[''fqdn''] }}/{{ ansible_facts[''fqdn''] }}.key", ''extra_config_after_auth'': ''# Allow specific endpoints to bypass authentication\n<LocationMatch "^/(assets|cli|instance-identity|jnlpJars|static-files|whoAmI|wsagents)(/.*)?$">\n  Require all granted\n</LocationMatch>\nRequestHeader set X-Forwarded-Host "{{ app[\''name\''] }}"\nRequestHeader set X-Forwarded-Port "443"\n'', ''hsts'': False, ''encoded_slashes'': ''NoDecode'', ''krb_passwd'': True, ''krb_strip_realm'': True, ''hbac_service'': ''jenkins'', ''state'': ''present''}]: ''app'' is undefined. ''app'' is undefined. [{''name'': "{{ ansible_facts[''fqdn''] }}", ''upstream'': ''http://localhost:8080'', ''type'': ''simple-krb'', ''cert'': "/etc/ssl/ipa/{{ ansible_facts[''fqdn'']
    }}/{{ ansible_facts[''fqdn''] }}.crt", ''key'': "/etc/ssl/ipa/{{ ansible_facts[''fqdn''] }}/{{ ansible_facts[''fqdn''] }}.key", ''extra_config_after_auth'': ''# Allow specific endpoints to bypass authentication\n<LocationMatch "^/(assets|cli|instance-identity|jnlpJars|static-files|whoAmI|wsagents)(/.*)?$">\n  Require all granted\n</LocationMatch>\nRequestHeader set X-Forwarded-Host "{{ app[\''name\''] }}"\nRequestHeader set X-Forwarded-Port "443"\n'', ''hsts'': False, ''encoded_slashes'': ''NoDecode'', ''krb_passwd'': True, ''krb_strip_realm'': True, ''hbac_service'': ''jenkins'', ''state'': ''present''}]: ''app'' is undefined. ''app'' is undefined'

TASK [Force rendering] **********************************************************************************
task path: /opt/ansible/projects/rhlab/playbooks/.2163630.bla.yml:64
ok: [m-a18-01.rh.lab] => changed=false 
  ansible_facts:
    apache_apps:
    - cert: /etc/ssl/ipa/m-a18-01.rh.lab/m-a18-01.rh.lab.crt
      encoded_slashes: NoDecode
      extra_config_after_auth: |-
        # Allow specific endpoints to bypass authentication
        <LocationMatch "^/(assets|cli|instance-identity|jnlpJars|static-files|whoAmI|wsagents)(/.*)?$">
          Require all granted
        </LocationMatch>
        RequestHeader set X-Forwarded-Host "m-a18-01.rh.lab"
        RequestHeader set X-Forwarded-Port "443"
      hbac_service: jenkins
      hsts: false
      key: /etc/ssl/ipa/m-a18-01.rh.lab/m-a18-01.rh.lab.key
      krb_passwd: true
      krb_strip_realm: true
      name: m-a18-01.rh.lab
      state: present
      type: simple-krb
      upstream: http://localhost:8080

TASK [Show after rendering] *****************************************************************************
task path: /opt/ansible/projects/rhlab/playbooks/.2163630.bla.yml:86
ok: [m-a18-01.rh.lab] => 
  apache_apps:
  - cert: /etc/ssl/ipa/m-a18-01.rh.lab/m-a18-01.rh.lab.crt
    encoded_slashes: NoDecode
    extra_config_after_auth: |-
      # Allow specific endpoints to bypass authentication
      <LocationMatch "^/(assets|cli|instance-identity|jnlpJars|static-files|whoAmI|wsagents)(/.*)?$">
        Require all granted
      </LocationMatch>
      RequestHeader set X-Forwarded-Host "m-a18-01.rh.lab"
      RequestHeader set X-Forwarded-Port "443"
    hbac_service: jenkins
    hsts: false
    key: /etc/ssl/ipa/m-a18-01.rh.lab/m-a18-01.rh.lab.key
    krb_passwd: true
    krb_strip_realm: true
    name: m-a18-01.rh.lab
    state: present
    type: simple-krb
    upstream: http://localhost:8080

PLAY RECAP **********************************************************************************************
m-a07-01.rh.lab            : ok=6    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
m-a18-01.rh.lab            : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

But what in the hell is going on here?

ok: [m-a18-01.rh.lab] => 
  apache_apps: 'VARIABLE IS NOT DEFINED!: [{''name'': "{{ ans.......

Is this the result of too many Jinja magics in my inventory? I did a quick and dirty grep, there’s 247 lines that contain at least one {{, which doesn’t seem like a lot…

In the extra_config_after_auth key, your initial variable has an undefined "{{ app['name'] }}" variable, while your set_fact step uses "{{ ansible_facts['fqdn'] }}" instead.


Oh wow… That’s dumb :joy:

Fixed! Thanks for lending me your eyes! :smile:
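
The mismatch pointed out in the reply above is hard to spot in the one-line "VARIABLE IS NOT DEFINED!" dump, so here is an added example (not part of the original thread, and not Ansible's own code) that walks a nested variable and reports the key path of every Jinja name the play will not provide. It assumes the jinja2 package is installed; the KNOWN set and the trimmed INVENTORY copy are constructed for illustration.

```python
"""Added example: locate undefined Jinja references inside nested inventory data."""
from jinja2 import Environment, TemplateSyntaxError, meta

ENV = Environment()

def undeclared_refs(value, known, path=""):
    """Yield (key path, name) for each Jinja name in `value` that is not in `known`."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from undeclared_refs(item, known, f"{path}.{key}" if path else str(key))
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            yield from undeclared_refs(item, known, f"{path}[{index}]")
    elif isinstance(value, str) and ("{{" in value or "{%" in value):
        try:
            names = meta.find_undeclared_variables(ENV.parse(value))
        except TemplateSyntaxError as exc:
            yield path, f"<syntax error: {exc.message}>"
            return
        for name in sorted(names - known):
            yield path, name

# Constructed sample: trimmed copy of the inventory variable from the post.
INVENTORY = {
    "apache_apps": [
        {
            "name": "{{ ansible_facts['fqdn'] }}",
            "upstream": "http://localhost:8080",
            "cert": "/etc/ssl/ipa/{{ ansible_facts['fqdn'] }}/{{ ansible_facts['fqdn'] }}.crt",
            "extra_config_after_auth": (
                "# Allow specific endpoints to bypass authentication\n"
                'RequestHeader set X-Forwarded-Host "{{ app[\'name\'] }}"\n'
            ),
            "hsts": False,
        }
    ]
}

# Assumption: names the play provides at the point where the value is templated.
KNOWN = {"ansible_facts", "inventory_hostname", "hostvars"}

def audit(data=INVENTORY, known=KNOWN):
    """Return every (key path, undefined name) pair found in `data`."""
    return list(undeclared_refs(data, frozenset(known)))

if __name__ == "__main__":
    for path, name in audit():
        print(f"{path}: '{name}' is undefined")
```

A bare jinja2 Environment does not register Ansible's own filters, so values that use them are reported as syntax errors rather than parsed.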
