Extra_vars to Webhooks in AWX?


When a Webhook POSTed to AWX provides a payload containing extra_vars and other things, the values are made available in AWX as "{awx,tower}_webhook_payload". Is it by design that extra_vars isn’t merged with other variables for the job template run?

A payload of

{"hackby":"JPM", "extra_vars":{"drink":"coffee"}}

is made available in the playbook as

"awx_webhook_payload": {
    "hackby": "JPM",
    "extra_vars": {
      "drink": "coffee"
    }
}

I had expected "drink" to not be nested like that, but it may be for security reasons. Is that so?

I can’t find any mention of payload parameters in the docs, nor have I found an open issue in ansible/awx.

From /api/v2/job_templates/<job_id>/launch/

In .description of the json options:
If any passwords, inventory, or extra variables (extra_vars) are required, they must be passed via POST data, with extra_vars given as a YAML or JSON string and escaped parentheses.

I don’t specifically see anything about webhooks in the API, but I suspect the payload may need to be formatted specially.

Looking at 25. Working with Webhooks — Ansible AWX community documentation though, it seems like the entire payload is considered an extra_vars variable. So, it seems the best you can do is {"drink": "coffee"} and it will be exposed to the playbook as

"awx_webhook_payload": {
  "drink": "coffee"
}

This is probably by design as a security conscious decision, so that webhooks aren’t able to intentionally hijack playbook behavior. Instead, you would design your webhooked playbooks around expected payload nested vars. This might also be related to why AWX doesn’t allow jinja in extra_vars by default.

Indeed, also demonstrated by hackby in my example above.

Yes, sounds legitimate, and that’s the conclusion I arrived at. Thank you.
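
Following the suggestion above to design webhook-launched playbooks around the nested payload, here is an added example (not from the thread or from the AWX project) that reads the first post's payload shape from awx_webhook_payload, validates it, and only then copies the value into a playbook variable. The names allowed_drinks, default_drink and payload_vars are hypothetical.

```yaml
---
# Added example: use only expected, validated keys from the webhook payload.
- name: Handle a webhook-triggered run
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical allow-list of values this playbook is prepared to act on.
    allowed_drinks:
      - coffee
      - tea
    default_drink: coffee
    # Payload shape from the first post: values sit under "extra_vars"
    # inside awx_webhook_payload; they are not merged into play variables.
    payload_vars: "{{ (awx_webhook_payload | default({})).get('extra_vars', {}) }}"
  tasks:
    - name: Reject payloads that are not shaped as expected
      ansible.builtin.assert:
        that:
          # Conditions are checked in order, so later ones can rely on
          # payload_vars being a mapping.
          - payload_vars is mapping
          # No keys other than the ones this playbook knows about.
          - payload_vars.keys() | list | difference(['drink']) | length == 0
          - payload_vars.get('drink', default_drink) is string
          - payload_vars.get('drink', default_drink) in allowed_drinks
        fail_msg: "Unexpected webhook payload; refusing to run."
        quiet: true

    - name: Copy the validated value into a playbook variable
      ansible.builtin.set_fact:
        drink: "{{ payload_vars.get('drink', default_drink) }}"

    - name: Use the validated value
      ansible.builtin.debug:
        msg: "Brewing {{ drink }}"
```

Unknown top-level keys such as "hackby" are simply ignored here, since the play never reads them.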
