Host_vars adjacent to playbook_dir for playbooks from a collection

tombosmansibm · November 16, 2023, 8:44am

I’m moving a bunch of playbooks to a collection, so I can share them across multiple projects.

And I’m running into something I did not expect:

I use vaults in host_vars and group_vars directories in the project directory, specifically to let Ansible Automation Platform (awx) handle them (for some reason, Red Hat thinks it should not be allowed to use encrypted vault files in your inventory, although you can use encryptString). Anyway, this works fine for me so far.

├── playbook.yml
├── collections
├── inventory
│   ├── inventory1
│   │   ├── group_vars
│   │   │   └── DEV
│   │   └── host_vars
│   │       └── server1
│   └── inventory2
── group_vars
│   ├── all
│   └── DEV
├── host_vars
│   └── server1
├── templates
├── roles
└── files

Unfortunately, this does not work for playbooks I run from the collections (I use FQDN to run the playbook).
So in this example, the playbook.yml would contain an import_playbook line.

- name: import playbook
  import_playbook: my.namespace.playbook1

The reason for the playbook importing a playbook from the collection , is also in AAP, where it’s not (yet) possible to start playbooks from a collection.

The reason is kinda obvious, the playbook_dir in the playbook in the collection, is not the playbook_dir for my project, but a directory in the collection. So it cannot locate my host_vars/group_vars directories with the encrypted vault files.

I would like to see an option where I can select what the playbook directory (as used by the host_group_vars plugin) needs to be when using playbooks from a collection (eg. something like PLAYBOOK_DIR_FROM_COLLECTION = false)

tombosmansibm · November 16, 2023, 9:59am

I’ve got a workaround now for this:

before running collection playbooks, I copy the host_vars and group_vars folders into the collection’s playbooks directory (using ansible copy).
the copied vaults are no longer encrypted in the copied location
debug shows that the secrets from the vaults are now visible
for some reason, I have to use set_fact to actually make the secrets available in roles (?)

~~I still have to verify this on awx/aap, though …~~

~~This does not work on AAP, though, atm.~~

Update

I’m now creating a symlink in the collection’s playbooks directory, and this works on both the Ansible CLI and in AAP.
So I’m symlinking {{ playbook_dir }}/group_vars using the file module to /runner/requirements_collections/ansible_collections/mynamespace/mycollection/playbooks/group_vars …
This works, but it’s pretty ugly.