Hi Team,
I have a legacy tool scanning for configuration changes in our environment. In a nutshell, it generates a list of checks to be performed and feeds those checks to the assert module. Although those values are vetted and considered trusted, some of them are marked unsafe.
Now, I need to migrate the tool from Ansible 2.9, where it is working fine, to 2.16. The problem is that the newer version is more strict about AnsibleUnsafeText and the assert module refuses to evaluate it. The snippet below is what our problem boils down to (test.yml):
---
- hosts: localhost
  gather_facts: false
  vars:
    checklist:
      # Checks generation logic here
      - "1 == 1"
      - !unsafe "1 != 2"
  tasks:
    - assert:
        that: "{{ checklist }}"
In Ansible 2.9 it works fine:
$ansible-playbook -i localhost, -c local test.yml
PLAY [localhost] **********************************************************************************************************************************************
TASK [assert] *************************************************************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "msg": "All assertions passed"
}
PLAY RECAP ****************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
In Ansible 2.16 it fails:
$ansible-playbook -i localhost, -c local test.yml
PLAY [localhost] **********************************************************************************************************************************************
TASK [assert] *************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check '1 == 1' failed. The error was: Conditional is marked as unsafe, and cannot be evaluated."}
PLAY RECAP ****************************************************************************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
We are looking for a solution that would allow us to keep the assert module and the way the checks are generated. Is there a way to mark AnsibleUnsafeText as vetted without a massive redesign of the tool?
Thanks,
Maciek