I needed to import different sets of vars (hosted remotely) depending on the playbook at runtime. slurp is too limited and no other in-house solution is flexible enough.
- name: Import user variables
charlesrocket.essential.remote_vars:
url: https://www.example.com/user_vars.yml
The plugin pulls YAML files from remote locations and injects its content into ansible_facts. It works flawlessly and allows me to do interesting things with this profiling system later. But it feels very hacky and I wonder if theres a better way to achieve this.
My initial thought was âwhy an action plugin and not just a module which returns factsâ, and then I saw in the code that you expland templates in the variables, which is a neat idea. I like it.
Allowing to evaluate templates provided by a remote system can be dangerous, you just need one lookup (or filter or test) plugin installed on the controller that can be tricked into executing arbitrary commands to give you an remote execution exploit that can be triggered from the remotes on your Ansible controller.
What would you recommend in this case? I was thinking profile validator with listst/etc. Storing profiles in the collection would probably improve the case but still, sloppy and does not feel right.
I donât remember right now, but probably due jinja2 in profiles not being evaluated at the right time. I remember looking for built-in solutions/roles and jinja2 was a big barrier in all cases.
Would it work with jinja tho? I could not get any solutions to work with template vars in profiles, not sure why. Iâll try to figure out why when get a chance but I guess its done on purpose (also why anybody would need Slurp if theres built-in module already).
What you might have an issue is that remote data is âunsafeâ aka untrusted by default, otherwise you open yourself to having the âmanagerâ aka controller be injected with code from any possibly compromised target, making 1 host compromised into ALL hosts compromised. So if you are bypassing this protection you are creating a CVE we already patched.
You mean rewriting the plugin as vars plugin and adding profiles to it? Is there a way to keep the same workflow or one would have to first turn on vars plugin? Currently I just install ansible with the collection and start the playbook with the profile env var.
I am trying to keep this functional in profiles as well:
Turned out I canât call vars plugin the same way so converting is not an option (I should try to activate it in cfg tho but this breaks the original workflow so outcome is completely irrelevant). Docs around plugins are very weak, canât even find anything about testing. Guess I need to research the inventory approach, but I have a feeling templating will not roll there. And where to store profiles with the inventory approach? Bloating userâs deployment with foreign profiles seems lazy and mean.