Is there an elegant way to ensure that pip dependencies are installed when writing Ansible lookup plugins?

I’m writing an Ansible lookup plugin that pulls secrets from a secret source and inserts them as variables into Ansible playbooks. I was trying to figure out if there’s a way to have any of the pip dependencies installed automatically for the user before they try to run the plugin.

For instance, the top of my plugin looks something like this:

```python
# [...licence stuff...]
from __future__ import absolute_import, division, print_function

__metaclass__ = type

from ansible.plugins.lookup import LookupBase
from ansible.errors import AnsibleError

import some_super_niche_sdk
```

I’d like to have some_super_niche_sdk automatically installed so that the plugin just works when they run a playbook that uses it.

I’ve searched the developer docs as well as the singular and plural form of “dependency” here in the Ansible forums and wasn’t able to find an answer.

Based on the lack of an affirmative answer for simple dependency handling at install-time, I’m guessing that the user is just expected to read the “module not found” error from Python and install the dependency manually, but I wanted to see if this problem has been solved by a more experienced Ansible dev before packaging the plugin with that assumption.

Thanks in advance.


I had been wondering the same thing. From what I can tell after following a lot of the same path you did, there is no Ansible secret sauce to do it.

The general recommendation is to not use dependencies where possible, but practically speaking you of course need to at times.

You could use pip as a library to install the dependency you need inside your lookup plugin. Probably not something that would be accepted into one of the large collections but if it’s for internal use only it should do the trick.

Another option would be to simply use the pip Ansible module to install the library when missing ahead of the lookup plugin call.

Thanks, @DBAverage.

Yeah. I would love to avoid using this dep, but the SDK that I am working with is for the secrets provider and handles various encryption & decryption operations, and their API endpoints, so maintaining it within the plugin itself probably wouldn’t be practical.

I intend to publish this plugin on Ansible Galaxy eventually, so I’ll avoid doing anything the average Ansible user would find to be invasive, so short of an officially-supported Ansible way to do it, I’ll avoid baking in the pip installation in the script.

Plugins themselves right now have no way of doing that. (Neither do collections.) Users always have to manually install required dependencies, or otherwise make sure they are installed somehow.

The only exception is collections in Execution Environments (EEs). You can declare Python and system dependencies for EEs (see the ansible-builder docs), which are then installed by ansible-builder when an EE is built with that collection in it.

(Also somewhat related is Create guidelines for collection python requirements · Issue #224 · ansible-community/community-topics · GitHub. That’s right now far from a solution though.)

See import — Ansible Documentation for how to properly import third-party code in plugins. (The sanity tests for collections will also tell you to do that.)

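The guarded-import pattern the last reply refers to, as an added example that is not code from the thread or from any Ansible project: the plugin loads without the SDK, and fails with a clear error at lookup time instead of installing packages on the controller itself. The stand-in classes (used only when Ansible is not importable) and the `Client().get_secret()` SDK calls are assumptions for illustration.

```python
# Added sketch of a lookup plugin with a guarded third-party import.
try:
    from ansible.errors import AnsibleError
    from ansible.plugins.lookup import LookupBase
except ImportError:
    # Stand-ins (assumption) so this sketch also runs where Ansible is absent.
    class AnsibleError(Exception):
        pass

    class LookupBase(object):
        pass

# Record the import failure instead of letting it abort plugin loading.
try:
    import some_super_niche_sdk  # placeholder name taken from the question
except ImportError as imp_exc:
    some_super_niche_sdk = None
    SDK_IMPORT_ERROR = imp_exc
else:
    SDK_IMPORT_ERROR = None

# For Execution Environments, a collection can instead declare the library in
# a requirements.txt referenced from meta/execution-environment.yml, and
# ansible-builder installs it at image build time.


class LookupModule(LookupBase):
    def run(self, terms, variables=None, **kwargs):
        # Fail closed: no runtime "pip install", which would pull unpinned,
        # unreviewed code into the environment that handles the secrets.
        if SDK_IMPORT_ERROR is not None:
            raise AnsibleError(
                "The 'some_super_niche_sdk' Python library is required on the "
                "controller for this lookup; install it (pinned) into the "
                "Python environment that runs Ansible."
            ) from SDK_IMPORT_ERROR

        client = some_super_niche_sdk.Client()  # hypothetical SDK API
        return [client.get_secret(term) for term in terms]  # hypothetical call
```

Chaining the original `ImportError` keeps the real cause (missing package versus a broken transitive dependency) visible in the traceback when Ansible runs with increased verbosity.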
