We are using Ansible to manipulate VM tags in vCenter via the VMware Tag Manager module (community.vmware.vmware_tag_manager). It works, but it appears to authenticate against the vCenter anew on every invocation. For large tagging operations (hundreds of VMs), that is a not-insubstantial factor in runtime.
One factor is that we are dynamically resolving the particular vCenter a VM belongs to at module runtime.
Is there any way this authentication to the vCenter can be reused? Alternatively, is there a more efficient way to use this module to tag many VMs with just one or a few invocations?
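For context, the pattern being described presumably looks something like the task below: one module invocation, and therefore one login, per VM. All variable names here are placeholders:

```yaml
# Hypothetical loop: each iteration spawns a fresh module process
# that authenticates to the resolved vCenter before tagging.
- name: Tag many VMs, one invocation each
  community.vmware.vmware_tag_manager:
    hostname: "{{ vcenter_for_vm[item] }}"  # resolved per VM at runtime
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    object_name: "{{ item }}"
    object_type: VirtualMachine
    tag_names:
      - "{{ tag_to_apply }}"
    state: present
  loop: "{{ vm_names }}"
```

One small consolidation is already possible: `tag_names` is a list, so attaching several tags to the same VM costs one invocation, not one per tag.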
Edit: Ah, I think I misunderstood the question. It sounded like you wanted to get rid of boilerplate throughout your play (which is what module_defaults helps with), but my suggestion won’t help reduce the number of authentications made.
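For reference, the module_defaults suggestion looks roughly like this. It moves the connection parameters out of each task, but every invocation still logs in on its own (placeholder values throughout):

```yaml
- hosts: localhost
  gather_facts: false
  module_defaults:
    community.vmware.vmware_tag_manager:
      hostname: "{{ vcenter_hostname }}"
      username: "{{ vcenter_username }}"
      password: "{{ vcenter_password }}"
  tasks:
    - name: Tag a VM (connection args inherited from module_defaults)
      community.vmware.vmware_tag_manager:
        object_name: "{{ item }}"
        object_type: VirtualMachine
        tag_names: ["{{ tag_to_apply }}"]
        state: present
      loop: "{{ vm_names }}"
```

Note this only works cleanly when the vCenter hostname is the same for every task; with per-VM resolution, `hostname` still has to be set on each invocation.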
I have seen some modules that can use cached credentials/tokens so they don’t have to re-authenticate on each invocation. Too bad I can’t remember where I saw that; maybe some networking-related modules. The idea is that one module handles authentication and caches the auth token, and subsequent modules authenticate from that cache. The VMware modules, including the newer ones using the REST API, unfortunately don’t seem to have that ability.
On the other hand, are you sure re-authentication takes a significant percentage of module execution time? Module invocation itself is a rather heavy operation in Ansible. The module code usually runs quickly, but waiting for the API call to vCenter to finish is much slower. I suspect authentication is only a small fraction of that time.
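To check that assumption, per-task timing can be measured with the ansible.posix.profile_tasks callback (assuming the ansible.posix collection is installed). A minimal ansible.cfg fragment to enable it:

```ini
[defaults]
callbacks_enabled = ansible.posix.profile_tasks
```

Each task’s wall-clock duration is then printed at the end of the run, which shows what a tagging task actually costs before attributing the time to authentication.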
Also, unless the vCenter API offers the ability to tag multiple objects with a single call, this is the only way it can be implemented: an API call has to be made for each object to be tagged.
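Outside of Ansible, the vSphere Automation REST API itself does let you authenticate once and reuse the session token for many calls. A minimal stdlib-only sketch; the helper names are made up here, and the endpoint paths are from the `/rest` flavor of the API (newer vCenters also expose `/api` paths), so verify them against your vCenter version:

```python
# Sketch: log in to vCenter once, then reuse the session token for
# every tagging call instead of re-authenticating per VM.
# Assumes a certificate trusted by the client; endpoints per the
# vSphere Automation REST API.
import base64
import json
import urllib.request

def login(host, user, password):
    """One POST to /rest/com/vmware/cis/session; returns the token."""
    req = urllib.request.Request(
        f"https://{host}/rest/com/vmware/cis/session", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def attach_url(host, tag_id):
    """Tag-association endpoint for attaching one tag to one object."""
    return (f"https://{host}/rest/com/vmware/cis/tagging/"
            f"tag-association/id:{tag_id}?~action=attach")

def attach_tag(host, token, tag_id, vm_moid):
    """Still one call per VM, but the session token is reused."""
    body = json.dumps(
        {"object_id": {"id": vm_moid, "type": "VirtualMachine"}}).encode()
    req = urllib.request.Request(attach_url(host, tag_id), data=body,
                                 method="POST")
    req.add_header("vmware-api-session-id", token)
    req.add_header("Content-Type", "application/json")
    urllib.request.urlopen(req)
```

If your vCenter version supports it, the tag-association service also documents an attach-tag-to-multiple-objects action, which would reduce this to one call per tag rather than one per VM.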
There have been a number of partially-failed attempts in this area that have actually shipped as part of core over the years; most have been removed (accelerate, turbo). It’s not hard at all to get a persistent, reusable module-state process to hang around; the hard part is getting it to play nicely and safely. Common problems with previous attempts:
- process lifetime management (control-node-only is much easier; tying it hard to the control process lifetime; preventing process clog; handling multiple overlapping jobs and different concurrent versions of core/content)
- robust pool key selection (e.g. host/port/credential/?, making sure you don’t pick up the wrong one)
- secure access to the cached process (especially where become is a factor)
Sounds like this is hard to implement in a safe, secure, and (maybe?) stable way, especially since each task is a separate process. I think that is what makes it complicated: we can’t use shared memory between threads; we need inter-process communication.