Lookup Plugin and Remote-Execution

Hello everyone

I have to encrypt content in some configuration files on a target host by using encryption utilities provided by middleware (JBoss, Openliberty). The nicest solution would be, to encrypt the text while the template (for the config file) is being processed.

All that is needed is something like the “pipe” lookup plugin, just executed on the target machine of the current task. I know that lookup plugins are executed on the Ansible controller, but nothing should stop me from writing my own lookup-plugin which does the remote execution. Of course this would drastically slow down the template processing but it would be worth it.

My question is, is this feasible at all? Or is there some logic in how the lookup plugin is called which prevent us from doing something like this?
What I dont want to do is to roll a custom “ssh connect-here-logic”, since our envrionments are quite complex so I hoped that a potential plugin could use some runtime information and just execute a remote command somehow.

Of course the other solution is to write the password from the template with some prefex and then replace those things on the target machine using some facts.

regards
Marc

Hello,

and what about running a command on target host, save the output on a
fact and then use in template: module?

Luca

shell/command/raw modules do on hte remote what the 'pip lookup' does
locally, just register the output and use that variable in the
template.

Thats what I thought first but unfortunately my password are within a list of multiple elements, sometimes also deeper in a list of dicts. Since all of them are processed by the template registering a fact and then selecting the correct fact is (from my perspective) impossible.