Role played on all hosts, condition "when: 'group' in group_names" not correctly evaluated

Hi,

I am using Ansible 2.2.0 to configure network devices. I have a problem with the evaluation of a condition using "when: ‘group’ in group_names’.

The playbook is :

`

• name: Configure topologies
  hosts: “{{ TOPO }}”
  strategy: debug
  vars_files:
• “vars_file/{{TOPO}}.yml”
  roles:
• set_ce_bgp_params
• set_pe_bgp_params
• set_sw_vlan
• set_banner
  tags:
• config

`

Where TOPO is an extra vars I provide when I launch the play. Here TOPO is topo14. The host list contains the following items :

`

[ce]
rtr-site1
rtr-site2-1
rtr-site2-2
rtr-site2-tagin-1
rtr-site2-tagin-2
rtr-site3-1
rtr-site3-2
rtr-site4-1
rtr-site4-2
rtr-site5
rtr-site6

[pe]
rtr-ipsn
rtr-pe1
rtr-pe2

[topo14]
rtr-site6
rtr-site2-1
rtr-site2-2
rtr-pe1
rtr-pe2
sw-site1
sw-site3
ch-site2-qa-1
ch-site6-qa

`

I have a problem with this role :

`

• name: Update neighbor parameters
  connection: local
  ios_config:
  host: “{{ inventory_hostname }}”
  parents:
• “router bgp {{ bgp_as }}”
• “address-family ipv4 vrf {{ vrf }}”
  commands:
• “neighbor {{ item.value }} {{topo[rtr_site][rtr_index][‘bgp_actions’][item.key]}}”
  with_dict: bgp_neighbors
  when:
• “‘ce’ in group_names”
• not (
  (topo[rtr_site][rtr_index][‘bgp_actions’][item.key] is undefined) or
  (topo[rtr_site][rtr_index][‘bgp_actions’][item.key] | trim == “”)
  )
  notify: clear ip bgp
  `

The role is supposed to be used only on hosts belonging to the [ce] group, but when I launch the play here is the output :

`
PLAY [Configure topologies] ****************************************************

TASK [set_ce_bgp_params : Update neighbor parameters] **************************

fatal: [sw-site3]: FAILED! => {“failed”: true, “msg”: “with_dict expects a dict”}

fatal: [sw-site1]: FAILED! => {“failed”: true, “msg”: “with_dict expects a dict”}

fatal: [ch-site2-qa-1]: FAILED! => {“failed”: true, “msg”: “with_dict expects a dict”}

fatal: [ch-site6-qa]: FAILED! => {“failed”: true, “msg”: “with_dict expects a dict”}

fatal: [rtr-pe2]: FAILED! => {“failed”: true, “msg”: “with_dict expects a dict”}

fatal: [rtr-pe1]: FAILED! => {“failed”: true, “msg”: “with_dict expects a dict”}

changed: [rtr-site6] => (item={‘key’: u’ipsn’, ‘value’: u’57.0.0.9’})

skipping: [rtr-site6] => (item={‘key’: u’pe1’, ‘value’: u’10.16.11.2’})

changed: [rtr-site2-1] => (item={‘key’: u’ipsn’, ‘value’: u’57.0.0.9’})

changed: [rtr-site2-2] => (item={‘key’: u’ipsn’, ‘value’: u’57.0.0.9’})

skipping: [rtr-site2-2] => (item={‘key’: u’hsrp’, ‘value’: u’10.12.0.1’})

skipping: [rtr-site2-2] => (item={‘key’: u’pe2’, ‘value’: u’10.12.22.2’})

ok: [rtr-site6] => (item={‘key’: u’pe2’, ‘value’: u’10.16.12.2’})

ok: [rtr-site2-1] => (item={‘key’: u’pe1’, ‘value’: u’10.12.11.2’})

skipping: [rtr-site2-1] => (item={‘key’: u’pe2’, ‘value’: u’10.12.12.2’})

skipping: [rtr-site2-1] => (item={‘key’: u’hsrp’, ‘value’: u’10.12.0.2’})

`

The role is played even if rtr-pe1/rtr-pe2 and else are not in [ce] group.

What am I doing wrong? Can I do this in an other way?

Kind regards,

Valerie

a) you cannot make a role conditional, any ‘when’ is just applied to the tasks in the role
b) with_ runs before when: (so you can make execution conditional by item)
c) use |default({}) to skip the task and avoid the error

Thank you very much Brian!