Separation of config data and logic

Hi,

As I build more complex playbooks that will be used by other teams that
have zero knowledge of Ansible (read: big corporation), I started to
migrate much of the configuration data to variable files. The idea was
to enforce certain things in the playbooks (things that won't ever
change and are standards -- famous last words) and let these users
change the moving parts through variables.

Initially it was nice because I was asking them to fill in a variable
named "oracle_sid" and I would use it throughout the plays in all sorts
of ways. The "users" didn't have to mess with Jinja filters, get the
chance to break the logic, etc.

Then it got weird when I was creating lists of dictionaries for users
that should exist for a given role, like this:

oracle_users:
  - name: userX
    group: groupX
    groups: groupY,groupZ
    home: /home/userX
  - name: userY
    group: ....
  
The YAML file with these variables is _almost_ like the playbook file
itself and I'm just looping over the list creating users with _almost_
all parameters defined by the end-user through that vars file.

So I got stuck thinking if I should be radical and not allow any
configuration data in the playbooks, only get it from variables. Or if I
should let these other operation teams mess directly with the playbooks.

I'm really divided about this and really appreciate any feedback.

Giovanni

Hey Giovanni,

It’s good that you want to separate your data from your logic. It’s a design pattern you won’t regret, now and going forward. Here’s how I see your problem resolved.

A simple Playbook for looping over the data, adding groups (first) and users:


Hi Michael,

Thanks for the insights, certainly helpful! I will review my playbooks
and incorporate more of these ideas.

Giovanni
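
The pattern discussed in this thread, as an added example that is not from either poster: the playbook keeps the logic and the enforced standards, checks the team-supplied `oracle_users` list before changing anything, then creates groups first and users second. The host group `dbservers`, the file `vars/oracle_users.yml`, the variable `allowed_user_keys` and the name and `/home/` rules are assumptions.

```yaml
# Added example, not from the thread. Assumed names: dbservers,
# vars/oracle_users.yml, allowed_user_keys, the name and /home/ rules.
- name: Create Oracle groups and users from team-supplied data
  hosts: dbservers
  become: true
  vars_files:
    - vars/oracle_users.yml        # the only file other teams edit
  vars:
    allowed_user_keys: [name, group, groups, home]
  tasks:
    # Runs before any change is made; a bad entry stops the play.
    - name: Reject entries that break the enforced standards
      ansible.builtin.assert:
        that:
          - item.name is match('^[a-z_][a-zA-Z0-9_-]*$')
          - item.group is defined
          - item.home is match('^/home/[^/]+$')
          - item.keys() | list | difference(allowed_user_keys) | length == 0
        fail_msg: "Invalid entry in oracle_users: {{ item }}"
      loop: "{{ oracle_users }}"

    # Collect primary groups plus the comma-separated secondary groups.
    - name: Create every primary and secondary group first
      ansible.builtin.group:
        name: "{{ item }}"
        state: present
      loop: >-
        {{ (oracle_users | map(attribute='group') | list
            + oracle_users | map(attribute='groups', default='')
              | map('split', ',') | flatten)
           | map('trim') | reject('equalto', '') | unique | list }}

    - name: Create the users
      ansible.builtin.user:
        name: "{{ item.name }}"
        group: "{{ item.group }}"
        groups: "{{ item.groups | default(omit) }}"
        home: "{{ item.home }}"
        state: present
      loop: "{{ oracle_users }}"
```

The key allow-list means a vars file cannot set `user` module parameters the playbook does not pass on, such as `uid` or `shell`; the `split` filter needs ansible-core 2.11 or later.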