Using "changed_when" in a playbook?

Archives Ansible Project
1

Hi All,

I’m a relative noob to ansible, and I’ve only been using it for a couple of weeks, so maybe this is a dumb question, but I’d like to get this resolved. Here’s the back story: I’d like to be able to run an AIDE check to make sure that my system is in a known good state before I run a playbook on it, so I’ve created a role called “precheck” that simply runs the “aide --check” command. I put that role at the top of my role list and it will cause my playbook to fail if there are some changed files on my system, otherwise it will continue on and let the other roles be applied to my system. At the end of the list of roles, I’ll have a role called “aide_update” that will simply run the “aide --update” command and then copy the resulting database into the proper location. The theory is that I’ll be able to always know when changes are made to the system outside of my ansible scripts. Everything is working, and life is beautiful, except that the commands I’m running always show “changed” as the result, even though the return code for the “aide --check” command is 0. I’ve tried to add the “changed_when” directive to the ansible script, but it fails with the following output (which contains the script execution with a clean database and no changed_when directive, adding the changed_when directive, and trying to run the playbook again, followed lastly by the playbook contents that generate the error):

[jwalters@jenkins roles]$ ansible-playbook precheck.yml --sudo

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
ok: [127.0.0.1]

TASK: [precheck - verify AIDE clean status] ***********************************
changed: [127.0.0.1]

PLAY RECAP ********************************************************************
127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0

[jwalters@jenkins roles]$ vi precheck/tasks/main.yml
[jwalters@jenkins roles]$ ansible-playbook precheck.yml --sudo
ERROR: changed_when is not a legal parameter in an Ansible task or handler
[jwalters@jenkins roles]$ cat precheck/tasks/main.yml

  • name: precheck - verify AIDE clean status
    shell: /usr/sbin/aide --check
    register: aide_check
    changed_when: “aide_check.rc != 0”

I’ve referred to this bit of documentation from the website, and I’m using ansible version 1.3, so I’m happy to hear about any ideas as to what I’m doing wrong:

Overriding Changed Result

New in version 1.3.

When a shell/command or other module runs it will typically report “changed” status based on whether it thinks it affected machine state.

Sometimes you will know, based on the return code or output that it did not make any changes, and wish to override the “changed” result such that it does not appear in report output or does not cause handlers to fire:

tasks:

  - shell: /usr/bin/billybass --mode="take me to the river"
    register: bass_result
    changed_when: "bass_result.rc != 2"

  # this will never report 'changed' status
  - shell: wall 'beep'

Thanks!

Jim Walters

2

Ok so you have this:

register: aide_check
changed_when: “aide_check.rc != 0”

That looks fine.

Can you please run and show your output with “-v” on the playbook command line?

3

I think the problem was a slightly older version of ansible on the machine. It looked like it was current to me, but I guess I didn’t know any better. When I cloned the repository and re-installed, it stopped complaining bout changed_when not being valid. I’ve still got other issues with aide’s output messing up my clean and beautiful results, but that’s a problem for another day! Thanks!