Variables precedence in play and task

Hi
I’m struggling a bit with variable precedence in my play and in a task.
I’m using this play, which works great, but I’ve added a last task to reboot my Windows server BUT I have to use a special account (so a new ansible_user and ansible_password).
To do that, I was thinking of adding a vars statement within my task. => This is currently working if I set them in plaintext, but every time I set other things like a vault lookup, it fails.

- name: Set Active Directory Settings and Accounts
  hosts: "{{ eth1_ip }}"
  vars_files:
    - vars.yml

  roles:
    - set-xxxx
    - set-yyyy

  tasks:
  - name: Reboot my server
    ansible.windows.win_reboot:
      post_reboot_delay: 60
      reboot_timeout: 180
      msg: Last reboot from Ansible
    vars:
      ansible_user: "my_service_account"
      ansible_password: "its_password"

My vars.yml file is made of this:

ansible_connection: winrm
ansible_port: 5985

##### Vault Settings to retrieve account
windows_secrets_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'windows_secrets', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"

ansible_user: "{{ windows_secrets_vault.secret.template_admin_username }}"
ansible_password: "{{ windows_secrets_vault.secret.template_admin_password }}"

Now if I want to update my vars statement using lookups to retrieve another ansible_user, like this:

  tasks:
  - name: Reboot my server
    ansible.windows.win_reboot:
      post_reboot_delay: 60
      reboot_timeout: 180
      msg: Last reboot from Ansible
    vars:
      windows_secrets_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'windows_secrets', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"
      ansible_user: "{{ windows_secrets_vault.secret.template_ANOTHER_username }}"
      ansible_password: "{{ windows_secrets_vault.secret.template_ANOTHER_password }}"

I got this kind of error:

{
  "msg": "The field 'remote_user' has an invalid value, which includes an undefined variable. The error was: 'windows_secrets_vault' is undefined. 'windows_secrets_vault' is undefined. 'windows_secrets_vault' is undefined. 'windows_secrets_vault' is undefined",
  "_ansible_no_log": false
}

In my understanding of variable precedence, and according to this, I thought vars_files applied to the whole play (roles + tasks) and that task vars are aware of what is defined in the vars.yml file.

So is it possible to base my task vars on the vars.yml file (basically, use lookup in my vars statement)?

Hi. Your code looks OK to me and should (?) work. The usual cause for errors like these is a typo, but I don’t see any in your code.

What happens if you remove windows_secrets_vault from the task vars? This should still use the value defined in vars.yml, which is the same.

It looks like the lookup is returning an undefined value instead of a valid value.

Note that the ansible_user variable has special treatment and it is possible that it is templated in a context where lookup plugins are not available. To verify this, try replacing your win_reboot task with a debug task that prints the ansible_user value, like:

- name: Debug
  debug:
    msg: "{{ ansible_user }}"
  vars:
    windows_secrets_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'windows_secrets', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"
    ansible_user: "{{ windows_secrets_vault.secret.template_ANOTHER_username }}"
    ansible_password: "{{ windows_secrets_vault.secret.template_ANOTHER_password }}"

and after that rename the variable ansible_user to something like ansible_user_blabla and print its value. If it works in the second case but not in the first case, then it is because of the special treatment of the ansible_user variable.
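
The diagnostic steps above, collected into one play as an added example (this is not the poster's or the answerer's code). It assumes the same vars.yml, host pattern and Vault lookup as the question; only usernames are printed, never the password.

```yaml
# Added example: runs the three checks in sequence so the results can be
# compared in a single run. gather_facts is off and debug runs on the
# controller, so no WinRM connection is made and the test isolates
# templating of the variables from the connection itself.
- name: Diagnose ansible_user templating in task vars
  hosts: "{{ eth1_ip }}"          # same host pattern as the question
  gather_facts: false
  vars_files:
    - vars.yml                    # defines windows_secrets_vault, ansible_user, ansible_password

  tasks:
    # Check 1: the special variable ansible_user, with the lookup repeated
    # in task vars exactly as in the failing win_reboot task.
    - name: Check 1 - ansible_user with lookup in task vars
      ansible.builtin.debug:
        msg: "{{ ansible_user }}"
      vars:
        windows_secrets_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'windows_secrets', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"
        ansible_user: "{{ windows_secrets_vault.secret.template_ANOTHER_username }}"
        # ansible_password deliberately omitted: it is not needed to test templating

    # Check 2: the same expression under a name that gets no special treatment.
    - name: Check 2 - renamed variable with lookup in task vars
      ansible.builtin.debug:
        msg: "{{ ansible_user_blabla }}"
      vars:
        windows_secrets_vault: "{{ lookup('community.hashi_vault.vault_kv2_get', 'windows_secrets', engine_mount_point='kv/', auth_method='approle', role_id=approle_id, secret_id=approle_secret_id) }}"
        ansible_user_blabla: "{{ windows_secrets_vault.secret.template_ANOTHER_username }}"

    # Check 3: the variant the poster reports as failing, where
    # windows_secrets_vault is expected to come from vars.yml alone.
    - name: Check 3 - renamed variable, windows_secrets_vault only from vars.yml
      ansible.builtin.debug:
        msg: "{{ ansible_user_blabla }}"
      vars:
        ansible_user_blabla: "{{ windows_secrets_vault.secret.template_ANOTHER_username }}"
```

If check 1 fails while check 2 succeeds, the special handling of ansible_user is the cause; if check 3 is the only failure, the task-level vars are not seeing the vars_files value.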

Hi
At the moment, if I add the windows_secrets_vault lookup in the task’s vars, it works. If I remove it, it fails. It’s like the task’s vars don’t rely on vars.yml.
I’ll give the debug steps you gave me a try and let you know.

Interesting. By all means this looks to me like unexpected behavior. You can also experiment by putting windows_secrets_vault in group_vars or host_vars just to see if that makes any difference.

vars_files are loaded into the task’s vars; they are processed right after vars plugins (the core host_group_vars plugin is the one that handles the host_vars/ and group_vars/ directories).

Another idea is that maybe Ansible is picking the wrong vars.yml if you have multiple in different directories.