Merge "Resolve Ansible variable precedence issue with include_vars"

2018-03-04 21:44:57 +00:00 · 2018-03-04 21:44:57 +00:00 · 285d47bfe6
parent adfe9d574e 4d7a824070
commit 285d47bfe6
8 changed files with 30 additions and 7 deletions
--- a/roles/configure-unbound/tasks/main.yaml
+++ b/roles/configure-unbound/tasks/main.yaml
@ -41,9 +41,9 @@
 - name: Include OS-specific variables
  include_vars: "{{ item }}"
  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yaml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}.yaml"
-    - "{{ role_path }}/vars/default.yaml"
+    - "{{ ansible_distribution }}.yaml"
+    - "{{ ansible_os_family }}.yaml"
+    - "default.yaml"

 - name: Ensure Unbound conf.d directory exists
  become: yes
--- a/tests/multi-node-firewall-persistence.yaml
+++ b/tests/multi-node-firewall-persistence.yaml
@ -7,13 +7,15 @@
    # it again -- we're testing here that both are persisted properly.
    - { role: multi-node-bridge, bridge_authorize_internal_traffic: true }
  post_tasks:
+    # NOTE (dmsimard): Using with_first_found and include_vars can yield
+    # unexpected results, see multinode_firewall_persistence_vars/README.rst
    - name: Include OS-specific variables
      include_vars: "{{ item }}"
      with_first_found:
-        - "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
-        - "{{ ansible_distribution }}.yaml"
-        - "{{ ansible_os_family }}.yaml"
-        - "default.yaml"
+        - "multinode_firewall_persistence_vars/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml"
+        - "multinode_firewall_persistence_vars/{{ ansible_distribution }}.yaml"
+        - "multinode_firewall_persistence_vars/{{ ansible_os_family }}.yaml"
+        - "multinode_firewall_persistence_vars/default.yaml"

    - name: Flush iptables rules
      become: yes
--- a/tests/multinode_firewall_persistence_vars/Debian.yaml
+++ b/tests/multinode_firewall_persistence_vars/Debian.yaml
--- a/tests/multinode_firewall_persistence_vars/README.rst
+++ b/tests/multinode_firewall_persistence_vars/README.rst
@ -0,0 +1,21 @@
+multinode_firewall_persistence_vars
+===================================
+
+This directory is meant to contain distribution specific variables used in
+integration tests for the ``multinode_firewall_persistence`` role.
+
+The behavior of the ``with_first_found`` lookup used with the ``include_vars``
+module will make it search for the ``vars`` directory in the "usual" order of
+precedence which means if there is a ``vars`` directory inside the playbook
+directory, it will search there first.
+
+This can result in one of two issues:
+
+1. If you try to prepend ``{{ role_path }}`` to workaround this issue with the
+   variable file paths, Zuul will deny the lookup if you are running an
+   untrusted playbook because the role was prepared in a trusted location and
+   Ansible is trying to search outside the work root as a result.
+2. The variables included are the wrong ones -- the ones from
+   ``playbooks/vars`` are loaded instead of ``path/to/<role>/vars``
+
+This is why this directory is called ``multinode_firewall_persistence_vars``.
--- a/tests/multinode_firewall_persistence_vars/RedHat.yaml
+++ b/tests/multinode_firewall_persistence_vars/RedHat.yaml
--- a/tests/multinode_firewall_persistence_vars/Suse.yaml
+++ b/tests/multinode_firewall_persistence_vars/Suse.yaml
--- a/tests/multinode_firewall_persistence_vars/Ubuntu_trusty.yaml
+++ b/tests/multinode_firewall_persistence_vars/Ubuntu_trusty.yaml
--- a/tests/multinode_firewall_persistence_vars/default.yaml
+++ b/tests/multinode_firewall_persistence_vars/default.yaml