onepassword.connect.generic_item task is not being executed when executing playbook with tags

I have a MySQL Ansible role with 2 tags: configure_mysql_users and configure_mysql_databases. Those tags are used for subsequent deployments of databases and users.

Here is a sample playbook for my test server:

---
- hosts: somehost
  gather_facts: yes
  become: yes
  environment:
    OP_VAULT: "<snip>"
    OP_CONNECT_HOST: "<snip>"
    OP_CONNECT_TOKEN: "<snip>"
  collections:
    - onepassword.connect
  pre_tasks:
    - onepassword.connect.generic_item:
        vault_id: "snip"
        title: somehost
        state: present
        fields:
          - label: root_username
            value: "root"
            section: "MYSQL (root)"
          - label: root_password
            generate_value: on_create
            section: "MYSQL (root)"
            field_type: concealed
            generator_recipe:
                length: 16
                include_symbols: no
          - label: testuser_username
            value: "testuser"
            section: "MYSQL (testdb)"
          - label: testuser_password
            generate_value: on_create
            section: "MYSQL (testdb)"
            field_type: concealed
            generator_recipe:
                length: 16
                include_symbols: no
    - name: Get root password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible 
        field: root_password
      no_log: true
      register: root_password
    - name: Get testuser password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible 
        field: testuser_password
      no_log: true
      register: testuser_password
  vars_files:
    - host_vars/somehost/mysql.yml
  roles: 
    - roles/role-deploy-mysql

Initially, I've deployed a server with root user only, and it all went well.
However, I wanted to add a new user called testuser, so I've added a new item inside pre_tasks block that should first create a new entry in 1Password, and then fetch that value and assign it to a variable. The playbook above is after those changes.

However, if I run this playbook using the following command:

ansible-playbook -i inv_production somehost.yml -t "configure_mysql_users,configure_mysql_databases" --vault-password-file=.vault --ask-become-pass

It won't create a new entry in 1Password vault for the testuser, but it will try to fetch the value which does not exist, and then my playbook execution is going to fail.
If I'm to run this playbook without tags, everything will be fine, a new entry will be made inside 1Password vault and the deployment of a new user will succeed.

So, it looks like onepassword.connect.generic_item is not being executed when playbook is running using tags. I've tried to add an always tag to it, but it didn't matter too much.

Any ideas how to overcome this issue?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • David_agDavid_ag

    Team Member

    First, thank you for providing those detailed reproduction steps! I was able to reproduce this issue locally. I've included the localized version I ran at the end of this post.

    I believe this issue is actually with how Ansible handles pre-tasks and tags.

    Reproducing the Issue

    Here's what I tried and what I saw:
    I ran the playbook with the -t "configure_mysql_users,configure_mysql_databases" flag.
    Result =>: setup item NOT created; item_info steps failed

    I ran playbook without the -t flag.
    Result: setup item created :+1:

    I added tags: ['always'] to the generic_item task in pre_tasks.
    Result => setup_item executed, item_info found the requested fields.

    Next Steps

    I suggest adding tags: ['always'] to the setup_item task. The generic_item module is idempotent and won't overwrite the generated fields when you specify generate_value: on_create for the field.

    I found this old post in an Ansible mailing list discussing the issue, but it seems like the behavior still isn't well documented: https://groups.google.com/g/ansible-project/c/VxD39ABi1z4

    Let us know if that takes care of the issue!


    My local version of your playbook:

    ---
    - hosts: localhost
      environment:
        OP_VAULT: "<snip>"
        OP_CONNECT_HOST: "http://localhost:8080"
        OP_CONNECT_TOKEN: "<snip>"
      collections:
        - onepassword.connect
      pre_tasks:
        - name: setup item
          onepassword.connect.generic_item:
            vault_id: "<snip>" # make sure this is the same as `OP_VAULT` in the environment block!
            title: somehost
            state: present
            fields:
              - label: root_username
                value: "root"
                section: "MYSQL (root)"
              - label: root_password
                generate_value: on_create
                section: "MYSQL (root)"
                field_type: concealed
                generator_recipe:
                  length: 16
                  include_symbols: no
              - label: testuser_username
                value: "testuser"
                section: "MYSQL (testdb)"
              - label: testuser_password
                generate_value: on_create
                section: "MYSQL (testdb)"
                field_type: concealed
                generator_recipe:
                  length: 16
                  include_symbols: no
        - name: Get root password
          tags: [ 'always' ]
          item_info:
            item: somehost
            vault: Ansible
            field: root_password
    
          register: root_password
        - name: Get testuser password
          tags: [ 'always' ]
          item_info:
            item: somehost
            vault: Ansible
            field: testuser_password
          register: testuser_password
    
  • Hey @David_ag thanks for the reply!

    At first, I was not sure how you managed to make it work with added always tag, especially since I tried the same thing, and it didn't work. Then I realized that I was adding tags in a wrong place. Instead of :

      pre_tasks:
        - name: setup items
          tags: [ 'always' ]
          onepassword.connect.generic_item:
    

    I was doing this:

      pre_tasks:
          - onepassword.connect.generic_item:
            tags: [ 'always' ]
    

    But yeah, it works now 🎉

  • David_agDavid_ag

    Team Member

    That's great to hear! Thanks for confirming the fix :)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file