onepassword.connect.generic_item task is not being executed when executing playbook with tags
I have a MySQL Ansible role with 2 tags: configure_mysql_users and configure_mysql_databases. Those tags are used for subsequent deployments of databases and users.
Here is a sample playbook for my test server:
---
- hosts: somehost
  gather_facts: yes
  become: yes
  environment:
    OP_VAULT: "<snip>"
    OP_CONNECT_HOST: "<snip>"
    OP_CONNECT_TOKEN: "<snip>"
  collections:
    - onepassword.connect
  pre_tasks:
    - onepassword.connect.generic_item:
        vault_id: "snip"
        title: somehost
        state: present
        fields:
          - label: root_username
            value: "root"
            section: "MYSQL (root)"
          - label: root_password
            generate_value: on_create
            section: "MYSQL (root)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
          - label: testuser_username
            value: "testuser"
            section: "MYSQL (testdb)"
          - label: testuser_password
            generate_value: on_create
            section: "MYSQL (testdb)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
    - name: Get root password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: root_password
      no_log: true
      register: root_password
    - name: Get testuser password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: testuser_password
      no_log: true
      register: testuser_password
  vars_files:
    - host_vars/somehost/mysql.yml
  roles:
    - roles/role-deploy-mysql
Initially, I've deployed a server with root user only, and it all went well.
However, I wanted to add a new user called testuser, so I've added a new item inside the pre_tasks block that should first create a new entry in 1Password, and then fetch that value and assign it to a variable. The playbook above is after those changes.
However, if I run this playbook using the following command:
ansible-playbook -i inv_production somehost.yml -t "configure_mysql_users,configure_mysql_databases" --vault-password-file=.vault --ask-become-pass
It won't create a new entry in 1Password vault for the testuser, but it will try to fetch the value which does not exist, and then my playbook execution is going to fail.
If I'm to run this playbook without tags, everything will be fine, a new entry will be made inside 1Password vault and the deployment of a new user will succeed.
So, it looks like onepassword.connect.generic_item is not being executed when the playbook is running using tags. I've tried to add an always tag to it, but it didn't matter too much.
Any ideas how to overcome this issue?
Comments
-
First, thank you for providing those detailed reproduction steps! I was able to reproduce this issue locally. I've included the localized version I ran at the end of this post.
I believe this issue is actually with how Ansible handles pre-tasks and tags.
Reproducing the Issue
Here's what I tried and what I saw:
1. I ran the playbook with the -t "configure_mysql_users,configure_mysql_databases" flag.
   Result => setup item NOT created; item_info steps failed
2. I ran playbook without the -t flag.
   Result: setup item created :+1:
3. I added tags: ['always'] to the generic_item task in pre_tasks.
   Result => setup_item executed, item_info found the requested fields.
Next Steps
I suggest adding tags: ['always'] to the setup_item task. The generic_item module is idempotent and won't overwrite the generated fields when you specify generate_value: on_create for the field.
I found this old post in an Ansible mailing list discussing the issue, but it seems like the behavior still isn't well documented: https://groups.google.com/g/ansible-project/c/VxD39ABi1z4
Let us know if that takes care of the issue!
My local version of your playbook:
---
- hosts: localhost
  environment:
    OP_VAULT: "<snip>"
    OP_CONNECT_HOST: "http://localhost:8080"
    OP_CONNECT_TOKEN: "<snip>"
  collections:
    - onepassword.connect
  pre_tasks:
    - name: setup item
      onepassword.connect.generic_item:
        vault_id: "<snip>" # make sure this is the same as `OP_VAULT` in the environment block!
        title: somehost
        state: present
        fields:
          - label: root_username
            value: "root"
            section: "MYSQL (root)"
          - label: root_password
            generate_value: on_create
            section: "MYSQL (root)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
          - label: testuser_username
            value: "testuser"
            section: "MYSQL (testdb)"
          - label: testuser_password
            generate_value: on_create
            section: "MYSQL (testdb)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
    - name: Get root password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: root_password
      register: root_password
    - name: Get testuser password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: testuser_password
      register: testuser_password
0 -
Hey @David_ag thanks for the reply!
At first, I was not sure how you managed to make it work with added always tag, especially since I tried the same thing, and it didn't work. Then I realized that I was adding tags in a wrong place. Instead of:
pre_tasks:
  - name: setup items
    tags: [ 'always' ]
    onepassword.connect.generic_item:
I was doing this:
pre_tasks:
  - onepassword.connect.generic_item:
      tags: [ 'always' ]
But yeah, it works now 🎉
0 -
That's great to hear! Thanks for confirming the fix :)
0
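An added example, not part of the thread or of the 1Password collection: a small pre-flight check that models which pre_tasks run under `-t` and flags the two problems found above (an item_info read whose generic_item task is skipped, and `tags` nested under the module instead of the task). It assumes tags are set only at task level (no play, role or block inheritance) and works on already-parsed YAML; `will_run`, `audit` and `pre_tasks` are hypothetical names, and the sample data is a constructed, trimmed copy of the playbook in the question.

```python
# Added example: simplified model of Ansible's --tags selection for one play.
# Assumption: tags are set only on tasks (no play/role/block inheritance).
TASK_KEYWORDS = {"name", "tags", "register", "no_log", "when", "vars"}
SELECTED = {"configure_mysql_users", "configure_mysql_databases"}  # the -t value
FIELDS = [{"label": "root_password"}, {"label": "testuser_password"}]

def module_of(task):
    """Return (module_name, args): the first key that is not a task keyword."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            return key, value or {}
    raise ValueError("task has no module")

def will_run(task, selected):
    """True if the task executes under `--tags selected` (empty set: no -t)."""
    tags = set(task.get("tags", []))
    if "never" in tags:                 # 'never' runs only when asked for
        return bool(tags & selected)
    if not selected or "always" in tags:
        return True
    return bool(tags & selected)        # untagged tasks are skipped under -t

def audit(tasks, selected):
    """List tag problems that leave item_info reading a field nobody created."""
    findings, created = [], set()
    for task in tasks:
        module, args = module_of(task)
        label = task.get("name", module)
        if "tags" in args:              # the misplacement described in the thread
            findings.append(f"{label}: 'tags' is nested under the module, not the task")
        runs = will_run(task, selected)
        if module.endswith("generic_item") and runs:
            created |= {f["label"] for f in args.get("fields", [])}
        elif module.endswith("item_info") and runs and args["field"] not in created:
            findings.append(f"{label}: reads '{args['field']}' but no generic_item creating it runs")
    return findings

def pre_tasks(task_tags=None, module_tags=None):
    """Constructed, trimmed copy of the thread's pre_tasks as parsed YAML."""
    args = {"title": "somehost", "state": "present", "fields": FIELDS}
    if module_tags:
        args["tags"] = module_tags      # wrong place: becomes a module argument
    setup = {"name": "setup item", "onepassword.connect.generic_item": args}
    if task_tags:
        setup["tags"] = task_tags       # right place: a task keyword
    reads = [{"name": f"Get {f['label']}", "tags": ["always"],
              "item_info": {"item": "somehost", "field": f["label"]}} for f in FIELDS]
    return [setup] + reads
```

Calling `audit(pre_tasks(), SELECTED)` reproduces the failure from the question, and `audit(pre_tasks(task_tags=["always"]), SELECTED)` returns an empty list.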