IBM-Security / isam-ansible-roles

DEPRECATED Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0
24 stars 43 forks source link

execute_pdadmin error handling #47

Closed sygilber closed 6 years ago

sygilber commented 6 years ago

When executing a pdadmin cmd with the execute_pdadmin role and an error is captured, I obtained a syntax execution error because the ret_obj['data'] is undefined.

TASK [execute_pdadmin : Output of PDAdmin command execution] *** fatal: [stha9n0fw.iad.ca.inet]: FAILED! => {"msg": "The conditional check '(ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode))' failed. The error was: error while evaluating conditional ((ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode))): Unable to look up a name or access an attribute in template string ({% if (ret_obj is defined and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode)) %} True {% else %} False {% endif %}).\nMake sure your variable name does not contain invalid characters like '-': argument of type 'StrictUndefined' is not iterable\n\nThe error appears to have been in '/home/sygilber/isam_home/ansible/roles/isam-ansible-roles/execute_pdadmin/tasks/main.yml': line 22, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Output of PDAdmin command execution\n ^ here\n"}

When making some change in the play named "Output of PDAdmin command execution" to refer to ret_obj instead of ret_obj['data'] then the execution error is cleared.

Here is a summary of what would look like the modification if I would create a pull request.

diff --git a/execute_pdadmin/tasks/main.yml b/execute_pdadmin/tasks/main.yml index 2e07353..997bf12 100644 --- a/execute_pdadmin/tasks/main.yml +++ b/execute_pdadmin/tasks/main.yml @@ -14,8 +14,8 @@ register: ret_obj

But before I do that, I am looking for advise/comments if this is the right thing. Or it is possible that depending of the appliance version, the returned object is not structured the same way, or the version of ansible introcuces changes ? Here are details about the ansible stack we are running:

ansible 2.4.0.0 python version = 2.7.5 (default, May 3 2017, 07:55:04) [GCC 4.8.5 20150623 (Red Hat 4.8.5-14)]

ram-ibm commented 6 years ago
- name: Output of PDAdmin command execution
  debug: msg="{{ ret_obj['data']['result'].split('\n') }}"
  when: (ret_obj is defined and 'data' in ret_obj and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode) and (not execute_pdadmin_suppress_output))

This maybe a better fix.

sygilber commented 6 years ago

The proposed fix is OK as long as the variable "execute_pdadmin_suppress_output" is removed from the "when" condition since it is defined nowhere in the role implementation currently available.

- name: Output of PDAdmin command execution debug: msg="{{ ret_obj['data']['result'].split('\n') }}" when: (ret_obj is defined and 'data' in ret_obj and 'result' in ret_obj['data'] and ret_obj|succeeded and (not ansible_check_mode))

sygilber commented 6 years ago

Resolved by https://github.com/IBM-Security/isam-ansible-roles/pull/49