AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.
When module launches a binary that relies on environment variables, credential variables are not passed to it #1765
When I use e.g. the terraform module with a binary that is downloaded in the same playbook, the credentials I have configured don't get passed to the binary, it seems. The same playbook executed on my own machine with the exact same environment variables configured works just fine. In addition, the dynamic inventory script in AWX that uses the same credentials (OpenStack) also works.
ENVIRONMENT
AWX version: 1.0.5
AWX install method: docker on linux
Ansible version: 2.5
Operating System: CentOS
Web Browser: Google Chrome
STEPS TO REPRODUCE
1. Configure openstack credential type on AWX (Built in are broken, I had to create custom ones for it to work) with the following environment vars:
   OS_USERNAME=user name (can be AD)
   OS_PROJECT_NAME=project name
   OS_USER_DOMAIN_NAME=user domain name
   OS_PROJECT_DOMAIN_NAME=project domain name
   OS_AUTH_URL=openstack auth url
   OS_AUTH_TYPE=password
   OS_IDENTITY_API_VERSION=3
   OS_NO_CACHE=True
2. Put in your credentials
3. Write a playbook that deploys some infra using terraform with the following tasks:
```yaml
- name: Download terraform
  get_url:
    url: https://releases.hashicorp.com/terraform/{{ terraform_version | default('0.11.7') }}/terraform_{{ terraform_version }}_linux_amd64.zip
    dest: /tmp/terraform-{{terraform_version}}.zip
  when: "'64' in ansible_architecture and 'Linux' == ansible_system and not stat_terraform.stat.exists and install_terraform"

- name: Install unzip to unarchive terraform
  package:
    name: unzip
    state: present
  when: install_terraform and not stat_terraform.stat.exists

- name: Unpack
  unarchive:
    dest: '{{playbook_dir}}'
    src: /tmp/terraform-{{terraform_version}}.zip
    mode: u+rwx
  when: not stat_terraform.stat.exists and install_terraform

- name: Check terraform again
  stat:
    path: '{{playbook_dir}}/terraform'
  register: stat_terraform
  when: install_terraform
  failed_when: install_terraform and not stat_terraform.stat.exists

- name: Lookup tfstate file
  stat:
    path: '{{terraform_path}}/{{infra}}/terraform.tfstate'
  register: stat_tfstate

- name: Lookup .terraform directory
  stat:
    path: '{{terraform_path}}/{{infra}}/.terraform'
  register: stat_tfmodules

- name: Init terraform if its downloaded (since force_init is broken in release currently)
  shell: 'pushd {{terraform_path}}/{{infra}} && {{playbook_dir}}/terraform init && popd'
  check_mode: no
  when: not stat_tfmodules.stat.exists and install_terraform

- name: Init terraform if its in path (since force_init is broken in release currently)
  shell: 'pushd {{terraform_path}}/{{infra}} && terraform init && popd'
  check_mode: no
  when: not stat_tfmodules.stat.exists and not install_terraform

- name: Run terraform
  terraform:
    binary_path: "{{install_terraform | ternary(playbook_dir+'/terraform', omit)}}"
    plan_file: '{{tf_plan | default(omit)}}'
    project_path: '{{terraform_path}}/{{infra}}'
    state_file: '{{stat_tfstate.stat.exists | ternary(stat_tfstate.stat.path, omit)}}'
    variables: '{{terraform_vars | default(omit)}}'
  register: tf_output
  environment:
    # This is not necessary, I think, it does the same thing regardless of me putting these manual lookups in
    OS_USER_DOMAIN_NAME: "{{lookup('env', 'OS_USER_DOMAIN_NAME')}}"
    OS_PROJECT_NAME: "{{lookup('env', 'OS_PROJECT_NAME')}}"
    OS_IDENTITY_API_VERSION: "{{lookup('env', 'OS_IDENTITY_API_VERSION')}}"
    OS_PASSWORD: "{{lookup('env', 'OS_PASSWORD')}}"
    OS_AUTH_TYPE: "{{lookup('env', 'OS_AUTH_TYPE')}}"
    OS_AUTH_URL: "{{lookup('env', 'OS_AUTH_URL')}}"
    OS_USERNAME: "{{lookup('env', 'OS_USERNAME')}}"
    OS_NO_CACHE: "{{lookup('env', 'OS_NO_CACHE')}}"
    OS_PROJECT_DOMAIN_NAME: "{{lookup('env', 'OS_PROJECT_DOMAIN_NAME')}}"
```
4. Deploy infra from your dev machine using the environment vars defined above. It should work.
5. Try to run the same playbook in AWX
EXPECTED RESULTS
Infra is deployed
ACTUAL RESULTS
provider.openstack: Authentication failed
ADDITIONAL INFORMATION
N/A
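
One way to narrow down where the variables are lost, as an added example that is not part of the original report or of AWX: a play that reports, for each `OS_*` name used in the report, whether it is set in the `ansible-playbook` process and whether a command started by a task can see it, without ever writing a value to the job output. The `hosts: all` target and the `os_vars`, `controller_env` and `task_env` names are assumptions; run it from a job template with the same credential and inventory as the failing job.

```yaml
# Added diagnostic example; not part of the original report.
- hosts: all                      # assumption: same hosts as the failing job
  gather_facts: false
  vars:
    os_vars:                      # variable names taken from the report
      - OS_USERNAME
      - OS_PASSWORD
      - OS_PROJECT_NAME
      - OS_USER_DOMAIN_NAME
      - OS_PROJECT_DOMAIN_NAME
      - OS_AUTH_URL
      - OS_AUTH_TYPE
      - OS_IDENTITY_API_VERSION
      - OS_NO_CACHE
  tasks:
    - name: Record which names are set in the ansible-playbook process
      set_fact:
        controller_env: "{{ controller_env | default({}) | combine({item: (lookup('env', item) | length > 0)}) }}"
      loop: "{{ os_vars }}"

    - name: Check which names a process started by a task can see
      # Output is discarded, so the registered result holds only a return code.
      shell: "printenv {{ item }} > /dev/null"
      register: task_env
      loop: "{{ os_vars }}"
      changed_when: false
      failed_when: false
      check_mode: no

    - name: Report presence only, never the values
      debug:
        msg: "{{ item.item }}: controller={{ controller_env[item.item] }} task={{ item.rc == 0 }}"
      loop: "{{ task_env.results }}"
      loop_control:
        label: "{{ item.item }}"
```

A name reported as `controller=True` but `task=False` is set for `ansible-playbook` itself but missing from the environment of commands that tasks start on that host.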