Expose history of run roles as a variable

[nkakouros]

Proposal:

Author: Nikolaos Kakouros <@tterranigma>

Date: 2018-09-20

• Status: New
• Proposal type: (core design)
• Targeted release: future release
• Associated PR: None
• Estimated time to implement: None

Motivation

Now that we have import_role and include_role which can be used with conditionals, it would be nice to have a way to access the history of run roles.

Problems

What problems exist that this proposal will solve?

• A long playbook could be provided with many import_role statements and a subset of them could be chosen based on conditionals (eg os_family, cli provided variables, etc). Having the list of already executed roles would allow execution scenarios that role dependencies alone cannot provide. For instance, if these role A executed but not B, then also run this third one afterwards.

• Also, at the end of the playbook, some cleanup or other task might need to know what roles have previously run, without the need to repeat each and every conditional that each include/import_role tasks has.

• Another use case (which I admit is probably specific to me only :-)) is random selection of roles. I am using ansible to create instances online for an ethical hacking course. Students are allocated to groups and each group has its own network to attack. Each network has random passwords, addresses, etc. But also "random" services running. There is a scenario.yml file specific to each network that describes the roles (ie vulnerabilities) that a network will accommodate. It would be great to have this file be created by ansible at the end of a long playbook run where random roles are selected, instead of creating manually first and then feeding it to ansible.

Solution proposal

- import_role: name=role1
  when: condition1
- import_role: name=role2
  when: condition2
- import_role: name=role3
  when:
    - condition3
    - 'role1' in ansible_executed_roles
    - 'role2' not in ansible_executed_roles
- import_role: name=role4
  when:
    - 'role3' not in ansible_executed_roles
- copy:
    content: "{{ ansible_executed_role }}"
    dest: scenario.yml
  delegate_to: localhost

This could be achieved now also by creating long when lists.

An issue might be how to do this, per playbook, per play or both.

[webknjaz]

cc @bcoca

[bcoca]

A few considerations;

• import_role CANNOT be made conditional, only include_role can, the when in your example above will be applied to the tasks imported, but the import still happens, this defines vars and handlers.
• roles are currently per play, I'm not sure it makes sense to track per playbook
• roles are currently tracked for 'allow duplicates' purposes, but this is not based only on role name but 'role + invocation signature' to determine 'uniqueness'
• Something similar is already achievable by creating a 'per role unique variable' (i.e rolename_ran) and check for those, either use set_fact to do it 'per host' or vars declared by the role to do it 'per play'.

[sivel]

Also, it should be mentioned that any use of import_role or roles specified under roles would immediately be listed as executed, as they are preprocessors that are expanded at parse time.

I'm not sure how useful of a feature this would be. I agree with @bcoca that if you need this type of functionality, using set_fact is probably the most reliable way of making this determination.

[nkakouros]

I don't think I have a use case for this anymore, so closing this as you have described the limited use and the difficulties with sth like that.