Closed patrickjahns closed 4 years ago
Hi @patrickjahns, it is very important that you provided the following to understand your problem:
I recommend that you read Check Mode (“Dry Run”):
Check mode is just a simulation, and if you have steps that use conditionals that depend on the results of prior commands, it may be less useful for you.
This ansible role is based on many conditionals, and I don't check trivial things that need to happen, for example, that the "package file was downloaded before installing it", so when you use `--check` with the ansible-playbook command it doesn't download the package, and accordingly fails when it tries to install.
Adding conditionals for every task you do in ansible will be complicated and generate confusing code.
So, this is not a bug, it could be a feature to be added.
Hello @christiangda
Thank you very much for the fast response - to answer your questions at first:
I understand that you are seeking full OS version numbers - but they won't make a difference in this scenario, as this issue is rooted in the behaviour of Ansible's `get_url`
Steps to reproduce the error on a debian based system:
--check
As you've already mentioned, the problem is rooted in `get_url`, as it will not fetch the file when ansible is run with `--check`, and thus the file will not exist in any further steps.
This occurs under these circumstances:
1) running the role the first time with `--check` to validate that it will perform expected steps before rolling it out
2) running the role after a server reboot with `--check` (as files saved in `tmp` will be gone)
Some of my reasons for using `--check`:
First and foremost, before executing a playbook/role towards a target system, I want to determine the changes a role is bound to make in order to gauge impact. Coming from terraform, I am thinking of `--check` as similar to a `terraform plan`.
Secondly, I want to be able to permanently run playbooks with `--check` in order to see when a configuration drift would occur and either roll back the configuration or fix it forward.
> Adding conditionals for every task you do in ansible will be complicated and generate confusing code.
I concur - from my POV with the current tasks, it would only be required to skip the apt step when the file was not downloaded (or skip the apt step with `check_mode: no`). The gpg step will anyway not result in a failure, as it is explicitly looking for `BAD` in the output of the gpg command.
If you are okay with this suggestion I would create a PR - let me know what you think 👍
Hi @patrickjahns ,
Thanks again for your very good explanations. Right now I'm going to take care of your ticket and I'll figure out how to make `ansible --check` possible.
Yesterday I released a new version of the role and I'll try to integrate `--check` into this new branch version, so you need to take care with how you use the new version, because this new branch version 2.x.y is not compatible with branch version 1.x.y. Read the documentation to understand how to use this new version.
As soon as I finish the "--check" functionality in the role I'll deliver the new version 2.0.2
Hi @patrickjahns
After spending some time investigating the best way to make the role compatible with `--check`, I found that the best way is adding `ignore_errors: "{{ ansible_check_mode }}"` to the failing tasks, because it is normal that they fail, but it is not normal to leave files and packages inside your system to avoid these errors when you run the playbook with `--check`.
I will deliver the next release soon
I tested it using my ansible-playground
```yaml
---
- hosts: ubuntu1804, centos7, debian9
  become: true
  become_user: root
  gather_facts: True
  roles:
    - role: christiangda.epel_repo # If you don't have installed EPEL Repository
      when: >
        ansible_os_family == 'RedHat' and (
        ansible_distribution == 'CentOS' or
        ansible_distribution == 'RedHat' or
        ansible_distribution == 'Amazon'
        )
    - role: christiangda.awscli_configure # If you don't have configure AWS CLI Profiles
      vars:
        awscliconf_path: '/root'
        awscliconf_files:
          credentials:
            - AmazonCloudWatchAgent:
                aws_access_key_id: "AKIAIOSFODNN7EXAMPLE"
                aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
          config:
            - profile AmazonCloudWatchAgent:
                region: "eu-west-1"
    - role: christiangda.amazon_cloudwatch_agent
      vars:
        cwa_agent_mode: "onPremise"
        #cwa_conf_json_file_content: "{{ lookup('file', 'files/CloudWatch.yaml') | from_yaml }}"
        cwa_aws_region: "eu-west-1"
        cwa_profile: "AmazonCloudWatchAgent"
```
and after
```
ansible-playbook test-playbook.yaml --check
```
Output
```
TASK [christiangda.amazon_cloudwatch_agent : Install amazon-cloudwatch-agent.deb] ************************************************************************************************************************************************************
fatal: [ubuntu1804]: FAILED! => {"changed": false, "msg": "Unable to install package: E:Could not open file /tmp/amazon-cloudwatch-agent.deb - open (2: No such file or directory)"}
...ignoring
TASK [christiangda.amazon_cloudwatch_agent : Configure amazon-cloudwatch-agent] **************************************************************************************************************************************************************
included: /home/christian/git/github.com/christiangda/ansible-playground/roles/christiangda.amazon_cloudwatch_agent/tasks/configure.yml for ubuntu1804
TASK [christiangda.amazon_cloudwatch_agent : Check if /root/.aws/credentials exist] **********************************************************************************************************************************************************
ok: [ubuntu1804]
TASK [christiangda.amazon_cloudwatch_agent : Fails when AWS CLI profiles configuration doesn't exist] ****************************************************************************************************************************************
fatal: [ubuntu1804]: FAILED! => {
"msg": "The variable 'cwa_agent_mode: 'onPremise'' is set or 'cwa_use_credentials is true' and you don't have configure the aws profile correctly, please check the value of 'cwa_profile' and 'cwa_agent_profile_path'\n"
}
...ignoring
```
You got an error, but it is `...ignoring`
Christian
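The two approaches discussed in this thread, side by side, as an added illustration that is not the role's own task file: guarding the apt step on the downloaded file versus `ignore_errors: "{{ ansible_check_mode }}"`. The task layout, the registered variable `cwa_deb_file` and the download URL are assumptions; only the task name and the `/tmp/amazon-cloudwatch-agent.deb` path come from the output above.

```yaml
---
# Added example; hypothetical tasks, not taken from christiangda.amazon_cloudwatch_agent.

- name: Download amazon-cloudwatch-agent.deb
  ansible.builtin.get_url:
    url: "https://example.invalid/amazon-cloudwatch-agent.deb"  # placeholder URL
    dest: /tmp/amazon-cloudwatch-agent.deb
    mode: "0644"
  # With --check this task does not fetch the file, so the path below may be absent.
  # Setting `check_mode: false` here would force a real download during a dry run,
  # which means a dry run would write to /tmp on the target.

# Approach 1 (suggested in the thread): skip the install when the file is absent.
- name: Check whether the package file is present
  ansible.builtin.stat:
    path: /tmp/amazon-cloudwatch-agent.deb
  register: cwa_deb_file  # hypothetical variable name

- name: Install amazon-cloudwatch-agent.deb (guarded)
  ansible.builtin.apt:
    deb: /tmp/amazon-cloudwatch-agent.deb
  # In a normal run the download above has happened, so this is true.
  # In a first --check run the task is reported as "skipping" instead of failing.
  when: cwa_deb_file.stat.exists

# Approach 2 (adopted in the thread): let the task fail, but only tolerate
# the failure while running under --check.
- name: Install amazon-cloudwatch-agent.deb (errors ignored in check mode)
  ansible.builtin.apt:
    deb: /tmp/amazon-cloudwatch-agent.deb
  # ansible_check_mode is true only under --check, so real runs still fail hard.
  ignore_errors: "{{ ansible_check_mode }}"
```

With the second approach every `--check` run prints `fatal ... ...ignoring` for this task, so a drift-detection job that parses the output has to distinguish these expected lines from failures in other tasks.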
Running a playbook with the role and `--check` currently fails as the deb package is not fetched