Open palacsint opened 4 days ago
I've found a workaround, although it's not very convenient: instead of the `inventory_directory` setting, use the `extra_arguments` parameter: `"-i", "inventory-testing"`. Add `--limit` to the `extra_arguments` parameter as well: `"--limit=default"`. (!) Be careful, without this Ansible could run on other hosts.

This approach leverages the fact that `ansible-playbook` can handle multiple inventories correctly. In this setup, Packer runs a command similar to:

    ansible-playbook [...] -i inventory-testing --limit=default [...] \
        -i /tmp/packer-provisioner-ansible412187266 [...]_container.yml

This ensures that the inventory hierarchy is respected and the variable values are correctly overridden as intended.
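For reference, here is a Packer HCL provisioner block that applies the workaround above (an added example, not configuration from the issue or from the plugin; the source name, the playbook path and the `default` host alias are assumptions):

```hcl
# Added example: Packer build that feeds the full Ansible inventory directory
# to the provisioner alongside Packer's generated inventory.
build {
  sources = ["source.docker.testing"]   # assumed source name

  provisioner "ansible" {
    playbook_file = "./playbook.yml"    # assumed playbook path

    # Without these extra arguments Packer passes only its generated flat
    # inventory file, so the group hierarchy from inventory-testing/inventory.yml
    # is never loaded and the group_vars overrides (e.g. jenkins_auth_value)
    # are lost.
    extra_arguments = [
      # Second inventory source: the real inventory directory, so group
      # membership and group_vars precedence are evaluated as in plain Ansible.
      "-i", "inventory-testing",

      # Restrict the run to the host alias Packer writes into its generated
      # inventory. Without this limit the play would also target every host
      # listed in inventory-testing.
      "--limit=default",
    ]
  }
}
```

To confirm which `auth` value wins before a build, run `ansible-inventory -i inventory-testing -i <hand-written copy of the Packer inventory> --host default` and check the merged variables for the Packer host.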
Overview of the Issue

When using Ansible with Packer's Ansible provisioner, overridden values in group_vars are not applied correctly, causing potential security risks.

Reproduction Steps

Consider the following Ansible inventory (`inventory-testing/inventory.yml`):

And two group_vars, `inventory-testing/group_vars/jenkins.yml`:

and `inventory-testing/group_vars/testing.yml`:

A playbook which prints the `auth` variable:

When I run it, it prints the overridden `jenkins_auth_value` for the jenkins hosts properly:

So far, so good.
Now, let's create a packer-ansible inventory file, similar to the one which is used by the Packer Ansible plugin:

As far as I see, the Ansible Packer provisioner does not support group hierarchies (and I would not like to duplicate our group hierarchy in the HCL too).

According to the output of Packer, the Ansible Packer provisioner runs a similar command for Ansible with the additional inventory file:

It uses the inventory file (not the whole inventory directory). This prints:

I would expect `jenkins_auth_value` here. While using the whole inventory directory:

prints the correct `jenkins_auth_value` value:

Plugin and Packer version
Potential Impact

It is concerning that overridden values in `group_vars` are not respected when using the Packer Ansible provisioner. I'm afraid this issue can lead to significant security risks, such as users gaining unintended access to servers due to incorrect variable values. For instance, a user might gain access to a server that was meant to be inaccessible based on the intended configuration in the group_vars hierarchy.

Additionally, this discrepancy can result in inconsistencies between servers created with Packer and those configured with plain Ansible, making debugging and maintaining infrastructure more challenging. Any insights or suggestions on how to address this issue would be greatly appreciated.
Might be related issues