hashicorp / packer-plugin-ansible

Packer plugin for Ansible Provisioner
https://www.packer.io/docs/provisioners/ansible
Mozilla Public License 2.0

Different values from group_vars between plain and Packer Ansible runs #193

Open palacsint opened 4 days ago

palacsint commented 4 days ago

Overview of the Issue

When using Ansible with Packer's Ansible provisioner, overridden values in group_vars are not applied correctly, causing potential security risks.

Reproduction Steps

Consider the following Ansible inventory (inventory-testing/inventory.yml):

---
all:
  children:
    jenkins:
      hosts:
        jenkinsserver1:
        jenkinsserver2:
    testing:
      children:
        jenkins:
      hosts:
        testserver1:
        testserver2:

And two group_vars:

inventory-testing/group_vars/jenkins.yml:

---
auth: "jenkins_auth_value"

inventory-testing/group_vars/testing.yml:

---
auth: "testing_auth_value"

A playbook which prints the auth variable:

---
- name: Print auth variable for all hosts
  hosts: all
  gather_facts: no
  tasks:
    - name: Print the auth variable
      delegate_to: localhost
      debug:
        msg: "The value of auth is: {{ auth }}"

When I run

ansible-playbook -i inventory-testing/ print_auth.yml

it prints the overridden jenkins_auth_value for the jenkins hosts properly:

ok: [jenkinsserver1 -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
ok: [jenkinsserver2 -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
ok: [testserver1 -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}
ok: [testserver2 -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}

So far, so good.

Now, let's create a packer-ansible inventory file, similar to the one used by the Packer Ansible plugin:

default

[jenkins]
default

[testing]
default

As far as I can see, the Ansible Packer provisioner does not support group hierarchies (and I would not like to duplicate our group hierarchy in the HCL too).

According to Packer's output, the Ansible Packer provisioner runs a similar command for Ansible with the additional inventory file:

ansible-playbook -i inventory-testing/packer-ansible-inventory print_auth.yml

It uses the inventory file (not the whole inventory directory). This prints:

ok: [default -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}

I would expect jenkins_auth_value here.

While using the whole inventory directory:

ansible-playbook -i inventory-testing/ --limit=default print_auth.yml

prints the correct value, jenkins_auth_value:

ok: [default -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}

Plugin and Packer version

    ansible = {
      version = ">= 1.1.1"
      source = "github.com/hashicorp/ansible"
    }

Potential Impact

It is concerning that overridden values in group_vars are not respected when using the Packer Ansible provisioner. I'm afraid this issue can lead to significant security risks, such as users gaining unintended access to servers due to incorrect variable values. For instance, a user might gain access to a server that was meant to be inaccessible based on the intended configuration in the group_vars hierarchy.

Additionally, this discrepancy can result in inconsistencies between servers created with Packer and those configured with plain Ansible, making debugging and maintaining infrastructure more challenging. Any insights or suggestions on how to address this issue would be greatly appreciated.

Might be related issues

palacsint commented 3 days ago

I've found a workaround, although it's not very convenient:

This approach leverages the fact that ansible-playbook can handle multiple inventories correctly. In this setup, Packer runs a command similar to:

ansible-playbook [...] -i inventory-testing --limit=default [...] \
    -i /tmp/packer-provisioner-ansible412187266 [...]_container.yml

This ensures that the inventory hierarchy is respected and the variable values are correctly overridden as intended.
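The behaviour reported above (the flat inventory giving testing_auth_value, the hierarchical or combined inventory giving jenkins_auth_value) follows from how Ansible orders a host's groups when merging group_vars: parent groups before child groups, and groups at the same depth in ASCII order of name, with the last group applied winning. The model below is an added example, not code from the plugin, from Ansible, or from the issue author; it re-implements that ordering rule in plain Python over inventory data constructed to mirror the issue's inventory.yml, group_vars and the generated packer-ansible-inventory, so it runs offline without Ansible installed. The helper names (merge_inventories, group_depths, host_groups, resolve_vars, auth_for) are this example's own.

```python
"""Model of Ansible's group_vars merge order for a host.

Rule modelled (Ansible variable precedence docs): a host gets the vars of
every group it belongs to, directly or via a parent chain; those groups are
applied in order of (depth, name), depth 0 being 'all', and later groups
override earlier ones. Group priority is left at its default everywhere here.
"""
from collections import defaultdict

# Constructed data mirroring the issue. `children` maps parent -> child
# groups (Ansible implicitly parents every top-level group under 'all');
# `members` maps group -> hosts listed directly under it.
HIERARCHICAL = {  # inventory-testing/inventory.yml
    "children": {"all": ["jenkins", "testing"], "testing": ["jenkins"]},
    "members": {"jenkins": ["jenkinsserver1", "jenkinsserver2"],
                "testing": ["testserver1", "testserver2"]},
}
PACKER_FLAT = {  # the generated packer-ansible-inventory (INI, no hierarchy)
    "children": {"all": ["jenkins", "testing"]},
    "members": {"jenkins": ["default"], "testing": ["default"]},
}
GROUP_VARS = {  # inventory-testing/group_vars/*.yml
    "jenkins": {"auth": "jenkins_auth_value"},
    "testing": {"auth": "testing_auth_value"},
}


def merge_inventories(*sources):
    """Combine several inventory sources the way multiple -i flags do."""
    children, members = defaultdict(set), defaultdict(set)
    for src in sources:
        for parent, kids in src["children"].items():
            children[parent].update(kids)
        for group, hosts in src["members"].items():
            members[group].update(hosts)
    return children, members


def group_depths(children):
    """Depth = longest parent chain from 'all'. Ansible keeps the deeper value
    when a group is reachable by several paths: jenkins is a direct child of
    all and a child of testing, so its depth is 2, not 1."""
    depth = {"all": 0}
    changed = True
    while changed:  # relax until stable; inventories are small and acyclic
        changed = False
        for parent, kids in children.items():
            if parent not in depth:
                continue
            for kid in kids:
                if depth.get(kid, -1) < depth[parent] + 1:
                    depth[kid] = depth[parent] + 1
                    changed = True
    return depth


def host_groups(host, children, members):
    """Groups the host belongs to, including every ancestor group."""
    parents = defaultdict(set)
    for parent, kids in children.items():
        for kid in kids:
            parents[kid].add(parent)
    groups = {g for g, hosts in members.items() if host in hosts}
    stack = list(groups)
    while stack:
        for p in parents[stack.pop()]:
            if p not in groups:
                groups.add(p)
                stack.append(p)
    groups.add("all")
    return groups


def resolve_vars(host, children, members, group_vars):
    """Apply group_vars in Ansible's (depth, name) order; last one wins."""
    depth = group_depths(children)
    order = sorted(host_groups(host, children, members),
                   key=lambda g: (depth[g], g))
    merged = {}
    for g in order:
        merged.update(group_vars.get(g, {}))
    return merged, order


def auth_for(host, *sources):
    """Return (auth value, group order applied) for a host across sources."""
    children, members = merge_inventories(*sources)
    merged, order = resolve_vars(host, children, members, GROUP_VARS)
    return merged["auth"], order


if __name__ == "__main__":
    cases = [
        ("inventory.yml only, jenkinsserver1", "jenkinsserver1", (HIERARCHICAL,)),
        ("packer flat inventory only, default", "default", (PACKER_FLAT,)),
        ("both inventories loaded, default", "default", (HIERARCHICAL, PACKER_FLAT)),
    ]
    for label, host, srcs in cases:
        auth, order = auth_for(host, *srcs)
        print(f"{label}: groups applied {order} -> auth={auth}")
```

In the flat inventory `jenkins` and `testing` are both depth 1, so the tie is broken by name and `testing` is applied last; that is why the generated inventory alone yields testing_auth_value regardless of what the directory inventory says about the hierarchy. Once the hierarchical source is loaded alongside it, `jenkins` becomes depth 2 and wins again, which is what the two-inventory workaround relies on. The same rule applies to any variable defined in both groups, so a credential or access-control setting overridden in a child group is exactly the kind of value that silently reverts.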