redhat-cop / infra.aap_configuration

A collection of roles to manage Ansible Controller and previously Ansible Tower
https://galaxy.ansible.com/infra/controller_configuration
GNU General Public License v3.0

Unexpected reported change for credentials role in combination with GUI #919

Open juliaschindler opened 6 days ago

juliaschindler commented 6 days ago

Summary

Setting up a credential in the AAP GUI and then running the credentials role with the same credential configured in controller_credentials and using "update_secrets: false" reports back "changed" on the first run, "ok" on rerun.

Issue Type

Ansible, Collection, Controller details

ansible --version
ansible [core 2.16.11]
  config file = /home/juliaschindler/.ansible.cfg
  configured module search path = ['/home/juliaschindler/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/juliaschindler/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/juliaschindler/.local/bin/ansible
  python version = 3.12.6 (main, Sep  9 2024, 00:00:00) [GCC 14.2.1 20240801 (Red Hat 14.2.1-1)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True

ansible-galaxy collection list
# /home/juliaschindler/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
ansible.controller             4.5.12 
infra.controller_configuration 2.10.3 

Controller version
Ansible Automation Platform Controller 4.5.6

Desired Behavior

Setting up a credential in the AAP GUI and then running the credentials role with the same credential configured in controller_credentials and using "update_secrets: false" reports back "ok" on any run. This is the behaviour experienced with the users role, which has the same "update_secrets" parameter.

Actual Behavior

Setting up a credential in the AAP GUI and then running the credentials role with the same credential configured in controller_credentials and using "update_secrets: false" reports back "changed" on the first run, "ok" on rerun.

First playbook run after setting up the credential already in the AAP GUI:

$ ansible-playbook --ask-vault-pass credentials_play.yml
Vault password: 

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Include vars from configs directory] *************************************
ok: [localhost]

TASK [infra.controller_configuration.meta_dependency_check : Check awx.awx is installed] ***
ok: [localhost]

TASK [infra.controller_configuration.meta_dependency_check : Check ansible.controller is installed] ***
ok: [localhost]

TASK [infra.controller_configuration.meta_dependency_check : Ensure one is installed] ***
skipping: [localhost]

TASK [infra.controller_configuration.credentials : Validating arguments against arg spec 'main' - An Ansible Role to create credentials on Ansible Controller.] ***
ok: [localhost]

TASK [infra.controller_configuration.credentials : Managing Credentials] *******
ok: [localhost] => (item=Create/Update Credential Test credential)

TASK [infra.controller_configuration.credentials : Flag for errors (check mode only)] ***
skipping: [localhost]

TASK [infra.controller_configuration.credentials : Managing Controller Credentials | Wait for finish the credential management] ***
FAILED - RETRYING: [localhost]: Managing Controller Credentials | Wait for finish the credential management (30 retries left).
FAILED - RETRYING: [localhost]: Managing Controller Credentials | Wait for finish the credential management (29 retries left).
changed: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation)

PLAY RECAP *********************************************************************
localhost                  : ok=7    changed=1    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0   

On further runs:

$ ansible-playbook --ask-vault-pass credentials_play.yml
[...]
TASK [infra.controller_configuration.credentials : Managing Controller Credentials | Wait for finish the credential management] ***
FAILED - RETRYING: [localhost]: Managing Controller Credentials | Wait for finish the credential management (30 retries left).
ok: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation)

PLAY RECAP *********************************************************************
localhost                  : ok=7    changed=0    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0

STEPS TO REPRODUCE

  1. Create a Machine credential with name, organization, username and password set in the AAP GUI.
  2. Run a playbook calling the credentials role that sets up the same credential and has "update_secrets: false" set.
  3. See that a changed task is reported, even though nothing of the credential configuration has changed.
  4. Rerun the playbook, see that no change is reported.

---
# playbook credentials_play.yml
- hosts: localhost
  connection: local
  vars_files:
    - ./aaps_secrets.yml

  collections:
    - ansible.controller
    - infra.controller_configuration

  pre_tasks:
    - name: Include vars from configs directory
      include_vars:
        dir: ./controller
        extensions:
          - yml
      tags:
        - always

  roles:
    - role: credentials
      when: controller_credentials is defined
      tags: credentials
---
# variable file {{ playbook_dir }}/controller/credentials.yml
controller_credentials:
  - name: Test credential
    state: present
    credential_type: Machine
    organization: myorg
    inputs:
      username: myuser
      password: test1234
    update_secrets: false

djdanielsson commented 6 days ago

If you turn off no_log and turn up verbosity, it should show what it sees as a change.

juliaschindler commented 6 days ago

Thanks, I tried using -vvvvv and controller_configuration_credentials_secure_logging: false on two runs, but I was not able to see differences:

First run:

changed: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation) => {
    "__credentials_job_async_results_item": {
        "__controller_credentials_item": {
            "credential_type": "Machine",
            "inputs": {
                "password": "test1234",
                "username": "myuser"
            },
            "name": "Test credential",
            "organization": "myorg",
            "state": "present",
            "update_secrets": false
        },
        "ansible_job_id": "j519626111530.45220",
        "ansible_loop_var": "__controller_credentials_item",
        "changed": false,
        "failed": 0,
        "finished": 0,
        "results_file": "/home/juliaschindler/.ansible_async/j519626111530.45220",
        "started": 1
    },
    "ansible_job_id": "j519626111530.45220",
    "ansible_loop_var": "__credentials_job_async_results_item",
    "attempts": 3,
    "changed": true,
    "finished": 1,
    "id": 14,
    "invocation": {
        "module_args": {
            "controller_config_file": null,
            "controller_host": "<hostname>",
            "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_username": "<adminuser>",
            "copy_from": null,
            "credential_type": "Machine",
            "description": null,
            "inputs": {
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "name": "Test credential",
            "new_name": null,
            "organization": "myorg",
            "request_timeout": null,
            "state": "present",
            "team": null,
            "user": null,
            "validate_certs": false
        }
    },
    "results_file": "/home/juliaschindler/.ansible_async/j519626111530.45220",
    "started": 1,
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}

Second run:

ok: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation) => {
    "__credentials_job_async_results_item": {
        "__controller_credentials_item": {
            "credential_type": "Machine",
            "inputs": {
                "password": "test1234",
                "username": "myuser"
            },
            "name": "Test credential",
            "organization": "myorg",
            "state": "present",
            "update_secrets": false
        },
        "ansible_job_id": "j98685813622.45642",
        "ansible_loop_var": "__controller_credentials_item",
        "changed": false,
        "failed": 0,
        "finished": 0,
        "results_file": "/home/juliaschindler/.ansible_async/j98685813622.45642",
        "started": 1
    },
    "ansible_job_id": "j98685813622.45642",
    "ansible_loop_var": "__credentials_job_async_results_item",
    "attempts": 3,
    "changed": false,
    "finished": 1,
    "id": 14,
    "invocation": {
        "module_args": {
            "controller_config_file": null,
            "controller_host": "<hostname>",
            "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_username": "<adminuser>",
            "copy_from": null,
            "credential_type": "Machine",
            "description": null,
            "inputs": {
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "name": "Test credential",
            "new_name": null,
            "organization": "myorg",
            "request_timeout": null,
            "state": "present",
            "team": null,
            "user": null,
            "validate_certs": false
        }
    },
    "results_file": "/home/juliaschindler/.ansible_async/j98685813622.45642",
    "started": 1,
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}
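
The comparison attempted above can be done mechanically. The following is an added example, not part of the thread or of the collection's code: it diffs two parsed task results while ignoring per-run bookkeeping fields, and lists loop-item keys that do not appear in the logged module_args. The function names, the `VOLATILE` set and the abbreviated sample data (copied in shortened form from the two outputs above) are assumptions of this example.

```python
# Per-run bookkeeping fields that differ on every async run.
VOLATILE = {"ansible_job_id", "results_file", "attempts"}

def diff_results(first, second, path=""):
    """Return (json_path, first_value, second_value) for each differing field."""
    if isinstance(first, dict) and isinstance(second, dict):
        out = []
        for key in sorted(set(first) | set(second)):
            if key not in VOLATILE:
                sub = f"{path}.{key}" if path else key
                out += diff_results(first.get(key, "<absent>"),
                                    second.get(key, "<absent>"), sub)
        return out
    return [] if first == second else [(path, first, second)]

def unpassed_item_keys(result, item_var="__controller_credentials_item"):
    """Keys of the role's loop item that are missing from the logged module_args."""
    item = result["__credentials_job_async_results_item"][item_var]
    return sorted(set(item) - set(result["invocation"]["module_args"]))

def sample(job_id, changed):
    """Constructed sample: abbreviated copy of a result posted in the thread."""
    masked = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
    return {
        "__credentials_job_async_results_item": {
            "__controller_credentials_item": {
                "credential_type": "Machine",
                "inputs": {"password": "test1234", "username": "myuser"},
                "name": "Test credential", "organization": "myorg",
                "state": "present", "update_secrets": False},
            "ansible_job_id": job_id, "changed": False},
        "ansible_job_id": job_id, "changed": changed, "id": 14,
        "invocation": {"module_args": {
            "credential_type": "Machine",
            "inputs": {"password": masked, "username": masked},
            "name": "Test credential", "organization": "myorg",
            "state": "present"}},
    }

FIRST = sample("j519626111530.45220", True)    # first run in the thread
SECOND = sample("j98685813622.45642", False)   # second run in the thread

if __name__ == "__main__":
    for path, a, b in diff_results(FIRST, SECOND):
        print(f"{path}: {a!r} -> {b!r}")
    print("item keys not in module_args:", unpassed_item_keys(FIRST))
```

On this data the only differing field is the top-level `changed`, and `update_secrets` is the one item key absent from the logged module_args. The `inputs` under module_args are masked identically in both runs, so this output cannot show a difference in the inputs themselves.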