Global role variables

In DebOps there's a strictly controlled separation between Ansible roles. Different roles cannot use variables from another role directly 1 to allow mixing and matching of roles on the playbook level and preserve soft dependencies. The reason for that is that if a role is not included in the currently executed playbook, its variables are not available and this can lead to broken or not idempotent execution.

One place where users can define variables that are always guaranteed to be present is the Ansible inventory. However roles cannot modify the inventory directly because inventories come with many shapes and sizes - a YAML file, dynamic script, etc. But since inventory is always available, it can be used to define global variables that are shared between different Ansible roles.

The debops__ variable namespace has been designated to be used for global variables. Roles can reference the debops__* variables in their tasks and templates, however their presence is not guaranteed - a default should always be provided.

Below you can find a list of debops__* variables which are used across the DebOps roles and playbooks. The variables might not be used everywhere yet, however they will be added or will replace other variables in the future.

debops__no_log
Type

Boolean

Value

True, False

This boolean variable is meant to be used with the no_log Ansible keyword in tasks that might operate on sensitive information like passwords, encryption keys, and the like. Setting the value to True will prevent Ansible from logging the sensitive contents or displaying any changes made to the files in the --diff output.

For example, use the debops__no_log variable to control when a task can send log messages and diff output about its operation:

- name: Create an UNIX account
  user:
    name:     'example-user'
    password: '{{ "example-password" | password_hash('sha512") }}'
    state:    'present'
  no_log: '{{ debops__no_log | d(True) }}'

This is a similar case, but adds support for lists and automatically shows or hides task output depending on presence of a specific parameter:

- name: Create an UNIX account
  user:
    name:     '{{ item.name }}'
    password: '{{ item.password | d(omit) }}'
    state:    '{{ item.state    | d("present") }}'
  loop: '{{ users__accounts }}'
  no_log: '{{ debops__no_log
              | d(item.no_log
                  | d(True
                      if item.password | d()
                      else False)) }}'

An example use on the command line to debug an issue without changing the inventory variables:

ansible-playbook -i <inventory> -l <hostname> -e 'debops__no_log=false' play.yml
debops__unsafe_writes
Type

Boolean

Value

True

Many Ansible modules related to file operations support the unsafe_writes parameter to allow operations that might be dangerous or destructive in certain conditions, but allow Ansible to work in specific environments, like bind-mounted files or directories. The debops__unsafe_writes variable allows activation of this mode per-host using Ansible inventory, for all roles that implement it.

To have an effect, roles that depend on the unsafe writes to function, should use the parameter in relevant tasks, like this:

- name: Generate configuration file
  template:
    src: 'etc/application.conf.j2'
    dest: '/etc/application.conf'
    mode: '0644'
    unsafe_writes: '{{ debops__unsafe_writes | d(omit) }}'

Footnotes

1

There are exceptions like the debops.secret role; in this case the secret variable is used in Ansible lookup plugin paths and needs to be accessible in other roles.