It's possible this can be explained via Ansible docs; however, looking for the solution to this has yielded different results, all of which have failed for me.
I am trying to set up an Ansible role to handle installation of Airflow on a remote AWS instance. I am using Ansible v2.9.11. Part of the role involves transferring a .cfg template file where sensitive values need to be plugged in from the Ansible vault, such as passwords.
Current Ansible directory structure:

    - repo_parent
      \- group_vars
         \- nonprod
            |- plaintext (plaintext values)
            |- vault (encrypted values)
      \- roles
         \- airflow
            \- tasks
               |- main.yml
               |- install.yml
            \- templates
               |- airflow.cfg.j2

For this example, I'm going to reference airflow_conf_dir. The airflow.cfg.j2 template has the following line:

    airflow_home = {{ airflow_conf_dir }}

airflow_conf_dir is defined in plaintext and vault as shown (placeholder values):

    airflow_conf_dir: x/y/airflow/conf

====================================================================================
When dry-running the playbook,

    ansible-playbook test.yml --ask-vault-pass --user <USER_OMITTED> --key-file "~/.ssh/id_rsa" --tags "airflow" --check

I keep running into this error:

    failed: [<IP_OMITTED>] (item={'src': 'airflow.cfg.j2', 'dest': '/x/y/airflow/conf/airflow.cfg'}) => {"ansible_loop_var": "item", "changed": false, "item": {"dest": "/x/y/airflow/conf/airflow.cfg", "src": "airflow.cfg.j2"}, "msg": "AnsibleUndefinedVariable: 'airflow_conf_dir' is undefined"}

The only workaround for this is declaring the variables in the role directly. Ex:

    - name: Create Airflow config files
      template:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: user
        group: group
      vars:
        airflow_conf_dir: x/y/airflow/conf
      with_items:
        - { src: 'airflow.cfg.j2', dest: '/x/y/airflow/conf/airflow.cfg' }
      tags:
        - airflow
        - airflow_config

This is problematic because then I'm forced to store sensitive data openly in the tasks themselves. How do I reference values stored in vault/plaintext and apply them to the template?