Scribd
Upload
49 views

Ansible Variables

Here are the steps to encrypt and manage secrets using Ansible Vault: 1. Create an encrypted file containing secrets: ansible-vault create secrets.yml 2. View the encrypted file: ansible-vault view secrets.yml 3. Edit an existing encrypted file: ansible-vault edit secrets.yml 4. Decrypt the file permanently: ansible-vault decrypt secrets.yml 5. Change the encryption password of the file: ansible-vault rekey secrets.yml 6. Use a vault password file for authentication: ansible-vault encrypt --vault-password-file=.vault_pass.txt secrets.yml Let me know if any of these steps need

Uploaded by

mbala_mail7813
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
49 views

Ansible Variables

Here are the steps to encrypt and manage secrets using Ansible Vault: 1. Create an encrypted file containing secrets: ansible-vault create secrets.yml 2. View the encrypted file: ansible-vault view secrets.yml 3. Edit an existing encrypted file: ansible-vault edit secrets.yml 4. Decrypt the file permanently: ansible-vault decrypt secrets.yml 5. Change the encryption password of the file: ansible-vault rekey secrets.yml 6. Use a vault password file for authentication: ansible-vault encrypt --vault-password-file=.vault_pass.txt secrets.yml Let me know if any of these steps need

Uploaded by

mbala_mail7813
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 37

Ansible Variables

Balasubramanian M
Sakthimurugan A
Goal: Write playbooks that use variables,
sensitive variables (password and etc.) and facts
to simplify management of the playbook and facts
to reference information about the managed
Managing hosts

Variables Objectives:
• Create and reference variables
• Encrypt sensitive variables
• Using Facts and configuring Custom Facts

Ansible Variables - DevSecOps Quick Bytes 1


Create once and use it throughout the
playbook

Dynamically assign value during run-time

Why
variables? Reduces manual error in the cases of repeat
usage

Users to create
Packages to install
Example
Services to restart
such as: Files to remove
Archives to retrieve from the internet

Ansible Variables - DevSecOps Quick Bytes 2


Ansible Variables - DevSecOps Quick Bytes 3
Variable Scope in Ansible

Global scope: Variables Host scope: Variables set


set from the command Play scope: Variables set on host groups and
line or Ansible in the play and related individual hosts by the
configuration. structures. inventory, fact gathering,
or registered tasks.

Ansible Variables - DevSecOps Quick Bytes 4


vars
Playbook
Variables
(Play scope)
vars_files

Note: vars_files are used to separate important variable being


packaged in playbook.
Ansible Variables - DevSecOps Quick Bytes 5
Defining Variables in Playbook
• There two ways to define
• vars: section
- hosts: all
vars:
user: joe
home: /home/joe

File contents are in YAML syntax


• vars_files: section
- hosts: all Space
vars_files:
- vars/users.yml
<name>: <value>

user: joe
home: /home/joe
Relative path is
good enough

Ansible Variables - DevSecOps Quick Bytes 6


Using Variables
• After variables have been declared, administrators can use the variables in
tasks.
• Variables are referenced by placing the variable name in double curly braces
({{}}).
• Ansible substitutes the variable with its value when the task is executed.

Example:
vars:
user: joe
tasks: # This line will read: Creates the user joe
- name: Creates the user {{ user }}
user: # This line will create the user named Joe
name: "{{ user }}"

Ansible Variables - DevSecOps Quick Bytes 7


Error Handling

Ansible Variables - DevSecOps Quick Bytes 8


Exercise

• Declare variable under vars and


vars_files in playbook and execute
• Use debug module to print the
variables

Ansible Variables - DevSecOps Quick Bytes 9


Host & Group
Variables
(host scope)
INVENTORY VARIABLES GROUP_VARS &
HOST_VARS DIRECTORIES

Ansible Variables - DevSecOps Quick Bytes 10


Declared in inventory file
(ex: /etc/ansible/inventory)
Inventory
Variables
Host variables: Group variables:
applies to a applies to a
specific host specific group

Note:
• Host variable takes precedence than group variable
• Playbook variable takes precedence than these two
• Command-line variable takes precedence than these three
Ansible Variables - DevSecOps Quick Bytes 11
Defining Variables in Inventory file
Defining the “user” as group variable
Defining the “user” as host variable in inventory file for multiple groups of hosts

Defining the “user” as group variable in inventory file

Ansible Variables - DevSecOps Quick Bytes 12


Using
group_vars
and host_vars To define host variables for a particular host
Directories • create a YAML file named <host-name> under
host_vars directory

To define group variables for the servers group


• create a YAML file named <group> under
group_vars directory

Note:
• Contents of that file would set variables to values using the same syntax as in a playbook
• <group> is the group / nested groups defined in inventory file
• <host-name> is the hosts listed in inventory file
Ansible Variables - DevSecOps Quick Bytes 13
Using group_vars and host_vars Directories

Ansible Variables - DevSecOps Quick Bytes 14


Command line Variable

Note: Command line variables also known as extra variables in Ansible takes highest precedence of all

Ansible Variables - DevSecOps Quick Bytes 15


Variables and Arrays
General vars: users ”array”:

Using ”users” variable Alternate & Recommended way of using ”users” variable

Note: Variables in Ansible are defined as Python dictionary. At times, The dot notation can cause problems if the key
names are the same as names of Python methods or attributes, such as discard, copy, add, and so on. Using the
brackets notation can help avoid conflicts and errors.
Ansible Variables - DevSecOps Quick Bytes 16
Registered Variables

• Register statement is used


to capture the output of a
command (or) execution
of a module to a variable
for debugging or some
other purposes
Note:
“register” statement is in the same indentation of its task
“debug” is a new task, so its in the same indentation of other task

Ansible Variables - DevSecOps Quick Bytes 17


Exercise

• Create inventory variables & see the order of


execution
• Host specific
• Group specific
• Nested group specific
• Create host_vars and group_vars files and see the
order of execution
• Host specific
• Group specific
• Nested group specific

Ansible Variables - DevSecOps Quick Bytes 18


Ansible Secret
(Vault)

19
How it works?
• Using python-cryptography package
• PyCrypto command is used for cryptographic
operations

$ sudo yum install python-cryptography

Ansible Variables - DevSecOps Quick Bytes


20
Managing Secrets
• Creating an encrypted file

• Using vault password file

• Encrypting an existing file

Ansible Variables - DevSecOps Quick Bytes 21


Managing Secrets
• Viewing an encrypted file

• Editing an existing encrypted file

Ansible Variables - DevSecOps Quick Bytes 22


Managing Secret
• Decrypting (removing encryption permanently)

• Changing the Password of an Encrypted File

• Changing the password using a vault password file

Ansible Variables - DevSecOps Quick Bytes 23


Ansible Variables - DevSecOps Quick Bytes
24
Exercise

• Create an encrypted file


• View an encrypted file
• Decrypt an encrypted file
• Change the encryption password
• Use command line and file options to enter
the key

Ansible Variables - DevSecOps Quick Bytes 25


• Facts
Ansible Facts • Custom Facts
26
What is Ansible Facts?
• It’s a set of variables (contain host-specific information) of a managed
node, discovered by Ansible control node on every time the play is
executed
This is accomplished by following ad-hoc
command
Why Facts?
• To define host specific variables
• To determine the state of a controlled node
• To use as a regular variables To avoid facts gathering step add following in
playbook
• To use in conditional statements
• To use in loops

Ansible Variables - DevSecOps Quick Bytes 27


Examples

Ansible Variables - DevSecOps Quick Bytes 28


Playbook examples:
This can also be written as
Will fetch the fully qualified domain name
{{ ansible_facts[‘fqdn’]

This can also be written as


Will fetch the IP address of the controlled node
ansible_facts['default_ipv4'] ['address']

Ansible Variables - DevSecOps Quick Bytes 29


Custom Facts

Ansible Variables - DevSecOps Quick Bytes 30

30
Ansible defined variables of other hosts that
might be of use in your play for the “current
control node”
• hostvars
{{ hostvars['test.example.com']['ansible_distribution'] }}

• group_names
Magic {% if 'webserver' in group_names %}
# action

Variables
{% endif %}

• groups
{% for host in groups['app_servers'] %}
# something that applies to all app servers.
{% endfor %}

Example: to fetch IP of hosts in app_servers group

Ansible Variables - DevSecOps Quick Bytes 31


Ansible prompt is another method to induce
variables on the fly.

Example:

Vars_prompt
in playbook

To be moved to vars section**


Ansible Variables - DevSecOps Quick Bytes 32
Run ad-hoc command to capture system
facts, try with remote hosts

Create custom facts, call it in playbook

Exercise
Use Vars_prompt and use it in your play

Explore magic variable of another system,


print the values

Ansible Variables - DevSecOps Quick Bytes 33


Ansible Variable
Lookup
Order of precedence more specific
inventory INI or
inventory playbook inventory inventory INI or

host_vars/*
role defaults script group

inventory
group_vars/all group_vars/all group_vars/* script host vars
vars

role vars
block vars (only

(defined in play playbook


for tasks in

play vars_files play vars host facts


vars_prompt host_vars/*
block)

role/vars/main.y
ml)

role (and
task vars (only set_facts /
include_role) include params include_vars extra vars
for the task) registered vars
params

Note: Within any section, redefining a var will overwrite the previous instance. If multiple groups have the same variable, the
last one loaded wins. If you define a variable twice in a play’s vars: section, the 2nd one wins.

Ansible Variables - DevSecOps Quick Bytes 35


Decide your variable location ahead of
time

Avoid declaring same variable in multiple


places

Best Practices
Keep your sensitive variables in vault

Keep away your variables from playbook –


to avoid shipping along with your
playbook to everyone
Ansible Variables - DevSecOps Quick Bytes 1

You might also like