
I have the following ansible role:

```yaml
- name: Copy trusted certificates
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: '{{ ssl_certs_path }}/'
  register: installed_certs
  with_items: '{{ ssl_trusted_certs }}'
  become: true

- name: Calculate certificate hash
  ansible.builtin.command: openssl x509 -noout -hash -in {{ item }}
  register: cert_hash
  loop: "{{ installed_certs | json_query('results[*].dest') }}"
```

The variable ssl_trusted_certs is defined in the playbook:

```yaml
- hosts: all
  name: Run role
  roles:
    - myRole
  vars:
    ssl_trusted_certs:
      - '/foo/myCa.crt'
```

This has worked well for some time, but today ansible-lint started complaining that the variable installed_certs (which is registered in the first task) used in the Jinja template is unknown:

```
WARNING  Listing 1 violation(s) that are fatal
jinja[invalid]: Error in jmespath.search in json_query filter plugin:
'installed_certs' is undefined
```

The problem occurs on Debian Testing with the ansible-lint package from the repository. That's ansible-lint-6.13.1 and ansible-7.2.0.

mat
  • I would say `ssl_trusted_certs` should be defined in the role, as a role should be self sufficient. You should pass the variable to the role, instead of defining it as a play variable: https://stackoverflow.com/questions/42883909/passing-variables-to-ansible-roles – β.εηοιτ.βε Mar 08 '23 at 10:07
  • ^- this said I cannot reproduce this warning. Could you share your version of Ansible lint as well as your version of Ansible? – β.εηοιτ.βε Mar 08 '23 at 10:44
  • To add to @β.εηοιτ.βε's comment: you should at least define `ssl_trusted_certs` as an empty list in `defaults/main.yml` if that's not already the case. – Zeitounator Mar 08 '23 at 11:27
  • That being said, [I can't reproduce your problem (with or without a default declared)](https://gist.github.com/zeitounator/e10d571dcb6fd9eecda25a6077a0b4f5) – Zeitounator Mar 08 '23 at 11:50
  • I appended my question with the versions in use – mat Mar 08 '23 at 12:39
  • But `ssl_trusted_certs` is not the problem (neither in actual usage nor according to the linter). ansible-lint complains about `installed_certs` – mat Mar 08 '23 at 12:40
  • Well whatever the variable, an undefined variable in a role does not yield anything to an out of the box linter. Do you have specific rules added? – β.εηοιτ.βε Mar 08 '23 at 13:51
  • I am skipping a few rules, but apart from that I am not using any switches for ansible-lint – mat Mar 08 '23 at 13:55
  • Oh, do you have jmespath installed on that box? `pip show jmespath`? – β.εηοιτ.βε Mar 08 '23 at 13:57
  • Other than that, it looks like you are hitting a known and fixed issue: https://github.com/ansible/ansible-lint/issues/3047 – β.εηοιτ.βε Mar 08 '23 at 13:58
  • Trying to run your playbook I get an error about a missing `ssl_certs_path` variable. Besides that my `ansible-lint` for your playbook runs through without errors. (ansible-lint v4.2.0; ansible v2.9.6) – Gerd Mar 08 '23 at 14:09
  • Yes, `python3-jmespath` is a dependency of `ansible-lint` in Debian. – mat Mar 08 '23 at 14:13
  • Thank you for the link to the issue @β.εηοιτ.βε. Then I guess I just have to wait for 6.14.0 to hit the Debian repositories. – mat Mar 08 '23 at 14:40
  • Install `ansible-lint` with pip, rather. – β.εηοιτ.βε Mar 08 '23 at 14:41
  • pip is the only officially supported method for installing Ansible and its tools (and the only reliable way to have an up-to-date stack). Moreover this lets you have many installations in different versions if needed for a specific system user and even in different virtual python environments. – Zeitounator Mar 08 '23 at 17:01
