ansible-role-firewall icon indicating copy to clipboard operation
ansible-role-firewall copied to clipboard

Published 20 hours ago verified publisher icon mikegleasonjr

Beware if your host is in more than one group

Open jschaeff opened this issue 7 years ago • 2 comments

My inventory defines hosts and groups. Each group has a firewall_v4_group_rules dictionary defined. I was expecting to get a merge of all the firewall_v4_group_rules from each group a host belongs to, but instead, the host only got the rules defined from one group.

Example:

[all]
myhost

[web]
myhost

[database]
myhost

Then group_vars/web.yaml and group_vars/database.yaml define each firewall_v4_group_rules

As a result, myhost only receives rules from one of the 2 groups.

I can work around this issue by setting globally for ansible "hash_behaviour = merge" but is there a way to get this in the role (without changing ansible config) ? Maybe at the template level (I'm not an expert)?

jschaeff avatar Apr 13 '18 14:04 jschaeff

Hi,

I was expecting to get a merge of all the firewall_v4_group_rules from each group a host belongs to, but instead, the host only got the rules defined from one group.

That's not how Ansible works, see https://docs.ansible.com/ansible/2.5/user_guide/playbooks_variables.html?highlight=variables#variable-scopes. "Child groups override parent groups, and hosts always override their groups." Also see this question on stack overflow which covers your exact same case: https://stackoverflow.com/questions/23525546/ansible-host-in-multiple-groups. Also https://github.com/ansible/ansible/issues/6538. "This is a common misconception. [...] When variables are all at the same level, there is no defined order."

The firewall_v4_default_rules, firewall_v4_group_rules and firewall_v4_host_rules could be also something like firewall_v4_level_1, firewall_v4_level_2 and firewall_v4_level_3. They are not related to groups/hosts in Ansible. They are just pain variables in a role. They have a relation to them in the sense that they are merged together by the role in a specific order. But the content of those 3 variables for a host are specific for this particular host at any point in time. The group variable is not shared among all the groups.

Hope this helps and thank you for your question and interest in the role!

mikegleasonjr avatar Apr 14 '18 11:04 mikegleasonjr

A little late to the party here, but we use merge_vars to accomplish that. It works quite well.

ibarrere avatar Mar 19 '19 20:03 ibarrere