ansible-consul
ACL Master Token not generated automatically
SUMMARY
When provisioning a multi-server cluster with a bootstrap server and one or more servers, the ACL master token is not generated automatically.
ISSUE TYPE
- Bug Report
COMPONENT NAME
?
ANSIBLE VERSION
```
ansible [core 2.16.1]
  config file = None
  configured module search path = ['/Users/guillaumesmo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/9.1.0/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/guillaumesmo/.ansible/collections:/usr/share/ansible/collections
  executable location = /opt/homebrew/bin/ansible
  python version = 3.12.1 (main, Dec 7 2023, 20:45:44) [Clang 15.0.0 (clang-1500.0.40.1)] (/opt/homebrew/Cellar/ansible/9.1.0/libexec/bin/python)
  jinja version = 3.1.2
  libyaml = True
```
COLLECTION VERSION
?
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT
Mac OS X Sonoma 14.0 Apple M2 Pro
STEPS TO REPRODUCE
Create a 3 server inventory as below:

```ini
[consul_instances]
consul1 consul_node_role=bootstrap
consul2 consul_node_role=server
consul3 consul_node_role=client
```

```yaml
---
- hosts: consul_instances
  become: true
  roles:
    - role: consul
      vars:
        consul_acl_master_token_display: true
        consul_acl_enable: true
        consul_acl_default_policy: deny
        consul_acl_token_persistence: true
        consul_version: 1.18.0
```
EXPECTED RESULTS
3 servers provisioned, ACL token displayed in the output and usable in the Consul UI.
ACTUAL RESULTS
The "Generate ACL master token" task is configured with `run_once: true`, however it's run once on the bootstrap server. Since the task has the `consul_node_role == 'server'` condition, it's always skipped.
Since the token is not generated, it's not able to be saved on the other servers and fails with an error.
```
TASK [consul : Generate ACL master token] **************************************
task path: .../roles/consul/tasks/acl.yml:35
skipping: [consul1] => {"changed": false, "false_condition": "consul_node_role == 'server'", "skip_reason": "Conditional result was False"}

TASK [consul : Save ACL master token] ******************************************
task path: .../roles/consul/tasks/acl.yml:40
skipping: [consul1] => {"changed": false, "false_condition": "consul_node_role == 'server'", "skip_reason": "Conditional result was False"}
fatal: [consul2]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'stdout'. 'dict object' has no attribute 'stdout'\n\nThe error appears to be in '.../roles/consul/tasks/acl.yml': line 40, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - name: Save ACL master token\n ^ here\n"}
skipping: [consul3] => {"changed": false, "false_condition": "consul_node_role == 'server'", "skip_reason": "Conditional result was False"}

TASK [consul : Display ACL Master Token] ***************************************
task path: .../roles/consul/tasks/acl.yml:49
skipping: [consul1] => {"false_condition": "consul_node_role == 'server'"}

TASK [consul : Read ACL master token from previously boostrapped server] *******
task path: .../roles/consul/tasks/acl.yml:59
skipping: [consul1] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

TASK [consul : Save acl_replication_token from existing configuration] *********
task path: .../roles/consul/tasks/acl.yml:66
skipping: [consul1] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
skipping: [consul3] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
```
Please note I removed a few "no_log" attributes in acl.yml to have plain error messages.

I was able to provision the cluster successfully by replacing all the `consul_node_role == 'server'` conditions in acl.yaml with `consul_node_role == 'server' or consul_node_role == 'bootstrap'`.
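
The `run_once` and `when` interaction reported above, reduced to a standalone playbook. This is an added example, not part of the original issue and not the role's acl.yml. It is meant to run against the inventory from the report; the task names, the `uuidgen` command and the variables `token_skipped`, `token` and `demo_master_token` are assumptions made for illustration.

```yaml
---
# Added example (hypothetical tasks); only the inventory roles and the two
# conditions are taken from the report.
- hosts: consul_instances
  gather_facts: false
  tasks:
    # Pitfall: run_once selects the first host in the batch (consul1, role
    # "bootstrap"), evaluates `when` there, and the task is skipped.
    - name: Generate token with the original condition
      ansible.builtin.command: uuidgen   # assumption: stand-in token generator
      register: token_skipped
      run_once: true
      changed_when: false
      no_log: true
      when: consul_node_role == 'server'

    # The registered variable is still defined on every host, but it holds a
    # "skipped" result with no stdout key, which is what the failing
    # "Save ACL master token" task dereferenced on consul2.
    - name: Show what was registered
      ansible.builtin.debug:
        msg: >-
          skipped={{ token_skipped is skipped }}
          has_stdout={{ 'stdout' in token_skipped }}

    # Condition from the report's workaround: consul1 now qualifies, so the
    # single run_once execution actually produces a token.
    - name: Generate token with the widened condition
      ansible.builtin.command: uuidgen   # assumption: stand-in token generator
      register: token
      run_once: true
      changed_when: false
      no_log: true
      when: consul_node_role == 'server' or consul_node_role == 'bootstrap'

    # Guard the consumer so a skipped generator cannot surface as an
    # undefined-attribute failure; keep the secret out of the task output.
    - name: Save token only where it exists
      ansible.builtin.set_fact:
        demo_master_token: "{{ token.stdout }}"
      no_log: true
      when:
        - consul_node_role == 'server' or consul_node_role == 'bootstrap'
        - token is not skipped
```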