
Environment variables prefixed with ANSIBLE_, and AWX

Open felixfontein opened this issue 3 years ago • 9 comments

Summary

Three years ago it was decided at the public ansible project meeting (https://meetbot.fedoraproject.org/ansible-meeting/2019-02-26/ansible_core_irc_public_meeting.2019-02-26-19.02.html, https://meetbot.fedoraproject.org/ansible-meeting/2019-02-26/ansible_core_irc_public_meeting.2019-02-26-19.02.log.html#l-121) that all environment variables used for configuring Ansible should be prefixed with ANSIBLE_ if their name is not dictated by some library used or some third-party tool that the module/plugin controls.

Now AWX decided at some point to disallow setting environment variables prefixed with ANSIBLE_ by injecting secrets, and tells users to avoid ANSIBLE_ environment variables in general. (I don't know when that happened, but at least the secret injection seems to be from before that: https://github.com/ansible/awx/pull/2363)

This now leads to the problem that some community collections stick to the naming convention of prefixing env variables with ANSIBLE_, while users who try to use these collections with AWX are experiencing problems due to this. Examples:

  • https://github.com/ansible-collections/community.hashi_vault/issues/49
  • https://github.com/ansible-collections/community.hashi_vault/issues/85
  • https://github.com/ansible-collections/community.general/issues/4501

For most plugin types, one can add further configuration possibilities, for example with Ansible variables, and suggest that users switch to using these instead. But for inventory plugins, this isn't possible (AFAIK), so this really is a problem.

So: what can we do, what should we do, and what do we want to suggest that users and collection maintainers do? The current situation is annoying for both users and maintainers.

felixfontein avatar Apr 13 '22 18:04 felixfontein

Sounds like AWX is broken...

jamescassell avatar Sep 07 '22 18:09 jamescassell

AWX may have a legitimate security concern, but they could help mitigate this issue by having an allow-list and/or block-list for specific variables that are allowed.

briantist avatar Sep 07 '22 18:09 briantist

It would also be possible to define a prefix that isn't covered by that rule, like ANSIBLE_COMMUNITY_, or ANSIBLE_COLLECTION_ (I'm not happy about these two, but cannot think of a better one right now).

felixfontein avatar Sep 07 '22 18:09 felixfontein
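To make the two proposals above concrete (an allow-list/block-list for specific variables, and an exempt prefix such as ANSIBLE_COMMUNITY_), here is an added illustration of what such a policy check could look like at the point where user-supplied credential variables are exported into a job environment. This is example code written for this thread, not AWX's implementation; the function `filter_injected_env`, the `EnvPolicy` class, the exempt prefix and the sample variable names are all assumptions.

```python
"""Illustrative environment-variable injection policy.

Added example for this discussion; not AWX's code. The policy shape
(blocked prefixes, exempt prefixes, explicit allow-list and block-list)
is an assumption drawn from the proposals in the thread.
"""
import re
from dataclasses import dataclass

# Only accept syntactically sane names; anything else is rejected outright
# regardless of the prefix rules (added sanity check, not from the thread).
_VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


@dataclass(frozen=True)
class EnvPolicy:
    # Prefixes that are refused by default (the current AWX behaviour
    # described in the issue is roughly "block everything under ANSIBLE_").
    blocked_prefixes: tuple = ("ANSIBLE_",)
    # Hypothetical prefix exempted from the block, as proposed above.
    exempt_prefixes: tuple = ("ANSIBLE_COMMUNITY_",)
    # Explicit per-variable decisions; the block-list wins over everything
    # so an operator can always veto a single name.
    allow_list: frozenset = frozenset()
    block_list: frozenset = frozenset()

    def is_allowed(self, name: str) -> bool:
        """Decide whether a single variable name may be injected."""
        if not _VALID_NAME.fullmatch(name):
            return False
        if name in self.block_list:
            return False
        if name in self.allow_list:
            return True
        if any(name.startswith(p) for p in self.exempt_prefixes):
            return True
        return not any(name.startswith(p) for p in self.blocked_prefixes)


def filter_injected_env(env: dict, policy: EnvPolicy) -> tuple:
    """Split a requested environment into (accepted, rejected_names).

    Rejected names are returned so the caller can log them and surface a
    clear error to the user instead of silently dropping configuration,
    which is the failure mode the linked collection issues describe.
    """
    accepted, rejected = {}, []
    for name, value in env.items():
        if policy.is_allowed(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one ANSIBLE_ name explicitly allowed, one
    # left blocked, one under the exempt prefix, one vetoed by name.
    policy = EnvPolicy(
        allow_list=frozenset({"ANSIBLE_HASHI_VAULT_ADDR"}),
        block_list=frozenset({"ANSIBLE_COMMUNITY_DANGEROUS"}),
    )
    requested = {
        "ANSIBLE_HASHI_VAULT_ADDR": "https://vault.example.invalid",
        "ANSIBLE_STDOUT_CALLBACK": "json",
        "ANSIBLE_COMMUNITY_FOO": "x",
        "ANSIBLE_COMMUNITY_DANGEROUS": "y",
        "VAULT_TOKEN": "t",
        "bad name": "z",
    }
    ok, refused = filter_injected_env(requested, policy)
    print("accepted:", sorted(ok))
    print("rejected:", refused)
```

The ordering of the checks is the design point: a name-level block-list is consulted before the allow-list and the exempt prefix, so an exemption for a whole prefix can never override an operator's explicit veto of one variable, while an allow-list entry can punch a single hole in the ANSIBLE_ block without widening it.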

@gundalow should folks from awx be engaged in the issue?

Andersson007 avatar Nov 09 '22 19:11 Andersson007

@gundalow ping

felixfontein avatar Apr 13 '23 19:04 felixfontein

Sounds sensible, let's discuss in the AWX channel

gundalow avatar Apr 17 '23 09:04 gundalow

@gundalow curious why we would move discussion into IRC/matrix instead of having it here?

briantist avatar Apr 17 '23 19:04 briantist

@gundalow ping

eLLIkin avatar Aug 02 '23 08:08 eLLIkin

@felixfontein Please close this issue if done, or open a new forum topic and then close the issue with a pointer to the new discussion: Community-topics: Archiving the repo

mariolenz avatar May 02 '24 15:05 mariolenz

I've created https://forum.ansible.com/t/environment-variables-prefix-with-ansible-and-awx/5737 to continue this discussion in the forum.

felixfontein avatar May 10 '24 16:05 felixfontein