packer-plugin-ansible
Different values from group_vars between plain and Packer Ansible runs
Overview of the Issue
When using Ansible with Packer's Ansible provisioner, overridden values in group_vars are not applied correctly, causing potential security risks.
Reproduction Steps
Consider the following Ansible inventory (inventory-testing/inventory.yml):
---
all:
  children:
    jenkins:
      hosts:
        jenkinsserver1:
        jenkinsserver2:
    testing:
      children:
        jenkins:
      hosts:
        testserver1:
        testserver2:
And two group_vars files:
inventory-testing/group_vars/jenkins.yml:
---
auth: "jenkins_auth_value"
inventory-testing/group_vars/testing.yml:
---
auth: "testing_auth_value"
A playbook which prints the auth variable:
---
- name: Print auth variable for all hosts
  hosts: all
  gather_facts: no
  tasks:
    - name: Print the auth variable
      delegate_to: localhost
      debug:
        msg: "The value of auth is: {{ auth }}"
When I run
ansible-playbook -i inventory-testing/ print_auth.yml
it prints the overridden jenkins_auth_value for the jenkins hosts properly:
ok: [jenkinsserver1 -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
ok: [jenkinsserver2 -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
ok: [testserver1 -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}
ok: [testserver2 -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}
So far, so good.
Now, let's create a packer-ansible inventory file, similar to the one the Packer Ansible plugin generates:
default
[jenkins]
default
[testing]
default
As far as I see, the Ansible Packer provisioner does not support group hierarchies (and I would not like to duplicate our group hierarchy in the HCL either).
According to Packer's output, the Ansible Packer provisioner runs a similar command for Ansible with the additional inventory file:
ansible-playbook -i inventory-testing/packer-ansible-inventory print_auth.yml
It uses the generated inventory file alone (not the whole inventory directory). This prints:
ok: [default -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}
I would expect jenkins_auth_value here.
While using the whole inventory directory:
ansible-playbook -i inventory-testing/ --limit=default print_auth.yml
prints the correct jenkins_auth_value value:
ok: [default -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
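The difference between the two runs follows from Ansible's group_vars merge order: a host's groups are sorted by (depth, priority, name) and each later group overwrites the earlier ones (sort_groups/get_group_vars in ansible/inventory/helpers.py). In the flat file jenkins and testing sit at the same depth, so the alphabetically later testing wins; in the directory run the YAML hierarchy makes jenkins a child of testing, so it is deeper and wins. The following script is an added example, not code from this issue or from the Packer plugin: it models that rule over a constructed copy of the flat inventory and the hierarchy from inventory.yml, and its priorities parameter models the ansible_group_priority group variable (default 1), which is the documented tie-breaker for groups at the same depth.

```python
"""Model of how Ansible merges group_vars for one host.

Added example (not from the issue or the Packer plugin).  Ansible sorts a
host's groups by (depth, priority, name) and lets each later group overwrite
the earlier ones; this reproduces that rule to show why the flat Packer
inventory and the hierarchical inventory disagree.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The two group_vars files from the report are the only variables involved.
GROUP_VARS = {
    "jenkins": {"auth": "jenkins_auth_value"},
    "testing": {"auth": "testing_auth_value"},
}

# Constructed copy of the flat inventory the Packer plugin writes.
PACKER_INVENTORY = """\
default
[jenkins]
default
[testing]
default
"""

# Hierarchy of inventory-testing/inventory.yml as parent -> children
# (every group is also an implicit child of 'all', as in Ansible).
YAML_CHILDREN = {"all": ["jenkins", "testing"], "testing": ["jenkins"]}
YAML_HOSTS = {
    "jenkins": ["jenkinsserver1", "jenkinsserver2"],
    "testing": ["testserver1", "testserver2"],
}


@dataclass
class Group:
    name: str
    parents: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)


def parse_ini_inventory(text: str) -> dict[str, list[str]]:
    """Minimal parser for Packer's INI inventory: [group] headers and one
    host per line; hosts above the first header land in 'ungrouped'."""
    hosts: dict[str, list[str]] = {}
    current = "ungrouped"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        hosts.setdefault(current, []).append(line.split()[0])
    return hosts


def build_inventory(children: dict[str, list[str]],
                    *host_maps: dict[str, list[str]]) -> dict[str, Group]:
    """Combine a parent->children map with group->hosts maps, the way Ansible
    merges every source it finds in an inventory directory."""
    groups = {"all": Group("all")}
    names = set(children) | {c for cs in children.values() for c in cs}
    for hm in host_maps:
        names |= set(hm)
    for name in names - {"all"}:
        groups[name] = Group(name, parents={"all"})
    for parent, cs in children.items():
        for child in cs:
            groups[child].parents.add(parent)
    for hm in host_maps:
        for name, hs in hm.items():
            groups[name].hosts.update(hs)
    return groups


def depth(groups: dict[str, Group], name: str) -> int:
    """Ansible gives a child the largest parent depth plus one."""
    return max((depth(groups, p) + 1 for p in groups[name].parents), default=0)


def host_groups(groups: dict[str, Group], host: str) -> set[str]:
    """Every group the host belongs to, directly or via parent groups."""
    seen: set[str] = set()
    stack = [g.name for g in groups.values() if host in g.hosts]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(groups[name].parents)
    return seen


def resolve_vars(groups: dict[str, Group], host: str,
                 priorities: dict[str, int] | None = None) -> tuple[dict[str, str], list[str]]:
    """Merge group_vars in Ansible's order; return (vars, merge order).
    priorities models ansible_group_priority (default 1) and only breaks
    ties between groups at the same depth."""
    priorities = priorities or {}
    order = sorted(host_groups(groups, host),
                   key=lambda n: (depth(groups, n), priorities.get(n, 1), n))
    merged: dict[str, str] = {}
    for name in order:
        merged.update(GROUP_VARS.get(name, {}))
    return merged, order


# What the plugin's run sees: the flat file alone.
FLAT = build_inventory({}, parse_ini_inventory(PACKER_INVENTORY))
# What the --limit=default run sees: the whole directory, hierarchy included.
MERGED = build_inventory(YAML_CHILDREN, YAML_HOSTS, parse_ini_inventory(PACKER_INVENTORY))

if __name__ == "__main__":
    for label, inv in (("flat Packer inventory", FLAT), ("whole directory", MERGED)):
        merged, order = resolve_vars(inv, "default")
        print(f"{label}: auth={merged['auth']} (merge order {order})")
```

Running it prints testing_auth_value for the flat inventory and jenkins_auth_value for the merged directory, matching the two outputs above; passing priorities={"jenkins": 10} to resolve_vars shows how a higher ansible_group_priority makes jenkins win even in the flat file, which is worth knowing when checking whether a Packer-built image received the variables the hierarchy intended.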
Plugin and Packer version
- Packer v1.11.0
- ansible-playbook [core 2.13.10]
- python version = 3.10.12
ansible = {
  version = ">= 1.1.1"
  source  = "github.com/hashicorp/ansible"
}
Potential Impact
It is concerning that overridden values in group_vars are not respected when using the Packer Ansible provisioner. I'm afraid this issue can lead to significant security risks, such as users gaining unintended access to servers due to incorrect variable values. For instance, a user might gain access to a server that was meant to be inaccessible based on the intended configuration in the group_vars hierarchy.
Additionally, this discrepancy can result in inconsistencies between servers created with Packer and those configured with plain Ansible, making debugging and maintaining infrastructure more challenging. Any insights or suggestions on how to address this issue would be greatly appreciated.
Possibly related issues
- https://github.com/hashicorp/packer/issues/6405