Ansible 2.x errors on the task with the with_items loop with when: some_var is defined condition when it is used in a role, but not in a play

[romanrev]

Issue Type: Bug Report
Ansible Version:

$ ansible-playbook --version
ansible-playbook 2.1.0 (devel a584ab3420) last updated 2016/02/02 18:36:05 (GMT +1100)
  lib/ansible/modules/core: (detached HEAD a19fa6ba48) last updated 2015/04/25 10:47:42 (GMT +1100)
  lib/ansible/modules/extras: (detached HEAD df7fcc90d9) last updated 2015/04/25 10:47:42 (GMT +1100)
  config file =
  configured module search path = Default w/o overrides

Ansible Configuration: nothing changed
Environment: OS X 10.11.2
Summary:

Provided the some_var variable is not defined, Ansible 2.x produces an error on the task with the with_items loop with when: some_var is defined condition when it is used in a role, however it does not produce an error when that task is used in a play.

Given the input and command to run:

cat > undefined_var_test_role_inclusion.yml <<EOF

---
- hosts: all
  connection: local
  gather_facts: false

  roles:

  - { role: some_role,
      some_var: "{{ some_value }}",
      when: some_value is defined,
      tags: [ tag1, tag2 ]
    }
EOF
mkdir -p roles/some_role/tasks
cat > roles/some_role/tasks/main.yml <<EOF

---
- name: reference the some_var variable
  local_action: >
    shell
    echo {{ some_var }}

- name: reference the some_var variable in a loop
  local_action: >
    shell
    echo {{ item }}
  with_items: some_var

- debug: var=some_result
EOF

With ansible-playbook from the develop branch I get this:

No config file found; using defaults
1 plays in ./undefined_var_test_role_inclusion.yml

PLAY ***************************************************************************

TASK [some_role : reference the some_var variable] *****************************
task path: /Users/roman/Dev/ansible-bugs/roles/some_role/tasks/main.yml:2
skipping: [localhost] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks
 so that the environment value uses the full variable syntax ('{{some_var}}').
This feature will be removed in a future release. Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
ERROR! 'some_value' is undefined

Expected output and behaviour (with Ansible 1.9.4):

$ ansible-playbook -i localhost, ./undefined_var_test_role_inclusion.yml -vvv

PLAY [all] ********************************************************************

TASK: [some_role | reference the some_var variable] ***************************
skipping: [localhost]

TASK: [some_role | reference the some_var variable in a loop] *****************
skipping: [localhost] => (item=some_var)

TASK: [some_role | debug var=some_result] *************************************
skipping: [localhost]

PLAY RECAP ********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0

If, however the task

- name: reference the some_var variable in a loop
  local_action: >
    shell
    echo {{ item }}
  with_items: some_var
  when: some_var is defined

is used in the tasks list in play instead of inside roles, Ansible 2.x correctly ignores it.

Just to reiterate and make it as possibly clear as I can:

My main point is that Ansible 2.x does not error when the above mentioned task is being used in a play, but does error when the task is used in a role. It should either:

• emit an error ​_all the time_​ regardless of where the task is, and then one can use bold statements such as “when using with_items loop please make sure to define a variable that is used in the loop, regardless of the when: condition or it will error!”, or
• not emit an error in case the when: some_var is defined is supplied in a task with a with_items: some_var loop - regardless of whether the task is in a role or a play

Please note: this issue has been initially reported in https://github.com/ansible/ansible/issues/14201but since the latter one has been closed for no reason, I am opening a new issue

[Wtower]

I believe I have reproduced this with Ansible 2.1 in Ubuntu Trusty.

[sivel]

This should no longer be the case as of 347b282

An undefined variable should now cause the task to skip instead of causing an error.

[dkasak]

So just to confirm, there is no undeprecated way of conditionally depending on a role? I realize that with_items does something akin to expansion of a task into multiple instances for each of the items specified so it fails if one of them is not defined, but this is an implementation detail from my point of view and hurts composability.

The use case we're aiming for is having a set of N roles, each of which is providing the same feature semantically but through a different mechanism. We're switching between those N roles based on a variable in the top-level playbook so that only one of those roles is run. However, this fails because some of those N roles have unique variables which are left undefined if we don't want to depend on that particular role. The only way I see this could be done with the current implementation is if we defined all the variables in each of those roles even if we're going to skip the entire role for that particular run and that seems awful.

Is there a reason why the when clause is not checked before the when_items expansion?

EDIT: I guess the reason is that this way {{ item }} can appear inside the when. It would be nice to have a stronger when which operated on the task in its unexpanded form.

[jimi-c]

Closing, as this should be resolved by the above commit.

If you continue seeing any problems related to this issue, or if you have any further questions, please let us know by stopping by one of the two mailing lists, as appropriate:

• https://groups.google.com/forum/#!forum/ansible-project - for user questions, tips, and tricks
• https://groups.google.com/forum/#!forum/ansible-devel - for strategy, future planning, and questions about writing code

Because this project is very active, we're unlikely to see comments made on closed tickets, but the mailing list is a great way to ask questions, or post if you don't think this particular issue is resolved.

Thank you!

[yfried]

Please reopen. I've recreated it

[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.: 'dict object' has no attribute 'flavors'.
This feature will be removed in a future release. Deprecation warnings can be disabled by 
setting deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}



ansible 2.1.0 (devel 2dd687acdd) last updated 2016/04/03 17:07:47 (GMT +300)
  lib/ansible/modules/core: (detached HEAD a38bdfc720) last updated 2016/04/03 17:07:51 (GMT +300)
  lib/ansible/modules/extras: (detached HEAD 7c3999a92a) last updated 2016/04/03 17:07:51 (GMT +300)
  config file = /home/yfried/workspace/git/InfraRed/ansible.cfg
  configured module search path = ['library', '/home/yfried/.virtualenvs/InfraRed/lib/python2.7/site-packages/ansible/modules']

[romanrev]

@yfried-redhat Could you open the topic on the https://groups.google.com/forum/#!forum/ansible-project - my experience with the Ansible github issues is that once they close it, the issue becomes dormant. Thank you!

[aaomoware]

Undefined variable(s) causes ansible to throw "Fatal". Perhaps the fix for this bug is yet to be released officially as the issue still persists.

I am running ansible 2.0.1.0, in Ubuntu Trusty.

TASK [sensu : custom configs] **************************************************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
fatal: [monitor-1]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}
fatal: [monitor-2]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

[sboulkour]

I too am facing this issue, while moving project from 1.9.x to 2.0.x.
Everything works fine with Ansible 1.9 but I can't make it work with ansible 2.

Tasks in role :

- name: Enable administrators SSH Keys for user ansible
  authorized_key: user=ansible key="{{ lookup('file', item )}}"
  with_fileglob:
    - "{{ ssh_keys_root }}/admins/enabled/*"
  become: yes

- name: Enable team SSH keys for user ansible
  authorized_key: user=ansible key="{{ lookup('file', item) }}"
  when: team_name is defined
  with_fileglob:
    - "{{ ssh_keys_root }}/{{ team_name }}/enabled/*"

The output (with some hidden path & filenames)

TASK [ssh-keys : Enable administrators SSH Keys for user ansible] **************
ok: [xxx.xxx] => (item=/Volumes/SecuredDisk/aaa/aaa/aaa.pub)
ok: [xxx.xxx] => (item=/Volumes/SecuredDisk/bbb/bbb/bbb.pub)
ok: [yyy.yyy] => (item=/Volumes/SecuredDisk/aaa/aaa/aaa.pub)
ok: [yyy.yyy] => (item=/Volumes/SecuredDisk/bbb/bbb/bbb.pub)

TASK [ssh-keys : Enable team SSH keys for user ansible] ************************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.. This feature will be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

[aaomoware]

@sboulkour
Check undefine/unsagined variables. Make sure any variables you are referencing are a properly defined/assigned. That was the issue in my case.

The way I understand the new improvement in 2.0 is: undefined/unassigned variable should be ignored. But apparently that is not happening.

[sboulkour]

@aaomoware
Yeah thks, issue were with team_name that wasn't defined for this team :)

But still, the error message doesn't make sense to me.

[aaomoware]

@sboulkour
I agree with you. The exception don't make sense as it misleads one to think it is a deprecated method error; it is not. It is the with_* just moaning because of an undefined variable. Hopefully it gets fixed soon

[jimi-c]

We're keeping it as a warning for now. In the future, this will be a play-ending error.

[waffledonkey]

It's probably not good form, but this seems to avoid the exception; YMMV

with_items: "{{undefined_var| default({}) }}"

it results in what looks like a skipped step... the -name, if present, will outputs but no ok, changed, skipping, etc.

If you want the result of the step, you can do this:

with_items: "{{undefined_var| default(omit) }}"

which results in:

skipping: [control] => (item=__omit_place_holder__8a599a567482c5400c4ff70ff4849759780c47e1)

[djowett]

This was awkward for me, my eventual workaround used a local_action: shell cat instead of the with_fileglob, like this:

- name: Read SSH Keys
  local_action:
    shell cat {{ odoo_user_sshkeys }}
  register: all_ssh_keys

- name: Set SSH public keys for the Odoo user
  authorized_key: user={{ odoo_user }}
                  key="{{ all_ssh_keys.stdout }}"
  when: all_ssh_keys.stdout

maybe this helps @sboulkour and others?