
include_role: apply become_user cannot handle jinja-phrased condition #80869

scholtzj opened this issue May 23, 2023 · 3 comments
Labels
affects_2.16 bug This issue/PR relates to a bug. data_tagging module This issue/PR relates to a module. verified This issue has been verified/reproduced by maintainer

Comments

@scholtzj

Summary

When using ansible-core 2.14's include_role module, it cannot resolve a condition phrased as a Jinja template in the apply parameter for become_user.
It passes the entire string to the included role and then fails because it is an unprivileged user.
Worked fine on 2.13.

Issue Type

Bug Report

Component Name

ansible.builtin.include_role

Ansible Version

$ ansible --version
ansible [core 2.14.6]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.3 (main, May 10 2023, 12:26:31) [GCC 12.2.1 20220924] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = False

Configuration

# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all
CONFIG_FILE() = None

OS / Environment

OracleLinux 8

Steps to Reproduce

Playbook

- name: Test playbook
  hosts: localhost
  gather_facts: no
  vars:
    var1: false
    var2: root
  tasks:
    - name: Test include_role
      ansible.builtin.include_role:
        name: taskname
        apply:
          become: "{{ var1 | ternary(true, omit) }}"
          become_user: "{{  var1 | ternary(var2, omit) }}"

roles/taskname/tasks/main.yml

---
- name: Create a file with root permissions
  ansible.builtin.copy:
    content: ''
    dest: /file
    owner: root
    group: root

- name: Change file permissions
  ansible.builtin.file:
    path: /file
    mode: '0755'

- name: Delete file
  ansible.builtin.file:
    path: /file
    state: absent

Expected Results

Output from ansible-core 2.13.7

PLAY [Test playbook] *********************************************************************************

TASK [Test include_role] *****************************************************************************

TASK [taskname : Create a file with root permissions] ************************************************
changed: [localhost]

TASK [taskname : Change file permissions] ************************************************************
changed: [localhost]

TASK [taskname : Change file permissions] ************************************************************
changed: [localhost]

PLAY RECAP *******************************************************************************************
localhost                  : ok=3    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Actual Results

PLAY [Test playbook] *********************************************************************************

TASK [Test include_role] *****************************************************************************
task path: /DEV/playbook.yml:9

TASK [taskname : Create a file with root permissions] ************************************************
task path: /DEV/roles/taskname/tasks/main.yml:2
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /var/tmp `"&& mkdir "` echo /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811 `" && echo ansible-tmp-1684848665.7514634-443-23280075011811="` echo /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811 `" ) && sleep 0'
Using module file /usr/lib/python3.11/site-packages/ansible/modules/stat.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-4378emxcerv/tmpm57d8jz6 TO /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/AnsiballZ_stat.py
<127.0.0.1> EXEC /bin/sh -c 'setfacl -m '"'"'u:{{  var1 | ternary(var2, omit) }}:r-x'"'"' /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/ /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/AnsiballZ_stat.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/ /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/AnsiballZ_stat.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'chown '"'"'{{  var1 | ternary(var2, omit) }}'"'"' /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/ /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/AnsiballZ_stat.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /var/tmp/ansible-tmp-1684848665.7514634-443-23280075011811/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "msg": "Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create despite connecting as a privileged user. Unprivileged become user would be unable to read the file."
}

PLAY RECAP *******************************************************************************************
localhost                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
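As an added check (not code from the issue or from ansible-core): a small scanner over `ansible-playbook -vvv` output that flags the temp-directory ownership commands (setfacl/chown) when they carry an un-rendered Jinja template as the username, which is exactly the symptom in the log above. The sample lines are constructed in the shape of that output; the temp-dir names are shortened placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the -vvv output quoted in this issue:
# two temp-file ownership steps carrying the un-rendered become_user, and one
# clean step for a bare username (shlex leaves simple names unquoted).
SAMPLE_LOG = """\
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'setfacl -m '"'"'u:{{  var1 | ternary(var2, omit) }}:r-x'"'"' /var/tmp/ansible-tmp-1/ /var/tmp/ansible-tmp-1/AnsiballZ_stat.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /var/tmp/ansible-tmp-1/ /var/tmp/ansible-tmp-1/AnsiballZ_stat.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'chown '"'"'{{  var1 | ternary(var2, omit) }}'"'"' /var/tmp/ansible-tmp-1/ /var/tmp/ansible-tmp-1/AnsiballZ_stat.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'chown deploy /var/tmp/ansible-tmp-2/ /var/tmp/ansible-tmp-2/AnsiballZ_stat.py && sleep 0'
"""

# One connection-plugin EXEC line: "<host> EXEC /bin/sh -c '<cmd>'"
EXEC_LINE = re.compile(r"^<(?P<host>[^>]+)> EXEC (?P<shell>\S+) -c '(?P<cmd>.*)'$")
JINJA = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")
# Commands the action layer uses to hand the temp directory to become_user.
OWNERSHIP_CMDS = ("setfacl", "chown", "chgrp")


def unrendered_become_user(log: str) -> List[Dict[str, object]]:
    """Return one finding per EXEC line where an ownership command carries
    un-rendered Jinja, i.e. the literal template reached the shell as a username."""
    findings = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        m = EXEC_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        tool = cmd.split(None, 1)[0]
        expr = JINJA.search(cmd)
        if tool in OWNERSHIP_CMDS and expr:
            findings.append({"line": lineno, "host": m.group("host"),
                             "tool": tool, "template": expr.group(0)})
    return findings


def main() -> int:
    hits = unrendered_become_user(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['tool']} ran with un-rendered become_user {h['template']!r}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Ansible quotes the value with shlex before it reaches the shell, so the literal template is passed as a single argument and the task fails closed rather than running as an unintended user; the scanner is useful as a CI guard because the failure only surfaces on hosts where the become branch is actually taken.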
@ansibot
Contributor

ansibot commented May 23, 2023

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.14 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. labels May 23, 2023
@HauserV

HauserV commented May 23, 2023

Seems to be related to #79752 (include_role is implicitly a block).

@s-hertel s-hertel added needs_verified This issue needs to be verified/reproduced by maintainer and removed needs_triage Needs a first human triage before being processed. labels May 23, 2023
@sivel
Member

sivel commented May 23, 2023

Ok, I've bisected to b5eba64 so it seems this is a duplicate of #79752

@sivel sivel added verified This issue has been verified/reproduced by maintainer and removed needs_verified This issue needs to be verified/reproduced by maintainer labels May 23, 2023
@ansibot ansibot added the module This issue/PR relates to a module. label Jul 12, 2023