ansible · s-hertel · Feb 19, 2020 · Feb 14, 2020 · Feb 14, 2020 · Feb 19, 2020
diff --git a/changelogs/fragments/67429-jinja2-caching.yml b/changelogs/fragments/67429-jinja2-caching.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "Templating - Ansible was caching results of Jinja2 expressions in some cases where these expressions could have dynamic results, like password generation (https://github.com/ansible/ansible/issues/34144)."
diff --git a/lib/ansible/template/__init__.py b/lib/ansible/template/__init__.py
@@ -628,7 +628,7 @@ def template(self, variable, convert_bare=False, preserve_trailing_newlines=True
                         # we only cache in the case where we have a single variable
                         # name, to make sure we're not putting things which may otherwise
                         # be dynamic in the cache (filters, lookups, etc.)
-                        if cache:
+                        if cache and only_one:
                             self._cached_result[sha1_hash] = result
 
                 return result

diff --git a/test/integration/targets/templating_lookups/template_lookups/tasks/main.yml b/test/integration/targets/templating_lookups/template_lookups/tasks/main.yml
@@ -71,3 +71,18 @@
 - name: set with_dict
   shell: echo "{{ item.key + '=' + item.value  }}"
   with_dict: "{{ mydict }}"
+
+# BUG #34144 bad template caching
+
+- name: generate two random passwords
+  set_fact:
+    password1: "{{ lookup('password', '/dev/null length=20') }}"
+    password2: "{{ lookup('password', '/dev/null length=20') }}"
+    # If the passwords are generated randomly, the chance that they
+    # coincide is neglectable (< 1e-18 assuming 120 bits of randomness
+    # per password).
+
+- name: make sure passwords are not the same
+  assert:
+    that:
+      - password1 != password2