validate_vars.yml: ansible-core 2.16.1 req 'loop' not 'with_items' w/…

… 'assert' templating
iiab · Dec 4, 2023 · c220d39 · c220d39
1 parent af9597d
commit c220d39
Showing 1 changed file with 30 additions and 12 deletions.
diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml
@@ -158,20 +158,38 @@
   when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
   loop: "{{ vars_checklist }}"
 
+
+- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
+  set_fact:
+    vars_deprecated_list:
+      - dhcpd               # Deprecated
+      - named               # Deprecated
+      - wondershaper        # Deprecated
+      - dansguardian        # Deprecated
+      #- xo_services        # Unmaintained
+      #- activity_server    # Unmaintained
+      #- ejabberd_xs        # Unmaintained
+      #- idmgr              # Unmaintained
+      #- dokuwiki           # Unmaintained
+      #- ejabberd           # Unmaintained
+      #- elgg               # Unmaintained
+
 - name: 'DISALLOW "XYZ_install: True" if deprecated'
   assert:
     that: "{{ item }}_install is undefined or not {{ item }}_install"
     fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
     quiet: yes
-  with_items:
-    - dhcpd               # Deprecated
-    - named               # Deprecated
-    - wondershaper        # Deprecated
-    - dansguardian        # Deprecated
-    #- xo_services        # Unmaintained
-    #- activity_server    # Unmaintained
-    #- ejabberd_xs        # Unmaintained
-    #- idmgr              # Unmaintained
-    #- dokuwiki           # Unmaintained
-    #- ejabberd           # Unmaintained
-    #- elgg               # Unmaintained
+  loop: "{{ vars_deprecated_list }}"
+  # 2023-12-04: ansible-core 2.16.1 sudddenly no longer allows 'assert' with
+  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+  #
+  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+  #  conditional expressions with embedded template blocks can fail with the
+  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+  #
+  # with_items:
+  #   - dhcpd               # Deprecated
+  #   - named               # Deprecated
+  #   - wondershaper        # Deprecated
+  #   - dansguardian        # Deprecated