overlapping groups and their firewall rules #33

Open
patrickdeelman opened this issue Apr 20, 2018 · 1 comment

@patrickdeelman

I run a complex Ansible setup with many hosts and many overlapping groups. It sometimes happens that I have variables overlapping in my group_vars. I find myself not wanting to enable merge=yes in my Ansible config, so I kind of altered the iptables template.

Note: this only works with Ansible version >= 2.5 due to the vars lookup. Also, there are quite a lot of deprecation notices when running Ansible 2.5 because of the when statements. You should use "result is changed" instead of the current "result|changed" (gotta love the Ansible team ;) )

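```jinja
{# Collect every hostvar whose name starts with firewall_v4_group, sorted by name #}
{% set merged = {} %}
{% set found_groups = hostvars[inventory_hostname].keys() | to_json | from_json | json_query("[?starts_with(@, 'firewall_v4_group')]") | sort %}

{# Merge defaults first, then group rules, then host rules; later keys win #}
{% for rules in (['firewall_v4_default_rules'] + found_groups + ['firewall_v4_host_rules']) %}
{% set _ = merged.update(lookup('vars', rules)) %}
{{ rules }}
{% endfor %}
```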

This way I can have 2 roles assigned to a host, let's say role_kafka and role_zookeeper, and keep the firewall rules in separate group files without having Ansible overwrite the variable with whatever comes last.

@patrickdeelman
Author

P.S. The from_json | to_json is a small hack because the array emitted isn't compatible with json_query somehow. I had the bug somewhere and it was confirmed last month, so it should be fixed pretty soon anyway.
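
Added example, not part of the original issue or the role's own code: a plain-Python model of the merge order the template above uses (defaults, then `firewall_v4_group*` variables sorted by name, then host rules), reporting which variable wins when two groups define the same rule key. The group variable names and rule contents are constructed, and treating each variable as a dict of rule name to iptables lines is an assumption.

```python
# Added example: plain-Python model of the template's merge order.
# Group variable names and rule contents below are constructed samples.
PREFIX = "firewall_v4_group"

HOSTVARS = {
    "ansible_host": "10.0.0.5",  # unrelated hostvar, must be ignored
    "firewall_v4_default_rules": {
        "001 default policies": ["-P INPUT DROP"],
        "100 allow ssh": ["-A INPUT -p tcp --dport 22 -j ACCEPT"],
    },
    "firewall_v4_group_zookeeper_rules": {
        "200 allow zookeeper": ["-A INPUT -p tcp --dport 2181 -j ACCEPT"],
        "300 allow jmx": ["-A INPUT -p tcp -s 10.0.0.0/24 --dport 9999 -j ACCEPT"],
    },
    "firewall_v4_group_kafka_rules": {
        "200 allow kafka": ["-A INPUT -p tcp --dport 9092 -j ACCEPT"],
        "300 allow jmx": ["-A INPUT -p tcp --dport 9999 -j ACCEPT"],
    },
    "firewall_v4_host_rules": {"100 allow ssh": []},
}


def merge_order(hostvars):
    """Variable names in the order the template loop visits them."""
    groups = sorted(k for k in hostvars if k.startswith(PREFIX))
    return ["firewall_v4_default_rules"] + groups + ["firewall_v4_host_rules"]


def merge_rules(hostvars):
    """Return (merged, overrides). overrides holds (key, losing_var, winning_var)
    for every rule key that a later variable replaced with different content."""
    merged, owner, overrides = {}, {}, []
    for name in merge_order(hostvars):
        # Assumption of this sketch: a missing variable counts as empty.
        for key, lines in hostvars.get(name, {}).items():
            if key in owner and merged[key] != lines:
                overrides.append((key, owner[key], name))
            merged[key], owner[key] = lines, name
    return merged, overrides


if __name__ == "__main__":
    merged, overrides = merge_rules(HOSTVARS)
    for key, loser, winner in overrides:
        print(f"{key!r}: {winner} replaces {loser} -> {merged[key]}")
```

Because the group variables are merged in name order, renaming a group variable can change which of two colliding rules ends up in the ruleset.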
