Avoid loop.first when working with users and vault_users data
Fixes 'variable referenced before assignment in enclosing scope'
error that appeared with python 2.7.12 and its apparent change in
handling the {% if loop.first %} jinja control structure.
fullyint committed Jan 9, 2017
1 parent 991c83d commit 70411af
Showing 3 changed files with 7 additions and 9 deletions.
1 change: 1 addition & 0 deletions group_vars/all/helpers.yml
Expand Up @@ -12,3 +12,4 @@ site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | l
site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}"
site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}"
ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}"
ansible_become_pass: "{% set passwords = vault_users | default([]) | selectattr('name', 'equalto', admin_user) | selectattr('password', 'defined') | map(attribute='password') | list %}{{ passwords | ternary(passwords | first, None) }}"
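Review bot: defining `ansible_become_pass` unconditionally in `group_vars/all/helpers.yml` drops the three guards the removed `Load become password` task had (`ansible_user != 'root'`, `not cli_ask_become_pass`, `ansible_become_pass is not defined`), and it keys the lookup on `admin_user` instead of the `ansible_user` that the remote-user role actually selects. Two consequences to call out in the commit message or a comment next to this line: a password supplied with `--ask-become-pass` or from a source with lower precedence than group_vars can now be shadowed by the vault value, and because `ternary(passwords | first, None)` always yields a defined variable, any downstream `ansible_become_pass is not defined` check will never fire again. If the prompted-password path is still meant to win, gate the expression on `cli_ask_become_pass | default(false)` here rather than relying on callers to remember the new precedence.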
6 changes: 0 additions & 6 deletions roles/remote-user/tasks/main.yml
Expand Up @@ -21,9 +21,3 @@
- name: Announce which user was selected
debug:
msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}"

- name: Load become password
set_fact:
ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user and user.password is defined %}{% if loop.first %}{{ user.password }}{% endif %}{% endfor %}"
when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined
no_log: true
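Review bot: with this task gone, nothing in the remote-user role shows where `ansible_become_pass` now comes from, and the `no_log: true` that used to wrap it disappears too. The vars-file replacement is not echoed by Ansible, so the logging side is fine, but the `when:` conditions are not carried over: the group_vars helper is evaluated even when `ansible_user` is `root` or differs from `admin_user`. Add a short comment after the `Announce which user was selected` task pointing at `group_vars/all/helpers.yml`, so a reader of this role is not left hunting for how the become password is populated.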
9 changes: 6 additions & 3 deletions roles/users/tasks/main.yml
Expand Up @@ -16,8 +16,8 @@
- name: Fail if root login will be disabled but admin_user will not be a sudoer
assert:
that:
- "{% for user in users if user.name == admin_user %}{% if loop.first %}{{ 'sudo' in user.groups }}{% endif %}{% else %}{{ false }}{% endfor %}"
- "{% for user in vault_users | default([]) if user.name == admin_user %}{% if loop.first %}{{ user.password is defined }}{% endif %}{% else %}{{ false }}{% endfor %}"
- "{{ 'sudo' in users | selectattr('name', 'equalto', admin_user) | selectattr('groups', 'defined') | sum(attribute='groups', start=[]) | list }}"
- "{{ ansible_become_pass | default('') | length }}"
msg: |
When `sshd_permit_root_login: false`, you must add `sudo` to the `groups` for admin_user (in `users` hash), and set a password for admin_user in `vault_users` (in `group_vars/{{ env }}/vault.yml`). Otherwise Ansible could lose the ability to run the necessary sudo commands. {% if sudoer_passwords is defined or vault_sudoer_passwords is defined %}
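Review bot: the second assertion, `ansible_become_pass | default('') | length`, only substitutes `''` when the variable is undefined; now that `group_vars/all/helpers.yml` always defines it (rendering to `None` when no `vault_users` entry with a password matches `admin_user`), the outcome depends on how that `None` surfaces: a real `None` makes `length` raise instead of producing the intended assertion message, and a `"None"` string would satisfy the assert with length 4. Use `default('', true)` so falsy values are replaced as well, or write the condition as `ansible_become_pass is not none and ansible_become_pass | length`. The first assertion is fine as long as `groups` is always a list; `sum(attribute='groups', start=[])` will error on a string value, which the old `'sudo' in user.groups` tolerated.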
Expand All @@ -33,11 +33,14 @@
name: "{{ item.name }}"
group: "{{ item.groups[0] }}"
groups: "{{ item.groups | join(',') }}"
password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash("sha512", user.salt[:16] | default(None) | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% endif %}{% else %}{{ None }}{% endfor %}'
password: '{{ user_secrets | ternary(user_secrets.password | default("") | password_hash("sha512", user_secrets.salt | default("") | truncate(16, true, "") | regex_replace("[^\.\/a-zA-Z0-9]", "x")), None) }}'
state: present
shell: /bin/bash
update_password: always
with_items: "{{ users }}"
vars:
user_secrets_list: "{{ vault_users | default([]) | selectattr('name', 'equalto', item.name) | selectattr('password', 'defined') | list }}"
user_secrets: "{{ user_secrets_list | ternary(user_secrets_list | first, None) }}"

- name: Add web user sudoers items for services
template:
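Review bot: on the `password:` line, `user_secrets.salt | default("")` turns a missing salt into an empty string, whereas the removed expression passed `None` through `default(None)`. The `password_hash` filter only generates a random salt when the salt argument is `None`, so a vault user without a `salt` key is now hashed with an empty salt (`$6$$...`) instead of a random one; verify this against the Ansible version in use, and if it holds, finish the salt pipeline with `| default(None, true)` so an empty result collapses back to `None`. Separately, `truncate(16, true, "")` is not a strict cut: Jinja's `truncate` applies a `leeway` (5 characters by default from Jinja 2.9), so a configured salt of 17 to 21 characters is passed through untouched and exceeds the 16-character sha512-crypt salt limit; pass the leeway explicitly as `truncate(16, true, "", 0)` or use `[:16]` slicing as the old line did.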
