Forum Discussion
Former Member
4 years ago
onepassword.connect.generic_item task is not being executed when executing playbook with tags
I have a MySQL Ansible role with 2 tags: `configure_mysql_users` and `configure_mysql_databases`. Those tags are used for subsequent deployments of databases and users.
Here is a sample playbook for my test server:
```
- hosts: somehost
  gather_facts: yes
  become: yes
  environment:
    OP_VAULT: ""
    OP_CONNECT_HOST: ""
    OP_CONNECT_TOKEN: ""
  collections:
    - onepassword.connect
  pre_tasks:
    - onepassword.connect.generic_item:
        vault_id: "snip"
        title: somehost
        state: present
        fields:
          - label: root_username
            value: "root"
            section: "MYSQL (root)"
          - label: root_password
            generate_value: on_create
            section: "MYSQL (root)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
          - label: testuser_username
            value: "testuser"
            section: "MYSQL (testdb)"
          - label: testuser_password
            generate_value: on_create
            section: "MYSQL (testdb)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
    - name: Get root password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: root_password
      no_log: true
      register: root_password
    - name: Get testuser password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: testuser_password
      no_log: true
      register: testuser_password
  vars_files:
    - host_vars/somehost/mysql.yml
  roles:
    - roles/role-deploy-mysql
```
Initially, I've deployed a server with root user only, and it all went well.
However, I wanted to add a new user called `testuser`, so I've added a new item inside the `pre_tasks` block that should first create a new entry in 1Password, and then fetch that value and assign it to a variable. The playbook above is after those changes.
However, if I run this playbook using the following command:
```
ansible-playbook -i inv_production somehost.yml -t "configure_mysql_users,configure_mysql_databases" --vault-password-file=.vault --ask-become-pass
```
It won't create a new entry in the 1Password vault for the `testuser`, but it will try to fetch the value which does not exist, and then my playbook execution is going to fail.
If I'm to run this playbook without tags, everything will be fine, a new entry will be made inside the 1Password vault and the deployment of a new user will succeed.
So, it looks like `onepassword.connect.generic_item` is not being executed when the playbook is running using tags. I've tried to add an `always` tag to it, but it didn't matter too much.
Any ideas how to overcome this issue?
- Former Member
First, thank you for providing those detailed reproduction steps! I was able to reproduce this issue locally. I've included the localized version I ran at the end of this post.
I believe this issue is actually with how Ansible handles pre-tasks and tags.
Reproducing the Issue

Here's what I tried and what I saw:

1. I ran the playbook with the `-t "configure_mysql_users,configure_mysql_databases"` flag.
   Result => `setup item` NOT created; `item_info` steps failed
2. I ran the playbook without the `-t` flag.
   Result: `setup item` created :+1:
3. I added `tags: ['always']` to the generic_item task in `pre_tasks`.
   Result => setup_item executed, item_info found the requested fields.

Next Steps

I suggest adding `tags: ['always']` to the setup_item task. The `generic_item` module is idempotent and won't overwrite the generated fields when you specify `generate_value: on_create` for the field.

I found this old post in an Ansible mailing list discussing the issue, but it seems like the behavior still isn't well documented: https://groups.google.com/g/ansible-project/c/VxD39ABi1z4
Let us know if that takes care of the issue!
My local version of your playbook:
```
- hosts: localhost
  environment:
    OP_VAULT: ""
    OP_CONNECT_HOST: "http://localhost:8080"
    OP_CONNECT_TOKEN: ""
  collections:
    - onepassword.connect
  pre_tasks:
    - name: setup item
      onepassword.connect.generic_item:
        vault_id: ""  # make sure this is the same as OP_VAULT in the environment block!
        title: somehost
        state: present
        fields:
          - label: root_username
            value: "root"
            section: "MYSQL (root)"
          - label: root_password
            generate_value: on_create
            section: "MYSQL (root)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
          - label: testuser_username
            value: "testuser"
            section: "MYSQL (testdb)"
          - label: testuser_password
            generate_value: on_create
            section: "MYSQL (testdb)"
            field_type: concealed
            generator_recipe:
              length: 16
              include_symbols: no
    - name: Get root password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: root_password
      register: root_password
    - name: Get testuser password
      tags: [ 'always' ]
      item_info:
        item: somehost
        vault: Ansible
        field: testuser_password
      register: testuser_password
```
- Former Member
Hey @David_ag thanks for the reply!
At first, I was not sure how you managed to make it work with the added `always` tag, especially since I tried the same thing, and it didn't work. Then I realized that I was adding tags in the wrong place. Instead of:
```
pre_tasks:
  - name: setup items
    tags: [ 'always' ]
    onepassword.connect.generic_item:
```
I was doing this:
```
pre_tasks:
  - onepassword.connect.generic_item:
      tags: [ 'always' ]
```
But yeah, it works now 🎉
- Former Member
That's great to hear! Thanks for confirming the fix :)
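
The tag behaviour worked out in this thread, as an added example that is not part of any post and not code from 1Password or Ansible: a small audit that reports which `pre_tasks` a `-t` run would skip and flags `tags` nested inside module arguments. It assumes task-level tags only (no play, block or role inheritance, no `never` handling); the helper names and the sample task dictionaries are constructed for illustration.

```python
# Added example: task-level tag selection only (no play/block/role inheritance,
# no `never` handling). Task dicts mirror what a YAML loader returns.
TASK_KEYWORDS = {"name", "tags", "register", "no_log", "when", "become", "vars"}

def module_of(task):
    """Return (module_name, args): the one key that is not a task keyword."""
    for key, value in task.items():
        if key not in TASK_KEYWORDS:
            return key, value
    raise ValueError("task has no module key")

def task_tags(task):
    """Only the task-level `tags` keyword counts as a tag."""
    tags = task.get("tags", [])
    return {tags} if isinstance(tags, str) else set(tags)

def runs_with(task, requested):
    """Would the task run under `ansible-playbook -t <requested>`?"""
    tags = task_tags(task)
    return "always" in tags or bool(tags & requested)

def audit(tasks, requested):
    """Return (label, problem) for each task a tagged run would skip."""
    findings = []
    for task in tasks:
        module, args = module_of(task)
        label = task.get("name", module)
        if isinstance(args, dict) and "tags" in args:
            findings.append((label, "tags nested in module arguments"))
        elif not runs_with(task, requested):
            findings.append((label, "skipped under requested tags"))
    return findings

# Constructed sample data modelled on the thread's playbook.
REQUESTED = {"configure_mysql_users", "configure_mysql_databases"}
ITEM = {"title": "somehost", "state": "present"}
GET_PW = {"name": "Get testuser password", "tags": ["always"],
          "item_info": {"item": "somehost", "field": "testuser_password"}}
UNTAGGED = {"onepassword.connect.generic_item": dict(ITEM)}
MISPLACED = {"onepassword.connect.generic_item": dict(ITEM, tags=["always"])}
FIXED = {"name": "setup items", "tags": ["always"],
         "onepassword.connect.generic_item": dict(ITEM)}

if __name__ == "__main__":
    for label, tasks in [("untagged", [UNTAGGED, GET_PW]),
                         ("misplaced", [MISPLACED, GET_PW]),
                         ("fixed", [FIXED, GET_PW])]:
        print(label, audit(tasks, REQUESTED))
```

Running the same audit against a real playbook only requires loading its `pre_tasks` list with a YAML parser first.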