Ansible Roles with tags not respecting the tag, Instead playing all the tast defined

Question

Here is my play book:

- name: Install MySQL with replication
  hosts: mysql-master:mysql-slave
  user: root
  sudo: false
  roles:
    - common
    - admin-users
    - generic-directories
    - { role: iptables, tags: [ 'mysql-iptables'] }
    - mysql

I have ip tables tasks for different ports, I want to run the task depending on the group of servers.

I have tagged the iptables task based on the group. When i ran the play book instead of playing the tagged task, its run through all the tasks defined in iptables role.

Please let me know if am doing anything wrong here.

Answer 1

In practices roles should not contains code/configuration used only by you. Try to develop roles like if you're going to publish them, doing this you will create more generic/usefull roles

With an iptable role, what you want in the end is to open port/change firewall configuration. The role should contains tasks that allow configuration in the playbook:

---
- name: iptables | Open ports
  command: 'open port {{item.protocol}} {{item.port}} 
  with_items: 'iptable_conf'
  tags:
   - iptables

then you playbook

- name: Install MySQL with replication
  hosts: mysql-master:mysql-slave
  user: root
  sudo: false
  vars:
    - iptables_conf: 
       - {protocol: tcp, port: 3307}
       - {protocol: tcp, port: 3306}
  roles:
    - common
    - admin-users
    - generic-directories
    - iptables
    - mysql

Answer 2

Hope you like opinionated software all the way: https://github.com/ansible/ansible/issues/3283 .

If I'm reading that correctly, you're experiencing a feature, with everything in that role being tagged for you and your CLI tag specification subsequently matching all those tasks. I hate this feature. It's stupid. "Application" vs. "selection" w/r/t to tags is an obvious first question when you're initially exposed to Ansible tags. It should have a more flexible answer, or at least a nod in the docs.

I would suggest a different way of organizing the versatile iptables role. First, consider not having the role if it's wrapping a very sparse amount of tasks. I would recommend for roles to have meaning to you, and not be module-adapters. So maybe the sql role can handle sql-specific rules in a separate tasks file.

Otherwise, a role parameter which can then be used to load variables dynamically (e.g. the list of firewall rules). Here's what that would look like, stubbed out:

Playbook:

---
- hosts: loc
  roles:
    - { role: does-too-much, focus_on: 'specific-kind' }

Role tasks/main.yml:

---
 - include_vars: "{{ focus_on }}.yml"
 - debug:
     msg: "ok - {{ item }}"
   with_items: stuff

Variables vars/specific-kind.yml:

---
stuff:
 - b
 - c