Trying to include a list of tasks from an playbook in Ansible

Question

My folder structure:

First I'll give you this so you can see how this is laid out and reference it when reading below:

/environments
  /development
    hosts // Inventory file
    /group_vars
      proxies.yml
    /custom_tasks
      firewall_rules.yml // File I'm trying to bring in

playbook.yml // Root playbook, just brings in the plays
rev-proxy.yml // Reverse-proxy playbook, included by playbook.yml

playbook.yml:

---
- include: webserver.yml
- include: rev-proxy.yml

proxies.yml just contains firewall_custom_include_file: custom_tasks/firewall_rules.yml

firewall_rules.yml:

tasks:
- name: "Allowing traffic from webservers on 80"
  ufw: src=10.10.10.3, port=80, direction=in, rule=allow
- name: "Allowing traffic all on 443"
  ufw: port=443, rule=allow

and finally rev-proxy.yml play:

---
- hosts: proxies
  become: yes
  roles:
   - { role: firewall }
   - { role: geerlingguy.nginx }
  pre_tasks:
  # jessie-backports for nginx-extras 1.10
   - name: "Adding jessie-backports repo"
     copy: content="deb http://ftp.debian.org/debian jessie-backports main" dest="/etc/apt/sources.list.d/jessie-backports.list"
   - name: Updating apt-cache.
     apt: update_cache="yes"
   - name: "Installing htop"
     apt:
      name: htop
      state: present
   - name: "Coopying SSL certificates"
     copy: src=/vagrant/ansible/files/ssl/ dest=/etc/ssl/certs force=no
  tasks:
  - name: "Including custom firewall rules."
    include: "{{ inventory_dir }}/{{ firewall_custom_include_file }}.yml"
    when: firewall_custom_include_file is defined
  vars_files:
    - ./vars/nginx/common.yml
    - ./vars/nginx/proxy.yml

What I'm trying to do:

Using Ansible 2.2.1.0

I'm trying to include a list of tasks that will be run if a variable firewall_custom_include_file is set. The list is included relative to the inventory directory by doing "{{ inventory_dir }}/{{ firewall_custom_include_file }}.yml" - in this case that works out to /vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml

Essentially the idea here is that I need to have different firewall rules be executed based on what environment I'm in, and what hosts are being provisioned.

To give a simple example: I might want to whitelist a database server IP on the production webserver, but not on the reverse proxy, and also not on my development box.

The problem:

Whenever I include firewall_rules.yml like above, it tells me:

TASK [Including custom firewall rules.] ****************************************
fatal: [proxy-1]: FAILED! => {"failed": true, "reason": "included task files must contain a list of tasks"}

I'm not sure what it's expecting, I tried taking out the tasks: at the beginning of the file, making it:

- name: "Allowing traffic from webservers on 80"
  ufw: src=10.10.10.3, port=80, direction=in, rule=allow
- name: "Allowing traffic all on 443"
  ufw: port=443, rule=allow

But then it gives me the error:

root@ansible-control:/vagrant/ansible# ansible-playbook -i environments/development playbook.yml
ERROR! Attempted to execute "/vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml" as inventory script: problem running /vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml --list ([Errno 8] Exec format error)
Attempted to read "/vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml" as YAML: 'AnsibleSequence' object has no attribute 'keys'
Attempted to read "/vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml" as ini file: /vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml:2: Expected key=value host variable assignment, got: name:

At this point I'm not really sure what it's looking for in the included file, and I can't seem to really find clear documentation on this, or other people having this issue.

Answer 1

Try to execute with -i environments/development/hosts instead of directory.

But I bet that storing tasks file inside inventory is far from best practices.

You may want to define list of custom rules as inventory variable, e.g.:

custom_rules:
  - src: 10.10.10.3
    port: 80
    direction: in
    rule: allow
  - port: 443
    rule: allow

And instead of include task, make something like this:

- ufw:
    port: "{{ item.port | default(omit) }}"
    rule: "{{ item.rule | default(omit) }}"
    direction: "{{ item.direction | default(omit) }}"
    src: "{{ item.src | default(omit) }}"
  with_items: "{{ custom_rules }}"