TRex

Reputation: 55

Accessing ENV vars in facts.d scripts

I have a need for dynamic facts, and as a solution, have written a script that lives in /etc/ansible/facts.d/my_facts.fact.

It has to pull some of its information from a cloud provider, and therefore, needs an API token, which, for obvious reasons, one does not want to store in plain text on the server.

Ansible is always triggered by a process that includes MY_SECRET_API_TOKEN exported in its environment. The Ansible code looks like this, with MY_SECRET_API_TOKEN:

---
- name: do the things
  import_tasks: my_tasks.yml
  environment:
    MY_SECRET_API_TOKEN: "{{ lookup('env', 'MY_SECRET_TOKEN') }}"
  when: ansible_facts['os_family'] == "Debian"

And the my_facts.fact bash file has a line like this that'll trip fact gathering with an rc: 99 when the TOKEN is not present in the environment:

[[ ${MY_SECRET_TOKEN} == '' ]] && { echo Secret not found && exit 99 ; }

curl --silent -XGET -H "Authorization: Bearer ${MY_SECRET_TOKEN}" https://web.site.com/api/lookup

I've tried putting the environment: block at the role level to no avail as well.

How can I get Gather Facts on the remote server to pick up that ENV variable?

Upvotes: 2

Views: 44

Answers (1)

flowerysong

Reputation: 2939

You have to set environment at the play level if you want it to affect the play-level fact gathering:

- hosts: all
  gather_facts: true
  environment:
    MY_SECRET_API_TOKEN: "{{ lookup('env', 'MY_SECRET_TOKEN') }}"
  tasks:
    # etc.

If you do not want to (or cannot) modify the play, you can instead add an explicit setup task with the correct environment:

- name: Re-gather local facts
  setup:
    gather_subset: local
  environment:
    MY_SECRET_API_TOKEN: "{{ lookup('env', 'MY_SECRET_TOKEN') }}"

Upvotes: 2
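An added example, not code from the question or the answer: a hardened sketch of the fact script that fails closed on a missing or malformed token and hands the token to curl on stdin, so it does not show up in the process list the way a `-H "Authorization: ..."` argument does. It reads MY_SECRET_TOKEN, the name the question's script checks, so the `environment:` key on the play or setup task has to use that same name. The helper names and exit code 98 are assumptions made for the example.

```bash
#!/bin/sh
# Added example: hardened sketch of /etc/ansible/facts.d/my_facts.fact.
# Assumptions: the helper names and exit code 98 are hypothetical.
API_URL='https://web.site.com/api/lookup'   # URL from the question

# Fail closed: 99 when the token is absent (as in the question), 98 when it
# contains characters outside the RFC 6750 b64token set, which also keeps
# quotes, backslashes and newlines out of the curl config built below.
# Messages go to stderr so they are never parsed as fact data.
check_token() {
    case "$1" in
        '') echo 'Secret not found' >&2; return 99 ;;
        *[!A-Za-z0-9._~+/=-]*) echo 'Secret is malformed' >&2; return 98 ;;
    esac
    return 0
}

# Emit a curl config file. printf is a shell builtin, so the token is never
# an argument of an external process.
curl_config() {
    printf 'url = "%s"\n' "$API_URL"
    printf 'header = "Authorization: Bearer %s"\n' "$1"
}

main() {
    check_token "${MY_SECRET_TOKEN:-}" || exit $?
    # --config - reads the options from stdin, keeping the token out of argv;
    # --fail turns an HTTP error into a non-zero exit instead of fact output.
    curl_config "$MY_SECRET_TOKEN" | curl --silent --fail --config -
}

# Ansible runs the file under its *.fact name; under any other name only the
# functions are defined, so they can be checked without network access.
case "$0" in
    *.fact) main ;;
esac
```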
