validate_vars.yml: ansible-core 2.16.1 req 'loop' not 'with_items' w/ 'assert' templating

2025-03-09 15:40:17 +00:00 · 2023-12-04 18:01:55 -05:00 · 2023-12-04 18:01:55 -05:00 · 9f00b7b41b
commit 9f00b7b41b
parent af9597d5b2
1 changed files with 30 additions and 12 deletions
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@ -158,20 +158,38 @@
  when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
  loop: "{{ vars_checklist }}"

+
+- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
+  set_fact:
+    vars_deprecated_list:
+      - dhcpd               # Deprecated
+      - named               # Deprecated
+      - wondershaper        # Deprecated
+      - dansguardian        # Deprecated
+      #- xo_services        # Unmaintained
+      #- activity_server    # Unmaintained
+      #- ejabberd_xs        # Unmaintained
+      #- idmgr              # Unmaintained
+      #- dokuwiki           # Unmaintained
+      #- ejabberd           # Unmaintained
+      #- elgg               # Unmaintained
+
 - name: 'DISALLOW "XYZ_install: True" if deprecated'
  assert:
    that: "{{ item }}_install is undefined or not {{ item }}_install"
    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
    quiet: yes
-  with_items:
-    - dhcpd               # Deprecated
-    - named               # Deprecated
-    - wondershaper        # Deprecated
-    - dansguardian        # Deprecated
-    #- xo_services        # Unmaintained
-    #- activity_server    # Unmaintained
-    #- ejabberd_xs        # Unmaintained
-    #- idmgr              # Unmaintained
-    #- dokuwiki           # Unmaintained
-    #- ejabberd           # Unmaintained
-    #- elgg               # Unmaintained
+  loop: "{{ vars_deprecated_list }}"
+  # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with
+  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+  #
+  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+  #  conditional expressions with embedded template blocks can fail with the
+  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+  #
+  # with_items:
+  #   - dhcpd               # Deprecated
+  #   - named               # Deprecated
+  #   - wondershaper        # Deprecated
+  #   - dansguardian        # Deprecated