validate_vars.yml: ansible-core 2.16.1 req 'loop' not 'with_items' w/ 'assert' templating

roles/0-init/tasks/validate_vars.yml

@@ -158,12 +158,10 @@
   when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
   loop: "{{ vars_checklist }}"
 
-- name: 'DISALLOW "XYZ_install: True" if deprecated'
+
-  assert:
+- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
-    that: "{{ item }}_install is undefined or not {{ item }}_install"
+  set_fact:
-    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
+    vars_deprecated_list:
-    quiet: yes
-  with_items:
       - dhcpd               # Deprecated
       - named               # Deprecated
       - wondershaper        # Deprecated
@@ -175,3 +173,23 @@
       #- dokuwiki           # Unmaintained
       #- ejabberd           # Unmaintained
       #- elgg               # Unmaintained
+
+- name: 'DISALLOW "XYZ_install: True" if deprecated'
+  assert:
+    that: "{{ item }}_install is undefined or not {{ item }}_install"
+    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
+    quiet: yes
+  loop: "{{ vars_deprecated_list }}"
+  # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with
+  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+  #
+  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+  #  conditional expressions with embedded template blocks can fail with the
+  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+  #
+  # with_items:
+  #   - dhcpd               # Deprecated
+  #   - named               # Deprecated
+  #   - wondershaper        # Deprecated
+  #   - dansguardian        # Deprecated