
Ansible Variables

Balasubramanian M
Sakthimurugan A
Goal: Write playbooks that use variables, sensitive variables (passwords, etc.) and facts to simplify management of the playbook and to reference information about the managed hosts.

Variables Objectives:
• Create and reference variables
• Encrypt sensitive variables
• Use facts and configure custom facts

Ansible Variables - DevSecOps Quick Bytes 1


Why variables?
• Create once and use it throughout the playbook
• Dynamically assign value during run-time
• Reduces manual error in the cases of repeat usage

Example such as:
• Users to create
• Packages to install
• Services to restart
• Files to remove
• Archives to retrieve from the internet

Variable Scope in Ansible

• Global scope: Variables set from the command line or Ansible configuration.
• Play scope: Variables set in the play and related structures.
• Host scope: Variables set on host groups and individual hosts by the inventory, fact gathering, or registered tasks.



Playbook Variables (Play scope)
• vars
• vars_files

Note: vars_files is used to keep important variables separate, so that they are not packaged in the playbook.
Defining Variables in Playbook
• There are two ways to define variables in a playbook
• vars: section
  - hosts: all
    vars:
      user: joe
      home: /home/joe

• vars_files: section (a relative path is good enough)
  - hosts: all
    vars_files:
      - vars/users.yml

  File contents are in YAML syntax, <name>: <value> (note the space after the colon):
  user: joe
  home: /home/joe



Using Variables
• After variables have been declared, administrators can use the variables in
tasks.
• Variables are referenced by placing the variable name in double curly braces
({{}}).
• Ansible substitutes the variable with its value when the task is executed.

Example:
  vars:
    user: joe
  tasks:
    # This line will read: Creates the user joe
    - name: Creates the user {{ user }}
      # This line will create the user named joe
      user:
        name: "{{ user }}"



Error Handling



Exercise

• Declare variable under vars and vars_files in playbook and execute
• Use debug module to print the variables



Host & Group Variables (host scope)
• Inventory variables
• group_vars & host_vars directories



Inventory Variables
Declared in inventory file (ex: /etc/ansible/inventory)
• Host variables: applies to a specific host
• Group variables: applies to a specific group

Note:
• Host variable takes precedence over group variable
• Playbook variable takes precedence over these two
• Command-line variable takes precedence over these three
Defining Variables in Inventory file
• Defining the “user” as host variable in inventory file
• Defining the “user” as group variable in inventory file
• Defining the “user” as group variable for multiple groups of hosts



Using group_vars and host_vars Directories

To define host variables for a particular host
• create a YAML file named <host-name> under host_vars directory

To define group variables for the servers group
• create a YAML file named <group> under group_vars directory

Note:
• Contents of that file would set variables to values using the same syntax as in a playbook
• <group> is the group / nested groups defined in inventory file
• <host-name> is the hosts listed in inventory file
Using group_vars and host_vars Directories



Command line Variable

Note: Command line variables, also known as extra variables in Ansible, take the highest precedence of all.



Variables and Arrays
• General vars
• users "array"
• Using "users" variable
• Alternate & recommended way of using "users" variable

Note: Variables in Ansible are defined as Python dictionaries. At times, the dot notation can cause problems if the key names are the same as names of Python methods or attributes, such as discard, copy, add, and so on. Using the bracket notation can help avoid conflicts and errors.
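The two notations side by side, as an added example that is not from the original slides; the `users` data and the `backup` variable are constructed for illustration.

```yaml
# Added example: dot notation vs. bracket notation for dictionary variables.
# The users data and the backup variable are constructed sample values.
- hosts: localhost
  gather_facts: false
  vars:
    users:
      bjones:
        first_name: Bob
        home_dir: /users/bjones
      acook:
        first_name: Anne
        home_dir: /users/acook
    backup:
      copy: /var/backups/app.tar.gz   # key name collides with dict.copy()
  tasks:
    - name: Dot notation works while no key collides with a Python name
      debug:
        msg: "{{ users.bjones.first_name }}"

    - name: Bracket notation (recommended) returns the same value
      debug:
        msg: "{{ users['bjones']['first_name'] }}"

    # {{ backup.copy }} would find the dict method copy() before the key,
    # so the colliding key is only safe to read with brackets.
    - name: Bracket notation always looks up the key
      debug:
        msg: "{{ backup['copy'] }}"

    - name: Keys held in another variable can only be used with brackets
      debug:
        msg: "{{ item }} -> {{ users[item]['home_dir'] }}"
      loop: "{{ users | list }}"
```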
Registered Variables

• Register statement is used to capture the output of a command (or) execution of a module to a variable, for debugging or some other purposes

Note:
• “register” statement is at the same indentation as its task
• “debug” is a new task, so it is at the same indentation as the other tasks



Exercise

• Create inventory variables & see the order of execution
  • Host specific
  • Group specific
  • Nested group specific
• Create host_vars and group_vars files and see the order of execution
  • Host specific
  • Group specific
  • Nested group specific



Ansible Secret (Vault)

How it works?
• Using python-cryptography package
• PyCrypto command is used for cryptographic
operations

$ sudo yum install python-cryptography

Managing Secrets
• Creating an encrypted file

• Using vault password file

• Encrypting an existing file



Managing Secrets
• Viewing an encrypted file

• Editing an existing encrypted file



Managing Secrets
• Decrypting (removing encryption permanently)

• Changing the Password of an Encrypted File

• Changing the password using a vault password file
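
A playbook that consumes a vault-encrypted variables file, as an added example that is not from the original slides. The file names `site.yml`, `vars/secret.yml` and `~/.vault_pass` and the variable `vault_user_password` are assumptions.

```yaml
# site.yml: added example; file and variable names are assumptions.
#
# vars/secret.yml is encrypted at rest, created with:
#   ansible-vault create vars/secret.yml
# and before encryption holds one line such as:
#   vault_user_password: <placeholder, never committed in clear text>
#
# Run with an interactive prompt:
#   ansible-playbook site.yml --ask-vault-pass
# or with a password file readable only by its owner (chmod 600):
#   ansible-playbook site.yml --vault-password-file ~/.vault_pass
- hosts: all
  become: true
  vars:
    user: joe                   # non-sensitive value stays in clear text
  vars_files:
    - vars/secret.yml           # decrypted in memory only, at run time
  tasks:
    - name: Fail early if the vaulted variable was not loaded
      assert:
        that:
          - vault_user_password is defined
          - vault_user_password | length > 0
        quiet: true
      no_log: true

    - name: Creates the user {{ user }} with the vaulted password
      user:
        name: "{{ user }}"
        # The user module expects a password hash, not the plain password
        password: "{{ vault_user_password | password_hash('sha512') }}"
        # The salt is random, so only set the password when the user is new
        update_password: on_create
      # Keep the decrypted value out of task output and logs, even with -v
      no_log: true
```

Keep the vault password file outside the repository and out of version control, since anyone holding it can decrypt `vars/secret.yml`.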

Exercise

• Create an encrypted file
• View an encrypted file
• Decrypt an encrypted file
• Change the encryption password
• Use command line and file options to enter the key



Ansible Facts
• Facts
• Custom Facts
What is Ansible Facts?
• It’s a set of variables (containing host-specific information) of a managed node, discovered by the Ansible control node every time the play is executed
• This is accomplished by following ad-hoc command

Why Facts?
• To define host specific variables
• To determine the state of a controlled node
• To use as regular variables
• To use in conditional statements
• To use in loops

To avoid facts gathering step add following in playbook



Examples



Playbook examples:
• Will fetch the fully qualified domain name
  This can also be written as
  {{ ansible_facts['fqdn'] }}

• Will fetch the IP address of the controlled node
  This can also be written as
  ansible_facts['default_ipv4']['address']



Custom Facts

Magic Variables

Ansible-defined variables of other hosts that might be of use in your play for the “current control node”

• hostvars
  {{ hostvars['test.example.com']['ansible_distribution'] }}

• group_names
  {% if 'webserver' in group_names %}
  # action
  {% endif %}

• groups
  {% for host in groups['app_servers'] %}
  # something that applies to all app servers.
  {% endfor %}

Example: to fetch IP of hosts in app_servers group
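
One way to write that lookup, as an added example that is not from the original slides. The group name `app_servers` comes from the slide; the two-play layout is an assumption, used because `hostvars` only holds facts for hosts whose facts were gathered in the run.

```yaml
# Added example: read other hosts' facts through the magic variables
# groups and hostvars. The two-play layout is an assumption.

# Play 1: gather facts on the whole group so that hostvars is populated.
- hosts: app_servers
  gather_facts: true
  tasks: []

# Play 2: runs on the control node and reads the facts collected above.
- hosts: localhost
  gather_facts: false
  tasks:
    - name: Print the IP address of every host in app_servers
      debug:
        msg: "{{ item }}: {{ hostvars[item]['ansible_facts']['default_ipv4']['address'] }}"
      loop: "{{ groups['app_servers'] }}"
      # Hosts that were unreachable in play 1 have no facts; skip them
      # instead of failing on an undefined variable.
      when: "'default_ipv4' in hostvars[item].get('ansible_facts', {})"
```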



vars_prompt in playbook

Ansible prompt is another method to introduce variables on the fly.

Example:

To be moved to vars section**


Exercise
• Run ad-hoc command to capture system facts, try with remote hosts
• Create custom facts, call it in playbook
• Use vars_prompt and use it in your play
• Explore magic variable of another system, print the values

Ansible Variables - DevSecOps Quick Bytes 33


Ansible Variable Lookup

Order of precedence (from least to most specific; the more specific wins):
1. role defaults
2. inventory INI or script group vars
3. inventory group_vars/all
4. playbook group_vars/all
5. inventory group_vars/*
6. inventory INI or script host vars
7. inventory host_vars/*
8. playbook host_vars/*
9. host facts
10. play vars
11. play vars_prompt
12. play vars_files
13. role vars (defined in role/vars/main.yml)
14. block vars (only for tasks in block)
15. task vars (only for the task)
16. include_vars
17. set_facts / registered vars
18. role (and include_role) params
19. include params
20. extra vars

Note: Within any section, redefining a var will overwrite the previous instance. If multiple groups have the same variable, the
last one loaded wins. If you define a variable twice in a play’s vars: section, the 2nd one wins.



Best Practices
• Decide your variable location ahead of time
• Avoid declaring same variable in multiple places
• Keep your sensitive variables in vault
• Keep your variables away from the playbook, to avoid shipping them along with your playbook to everyone