Jānis Orlovs

Ansible: Variable Input Validation

We recently encountered a challenging issue with Ansible: throughout the process of automating our Oracle database setup, one of the components necessitated a particular sequence of symbols for passwords. Failing to adhere to this password policy results in the installation playbook malfunctioning, leading to the necessity of restarting the entire process.

This error is quite costly, given that a complete cycle consumes approximately an hour and a half. Before encountering this issue, we had been manually verifying variables to ensure they complied with the password policy.


After a few trial-and-error loops, we found a solution to the problem: variable input validation with Ansible.


General process:

1. Initialize an empty variable array

- name: Initialize an empty variable list for variables validation
  set_fact:
    variable_validation: []
  delegate_to: localhost

2. Pass the list of variables to be validated against a regex


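- name: Check if the variables match the password rules
  set_fact:
    # Append the name (never the value) of each variable that fails the check
    variable_validation: "{{ variable_validation + [item.name] }}"
  # 'when' is already a Jinja2 expression, so no {{ }} delimiters are needed
  when: item.password is not match('^[a-zA-Z][a-zA-Z0-9_$#]*$')
  loop:
    - { name: 'oracle_sys_password', password: "{{ oracle_sys_password }}" }
    - { name: 'oracle_redo_user_password', password: "{{ oracle_redo_user_password }}" }
  no_log: yes  # keep the password values out of the task output
  delegate_to: localhost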

3. Print failed variables


- name: Assert that all checks passed
  assert:
    that: variable_validation | length == 0
    fail_msg: "Variables that didn't match regex: {{ variable_validation | join(', ') }}"
  delegate_to: localhost

Full playbook:


---
- name: Initialize an empty variable list for variables validation
  set_fact:
    variable_validation: []
  delegate_to: localhost

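- name: Check if the variables match the password rules
  set_fact:
    # Append the name (never the value) of each variable that fails the check
    variable_validation: "{{ variable_validation + [item.name] }}"
  # 'when' is already a Jinja2 expression, so no {{ }} delimiters are needed
  when: item.password is not match('^[a-zA-Z][a-zA-Z0-9_$#]*$')
  loop:
    - { name: 'oracle_sys_password', password: "{{ oracle_sys_password }}" }
    - { name: 'oracle_redo_user_password', password: "{{ oracle_redo_user_password }}" }
  no_log: yes  # keep the password values out of the task output
  delegate_to: localhost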

- name: Assert that all checks passed
  assert:
    that: variable_validation | length == 0
    fail_msg: "Variables that didn't match regex: {{ variable_validation | join(', ') }}"
  delegate_to: localhost
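
The regex from step 2 can be exercised outside the playbook before committing to a long run. The following Python sketch is an added example, not code from the original post: it mirrors the loop with `re.match`, which is what Ansible's `match` test calls, and reports only variable names. The sample values are constructed, and `failed_variables`, the `hypothetical_*` names and the stricter `\Z` pattern are assumptions introduced for illustration.

```python
import re

# Pattern from the playbook: a leading letter, then letters, digits, '_', '$' or '#'.
PAGE_PATTERN = r'^[a-zA-Z][a-zA-Z0-9_$#]*$'
# Assumption: a stricter variant. In Python regex '$' also matches just before
# a trailing newline, while '\Z' matches only at the very end of the string.
STRICT_PATTERN = r'^[a-zA-Z][a-zA-Z0-9_$#]*\Z'


def failed_variables(variables, pattern=PAGE_PATTERN):
    """Return the names (never the values) of variables that fail the pattern.

    Mirrors the playbook loop. A value that is not a string (for example an
    unset variable represented as None) is reported as a failure.
    """
    compiled = re.compile(pattern)
    failed = []
    for name, value in variables.items():
        if not isinstance(value, str) or compiled.match(value) is None:
            failed.append(name)
    return failed


# Constructed sample values, not real credentials.
SAMPLE_VARS = {
    "oracle_sys_password": "Sys_pw$2024",            # valid
    "oracle_redo_user_password": "9starts_digit",    # starts with a digit
    "hypothetical_at_sign": "Bad@char1",             # '@' is not allowed
    "hypothetical_empty": "",                        # empty string
    "hypothetical_missing": None,                    # variable not set
    "hypothetical_trailing_newline": "Good_pw1\n",   # newline after a valid value
}

if __name__ == "__main__":
    print("page pattern  :", failed_variables(SAMPLE_VARS))
    print("strict pattern:", failed_variables(SAMPLE_VARS, STRICT_PATTERN))
```

With the page's pattern the value ending in a newline passes, because `$` accepts a single trailing newline; the `\Z` variant rejects it.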



With the Ansible variable input validation technique there is an opportunity to improve delivery pace and quality.


