[postgresql] Avoid unnecessary password lookup
When a password is defined for a role, the lookup of the password should
be completely avoided. The previous default construct was evaluated in
a way that would still access the password lookup, and potentially
generate the password, even if one was explicitly provided.

The result was correct, but since the password lookup can have
side effects, even in check-mode (it creates files), it should not
be run if it is not needed.
href committed Dec 30, 2024
1 parent d0cf56d commit c382e67
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions ansible/roles/postgresql/tasks/main.yml
Expand Up @@ -98,11 +98,11 @@
community.postgresql.postgresql_user:
name: '{{ item.name | d(item.role) }}'
port: '{{ item.port | d(postgresql__port if postgresql__port else omit) }}'
password: '{{ item.password | d(lookup("password",
password: '{{ item.password if item.password is defined else lookup("password",
secret + "/postgresql/" + postgresql__password_hostname +
"/" + (item.port | d(postgresql__port)) +
"/credentials/" + item.name | d(item.role) + "/password " +
"length=" + postgresql__password_length + " chars=" + postgresql__password_characters)) }}'
"length=" + postgresql__password_length + " chars=" + postgresql__password_characters) }}'
encrypted: '{{ item.encrypted | d(True) }}'
expires: '{{ item.expires | d(omit) }}'
role_attr_flags: '{{ (item.flags | d() | join(",")) | d(omit) }}'
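Review bot: The new `password:` expression carries no comment saying why it uses `item.password if item.password is defined else lookup(...)` while every other parameter in this task keeps the `| d(...)` idiom, so a later cleanup could quietly switch it back and reintroduce the unwanted lookup. A short YAML comment above `password:` noting that `d()` evaluates its argument eagerly and that the password lookup creates files, even in check mode, would protect the change. Operator precedence is not a concern in this hunk because no filter follows the closing parenthesis of `lookup(...)`.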
Expand Down Expand Up @@ -268,11 +268,11 @@
(item.port | d(postgresql__port)),
(item.database | d("*")),
(item.role | d(item.owner)),
(item.password | d(lookup("password",
(item.password if item.password is defined else lookup("password",
secret + "/postgresql/" + (item.server | d(postgresql__password_hostname))
+ "/" + (item.port | d(postgresql__port)) + "/credentials/"
+ item.name | d(item.role | d(item.owner))
+ "/password length=" + postgresql__password_length))
+ "/password length=" + postgresql__password_length)
| regex_replace("\\", "\\\\") | regex_replace(":", "\:"))]
| join(":") }}'
state: 'present'
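Review bot: The two `regex_replace` filters after the `lookup(...)` call now apply only to the else branch, so an explicitly provided `item.password` is no longer escaped. In Jinja2 a filter binds tighter than the `if ... else` conditional expression, which means `item.password if item.password is defined else lookup(...) | regex_replace("\\", "\\\\") | regex_replace(":", "\:")` escapes the looked-up value but passes a user-supplied password containing `:` or `\` through unchanged into the colon-joined entry. Before the change the filters ran on the result of `item.password | d(...)`, covering both cases. Wrap the conditional in its own parentheses, `((item.password if item.password is defined else lookup(...)) | regex_replace(...) | regex_replace(...))`, so the escaping applies to whichever value is chosen. Separately, this lookup passes only `length=` while the role task above also passes `chars=` with `postgresql__password_characters`; if this task is the first to create the password file, the configured character set is not used.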