Unexpected reported change for credentials role in combination with GUI #919

Open
juliaschindler opened this issue Oct 1, 2024 · 6 comments
@juliaschindler

Summary

Setting up a credential in the AAP GUI and then running the credentials role with the same credential configured in controller_credentials and using "update_secrets: false" reports back "changed" on the first run, "ok" on rerun.

Issue Type

  • Bug Report

Ansible, Collection, Controller details

ansible --version
ansible [core 2.16.11]
  config file = /home/juliaschindler/.ansible.cfg
  configured module search path = ['/home/juliaschindler/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/juliaschindler/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/juliaschindler/.local/bin/ansible
  python version = 3.12.6 (main, Sep  9 2024, 00:00:00) [GCC 14.2.1 20240801 (Red Hat 14.2.1-1)] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True

ansible-galaxy collection list
# /home/juliaschindler/.ansible/collections/ansible_collections
Collection                     Version
------------------------------ -------
ansible.controller             4.5.12 
infra.controller_configuration 2.10.3 

Controller version
Ansible Automation Platform Controller 4.5.6
  • ansible installation method: OS package

Desired Behavior

Setting up a credential in the AAP GUI and then running the credentials role with the same credential configured in controller_credentials and using "update_secrets: false" reports back "ok" on any run.
This is the experienced behaviour with the users role, which has the same "update_secrets" parameter.

Actual Behavior

Setting up a credential in the AAP GUI and then running the credentials role with the same credential configured in controller_credentials and using "update_secrets: false" reports back "changed" on the first run, "ok" on rerun.

  • playbook: see steps to reproduce
  • configuration file / list: credentials to set up in {{ playbook_dir }}/controller/credentials.yml, see steps to reproduce; connections variables like controller_hostname set up in {{ playbook_dir }}/aaps_secrets.yml
  • Unexpected behavior:

First playbook run after setting up the credential already in the AAP GUI:

$ ansible-playbook --ask-vault-pass credentials_play.yml
Vault password: 

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [Include vars from configs directory] *************************************
ok: [localhost]

TASK [infra.controller_configuration.meta_dependency_check : Check awx.awx is installed] ***
ok: [localhost]

TASK [infra.controller_configuration.meta_dependency_check : Check ansible.controller is installed] ***
ok: [localhost]

TASK [infra.controller_configuration.meta_dependency_check : Ensure one is installed] ***
skipping: [localhost]

TASK [infra.controller_configuration.credentials : Validating arguments against arg spec 'main' - An Ansible Role to create credentials on Ansible Controller.] ***
ok: [localhost]

TASK [infra.controller_configuration.credentials : Managing Credentials] *******
ok: [localhost] => (item=Create/Update Credential Test credential)

TASK [infra.controller_configuration.credentials : Flag for errors (check mode only)] ***
skipping: [localhost]

TASK [infra.controller_configuration.credentials : Managing Controller Credentials | Wait for finish the credential management] ***
FAILED - RETRYING: [localhost]: Managing Controller Credentials | Wait for finish the credential management (30 retries left).
FAILED - RETRYING: [localhost]: Managing Controller Credentials | Wait for finish the credential management (29 retries left).
changed: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation)

PLAY RECAP *********************************************************************
localhost                  : ok=7    changed=1    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0   

On further runs:

$ ansible-playbook --ask-vault-pass credentials_play.yml
[...]
TASK [infra.controller_configuration.credentials : Managing Controller Credentials | Wait for finish the credential management] ***
FAILED - RETRYING: [localhost]: Managing Controller Credentials | Wait for finish the credential management (30 retries left).
ok: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation)

PLAY RECAP *********************************************************************
localhost                  : ok=7    changed=0    unreachable=0    failed=0    skipped=2    rescued=0    ignored=0

STEPS TO REPRODUCE

  1. Create a Machine credential with name, organization, username and password set in the AAP GUI.
  2. Run a playbook calling the credentials role that sets up the same credential and has "update_secrets: false" set.
  3. See that a changed task is reported, even though nothing of the credential configuration has changed.
  4. Rerun the playbook, see that no change is reported.

---
# playbook credentials_play.yml
- hosts: localhost
  connection: local
  vars_files:
    - ./aaps_secrets.yml

  collections:
    - ansible.controller
    - infra.controller_configuration

  pre_tasks:
    - name: Include vars from configs directory
      include_vars:
        dir: ./controller
        extensions:
          - yml
      tags:
        - always

  roles:
    - role: credentials
      when: controller_credentials is defined
      tags: credentials
---
# variable file {{ playbook_dir }}/controller/credentials.yml
controller_credentials:
  - name: Test credential
    state: present
    credential_type: Machine
    organization: myorg
    inputs:
      username: myuser
      password: test1234
    update_secrets: false

juliaschindler added the "bug" and "new" labels Oct 1, 2024
@djdanielsson
Collaborator

If you turn off no_log and turn up verbosity, it should show what it sees as a change.

djdanielsson removed the "new" label Oct 1, 2024
@juliaschindler
Author

Thanks, I tried using -vvvvv and controller_configuration_credentials_secure_logging: false on two runs, but I was not able to see differences:

First run:

changed: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation) => {
    "__credentials_job_async_results_item": {
        "__controller_credentials_item": {
            "credential_type": "Machine",
            "inputs": {
                "password": "test1234",
                "username": "myuser"
            },
            "name": "Test credential",
            "organization": "myorg",
            "state": "present",
            "update_secrets": false
        },
        "ansible_job_id": "j519626111530.45220",
        "ansible_loop_var": "__controller_credentials_item",
        "changed": false,
        "failed": 0,
        "finished": 0,
        "results_file": "/home/juliaschindler/.ansible_async/j519626111530.45220",
        "started": 1
    },
    "ansible_job_id": "j519626111530.45220",
    "ansible_loop_var": "__credentials_job_async_results_item",
    "attempts": 3,
    "changed": true,
    "finished": 1,
    "id": 14,
    "invocation": {
        "module_args": {
            "controller_config_file": null,
            "controller_host": "<hostname>",
            "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_username": "<adminuser>",
            "copy_from": null,
            "credential_type": "Machine",
            "description": null,
            "inputs": {
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "name": "Test credential",
            "new_name": null,
            "organization": "myorg",
            "request_timeout": null,
            "state": "present",
            "team": null,
            "user": null,
            "validate_certs": false
        }
    },
    "results_file": "/home/juliaschindler/.ansible_async/j519626111530.45220",
    "started": 1,
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}

Second run:

ok: [localhost] => (item=Create/Update Credential Test credential | Wait for finish the credential creation) => {
    "__credentials_job_async_results_item": {
        "__controller_credentials_item": {
            "credential_type": "Machine",
            "inputs": {
                "password": "test1234",
                "username": "myuser"
            },
            "name": "Test credential",
            "organization": "myorg",
            "state": "present",
            "update_secrets": false
        },
        "ansible_job_id": "j98685813622.45642",
        "ansible_loop_var": "__controller_credentials_item",
        "changed": false,
        "failed": 0,
        "finished": 0,
        "results_file": "/home/juliaschindler/.ansible_async/j98685813622.45642",
        "started": 1
    },
    "ansible_job_id": "j98685813622.45642",
    "ansible_loop_var": "__credentials_job_async_results_item",
    "attempts": 3,
    "changed": false,
    "finished": 1,
    "id": 14,
    "invocation": {
        "module_args": {
            "controller_config_file": null,
            "controller_host": "<hostname>",
            "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "controller_username": "<adminuser>",
            "copy_from": null,
            "credential_type": "Machine",
            "description": null,
            "inputs": {
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
            },
            "name": "Test credential",
            "new_name": null,
            "organization": "myorg",
            "request_timeout": null,
            "state": "present",
            "team": null,
            "user": null,
            "validate_certs": false
        }
    },
    "results_file": "/home/juliaschindler/.ansible_async/j98685813622.45642",
    "started": 1,
    "stderr": "",
    "stderr_lines": [],
    "stdout": "",
    "stdout_lines": []
}

github-actions bot added the "inactive" label (no movement in 30 days) Nov 1, 2024
github-actions bot closed this as not planned (won't fix, can't repro, duplicate, stale) Nov 8, 2024
djdanielsson removed the "inactive" label Nov 8, 2024
djdanielsson reopened this Nov 8, 2024
@djdanielsson
Collaborator

This is likely a bug at the module level, but I would have to try and spend more time testing.

@juliaschindler
Author

Oh ok, thanks for the update. Please let me know if I should rather open an issue at the repository of the credentials module then?

@djdanielsson
Collaborator

djdanielsson commented Nov 15, 2024

It would be here: https://github.com/ansible/awx/issues. Another thing you could do is create a support case on it, but you will have to use the module itself in testing, not our collection, for them to likely accept the bug.

@juliaschindler
Author

I have tested using the credential module directly in a playbook as you suggested, and indeed it also showed the change on first run. I have created the issue mentioned above. I think this issue here can be closed. Thank you very much! :)
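
One way to run the direct-module test described in this thread, written as an added example (not the playbook the issue author used and not code from the collection). It assumes the credential from step 1 already exists in the GUI, and that the vaulted `aaps_secrets.yml` defines `controller_hostname`, `controller_username`, `controller_password`, `controller_validate_certs` and a hypothetical `test_credential_password`.

```yaml
---
# Added example: idempotency check against ansible.controller.credential
# itself, bypassing the infra.controller_configuration role.
# Assumed variable names: controller_* and test_credential_password,
# all expected to come from the vaulted aaps_secrets.yml.
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - ./aaps_secrets.yml

  tasks:
    # Same arguments applied twice; with update_secrets: false neither
    # pass should touch a credential that already matches.
    - name: Apply the unchanged credential twice
      ansible.controller.credential:
        controller_host: "{{ controller_hostname }}"
        controller_username: "{{ controller_username }}"
        controller_password: "{{ controller_password }}"
        validate_certs: "{{ controller_validate_certs | default(true) }}"
        name: Test credential
        organization: myorg
        credential_type: Machine
        state: present
        update_secrets: false
        inputs:
          username: myuser
          password: "{{ test_credential_password }}"
      loop: [first, second]
      register: passes

    - name: Show which pass reported a change
      ansible.builtin.debug:
        msg: "{{ item.item }} pass changed={{ item.changed }}"
      loop: "{{ passes.results }}"
      loop_control:
        label: "{{ item.item }}"

    # Fails when the behaviour reported in this issue is present.
    - name: Require both passes to be idempotent
      ansible.builtin.assert:
        that:
          - passes.results | selectattr('changed') | list | length == 0
        fail_msg: "credential module reported a change with update_secrets: false"
```

Run it with `ansible-playbook --ask-vault-pass` right after creating the credential in the GUI, since the report says only the first run against a GUI-created credential shows the change.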
