
I am reworking my Ansible inventory to use ansible-vault. Everything is working fine; however, I have an issue with, I think, precedence of variables. When I try to make a local connection to ansiblemaster (localhost 127.0.0.1), it seems to be using the sudo passwords of the global configuration instead of the one in the host_vars.

This is my setup:

  • hosts.ini
  • group_vars/all/config.yml
  • group_vars/all/secrets.yml
  • host_vars/ansiblemaster

So I have this defined in group_vars/all/config.yml:

### GLOBAL ###
ansible_become_password: "{{ secret_ansible_become_password }}"
ansible_password: "{{ secret_ansible_password }}"
ansible_user: "{{ secret_ansible_user }}"

And I have this defined in host_vars/ansiblemaster:

ansible_ssh_host: 127.0.0.1
ansible_user: "{{secret_master_ansible_user}}"
ansible_password: "{{secret_master_ansible_password}}"
ansible_become_password: "{{secret_master_ansible_become_password}}"
ansible_become_user: "{{secret_master_ansible_become_user}}"
ansible_connection: local

I keep getting:

password: \nsudo: 1 incorrect password attempt\n"

when I run a playbook that makes a local connection and performs sudo.

Does my definition in host_vars/ansiblemaster not overwrite group_vars/all/config?

Daniel Mann

1 Answer


I've solved it. It comes down to this: I had a local_action: task that wasn't picking up the variables for "ansiblemaster" (which is localhost)... I changed it to use delegate_to: ansiblemaster and now it does pick up the variables in my host_vars/

...

Not sure if this is best practice.
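The change described in the answer, written out as an added example (not code from the original post). The play target `webservers` and the `id -un` check are assumptions; `ansiblemaster` and the variable names are the ones from the question.

```yaml
# Added sketch, not the poster's playbook. "webservers" is a hypothetical
# play target; "ansiblemaster" is the inventory host from the question.
- hosts: webservers
  gather_facts: false
  tasks:
    # Before: local_action runs on the control node, but not under the
    # inventory name "ansiblemaster". In the question's setup this task did
    # not see host_vars/ansiblemaster and sudo was given the password from
    # group_vars/all instead.
    - name: Before - local_action (fails in the question's setup)
      local_action: ansible.builtin.command id -un
      become: true
      changed_when: false
      ignore_errors: true

    # After: delegating to the inventory name makes the task use that host's
    # connection and become variables from host_vars/ansiblemaster.
    - name: After - delegate to the inventory host
      ansible.builtin.command: id -un
      delegate_to: ansiblemaster
      become: true
      changed_when: false
      register: whoami

    # Verify which become user was applied without printing any vaulted
    # password: compare the command output to the host's become user.
    - name: Confirm the become user came from host_vars/ansiblemaster
      ansible.builtin.assert:
        that:
          - whoami.stdout == hostvars['ansiblemaster'].ansible_become_user
        quiet: true
```

The assert compares user names only, so the vaulted passwords never appear in task output or logs.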