When running Ansible in check mode (`--check`), it seems the `validate` command is not run for template tasks:

```yaml
- name: Nginx is configured
  template:
    src: nginx.conf.j2
    dest: /usr/local/etc/nginx/nginx.conf
    validate: /usr/local/sbin/nginx -t -c %s
  notify: Reload Nginx
```

Since Ansible is able to tell the difference between the existing destination and new file that is to be installed when running in check mode, it should be able to validate the new file. As it is now, if the template contains an error it will only show up in the real run, not in check mode.

Is there a way to validate template files in check mode?

Adam Lindberg

1 Answer

I think the thing you're looking for is `check_mode: no`, which has a very confusing double-negative name but effectively allows a task to opt out of check-mode suppression.

HOWEVER, in your case you will want to stage that file somewhere first, so you can render the template to disk and have nginx test it, leaving the `mv /tmp/nginx.conf /usr/local/etc/nginx/nginx.conf` and its `notify:` guarded by actual check mode.

mdaniel
  • Do you know if creating a separate file as a separate task would let the verification run in check mode? – Adam Lindberg Oct 18 '18 at 08:37
  • I don't exactly follow your question, but if you mean "but check mode prevents the `template:` from executing," then, yes, of course you'll have to opt the `template:` out of check mode, too, along with the "check mode now writes files to disk" risk that accompanies it – mdaniel Oct 19 '18 at 03:14
  • So running it in check mode would still actually write the real template to the target system in that case? – Adam Lindberg Oct 25 '18 at 10:21
  • it will write it _somewhere_, yes, unless `nginx` supports checking stdin (which it _might_, if it can still find any included resources correctly); but it will only overwrite the for-real one when running in for-real mode – mdaniel Oct 27 '18 at 03:01
  • If I understand all this correctly, I could add two tasks (one that renders a temp file, and one that does a manual validation) and run those in check mode. Then I change the template task to a copy task that only runs if the validation task was successful? This basically feels like a manual "check mode" hack... – Adam Lindberg Nov 07 '18 at 11:16
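
The staged approach discussed in the answer and comments above, written out as an added example that is not part of the original posts. The host group `web`, the variable names and the staging path are assumptions; the staging file is placed in a root-only location next to the live config instead of `/tmp`, since the first two tasks write to disk even under `--check`.

```yaml
# Added example, not from the original thread.
# Assumed names: host group "web", vars nginx_conf / nginx_staged.
- hosts: web
  become: true
  vars:
    nginx_conf: /usr/local/etc/nginx/nginx.conf
    # Assumed staging path. Kept beside the live file (not in a
    # world-writable directory) so another local user cannot pre-create it.
    nginx_staged: /usr/local/etc/nginx/.nginx.conf.staged

  tasks:
    # check_mode: no makes this task run for real even with --check,
    # so a candidate file exists on disk for nginx to test.
    - name: Render candidate config to the staging path
      template:
        src: nginx.conf.j2
        dest: "{{ nginx_staged }}"
        owner: root
        mode: "0600"
      check_mode: no
      changed_when: false   # staging is not a change to the live service

    # Also opted out of check mode. A non-zero exit from nginx -t fails
    # the host here, so the install task below is never reached.
    - name: Validate the candidate config
      command: "/usr/local/sbin/nginx -t -c {{ nginx_staged }}"
      check_mode: no
      changed_when: false

    # This task honours check mode: under --check it only reports
    # whether the live file would change; in a real run it installs
    # the validated file and triggers the reload.
    - name: Nginx is configured
      copy:
        src: "{{ nginx_staged }}"
        dest: "{{ nginx_conf }}"
        remote_src: true
      notify: Reload Nginx

  handlers:
    - name: Reload Nginx
      service:
        name: nginx
        state: reloaded
```

With this layout a `--check` run is no longer side-effect free: it leaves the staged file on the target, but the live `nginx.conf` and the reload handler are only touched in a real run.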