I have a very weird issue that I am unable to resolve. I have already spent 4 hours debugging it without any progress; I have never encountered something like this before.
Ansible information:
ansible [core 2.11.5]
config file = /Users/igor/Projects/infrastructure/mint2/ansible.cfg
configured module search path = ['/Users/igor/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/igor/.local/share/virtualenvs/mint2-x8LdeqZ_/lib/python3.9/site-packages/ansible
ansible collection location = /Users/igor/.ansible/collections:/usr/share/ansible/collections
executable location = /Users/igor/.local/share/virtualenvs/mint2-x8LdeqZ_/bin/ansible
python version = 3.9.6 (default, Jun 28 2021, 19:24:41) [Clang 12.0.5 (clang-1205.0.22.9)]
jinja version = 3.0.1
libyaml = False
Here is a sample playbook:
---
- hosts: somehost
  gather_facts: yes
  vars_files:
    - host_vars/somehost/common/common.yml
    - host_vars/somehost/backup/backup.yml
  pre_tasks:
    - name: Prepare | Remove AppArmor
      apt:
        name: apparmor
        state: absent
    - name: Prepare | Stop AppArmor
      service:
        name: apparmor
        enabled: no
  roles:
    - roles/role-provision-common
    - roles/role-deploy-backup
Here is the structure of the host_vars:
host_vars/somehost
├── backup
│   ├── backup.yml
│   └── encryption_key
├── common
│   ├── common.yml
│   └── ssh-keys
│       ├── id_rsa_backup
│       └── id_rsa_backup.pub
Here is the content of the common.yml:
common_packages_generic_enabled: true
common_packages_stats_enabled: true
common_packages_mysql_enabled: true
common_packages_web_server_enabled: false
common_network_rename_interfaces: true
common_preferred_timezone: 'UTC'
Here is the content of the backup.yml:
backup_server_hostname: someserver
backup_server_path: /home/someuser
backup_server_user: somerserver
backup_server_port: '22'
backup_host_user: someremoteuser
backup_host_mount_path: /home/someremoteuser/backup
backup_host_user_private_key_path: host_vars/somehost/common/ssh-keys/id_rsa_backup
The encryption_key, id_rsa_backup and id_rsa_backup_pub files are vault-encrypted.
So, when I run:
ansible-playbook --check --diff somehost.yml -vvvvvvvv
I receive the following error:
PLAY [somehost] ************************************************************************************************************************************************************************************
Found a vault_id (default) in the vaulttext
We have a secret associated with vault id (default), will try to use to decrypt /Some/Local/Path/host_vars/somehost/backup/encryption_key
Trying to use vault secret=(FileVaultSecret(filename='/Some/Local/Path/.vault')) id=default to decrypt /Some/Local/Path/host_vars/somehost/backup/encryption_key
Trying secret FileVaultSecret(filename='/Some/Local/Path/.vault') for vault_id=default
Decrypt of "b'/Some/Local/Path/host_vars/somehost/backup/encryption_key'" successful with secret=FileVaultSecret(filename='/Some/Local/Path/.vault') and vault_id=default
Found a vault_id (default) in the vaulttext
We have a secret associated with vault id (default), will try to use to decrypt None
Trying to use vault secret=(FileVaultSecret(filename='Some/Local/Path/.vault')) id=default to decrypt None
Trying secret FileVaultSecret(filename='Some/Local/Path/.vault') for vault_id=default
Decrypt successful with secret=FileVaultSecret(filename='Some/Local/Path/.vault') and vault_id=default
ERROR! failed to combine variables, expected dicts but got a 'dict' and a 'AnsibleUnicode':
{'backup_server_hostname': 'somehost', 'backup_server_path': '/home/somehostpath', 'backup_server_user': 'somehostpath', 'backup_server_port': '22', 'backup_host_user': 'automator', 'backup_host_mount_path': '/home/xxxx/mnt/backup', 'backup_host_user_private_key_path': 'host_vars/somehost/common/ssh-keys/id_rsa_backup', 'backup_borgmatic_configuration': [{'source_directories': ['/home/xxxx/.mysql'], 'repositories': ['/home/xxxx/mnt/backup/backup'], 'application_name': 'somehost_db', 'location': {'exclude_if_present': '.nobackup'}, 'storage': {'encryption_passphrase': 'xxxxx', 'archive_name_format': "'{hostname}-mysql-{now}'"}, 'retention': {'keep_hourly': '168', 'prefix': "'{hostname}-mysql-'"}, 'consistency': {'checks': ['archives'], 'check_repositories': ['/home/xxxx/mnt/backup/backup']}, 'hooks': {'before_backup': ['sh /home/xxxx/.scripts/check_sshfs.sh', 'sh /home/xxxx/.scripts/mysql_backup.sh', 'echo "Starting a backup."'], 'after_backup': ['echo "Backup done"'], 'on_error': ['echo "Backup failed"']}}]}
"BORG_KEY 36dfe604435ad8eaca89e39 hqlhbGdvcml0aG2mc2hhMjU2pGRhdGHaAN5a1XnA0c3O3MC44+lN2nWgol31naZud/Gf1p Q2aDmnXeMj7pHR1LPL/K/b3vrBgWW64RV6e9E9PSsYicrLcYDrPA0s2YSHbZpTBBPKURxX h0uIhTTj8497vhiezwQOhjDxFpVPtzqWmlmz9ibQlrGCiBQQD95+NitfFJTBUoQ7HS+rgs /m87v8rQaOWhv6/4V9w1K4ooMu5ufMxNeUXUfidFJNs5HeJf2QS2iTd7dSBYLUmId5guZT PTypFvdtpsnUfXGQ5l0rluAgd1BigYxCtvdNwNRus88y9nc74y+kaGFzaNoAIN8uIPII2m Fzh6ZxBaG21vIbDFnFZHWjxBZwO+1MGz5Fqml0ZXJhdGlvbnPOAAGGoKRzYWx02gAgIpO9 oD"
The part before the BORG_KEY sequence is the content of the backup/backup.yml file, and the text after it is the decrypted encryption_key.
In order to run this playbook I have to remove the encryption_key, id_rsa_backup and id_rsa_backup_pub files.
But - here is the weird part - I have another 5 playbooks which run the same roles and have practically the same host_vars structure and vault-encrypted files, but they run just fine without needing to remove the encrypted files. So in half of the cases it doesn't work, and in the other half it does. And they all belong to the same groups.
I have no clue why this is happening and why Ansible tries to include files that I haven't specifically asked for.
Any help is appreciated.
UPDATE: I also found out that if I add any extension to the encrypted files (.key and .pem), my playbook works fine. And I have no idea why.
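The behaviour described in the question and the UPDATE comes from Ansible's host_vars loading: host_vars/somehost is a directory, so everything in it that looks like a vars file is read and merged, regardless of what vars_files lists. The selection rule, as I understand it from Ansible's DataLoader (a re-implementation from memory, so treat it as an assumption): skip names starting with "." or ending with "~", recurse into extensionless subdirectories such as ssh-keys, and load any file that has no extension or one of .yml/.yaml/.json. An extensionless vault-encrypted key therefore gets decrypted and merged; its plaintext is a string, not a mapping, which is exactly the "expected dicts but got a 'dict' and a 'AnsibleUnicode'" error. Note that the error message also printed the decrypted BORG_KEY material to the terminal, which is a good reason to keep raw secrets out of vars directories altogether. The script below is an added example, not code from the question or from Ansible; it rebuilds the post's layout in a temporary directory with placeholder vault bodies (constructed, not real ciphertext) and flags the files that will break variable merging.

```python
"""Lint a host_vars/<host> directory for files Ansible will merge as host
variables even though they hold raw (vault-encrypted) secrets."""
import os
import tempfile
from pathlib import Path

# Ansible's default YAML_FILENAME_EXTENSIONS; extensionless files are loaded too.
VARS_EXTENSIONS = ('.yml', '.yaml', '.json')
VAULT_HEADER = '$ANSIBLE_VAULT;'


def ansible_vars_files(directory, extensions=VARS_EXTENSIONS):
    """Files under `directory` that Ansible's host_vars loader picks up.

    Assumed rule (re-implemented from memory of DataLoader._get_dir_vars_files):
    skip hidden names and editor backups, recurse into extensionless
    subdirectories, and load files with no extension or a listed one.
    """
    found = []
    for name in sorted(os.listdir(directory)):
        if name.startswith('.') or name.endswith('~'):
            continue
        ext = os.path.splitext(name)[1]
        full = os.path.join(directory, name)
        if os.path.isdir(full) and not ext:
            found.extend(ansible_vars_files(full, extensions))
        elif os.path.isfile(full) and (not ext or ext in extensions):
            found.append(full)
    return found


def relative_vars_files(host_dir):
    """Same list, as POSIX paths relative to host_dir (convenient for reports)."""
    return [Path(p).relative_to(host_dir).as_posix() for p in ansible_vars_files(host_dir)]


def lint_host_vars(host_dir):
    """Return (relative_path, reason) for loaded files that look like raw vault secrets.

    An extensionless file starting with the vault header is almost always a
    key, not a YAML mapping; after decryption it becomes a string and
    combine_vars fails ("expected dicts but got a 'dict' and a 'AnsibleUnicode'").
    A vault-encrypted .yml is a normal encrypted vars file and is not flagged.
    """
    findings = []
    for path in ansible_vars_files(host_dir):
        if os.path.splitext(path)[1]:
            continue
        with open(path, encoding='utf-8', errors='replace') as fh:
            first_line = fh.readline()
        if first_line.startswith(VAULT_HEADER):
            rel = Path(path).relative_to(host_dir).as_posix()
            findings.append((rel, 'extensionless vault-encrypted file is loaded as host vars; '
                                  'give it a non-vars extension (e.g. .key) or move it out of host_vars'))
    return findings


def build_sample_tree():
    """Create a constructed copy of the post's host_vars/somehost layout in a temp dir.

    The vault bodies are placeholder text, not real ciphertext.
    """
    root = Path(tempfile.mkdtemp(prefix='host_vars_somehost_'))
    fake_vault = VAULT_HEADER + '1.1;AES256\n3030303030303030\n'  # constructed placeholder
    files = {
        'backup/backup.yml': 'backup_server_hostname: someserver\n',
        'backup/encryption_key': fake_vault,
        'common/common.yml': "common_preferred_timezone: 'UTC'\n",
        'common/ssh-keys/id_rsa_backup': fake_vault,
        'common/ssh-keys/id_rsa_backup.pub': fake_vault,
        'common/ssh-keys/id_rsa_backup.key': fake_vault,  # the renamed variant from the UPDATE
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding='utf-8')
    return str(root)


if __name__ == '__main__':
    sample = build_sample_tree()
    print('files Ansible would load:', relative_vars_files(sample))
    for rel, reason in lint_host_vars(sample):
        print(f'{rel}: {reason}')
```

Under this rule only backup/backup.yml, backup/encryption_key, common/common.yml and common/ssh-keys/id_rsa_backup are loaded; id_rsa_backup.pub and the renamed id_rsa_backup.key are ignored because their extensions are not vars extensions, which matches the observation that adding an extension makes the playbook run. The two extensionless vault files are the ones the lint reports. Point the script at a real host_vars/<host> directory to check an inventory before running a play.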