
I'm currently troubleshooting an issue we have in which we have an Ansible playbook which retrieves the password of a system using LAPS, assigns that password to a fact and then uses that to connect to a remote server to run an Ansible role.

For the most part this works perfectly fine, however we recently had an issue where, as a total fluke, the password generated by LAPS contained {{ which seems to have caused a failure. Unfortunately the nature of LAPS makes this very difficult to replicate as we don't have access to modify the password attribute directly and the problem machine was deleted before we were made aware.

But I'm looking for a way to prevent this from happening again in future by escaping the {{ or }} characters in the event they are in the password. The code we're currently running is:

    - name: Get password using gssapi auth
      set_fact:
        lapsPass: "{{ lookup('laps_password', host, domain=kdc) }}"
      delegate_to: 127.0.0.1


    - name: Run role
      include_role:
        name: my_role
      vars:
        ansible_user: adminuser
        ansible_password: "{{ lapsPass }}"
        ansible_become: yes
        ansible_become_method: runas
        ansible_become_user: adminuser
        ansible_become_pass: "{{ lapsPass }}"

We're retrieving the password and setting the fact on the local host as we need to get the password to actually establish the remote connection.

I have tried using {% raw %}...{% endraw %} on both the fact setting and the password fields in the role task but these don't seem to work. Anybody got any other ideas/suggestions?

Lagamorph

1 Answer


The Minimal, Reproducible Example below works as expected.

shell> tree .
.
├── ansible.cfg
├── hosts
├── passwd.txt
├── pb.yml
└── roles
    └── my_role
        └── tasks
            └── main.yml

3 directories, 5 files
shell> cat passwd.txt 
keYv{{x>?2Mxy
shell> cat roles/my_role/tasks/main.yml 
- debug:
    var: ansible_password
shell> cat pb.yml 
- hosts: localhost

  vars:

    lapsPass: "{{ lookup('file', 'passwd.txt') }}"

  tasks:

    - include_role:
        name: my_role
      vars:
        ansible_password: "{{ lapsPass }}"
shell> ansible-playbook pb.yml

PLAY [localhost] ******************************************************************************

TASK [include_role : my_role] *****************************************************************

TASK [my_role : debug] ************************************************************************
ok: [localhost] => 
  ansible_password: keYv{{x>?2Mxy

PLAY RECAP ************************************************************************************
localhost: ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
Vladimir Botka
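The following is an added example written for this page, not code from the question, the answer or Ansible. It uses plain Jinja2 (the engine behind Ansible's templating) with the answer's sample password to show why the value survives when it reaches the template only as a variable value, and what happens if the rendered string is fed back through the engine as template text; that a second templating pass is what broke the original run is an assumption, since the failing host was deleted before it could be inspected.

```python
"""Jinja2 illustration of the '{{' in a password hazard from the question.
Example code written for this page, not from the question, the answer or
Ansible itself.  SAMPLE_PASSWORD is the constructed value from the answer's
passwd.txt."""
from jinja2 import Environment, StrictUndefined, TemplateSyntaxError

SAMPLE_PASSWORD = "keYv{{x>?2Mxy"  # constructed sample; contains a Jinja2 '{{'

env = Environment(undefined=StrictUndefined)


def render_once(secret: str) -> str:
    """Safe pattern: the secret is supplied as a variable *value*.  The
    template text is only '{{ lapsPass }}', so a '{{' inside the secret is
    never parsed as syntax and the value passes through unchanged."""
    return env.from_string("{{ lapsPass }}").render(lapsPass=secret)


def render_again(rendered: str) -> str:
    """Hazardous pattern: an already rendered string is used as template
    *text*.  Now '{{x>?2Mxy' is parsed as an expression and the lexer
    rejects the '?' (TemplateSyntaxError)."""
    return env.from_string(rendered).render()


def second_pass_breaks(secret: str) -> bool:
    """True when templating the value a second time would fail or alter it,
    i.e. when the secret is not safe to re-template."""
    first = render_once(secret)
    try:
        return render_again(first) != secret
    except TemplateSyntaxError:
        return True


def contains_jinja_delimiters(secret: str) -> bool:
    """Defensive check a playbook could mirror with an 'assert' task: flag
    retrieved secrets that carry template delimiters so the case is noticed
    instead of surfacing as an opaque connection failure."""
    return any(d in secret for d in ("{{", "}}", "{%", "%}", "{#", "#}"))


if __name__ == "__main__":
    print("one render keeps the password intact:", render_once(SAMPLE_PASSWORD))
    print("a second pass would break it:", second_pass_breaks(SAMPLE_PASSWORD))
    print("delimiters present:", contains_jinja_delimiters(SAMPLE_PASSWORD))
```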