How can I loop over all hosts in a group in this playbook?


Abe Voelker

Aug 14, 2014, 5:16:32 PM
to ansible...@googlegroups.com
I have an inventory file like this:

[webservers]
10.0.0.1
10.0.0.2
10.0.0.3

[postgresservers]
10.0.0.4

And I'm trying to run this playbook against my Postgres host:

---
- name: Allow eth1 port 5432 access to Web servers
  ufw: rule=allow interface=eth1 direction=in port=5432 proto=tcp src={{ item }}
  with_items:
    {% for host in groups['webservers'] %}
      - "{{ hostvars[host]['ansible_eth1']['ipv4']['address'] }}"
    {% endfor %}

What I'm trying to accomplish is for the playbook to determine each Web host's eth1 IPv4 address (which is different from the eth0 IPv4 address listed in the inventory file) and add allowances for them in the Postgres host's firewall.

However, my syntax is incorrect (sorry, I'm a Python noob):

ERROR: Syntax Error while loading YAML script, /tmp/ansible/roles/postgres/tasks/firewall.yml
Note: The error may actually appear before this position: line 5, column 6


  with_items:
    {% for host in groups['web_servers'] %}
     ^

Am I taking the right approach here and just need to fix my syntax, or is there a better way?

Thanks!
Abe

Matt Martz

Aug 14, 2014, 7:05:16 PM
to ansible...@googlegroups.com
I think what you want is the following:

---
- name: Allow eth1 port 5432 access to Web servers
  ufw: rule=allow interface=eth1 direction=in port=5432 proto=tcp src="{{ hostvars[item]['ansible_eth1']['ipv4']['address'] }}"
  with_items: groups['webservers']

That will loop over groups['webservers'] making item be an individual host in the group, then you can just grab what you need from hostvars.


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/6bbb9367-d0ac-4931-adb9-471d86266be8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Matt Martz
ma...@sivel.net
http://sivel.net/
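
Added example (not part of the thread, and not the posters' code): the same firewall rule written as a full playbook. It assumes Ansible 2.5 or later for `loop`, and the two-play layout, `become` and the `assert` task are assumptions added here. The first play exists because `hostvars[item]['ansible_eth1']` is only populated for hosts whose facts have been gathered or cached.

```yaml
---
# Added example. Group names and eth1 follow the inventory in the question.

# Play 1: gather facts from the web hosts so that their eth1 address is
# available in hostvars when the Postgres play runs.
- name: Collect facts from web servers
  hosts: webservers
  gather_facts: true
  tasks: []

# Play 2: open 5432 on the Postgres host only to the web hosts' eth1 IPs.
- name: Allow web tier to reach PostgreSQL
  hosts: postgresservers
  become: true
  tasks:
    # Stop before touching the firewall if any web host lacks the fact,
    # rather than failing halfway through the rule loop.
    - name: Check that every web host reported an eth1 IPv4 address
      assert:
        that:
          - "'ansible_eth1' in hostvars[item]"
          - "'ipv4' in hostvars[item]['ansible_eth1']"
        msg: "No eth1 IPv4 fact for {{ item }}"
      loop: "{{ groups['webservers'] }}"

    - name: Allow eth1 port 5432 access to Web servers
      ufw:
        rule: allow
        interface: eth1
        direction: in
        port: "5432"
        proto: tcp
        src: "{{ hostvars[item]['ansible_eth1']['ipv4']['address'] }}"
      # item is an inventory hostname; the address comes from hostvars.
      loop: "{{ groups['webservers'] }}"
```

On releases older than 2.5, `with_items: "{{ groups['webservers'] }}"` takes the same expression.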

Abe Voelker

Aug 15, 2014, 1:30:15 AM
to ansible...@googlegroups.com
Matt, thanks so much, I do believe that did the trick!

Venkata Vuppala

Feb 25, 2019, 11:36:25 AM
to Ansible Project
Hi Matt,

Thanks for the with_items variable, but can this looping system be used to scan for hosts deep inside the inventory file rather than groups (a child group?)
admin-1/2 are hosts here. I am using Ansible 2.4

Eg:

[admin:children]
admin-1
admin-2

I did try with the below syntax, but it didn't work. I think Ansible didn't like it either.

- -A INPUT -s "{{ hostvars[ my_platform + my_server + [item]]['ansible_ssh_host'] }}" -j ACCEPT
with_items: groups['admin:children']


Regards
VK

Kai Stian Olstad

Feb 25, 2019, 11:51:58 AM
to ansible...@googlegroups.com
On 25.02.2019 17:36, Venkata Vuppala wrote:
> Thanks for the with_items variable, but can this looping system be used to
> scan for hosts deep inside the inventory file rather than groups (a child
> group? )

Ansible inventory is kind of a flat structure, groups and hosts.


> admin-1/2 are hosts here. I am using Ansible 2.4
>
> Eg:
>
> [admin:children]
> admin-1
> admin-2

This means that group admin-1 and group admin-2 are members of group admin.

So if admin-1 and 2 are hosts, this should be

[admin]
admin-1
admin-2


> I did try with the below syntax, but it didn't work. I think Ansible didn't
> like it either.
>
> - -A INPUT -s "{{ hostvars[ my_platform + my_server + [item]]['ansible_ssh_host'] }}" -j ACCEPT

This Jinja template is not valid, I'm not sure what you are trying to do.


> with_items: groups['admin:children']

This would be
with_items: groups['admin']


--
Kai Stian Olstad

Venkata Vuppala

Feb 25, 2019, 12:08:56 PM
to Ansible Project
Hi Kai,

I was trying to write IPtable rules for database servers in ansible, wherein every time an admin server is added into the environment it should be allowed to ssh to the database server.
I tried to use Matt's idea of with_items and tried to call hosts listed in the admin:children ( in the child group ) and unfortunately, it didn't work.

My question was that with_items can look for hosts listed in the child groups in the inventory?

Regards
VK

Kai Stian Olstad

Feb 25, 2019, 12:32:38 PM
to ansible...@googlegroups.com
On 25.02.2019 18:08, Venkata Vuppala wrote:
> I was trying to write IPtable rules for database servers in ansible,
> wherein every time an admin server is added into the environment it should
> be allowed to ssh to the database server.
> I tried to use Matt's idea of with_items and tried to call hosts listed in
> the admin:children ( in the child group ) and unfortunately, it didn't work.
>
> My question was that with_items can look for hosts listed in the child
> groups in the inventory?

There's nothing called a child group, that's just a syntax to say which group is a member of another group.
These two inventories are the same, just different syntax.

inventory1:
-----------
[mysql1]
host1
host2
host3


[mysql2]
host4
host5
host6

[database:children]
mysql1
mysql2


This is the same as writing
inventory2:
----------
[mysql1]
host1
host2
host3

[mysql2]
host4
host5
host6

[database]
host1
host2
host3
host4
host5
host6


As I wrote in the previous mail, you need to use groups['admin'] and not groups['admin:children']


--
Kai Stian Olstad
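
Added example (not part of the thread, and not the posters' code): a task that loops over a parent group, so hosts placed in any member group are picked up. The inventory in the comment, the `database` target group, the use of the `iptables` module and the `ansible_host` fallback are assumptions made for illustration.

```yaml
---
# Added example. Assumed inventory (hypothetical group and host names),
# with admin defined only through its member groups:
#
#   [admin_east]
#   admin-1
#
#   [admin_west]
#   admin-2
#
#   [admin:children]
#   admin_east
#   admin_west
#
# groups['admin'] then contains admin-1 and admin-2. There is no
# groups['admin:children'] key; ":children" is inventory syntax only.
- name: Allow SSH to database servers from admin hosts
  hosts: database
  become: true
  tasks:
    - name: Accept SSH from each admin host
      iptables:
        chain: INPUT
        protocol: tcp
        # Use the connection address from the inventory when one is set,
        # otherwise fall back to the inventory hostname.
        source: "{{ hostvars[item]['ansible_host'] | default(item) }}"
        destination_port: "22"
        jump: ACCEPT
        comment: "ssh from {{ item }}"
      # Templated loop expression; works with with_items on Ansible 2.4.
      with_items: "{{ groups['admin'] }}"
```

An admin host added to either member group gets its rule on the next run, with no change to the task.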