Role played on all hosts, condition "when: 'group' in group_names" not correctly evaluated

[Valérie P]

Hi, 

I am using Ansible 2.2.0 to configure network devices. I have a problem with the evaluation of a condition using "when: 'group' in group_names'. 

The playbook is : 

- name: Configure topologies
  hosts: "{{ TOPO }}"
  strategy: debug
  vars_files:
    - "vars_file/{{TOPO}}.yml"
  roles:
   - set_ce_bgp_params
   - set_pe_bgp_params
   - set_sw_vlan
   - set_banner
  tags:
    - config

Where TOPO is an extra vars I provide when I launch the play. Here TOPO is topo14. The host list contains the following items : 

[ce]
rtr-site1
rtr-site2-1
rtr-site2-2
rtr-site2-tagin-1
rtr-site2-tagin-2
rtr-site3-1
rtr-site3-2
rtr-site4-1
rtr-site4-2
rtr-site5
rtr-site6


[pe]
rtr-ipsn
rtr-pe1
rtr-pe2


[topo14]
rtr-site6
rtr-site2-1
rtr-site2-2
rtr-pe1
rtr-pe2
sw-site1
sw-site3
ch-site2-qa-1
ch-site6-qa

I have a problem with this role : 

- name: Update neighbor parameters
  connection: local
  ios_config:
      host: "{{ inventory_hostname }}"
      parents:
        - "router bgp {{ bgp_as }}"
        - "address-family ipv4 vrf {{ vrf }}"
      commands:
        - "neighbor {{ item.value }} {{topo[rtr_site][rtr_index]['bgp_actions'][item.key]}}"
  with_dict: bgp_neighbors
  when:
    - "'ce' in group_names"
    - not (
      (topo[rtr_site][rtr_index]['bgp_actions'][item.key] is undefined) or
      (topo[rtr_site][rtr_index]['bgp_actions'][item.key] | trim == "")
      )
  notify: clear ip bgp

The role is supposed to be used only on hosts belonging to the [ce] group, but when I launch the play here is the output : 

PLAY [Configure topologies] ****************************************************

 


 

TASK [set_ce_bgp_params : Update neighbor parameters] **************************

fatal: [sw-site3]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

fatal: [sw-site1]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

fatal: [ch-site2-qa-1]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

fatal: [ch-site6-qa]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

fatal: [rtr-pe2]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

fatal: [rtr-pe1]: FAILED! => {"failed": true, "msg": "with_dict expects a dict"}

changed: [rtr-site6] => (item={'key': u'ipsn', 'value': u'57.0.0.9'})

skipping: [rtr-site6] => (item={'key': u'pe1', 'value': u'10.16.11.2'})  

changed: [rtr-site2-1] => (item={'key': u'ipsn', 'value': u'57.0.0.9'})

changed: [rtr-site2-2] => (item={'key': u'ipsn', 'value': u'57.0.0.9'})

skipping: [rtr-site2-2] => (item={'key': u'hsrp', 'value': u'10.12.0.1'})  

skipping: [rtr-site2-2] => (item={'key': u'pe2', 'value': u'10.12.22.2'})  

ok: [rtr-site6] => (item={'key': u'pe2', 'value': u'10.16.12.2'})

ok: [rtr-site2-1] => (item={'key': u'pe1', 'value': u'10.12.11.2'})

skipping: [rtr-site2-1] => (item={'key': u'pe2', 'value': u'10.12.12.2'})  

skipping: [rtr-site2-1] => (item={'key': u'hsrp', 'value': u'10.12.0.2'})

The role is played even if rtr-pe1/rtr-pe2 and else are not in [ce] group. 

What am I doing wrong? Can I do this in an other way?

Kind regards, 

Valerie

[Brian Coca]

a) you cannot make a role conditional, any 'when' is just applied to the tasks in the role

b) with_ runs before when: (so you can make execution conditional by item)

c) use |default({}) to skip the task and avoid the error

----------

Brian Coca

[Valérie P]

Thank you very much Brian!