link
- path: /etc/nginx/nginx.conf
state: absent
Only the following syntax can allow to run multiple tasks that have mixed params (and null params in some case):
- file:
args: "{{ item }}"
with_items: "{{ files }}"
If I used the syntax you offered above, I would need to specify defaults to None for all the arguments:
- file:
src: "{{item.src | default(None) }}"
dest: "{{item.dest | default(None) }}"
path: "{{ item.path | default(None) }}"
state: "{{ item.state }}"
with_items: "{{ files }}"
The last syntax is worse because:
- it removes the original task defaults and you have specify them AGAIN by looking up documentations and setting every task args to their original defaults.
- if I need to use one of the other resource arguments (say `mode`, I have to modify my task to add it, when the first syntax gives you a task that work with any argument defined in the `file` resource...)
Another example with EC2 provisioning:
After deprecation, I am again forced to explicitly define all the `ec2` task variables (if I want automation flexibility in `group_vars`):
- name: Provision EC2 instances
ec2:
key_name: "{{ item.key_name }}"
instance_type: "{{ item.instance_type }}"
image: "{{ item.image}}"
wait: "{{ item.wait }}"
exact_count: "{{ item.exact_count }}"
count_tag: "{{ item.count_tag }}"
vpc_subnet_id: "{{ item.vpc_subnet_id }}"
assign_public_ip: "{{ item.assign_public_ip }}"
region: "{{ item.region }}"
group: "{{ item.group }}"
instance_tags: "{{ item.instance_tags }}"
instance_profile_name: "{{ item.instance_profile_name }}"
volumes: "{{ item.volumes }}"
with_items: "{{ ec2_instances }}"
Before the deprecation, we could have much simpler tasks:
- name: Provision EC2 instances
ec2: "{{ item }}"
with_items: "{{ ec2_instances }}"
Summary
The Ansible core team has not specified the reason it consider this practice unsafe. If an attacker can temper with the `group_vars`, he can do it in both case (this syntax enabled or not). Deprecating this also violates Python principle of simplicity. IMHO, this is a step backwards for Ansible.
The DevOps engineer or the developer automating the solution should worry if it's safe / unsafe, should own the deployment code / deployment variables and has to make sure those are stored in a safe place. I don't think it's the responsibility of Ansible to prevent this behaviour.
Please explain how you consider this last syntax as more unsafe than the first syntax, and in what conditions.
Thanks,
Olivier Cervello
Cloud DevOps Infrastructure Engineer
Google Inc.