Avoid loop.first variable in conditional jinja loops
Fixes 'variable referenced before assignment in enclosing scope'
error that appeared with python 2.7.12 and its apparent change in
handling the {% if loop.first %} jinja control structure.
fullyint committed Jan 12, 2017
1 parent 71af9aa commit 06ce3a3
Showing 2 changed files with 4 additions and 4 deletions.
2 changes: 1 addition & 1 deletion roles/remote-user/tasks/main.yml
Expand Up @@ -24,6 +24,6 @@

- name: Load become password
set_fact:
ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user and user.password is defined %}{% if loop.first %}{{ user.password }}{% endif %}{% endfor %}"
ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user %}{{ '{% raw %}' }}{{ user.password | default('') }}{{ '{% endraw %}' }}{% endfor %}"
when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined
no_log: true
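Review bot: With the `{% if loop.first %}` guard gone from the `ansible_become_pass` expression, every `vault_users` entry whose `name` equals `ansible_user` now contributes output, so two entries with the same name yield both passwords run together and sudo fails with a wrong password instead of using the first match. Either assert that names in `vault_users` are unique before this task or reduce the matches to the first one. Separately, the added `{{ '{% raw %}' }}` and `{{ '{% endraw %}' }}` wrapper and the move from the `user.password is defined` filter to `default('')` are behaviour changes the commit message does not mention; a comment above the task saying why the password is wrapped would help the next reader.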
6 changes: 3 additions & 3 deletions roles/users/tasks/main.yml
Expand Up @@ -16,8 +16,8 @@
- name: Fail if root login will be disabled but admin_user will not be a sudoer
assert:
that:
- "{% for user in users if user.name == admin_user %}{% if loop.first %}{{ 'sudo' in user.groups }}{% endif %}{% else %}{{ false }}{% endfor %}"
- "{% for user in vault_users | default([]) if user.name == admin_user %}{% if loop.first %}{{ user.password is defined }}{% endif %}{% else %}{{ false }}{% endfor %}"
- "{% for user in users if user.name == admin_user %}{{ 'sudo' in user.groups }}{% else %}{{ false }}{% endfor %}"
- "{% for user in vault_users | default([]) if user.name == admin_user %}{{ user.password is defined }}{% else %}{{ false }}{% endfor %}"
msg: |
When `sshd_permit_root_login: false`, you must add `sudo` to the `groups` for admin_user (in `users` hash), and set a password for admin_user in `vault_users` (in `group_vars/{{ env }}/vault.yml`). Otherwise Ansible could lose the ability to run the necessary sudo commands. {% if sudoer_passwords is defined or vault_sudoer_passwords is defined %}
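Review bot: Both `that:` conditions now emit one result per matching entry, so if `users` or `vault_users` lists `admin_user` twice the rendered condition is two values run together (for example `TrueFalse`) rather than a single boolean, and this is the check that guards against losing sudo when root login is disabled. Add a check that `admin_user` matches exactly one entry in each list, or reduce the matches to a single value before testing it.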
Expand All @@ -33,7 +33,7 @@
name: "{{ item.name }}"
group: "{{ item.groups[0] }}"
groups: "{{ item.groups | join(',') }}"
password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash("sha512", user.salt[:16] | default(None) | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% endif %}{% else %}{{ None }}{% endfor %}'
password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", user.salt | default("") | truncate(16, true, "") | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}'
state: present
shell: /bin/bash
update_password: always
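Review bot: On the `password:` line the fallback for a missing `user.salt` changes from `default(None)` to `default("")`, and nothing visible here shows whether `password_hash` treats an empty string as a request for a random salt or as a literal empty salt; with `update_password: always` the latter would write unsalted hashes on every run. Please confirm the behaviour and state in a comment which one is intended. Also, `truncate(16, true, "")` is not an exact replacement for `[:16]` on Jinja2 2.9 and later, where `truncate` has a leeway that defaults to 5 and leaves strings of up to 21 characters uncut.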