variables - Is it possible to set Ansible Vars from existing facts?

Question

I find it easy to describe what I want to do showing how I tried to implement it, as below.

In one playbook1.yml, I have:

- name: set facts with ssh connecton details
  set_fact:
    ssh_user: "user01"
    ssh_pass: "passw0rd"

In my playbook2.yml, I want to do something similar to this:

import_playbook: playbook1.yml
Vars:
  ansible_user: "{{ ssh_user }}"
  ansible_ssh_pass: "{{ ssh_pass }}"

After this, my tasks in the playbook2.yml should attempt to use sshpass when connecting to my remote hosts, getting user and pass for the "ansible_*" Vars above.

Can be done? Clearly that is not working and I am unable to find a solution for this.

Setting Ansible facts for the ssh Vars does work - clearly it needs Vars to trigger sshpass and use password for remote access.

I know ssh keys is the way to go, and that is being covered, however I also need a solution for this specific use case.

Thanks in advance for any help.

question from:https://stackoverflow.com/questions/65925981/is-it-possible-to-set-ansible-vars-from-existing-facts

Answer 1

The only solution I found so far was:

playbook1: Set the facts, and save to a file

On playbook2:

Vars:
  ansible_user: "{{lookup(file',('userfactsfile')}}"
  ansible_ssh_pass: "{{lookup(file',('passfactsfile')}}"

Tasks:
- import_playbook: playbook1.yml

...
my actions here
...
delete userfactsfile
delete passfactsfile

There is still a problem: the password is saved in clear text for the duration of the playbook run. If there is an unexpected interruption in the process, the password file might be left stored in the server (which is the primary concern being addressed in this very same work).

An acceptable solution would be: Encrypt the password before saving it to file in paybook1, However, I faced some technical challenges (I am pretty noob in Ansible), but still a viable solution if I could achieve. The encryption in playbook1 would use the actual password as passphrase.The passphrase is persistent across both playbooks, in a fact. In playbook2, this password would be used to decrypt the password file in the Vars lookup.