If you’re an Ansible convert, you want every part of your deployment to be managed by the tasks in your roles. \u00a0I recently wanted to manage my Elastic Watcher config with Ansible. \u00a0It was enough of a struggle (“learning process”) that I wanted to document it here.<\/p>\n
While I was developing my first few watches, I made stand-alone shell scripts that could be run to create\/update them. \u00a0This worked fine, and even handled the basic auth configuration in front of the master\u00a0nodes. \u00a0Basically it was:<\/p>\n
curl -u username\u00a0-XPUT 'http:\/\/hostname\/_watcher\/watch\/watchname' -d '{ ... }'<\/pre>\nIt would prompt for the user’s password and send the information along.<\/p>\n
Ansible can run local commands, but doesn’t like interactive commands. \u00a0As such, the password prompt would block the task from completing. \u00a0Looking around for other solutions\u00a0led me to the ‘uri’ module. \u00a0By default, it won’t prompt for the password either, but you can use the prompts system<\/a>. \u00a0I chose to use the Ansible vault to store the password to avoid external sharing\/management of the password.<\/p>\nThe final config looks like this:<\/p>\n
- set_fact:\r\n watch: \"{{ lookup('file','watcher.json') }}\"\r\n\r\n- name: Install watcher for cluster health\r\n uri:\r\n delegate_to: 127.0.0.1\r\n url: \"http:\/\/hostname\/\/_watcher\/watch\/watchname\"\r\n method: PUT\r\n user: \"ansible\"\r\n password: \"{{ ansible_password }}\"\r\n force_basic_auth: yes\r\n body: \"{{ watch }}\"\r\n run_once: true<\/pre>\nThe set_fact loads the contents of the file into a variable (otherwise, you’d have to list the entire json in uri’s body<\/em> section).<\/p>\nBy using delegate_to, the PUT will be run on the local machine. \u00a0Coupled with run_once, it contacts the cluster and sets the config one time.<\/p>\n
On my desktop mac, it originally gave me errors about\u00a0httplib2, which I had to install:<\/p>\n
sudo pip install httplib2<\/pre>\nAs mentioned before, the variable that contains the basic auth password comes from an ansible vault.<\/p>\n
One final – yet important – gotcha. \u00a0Ansible seemingly wants to process all data as templates. \u00a0Unfortunately, watcher uses the same variable syntax as Ansible, so your watcher definition may include lines with watcher variables:<\/p>\n
{{ ctx.payload.status }}<\/pre>\nAnsible will think these\u00a0are its own variables, and you’ll get errors when running the playbook:<\/p>\n
fatal: [localhost] => One or more undefined variables: 'ctx' is undefined<\/pre>\nThe solution is to tell Ansible to ignore that section:<\/p>\n
{% raw %}{{ ctx.payload.status }}{% endraw %}<\/pre>\nThis can be a little tedious, but I didn’t find a way to prevent\u00a0Ansible from interpreting the string.<\/p>\n","protected":false},"excerpt":{"rendered":"
If you’re an Ansible convert, you want every part of your deployment to be managed by the tasks in your roles. \u00a0I recently wanted to manage my Elastic Watcher config with Ansible. \u00a0It was enough of a struggle (“learning process”) … Continue reading