[Bug]: Improve support for Ansible 2.19, remove template delimiters and assess variable precidence and processing.

[trfore]

What happened?

PR #62 covers this issue.

The suggested fix works in the default testing scenarios, however, the following errors occur during the listed scenarios:

SSH test

Problem lines are in roles/step_cert/tasks/certs.yml

TASK [trfore.smallstep.step_cert : Certs | Check Required Variables] ***********
[ERROR]: Task failed: Action failed: item.name needs to be set for the role to work
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-ssh/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_cert/tasks/certs.yml:2:3

1 ---
2 - name: Certs | Check Required Variables
    ^ column 3

failed: [ca-client-py3.11-ansible2.19-ssh] (item=item.name) => {"ansible_loop_var": "req_var", "assertion": "lookup('vars', req_var, default='') | length > 0", "changed": false, "evaluated_to": false, "msg": "item.name needs to be set for the role to work", "req_var": "item.name"}

Multi-cert test

Problem lines are in roles/step_provisioner/tasks/main.yml

TASK [trfore.smallstep.step_provisioner : Add provisioner to step-ca] **********
[ERROR]: Task failed: Finalization of task args for 'ansible.builtin.command' failed: Error while resolving value for '_raw_params': object of type 'dict' has no attribute 'ssh'

Task failed.
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-multi/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_provisioner/tasks/main.yml:30:3

28     jmesquery: "authority.provisioners[*].type"
29
30 - name: Add provisioner to step-ca
     ^ column 3

<<< caused by >>>

Finalization of task args for 'ansible.builtin.command' failed.
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-multi/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_provisioner/tasks/main.yml:32:3

30 - name: Add provisioner to step-ca
31   when: item.type|lower not in provisioners|lower
32   ansible.builtin.command: >-
     ^ column 3

<<< caused by >>>

Error while resolving value for '_raw_params': object of type 'dict' has no attribute 'ssh'
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-multi/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_provisioner/tasks/main.yml:32:28

30 - name: Add provisioner to step-ca
31   when: item.type|lower not in provisioners|lower
32   ansible.builtin.command: >-
                              ^ column 28

failed: [ca-server-py3.11-ansible2.19-multi] (item=(censored due to no_log)) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
[ERROR]: Task failed: Finalization of task args for 'ansible.builtin.command' failed: Error while resolving value for '_raw_params': object of type 'dict' has no attribute 'renewal_after_expiry'

Task failed.
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-multi/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_provisioner/tasks/main.yml:30:3

28     jmesquery: "authority.provisioners[*].type"
29
30 - name: Add provisioner to step-ca
     ^ column 3

<<< caused by >>>

Finalization of task args for 'ansible.builtin.command' failed.
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-multi/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_provisioner/tasks/main.yml:32:3

30 - name: Add provisioner to step-ca
31   when: item.type|lower not in provisioners|lower
32   ansible.builtin.command: >-
     ^ column 3

<<< caused by >>>

Error while resolving value for '_raw_params': object of type 'dict' has no attribute 'renewal_after_expiry'
Origin: /home/trf/Documents/code/devops/ansible-public-repos/ansible-smallstep/.tox/py3.11-ansible2.19-multi/.ansible/collections/ansible_collections/trfore/smallstep/roles/step_provisioner/tasks/main.yml:32:28

30 - name: Add provisioner to step-ca
31   when: item.type|lower not in provisioners|lower
32   ansible.builtin.command: >-
                              ^ column 28

failed: [ca-server-py3.11-ansible2.19-multi] (item=(censored due to no_log)) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}
failed: [ca-server-py3.11-ansible2.19-multi] (item=(censored due to no_log)) => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false}

Relevant code or playbook

Relevant log output

Ansible version

No response

Control node OS

No response

Target node OS

No response

[trfore]

resolved in #62

[germebl]

Looking at these failures, they seem to reveal deeper issues beyond just the template delimiter syntax - they’re exposing problems with how variables are accessed in loops.

Important note: This is theoretical analysis based on the error messages - I haven’t been able to test these specific scenarios myself. My use case is relatively simple: I’m deploying with an existing root CA and not using the SSH or multi-cert features. I’m running Ansible 2.19.3 with Python 3.12, where the basic template delimiter fixes work fine for my scenario.

Problem 1: SSH Test - item.name

failed: [ca-client] (item=item.name) => {
  "assertion": "lookup('vars', req_var, default='') | length > 0",
  "evaluated_to": false,
  "msg": "item.name needs to be set for the role to work",
  "req_var": "item.name"
}

The issue: The code is trying to check if item.name exists, but:

• lookup('vars', 'item.name') looks for a variable literally named 'item.name'
• It doesn’t evaluate item.name as “the name attribute of the current loop item”

Suggested fix (untested): This needs context-aware checking:

# Instead of looping over variable names like 'item.name'
loop:
  - item.name
  - item.type

# The assert should directly check the actual item attributes:
- name: Check Required Variables
  ansible.builtin.assert:
    that:
      - item.name is defined
      - item.name | length > 0
      - item.type is defined
  loop: "{{ step_certificates }}"  # Loop over actual cert items

Problem 2: Multi-cert Test - Dict attribute access

Error while resolving value for '_raw_params': object of type 'dict' has no attribute 'ssh'
object of type 'dict' has no attribute 'renewal_after_expiry'

The issue: The command is trying to access item.ssh or item.renewal_after_expiry on dictionary items that don’t have these attributes.

Suggested approach (untested):

1. Use conditional attribute access with defaults:

   {{ item.ssh | default(omit) }}
   {{ item.renewal_after_expiry | default(false) }}

2. Or use when conditions to skip items without these attributes:

   when: 
     - item.type|lower not in provisioners|lower
     - item.ssh is defined  # Only run if ssh config exists

Root Cause Analysis

The original code with {{ }} in asserts was masking these structural problems because it failed earlier with syntax errors. Now that the syntax is correct, we’re discovering:

1. Variable name strings vs actual variable access - the distinction between checking if a variable name exists vs checking object attributes
2. Optional attributes in loops - not all items in loops have the same structure
3. Type safety - dicts being accessed with attributes they don’t have

My Testing Context

For context on my PR: I’m using a fairly straightforward setup:

• Ansible 2.19.3
• Python 3.12
• Deploying with an existing root CA
• Not using SSH certificates or multi-cert provisioner features
• The template delimiter fixes work perfectly for this use case

The failures you’re seeing in SSH and multi-cert tests suggest these advanced features need additional fixes beyond just removing {{ }}.

Recommendation for CI Testing

To properly test this, the CI should include:

1. Varied data structures - items with different sets of attributes
2. Optional fields - provisioners with and without ssh, renewal_after_expiry, etc.
3. Edge cases - empty lists, missing nested keys, None values
4. Basic vs advanced scenarios - simple CA setup (like mine) vs complex multi-provisioner setups

Would you like me to look at the specific files (roles/step_cert/tasks/certs.yml and roles/step_provisioner/tasks/main.yml) to propose concrete fixes? Since I can’t test these specific scenarios myself, the fixes would be theoretical, but I could at least suggest the direction based on the error patterns. It seems like this needs more than just removing template delimiters - it needs rethinking how the variable validation works in these roles.

[trfore]

@germebl just for clarification these are issues when using lookup with this:. I'll reopen this issue as a curiosity and take a look along side with you.

Also I do want to take a closer look at your CI improvements listed here and in the PR, but this will have to occur over the next week or so.

[trfore]

Also now that you are a contributor you should have access to the CI pipeline in GitHub. So all future PRs should automatically run the pipeline without requiring my approval.

As this is a public repo, all actions are free.

Granted I have also included a tox file for local testing across several platforms, Ansible versions and all current Molecule scenarios.