
Ansible Local Python Script with Parameters

So here is what I want to do: I want to run a playbook like this:

ansible-playbook playbookX.yml --ask-vault-pass [host or hostgroup]

The playbook should run a local (on the ansible server) python script with parameters

python scriptname.py Parameter1 Parameter2

Parameter1: a secret that should be encrypted and not visible i.e. with ps -aufx and I should get the password from a vault-file. Maybe I should decrypt it in the python script?

Parameter2: The hostname specified in host or hostgroup (Note: The script should be run for every host when the playbook is run with a hostgroup)

Another note: The python script should best be executed in a virtual_env while the environment should have urllib3 installed.

How could I accomplish that?

reencode asked Oct 18 '22 02:10


1 Answer

You can verify urllib3 is present in the venv with the pip module: http://docs.ansible.com/ansible/latest/pip_module.html

I think you need to pass the host/hostgroup as a var on command line to the playbook:

ansible-playbook playbookX.yml -e "myhosts=[host or hostgroup]" --ask-vault-pass

I suggest using no_log on the task to hide the parameters in the output. I guess it will still show up in ps though.

---
- name: Run on remote host
  hosts: "{{ myhosts }}"

  tasks:
    # <my other tasks on remote host>
    - name: run python script locally
      local_action: command python scriptname.py "{{ my_encrypted_password }}" "{{ myhosts }}"
      no_log: True

You could create a template scriptname.py.j2, add "{{ my_encrypted_password }}" where needed, then create your tmp scriptname.py, execute and remove the tmp file. That way it won't show with ps but it will be in the tmp .py file.

The last suggestion would be to just put it in the .py script and encrypt it with ansible-vault.

Christina A answered Oct 21 '22 03:10
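
One way to keep the secret out of the process list, shown as an added example that is not part of the original answer: the script takes only the hostname in argv and reads the secret from stdin, which the command module's stdin parameter can supply. The venv path and the use of inventory_hostname for the per-host run are assumptions; my_encrypted_password is the variable name from the answer.

```python
"""scriptname.py sketch: hostname in argv, secret on stdin (never in argv).

Assumed calling task (venv path is a placeholder; the variable name is the
one used in the answer; inventory_hostname gives one run per host):

  - name: run python script locally
    ansible.builtin.command:
      argv: ["/path/to/venv/bin/python", "scriptname.py", "{{ inventory_hostname }}"]
      stdin: "{{ my_encrypted_password }}"
    delegate_to: localhost
    no_log: true
"""
import getpass
import sys


def parse_host(argv):
    """Accept exactly one positional argument so a secret cannot ride in argv."""
    if len(argv) != 2:
        raise SystemExit("usage: scriptname.py HOSTNAME  (secret is read from stdin)")
    return argv[1]


def read_secret(stream):
    """Read one line from the stream; prompt without echo on a terminal."""
    if stream.isatty():
        secret = getpass.getpass("secret: ")
    else:
        # The command module appends a newline to stdin by default; strip it.
        secret = stream.readline().rstrip("\r\n")
    if not secret:
        raise SystemExit("no secret supplied on stdin")
    return secret


def main(argv, stream):
    host = parse_host(argv)
    secret = read_secret(stream)
    # Placeholder for the real work (e.g. a urllib3 request using the secret).
    # Report only the length so the value never reaches logs or stdout.
    return f"host={host} secret_len={len(secret)}"


if __name__ == "__main__":
    print(main(sys.argv, sys.stdin))
```

Because the secret arrives over a pipe, it does not appear in the command line that ps reads; no_log still matters so the task's arguments are not written to Ansible's own output.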