I'm now at Chapter 7; the first part discusses the default and role variables in a role.
It is written that role variables (in vars/main.yml) cannot be overridden.
But for secrets it writes:
"Roles should not have site specific data in them or contain any secrets like passwords or private keys because roles are supposed to be generic, reusable, and freely shareable. Therefore, site specific details should not be hard coded into them.
Secrets should be provided to the role through other means. This requirement is one reason that you might want to set role variables when calling a role. Role variables set in the play could provide the secret, or point to an Ansible Vault encrypted file containing the secret."
So it writes to use role variables for secrets and set them in a play. But role variables are supposed to not be overridden: if you want to have a variable that is to be overridden, you should use default variables.
So I am confused.
Referencing the variable precedence:
Here is the order of precedence from least to greatest (the last listed variables override all other variables):
1. command line values (for example, -u my_user, these are not variables)
2. role defaults (defined in role/defaults/main.yml)
3. inventory file or script group vars
4. inventory group_vars/all
5. playbook group_vars/all
6. inventory group_vars/*
7. playbook group_vars/*
8. inventory file or script host vars
9. inventory host_vars/*
10. playbook host_vars/*
11. host facts / cached set_facts
12. play vars
13. play vars_prompt
14. play vars_files
15. role vars (defined in role/vars/main.yml)
16. block vars (only for tasks in block)
17. task vars (only for the task)
18. include_vars
19. set_facts / registered vars
20. role (and include_role) params
21. include params
22. extra vars (for example, -e "user=my_user") (always win precedence)
This shows that role variables (15) can be overridden, but as the chapter states: "not by inventory variables" (such as 3,4,6,8,9). This is because they have a lower precedence, and role variables are expected to be used for the internal functioning of the role.
So, to clarify, all variable types/locations post 15 in the list can override the role variables kept in role/vars/main.yml.
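The pattern the quoted chapter text describes, as an added example that is not from the course material or from either poster: the role ships no secret, the play loads an Ansible Vault encrypted file, and the secret reaches the role as a role parameter. The role name `dbserver`, the variable names, the template name and the file paths are all hypothetical.

```yaml
# Constructed example; every name and path below is hypothetical.
# Each YAML document stands for one file, named in its first comment.
---
# roles/dbserver/defaults/main.yml   (precedence 2: meant to be overridden)
db_port: 5432
---
# roles/dbserver/vars/main.yml       (precedence 15: internal to the role)
# No password here: the role stays generic and shareable.
db_service_name: postgresql
---
# vault/db_secrets.yml, shown before encryption.
# Encrypt it with: ansible-vault encrypt vault/db_secrets.yml
vault_db_password: "CHANGE_ME_PLACEHOLDER"
---
# roles/dbserver/tasks/main.yml
- name: Write database configuration
  ansible.builtin.template:
    src: db.conf.j2
    dest: /etc/dbserver/db.conf
    mode: "0600"
  no_log: true          # keep the rendered secret out of task output and logs
---
# site.yml
- name: Deploy database servers
  hosts: dbservers
  vars_files:
    - vault/db_secrets.yml                   # play vars_files (14)
  roles:
    - role: dbserver
      db_password: "{{ vault_db_password }}" # role param (20), set in the play
      db_port: 5433                          # overrides the role default (2)
```

Run it with `ansible-playbook site.yml --ask-vault-pass`. Because the secret arrives as a role parameter (20), it sits above role vars (15) in the list, while inventory variables (3 to 10) still cannot displace anything the role defines in vars/main.yml.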
Red Hat
Learning Community
A collaborative learning environment, enabling open source skill development.