-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rabbitmq_user doesn't support Ansible check mode #107
Comments
Any update on that? It's quite a critical bug, one testing user password change can bring production down without knowing it. |
Hi @movergan thanks for the report, I will try to have a look into it this week and provide an update. |
Attaching my patched version of this module here in case it's useful for anyone else who needs a workaround for now. (Caveat emptor, etc.) |
Agreed, this is what took me out of my sunday afternoon. But these things happen. As it stands, the „smaller“ bug that we're having here is the fact that community.rabbitmq/plugins/modules/rabbitmq_user.py Lines 466 to 469 in 74f479f
So setting this to As a side note, to fix this issue „properly“, i.e. “supporting check mode“, can mean two different things:
|
I just learned about the |
@csmart I hope this doesn't come across as impatient, but if time is an issue, would it be possible to set |
@lukasjuhrich not at all, you're right. This fell off my radar, so thanks for the reminder. |
Currently, check_mode is not supported on the user module and as such, a user is actually added when run with `--check` option. This an initial temporary fix in order to avoid issues on existing systems. See ansible-collections#107
Currently, check_mode is not supported on the user module and as such, a user is actually added when run with `--check` option. This an initial temporary fix in order to avoid issues on existing systems. See ansible-collections#107
Currently, check_mode is not supported on the user module and as such, a user is actually modified when run with the `--check` option. This an initial temporary fix in order to avoid issues on existing systems. See ansible-collections#107
Currently, check_mode is not supported on the user module and as such, a user is actually modified when run with the `--check` option. This an initial temporary fix in order to avoid issues on existing systems. See ansible-collections#107
Currently, check_mode is not supported on the user module and as such, a user is actually modified when run with the `--check` option. This an initial temporary fix in order to avoid issues on existing systems. See ansible-collections#107
Currently, check_mode is not supported on the user module and as such, a user is actually modified when run with the `--check` option. This an initial temporary fix in order to avoid issues on existing systems. See #107
This has been merged to |
I've released |
Any chance of actually supporting check mode? It's a useful feature, as crossing your fingers and blindly running a playbook over an environment that may have local changes is still not great. |
For whoever needs it, I hacked up a quick ugly workaround role:
user.yml:
assumes the following data structure in var
It'll certainly have its faults but for now it's allowed me to compare state between the ansible playbook and reality on the cluster without wrecking production... |
SUMMARY
When applied with ansible --check, the rabbitmq_user module always makes any required changes to the users anyway. This is unexpected behaviour and potentially disruptive to the RabbitMQ service.
ISSUE TYPE
COMPONENT NAME
rabbitmq_user
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
CentOS 7.9
STEPS TO REPRODUCE
Create a new RabbitMQ user using the rabbitmq_user module, but apply the playbook using ansible-playbook --check, which should show what would happen.
EXPECTED RESULTS
Ansible output would consistently show 'changed: [mqserver.test.com] => {"changed": true, ...}' for task but test-user would not actually be created on RabbitMQ host.
ACTUAL RESULTS
test-user is created the first time playbook is applied with --check. A second run outputs 'ok: ... "changed": false', indicating that the user now exists.
This is because the code for rabbitmq_user.py does not include support for running in check mode (e.g. compare implementation of _exec() with rabbitmq_vhost.py, which explicitly tests for check_mode being enabled and does not execute rabbitmqctl if so).
I have a modified rabbitmq_user implementation that includes check_mode support (based on rabbitmq_vhost.py) if you want a PR.
The text was updated successfully, but these errors were encountered: