Following are the different ways that variables can be set in Ansible. This list is in order of precedence: an option higher in the list takes precedence over the options below it.
- --extra-vars command line option or Extra Variables in Tower
- set_fact
- include_vars
- vars_prompt
- vars_files
- vars plugin
- roles vars
- group_vars (this article)
- /etc/ansible/hosts or your own inventory file
- lookup vars
- register parameter and debug module
The group_vars directory can be used to create variables that can be used by:
- all managed nodes (e.g. target systems)
- certain managed nodes (e.g. target systems)
For example, let's say main.yml contains variables, perhaps something like this.
foo: "Hello World"
environments:
  - development
  - staging
  - production
Variables defined in the group_vars/all/main.yml file will be available to all target servers, whereas variables defined in the group_vars/dev/main.yml file would only be available to target servers that are part of the "dev" group.
Let's say you have a group of dev and prod servers in your default hosts file or your own inventory file.
dev:
  hosts:
    server1.example.com:
    server2.example.com:
    server3.example.com:
prod:
  hosts:
    server4.example.com:
    server5.example.com:
    server6.example.com:
In this scenario, you could create files in the group_vars directory like this.
/usr/local/ansible/group_vars/all.yml
/usr/local/ansible/group_vars/dev.yml
/usr/local/ansible/group_vars/prod.yml
Or like this.
/usr/local/ansible/group_vars/all/main.yml
/usr/local/ansible/group_vars/dev/main.yml
/usr/local/ansible/group_vars/prod/main.yml
AVOID TROUBLE
If both group_vars/all.yml and group_vars/all/main.yml exist, group_vars/all/main.yml will take precedence over group_vars/all.yml.
In this example:
- variables in group_vars/all would be made available to all hosts (both the dev and prod hosts)
- variables in group_vars/dev would only be available to the dev hosts
- variables in group_vars/prod would only be available to the prod hosts
Here is an example of a playbook that targets all hosts (hosts could also be set to dev or prod).
---
- hosts: all
  tasks:
  - debug:
      var: foo
  - debug:
      var: environments
...
Which should return something like this.
TASK [debug]
ok: [server1.example.com] => {
    "foo": "Hello World"
}
ok: [server1.example.com] => {
    "environments": [
        "development",
        "staging",
        "production"
    ]
}
Encrypted Ansible Vault File
You could also create an encrypted file using the ansible-vault create command in one of the group_vars directories.
ansible-vault create group_vars/all/vault.yml
Let's say group_vars/all/vault.yml contains the following.
bar: World
Let's say your playbook contains the "bar" variable.
---
- hosts: all
  tasks:
  - debug:
      var: bar
...
When using the ansible-playbook command to run your playbook, you could use the --ask-vault-pass option.
ansible-playbook example.yml --ask-vault-pass
And you will be prompted for the vault password.
Vault password:
Or, to avoid being prompted for the vault password, you could create a vault password file, and then use the --vault-password-file command line option (if you are going to use the same password for all of the ansible-vault commands).
ansible-playbook example.yml --vault-password-file /usr/local/ansible/vault/.vault_password.txt
Or the --vault-id command line option (if you want to use different passwords)
ansible-playbook example.yml --vault-id john.doe@/usr/local/ansible/vault/.vault_password.txt
Or you could set the vault_password_file directive in your ansible.cfg file.
[defaults]
vault_password_file = /usr/local/ansible/vault/.vault_password.txt
In this scenario, you wouldn't need to use any of the vault password command line options (--ask-vault-pass, --vault-password-file, --vault-id).
ansible-playbook example.yml
The playbook should then output the following, where the value of the "bar" variable in the encrypted group_vars/all/vault.yml file is returned.
TASK [debug]
ok: [server1.example.com] => {
    "bar": "World"
}
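The vault setup above only protects anything if vault.yml is actually encrypted on disk and the vault password file is not readable by other accounts. The following is an added example, not part of the original article: a small Python check for both conditions. The function names and finding labels are hypothetical, it assumes secrets live in files named vault.yml as in this article, and the sample tree in demo() is constructed.

```python
import stat
import tempfile
from pathlib import Path

VAULT_HEADER = b"$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this


def is_vault_encrypted(path):
    """True if the file begins with the Ansible Vault envelope header."""
    with open(path, "rb") as fh:
        return fh.read(len(VAULT_HEADER)) == VAULT_HEADER


def audit_vault_layout(group_vars_dir, password_file):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Assumption taken from the article: secrets live in files named vault.yml.
    for path in sorted(Path(group_vars_dir).rglob("vault.yml")):
        if not is_vault_encrypted(path):
            rel = path.relative_to(group_vars_dir).as_posix()
            findings.append(f"PLAINTEXT {rel}")
    pw = Path(password_file)
    if not pw.is_file():
        return findings + ["PASSWORD_FILE_MISSING"]
    mode = stat.S_IMODE(pw.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"PASSWORD_FILE_GROUP_OR_WORLD_ACCESS mode={mode:04o}")
    if mode & stat.S_IXUSR:
        # Ansible runs an executable password file as a script instead of reading it.
        findings.append(f"PASSWORD_FILE_EXECUTABLE mode={mode:04o}")
    return findings


def demo():
    """Constructed tree: all/vault.yml has a placeholder vault header, dev/vault.yml is plaintext."""
    with tempfile.TemporaryDirectory() as tmp:
        gv = Path(tmp, "group_vars")
        (gv / "all").mkdir(parents=True)
        (gv / "dev").mkdir()
        (gv / "all" / "vault.yml").write_text("$ANSIBLE_VAULT;1.1;AES256\n6162630a\n")
        (gv / "dev" / "vault.yml").write_text("bar: World\n")
        pw = Path(tmp, ".vault_password.txt")
        pw.write_text("constructed-password\n")
        pw.chmod(0o644)
        return audit_vault_layout(gv, pw)


if __name__ == "__main__":
    print("\n".join(demo()) or "OK")
```

Run against a real tree, audit_vault_layout("/usr/local/ansible/group_vars", "/usr/local/ansible/vault/.vault_password.txt") should return an empty list before the directory is committed or shared.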