feat(ansible): per-variable fields in the playbook run form
When you click Run, Steward now parses the playbook and renders a field for each declared variable instead of a blank extra-vars textarea. The form loads on demand via HTMX (/ansible/run-form/<source>/<playbook>). - sources.discover_playbook_variables: parse vars: defaults + vars_prompt: (vars_prompt wins on name collision; non-scalar vars skipped; role/include vars not traversed). Flags secret-looking names + vars_prompt private. - Run-time values flow through a JSON extra-vars file (-e @file), which is space/quote-safe — fixes a latent shlex-split bug in the old -e key=value textarea path. executor.build_extra_vars_file (pure) + start_run merge. - Secret-flagged fields are masked AND routed through an unpersisted secret_vars channel (runner.trigger_run → start_run), so passwords entered at run time never land in the DB / run history. - Defaults shown as placeholders (not prefilled): an untouched field falls through to the inventory/play default instead of overriding it. - routes: run_form HTMX endpoint; _parse_run_params now returns (params, secret_vars, err) and reads var__/secret__ fields. Schedules drop secret vars (can't prompt unattended). - templates: ansible/_run_form.html fragment; browse.html rewired to HTMX, static JS run-form removed. Advanced section keeps limit/tags/check + a free-form extra-vars escape hatch. - tests: test_playbook_variables.py (discovery + extra-vars file). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -186,6 +186,20 @@ def build_bootstrap(connection: dict | None, tmpdir: str) -> tuple[list[str], li
|
||||
return args, files
|
||||
|
||||
|
||||
def build_extra_vars_file(merged: dict | None, tmpdir: str) -> tuple[list[str], list[tuple[str, str]]]:
|
||||
"""Run-time variables → a JSON extra-vars file (``-e @file``).
|
||||
|
||||
Pure: returns (argv, files). JSON is valid YAML to Ansible and, unlike
|
||||
``-e key=value`` strings (which Ansible shlex-splits on whitespace), keeps
|
||||
values with spaces/quotes intact. Used for both operator-entered playbook
|
||||
variables and the unpersisted secret subset (merged by the caller).
|
||||
"""
|
||||
if not merged:
|
||||
return [], []
|
||||
path = os.path.join(tmpdir, "extravars.json")
|
||||
return ["-e", "@" + path], [(path, json.dumps(merged))]
|
||||
|
||||
|
||||
def ansible_env(creds: dict | None, base_env) -> dict:
|
||||
"""Return a copy of base_env with ANSIBLE_HOST_KEY_CHECKING set from creds."""
|
||||
env = dict(base_env)
|
||||
@@ -282,6 +296,7 @@ async def start_run(
|
||||
params: dict | None = None,
|
||||
inventory_content: str | None = None,
|
||||
connection: dict | None = None,
|
||||
secret_vars: dict | None = None,
|
||||
) -> None:
|
||||
"""Execute ansible-playbook as a subprocess and update the DB run row.
|
||||
|
||||
@@ -292,6 +307,9 @@ async def start_run(
|
||||
connection is an optional per-run SSH override (user/password) for
|
||||
first-contact provisioning. It is applied to the subprocess only — it is
|
||||
never persisted on the AnsibleRun row, never placed on argv, and not logged.
|
||||
secret_vars are run-time playbook variables flagged sensitive; like
|
||||
connection they reach the subprocess (merged into the extra-vars file) but
|
||||
are never persisted.
|
||||
"""
|
||||
from steward.models.ansible import AnsibleRunStatus
|
||||
|
||||
@@ -374,7 +392,10 @@ async def start_run(
|
||||
|
||||
cred_args, cred_files = build_credentials(effective_creds, tmpdir)
|
||||
boot_args, boot_files = build_bootstrap(conn, tmpdir)
|
||||
for cred_path, content in cred_files + boot_files:
|
||||
# Operator-entered run-time vars (persisted) + secret vars (not).
|
||||
merged_vars = {**((params or {}).get("extra_vars_map") or {}), **(secret_vars or {})}
|
||||
ev_args, ev_files = build_extra_vars_file(merged_vars, tmpdir)
|
||||
for cred_path, content in cred_files + boot_files + ev_files:
|
||||
with open(cred_path, "w", encoding="utf-8") as cf:
|
||||
cf.write(content)
|
||||
os.chmod(cred_path, 0o600)
|
||||
@@ -388,7 +409,7 @@ async def start_run(
|
||||
user_args += ["--user", ssh_user]
|
||||
|
||||
proc = await asyncio.create_subprocess_exec(
|
||||
*cmd, *cred_args, *boot_args, *user_args,
|
||||
*cmd, *cred_args, *boot_args, *user_args, *ev_args,
|
||||
stdout=asyncio.subprocess.PIPE,
|
||||
stderr=asyncio.subprocess.STDOUT,
|
||||
cwd=cwd,
|
||||
|
||||
Reference in New Issue
Block a user