Welcome to Vigges Developer Community - Open, Learning, Share

templates - How to evaluate a yaml key using jinja and then evaluate its value using jinja in .j2 file using ansible?

I have a Kubernetes secrets manifest in the form of a secret.j2 file which has a password key. This password key is supposed to be assigned a value from an ansible-vault encrypted string present in a dev.yml file. This dev.yml looks like below:-

dev_db_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I am passing "dev" as a runtime parameter "namespace=dev" to my playbook. The stringData of secret.j2 looks like this:-

stringData:
  consoleadminpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"
  consolenonadminpassword: "{{'{{'}} {{ namespace + '_console_password' }} {{'}}'}}"
  dbpassword: "{{'{{'}} {{ namespace + '_db_password' }} {{'}}'}}"

When I am templating secret.j2 to secret.yml, the resulting output of stringData looks like this:-

stringData:
  consoleadminpassword: "{{ dev_console_password }}"
  consolenonadminpassword: "{{ dev_console_password }}"
  dbpassword: "{{ dev_db_password }}"

Now I want it to further evaluate the "dev_db_password" to set "dbpassword" key to the decrypted value from dev.yml while ansible templates secret.j2 to secret.yml. Is there a way to achieve this in the same line by modifying dbpassword: "{{'{{'}} {{ namespace + '_db_password' }} {{'}}'}}" ?

Question from: https://stackoverflow.com/questions/65863662/how-to-evaluate-a-yaml-key-using-jinja-and-then-evaluate-its-value-using-jinja-i


1 Answer


Q: "evaluate the dev_db_password ... while ansible templates secret.j2. Is there a way to achieve this in the same line by modifying dbpassword: ... ?"

A: Yes. There is. Try lookup plugin vars. See ansible-doc -t lookup vars

dbpassword: "{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}"

For example, the template

shell> cat secret.j2
stringData:
  consoleadminpassword: "{{'{{'}} {{ lookup('vars', namespace + '_console_password') }} {{'}}'}}"
  consolenonadminpassword: "{{'{{'}} {{ lookup('vars', namespace + '_console_password') }} {{'}}'}}"
  dbpassword: "{{'{{'}} {{ lookup('vars', namespace + '_db_password') }} {{'}}'}}"

and the playbook

- hosts: localhost
  tasks:
    - template:
        src: secret.j2
        dest: secret.yml
      vars:
        namespace: dev
        dev_console_password: passwd_console
        dev_db_password: passwd_db

give

shell> cat secret.yml 
stringData:
  consoleadminpassword: "{{ passwd_console }}"
  consolenonadminpassword: "{{ passwd_console }}"
  dbpassword: "{{ passwd_db }}"

If you don't need the next evaluation of the variables (passwords) in the dictionary, the template below

shell> cat secret.j2
stringData:
  consoleadminpassword: {{ lookup('vars', namespace + '_console_password') }}
  consolenonadminpassword: {{ lookup('vars', namespace + '_console_password') }}
  dbpassword: {{ lookup('vars', namespace + '_db_password') }}

will give

shell> cat secret.yml 
stringData:
  consoleadminpassword: passwd_console
  consolenonadminpassword: passwd_console
  dbpassword: passwd_db

If you put the passwords into an encrypted file

shell> cat dev.yml 
dev_console_password: passwd_console
dev_db_password: passwd_db
shell> ansible-vault encrypt dev.yml
Encryption successful
shell> cat dev.yml
$ANSIBLE_VAULT;1.1;AES256
30663636653963333864346339303034356463356234383035363561356365376130396465323736
...

the playbook will give the same results

- hosts: localhost
  vars:
    namespace: dev
  tasks:
    - include_vars: "{{ namespace }}.yml"
    - template:
        src: secret.j2
        dest: secret.yml
