I’m having a bit of trouble figuring out the best structure for declaring a 
default variable value per inventory group that would be used by a role, 
that is over rideable per inventory.

I'm aware that versions of this question have been asked many, many times 
before but I haven't yet seen a suitable answer.


I’ve structured my project similar to this:


├── ansible.cfg

├── inventories/         # Parent directory for our environment-specific 

│   │

│   ├── dev/              # Contains all files specific to the dev 

│   │   ├── group_vars/   # dev specific group_vars files

│   │   │   ├── all.yml

│   │   │   ├── billing.yml

│   │   │   └── policy.yml

│   │   └── hosts         # Contains only the hosts in the dev environment

│   │

│   ├── prod/             # As above but for the prod environment

│   │

│   └── stage/            # As above but for the stage environment


├── playbook.yml

├── group_vars/           # Play specific group_vars files

│   ├── all.yml

│   ├── billing.yml

│   └── policy.yml


├── roles/

│   ├── deploy-tomcat-war/


└── . . .


I keep all common variables in playbook/group_vars/<group>.yml because 
there is no other place to declare them that all inventories have access to 
(that I am aware of).


I keep all environment specific overrides in 


For any of you familiar with my problem you’ll already know the fatal flaw 
in my approach.  Ansible’s order of precedence means that the 
playbook/group_vars override inventory/group_vars.  The “recommended” 
solution for this is to place the default variable declaration in 
playbook/group_vars/all as inventory/group_vars will override this, but 
playbook/group_vars/all does not support declaring the same variable with a 
different value per group.


https://github.com/ansible/ansible/issues/9877 has a very good write up of 
the issue but fails to come up with a good solution. 


My understanding of the purpose of each Ansible component is:

   - Inventories: define *where* a play is run (and organize servers by 
   - Playbooks: define *what* roles are applied to a group (the link 
   between inventory and role)
   - Roles: define *how* the components are applied to the group

Given that understanding it should follow that variables define in roles 
are overridden by those defined in playbook/group_vars which in turn should 
be overridden by those defined in inventories/group_vars.  However I keep 
coming across the statement that “playbook/group_vars are meant to override 
the inventory as plays are more specific than inventory”.  I don’t 
understand how the Ansible developers have come to that conclusion, sure 
playbooks control what is run but I would argue that inventories are more 
specific because they control the where.


All the proposed solutions I’ve seen fall into the following groups:

1.     Use customs variable loader.  

a.     Seems a lot of work for something that should be in built


2.     Put all override-able variables into playbook/group_vars/all.yml and 
which will allow you to use inventories/group_vars/<group>.yml to override 

a.     You lose the ability to define variables per group which is vital in 
my playbook / role combinations


3.     Use environment specific groups in inventory your files.  

a.     I can’t even be bothered explaining how bad a solution that strikes 
me as


4.     Keep fingers crossed that developers provide a mechanism to do this, 

   - allow override of the precedence order
   - support groups in playbooks/group_vars/all/<group>/yml 

a.     Based on the age of some of the threads I’ve seen people have been 
waiting a long, long time so I'm not expecting this any time soon


So all you Ansible dev's out there, where do you suggest I put default 
variable declarations for each group where it can be overridden by an 
inventory if required?

You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to