I am using Ansible Tower to expose a play. A user starts a job by calling the REST API and she/he provides some extra_vars. I have to validate the provided variable against some other variables. For example: the user provides a hostname and I have in the inventory a variable: allowed_hostnames. The problem is that extra_vars trumps everything, so the user can always override the variable for the list of allowed values, and the test does not make sense. In Tower there is a Survey feature that can be used to limit the variables a user is allowed to change, but enabling Survey will block dict variables and I need it.
Q: "Problem is extra_vars trumps everything"
A: Avoid the variable. For example, the task
- debug:
    msg: "{{ my_host|default('') }} is allowed to ..."
  when: "my_host|default('') in lookup('file', 'allowed_hosts.yml')|from_yaml"
with the data
$ cat allowed_hosts.yml
- host1
- host2
- host3
- host9
gives
$ ansible-playbook play.yml -e 'my_host=host2'
"msg": "host2 is allowed to ..."
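The same check written to fail closed, as an added example that is not part of the original answer: the play aborts unless my_host is a string found in the allowlist file. It reuses my_host and allowed_hosts.yml from the answer and assumes the file sits next to the playbook in the Tower project, where the user launching the job cannot edit it.

```yaml
# Added example (not from the original answer).
# The allowlist is read from a file through a literal path, so no variable
# holds it and nothing passed with -e / extra_vars can replace it.
- hosts: localhost
  gather_facts: false
  tasks:
    - name: Validate my_host against allowed_hosts.yml
      ansible.builtin.assert:
        that:
          # Fail when the caller did not supply the variable at all
          - my_host is defined
          # JSON extra_vars can carry lists or dicts; accept only a string
          - my_host is string
          # Membership test against the parsed YAML list from the file
          - my_host in (lookup('file', 'allowed_hosts.yml') | from_yaml)
        fail_msg: "my_host is missing or not listed in allowed_hosts.yml"
        quiet: true

    # Reached only when every condition above held; assert stops the play otherwise
    - name: Act on the validated host
      ansible.builtin.debug:
        msg: "{{ my_host }} is allowed to ..."
```

Passing an extra variable such as allowed_hostnames alongside my_host has no effect here, because the task never reads the list from a variable.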