This repository has been archived by the owner on May 14, 2024. It is now read-only.

Environment variables prefix with ANSIBLE_, and AWX #88

Closed
felixfontein opened this issue Apr 13, 2022 · 10 comments

@felixfontein
Contributor

Summary

Three years ago it was decided at the public Ansible project meeting (https://meetbot.fedoraproject.org/ansible-meeting/2019-02-26/ansible_core_irc_public_meeting.2019-02-26-19.02.html, https://meetbot.fedoraproject.org/ansible-meeting/2019-02-26/ansible_core_irc_public_meeting.2019-02-26-19.02.log.html#l-121) that all environment variables used for configuring Ansible should be prefixed with ANSIBLE_ if their name is not dictated by some library used or some 3rd party tool that the module/plugin controls.

Now AWX decided at some point to disallow setting environment variables prefixed with ANSIBLE_ by injecting secrets, and tells users to avoid ANSIBLE_ environment variables in general. (I don't know when that happened, but at least the secret injection seems to be from before that: ansible/awx#2363)

This now leads to the problem that some community collections stick to the naming convention of prefixing env variables with ANSIBLE_, while users who try to use these collections with AWX are experiencing problems due to this. Examples:

For most plugin types, one can add further configuration possibilities, for example with Ansible variables, and suggest that users switch to using these instead. But for inventory plugins, this isn't possible (AFAIK), so this really is a problem.

So: what can we do, what should we do, and what do we want to suggest users and collection maintainers to do? The current situation is annoying for both users and maintainers.

@jamescassell

Sounds like AWX is broken...

@briantist

AWX may have a legitimate security concern, but they could help mitigate this issue by having an allow-list and/or block-list for specific variables that are allowed.

@felixfontein
Contributor Author

It would also be possible to define a prefix that isn't covered by that rule, like ANSIBLE_COMMUNITY_, or ANSIBLE_COLLECTION_ (I'm not happy about these two ones, but cannot think of a better one right now).

@Andersson007
Contributor

@gundalow should folks from awx be engaged in the issue?

@felixfontein
Contributor Author

@gundalow ping

@gundalow
Contributor

Sounds sensible, let's discuss in the AWX channel

@briantist

@gundalow curious why we would move discussion into IRC/matrix instead of having it here?

@eLLIkin

eLLIkin commented Aug 2, 2023

@gundalow ping

@mariolenz
Contributor

@felixfontein Please close this issue if done, or open a new forum topic and then close the issue with a pointer to the new discussion: Community-topics: Archiving the repo

@felixfontein
Contributor Author

I've created https://forum.ansible.com/t/environment-variables-prefix-with-ansible-and-awx/5737 to continue this discussion in the forum.
