Migrate side-effecting lookups
When To Use This
Use this when older keytab or certificate lookup patterns should move to explicit modules.
Required Authority
Lookups should be read-only. Any operation that creates, rotates or otherwise mutates state belongs in a module, because modules carry explicit mutation semantics and check-mode behavior while a lookup hides its side effects inside a template expression.
Safety Boundary
This workflow is preflight. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.
Inputs
- Named target objects
- Credentials with the required IdM or platform authority
- A reviewed output path or downstream task
Steps
- Confirm the target objects and authority before running.
- Run the command or task with review-friendly output.
- Inspect the returned evidence before continuing to any mutating step.
```shell
ansible-playbook --syntax-check playbooks/workload-secret-delivery-static-validation.yml
```
Example Migration
This example moves a keytab rotation out of a lookup and into an explicit module task with a visible rotation guard.
before.yml

```yaml
---
- name: Old pattern hides rotation inside a lookup expression
  ansible.builtin.copy:
    content: >-
      {{ lookup('eigenstate.ipa.keytab',
                principal,
                retrieve_mode='generate') | b64decode }}
    dest: /etc/httpd/conf/httpd.keytab
  no_log: true
```
after.yml

```yaml
---
- name: New pattern makes the mutating operation explicit
  eigenstate.ipa.keytab_manage:
    principal: "{{ principal }}"
    state: rotated
    confirm_rotation: true
    destination: /etc/httpd/conf/httpd.keytab
    mode: "0600"
    server: idm-01.example.com
    kerberos_keytab: /runner/env/ipa/automation.keytab
  no_log: true
```
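The migration above is easy to verify by eye for one task, but a preflight step should catch any remaining lookup-driven mutation before a playbook reaches a scheduled job. The following scanner is an added example, not code from the eigenstate.ipa collection: it walks playbook text for `lookup(...)` expressions whose plugin and keyword argument indicate a write on the IdM side and reports them with line numbers. The `eigenstate.ipa.keytab` plugin and its `retrieve_mode='generate'` argument come from before.yml above; the certificate plugin name, the `request_mode` argument, the list of mutating values and the `retrieve` value in the sample are assumptions constructed for illustration.

```python
"""Preflight scan for side-effecting lookup expressions in Ansible playbooks.

Added example; not part of the eigenstate.ipa collection. The plugin names and
argument names in SIDE_EFFECTING_LOOKUPS other than the keytab entry are
assumptions for illustration.
"""
import re
from typing import Dict, List

# Lookup plugins whose keyword arguments can trigger a write on the IdM side.
# 'eigenstate.ipa.keytab' / 'retrieve_mode' come from before.yml; the
# certificate entry and its argument are constructed placeholders.
SIDE_EFFECTING_LOOKUPS: Dict[str, List[str]] = {
    "eigenstate.ipa.keytab": ["retrieve_mode"],
    "eigenstate.ipa.cert": ["request_mode"],  # hypothetical plugin and argument
}

# Argument values treated as "mutate" rather than "read" (constructed list).
MUTATING_VALUES = {"generate", "rotate", "request", "renew"}

# lookup('<plugin>', <args>) possibly spanning several lines; the non-greedy
# argument match stops at the first ')', so arguments containing parentheses
# would need a real Jinja parser instead of this regex.
LOOKUP_RE = re.compile(r"lookup\(\s*['\"]([\w.]+)['\"]\s*,(.*?)\)", re.DOTALL)
KWARG_RE = re.compile(r"(\w+)\s*=\s*['\"]([^'\"]*)['\"]")


def find_side_effecting_lookups(playbook_text: str) -> List[Dict[str, object]]:
    """Return one finding per lookup call that requests a mutating operation."""
    findings: List[Dict[str, object]] = []
    for match in LOOKUP_RE.finditer(playbook_text):
        plugin, raw_args = match.group(1), match.group(2)
        if plugin not in SIDE_EFFECTING_LOOKUPS:
            continue
        # 1-based line of the 'lookup(' token, for a review-friendly report.
        line = playbook_text.count("\n", 0, match.start()) + 1
        kwargs = dict(KWARG_RE.findall(raw_args))
        for argument in SIDE_EFFECTING_LOOKUPS[plugin]:
            value = kwargs.get(argument)
            if value in MUTATING_VALUES:
                findings.append(
                    {"line": line, "plugin": plugin, "argument": argument, "value": value}
                )
    return findings


def report(findings: List[Dict[str, object]]) -> List[str]:
    """Format findings as one line each, the shape a preflight job would print."""
    return [
        f"line {f['line']}: lookup('{f['plugin']}') called with "
        f"{f['argument']}='{f['value']}' performs a mutation; move it to a module"
        for f in findings
    ]


def preflight_ok(playbook_text: str) -> bool:
    """True when no lookup in the text performs a side-effecting operation."""
    return not find_side_effecting_lookups(playbook_text)


# Constructed sample: the page's before.yml plus a read-only lookup that must
# not be flagged ('retrieve' is an assumed read-only value).
SAMPLE_PLAYBOOK = """\
---
- name: Old pattern hides rotation inside a lookup expression
  ansible.builtin.copy:
    content: >-
      {{ lookup('eigenstate.ipa.keytab',
                principal,
                retrieve_mode='generate') | b64decode }}
    dest: /etc/httpd/conf/httpd.keytab
  no_log: true

- name: Read-only lookup is acceptable in preflight
  ansible.builtin.debug:
    msg: "{{ lookup('eigenstate.ipa.keytab', principal, retrieve_mode='retrieve') }}"
"""

if __name__ == "__main__":
    for line in report(find_side_effecting_lookups(SAMPLE_PLAYBOOK)):
        print(line)
    print("preflight ok" if preflight_ok(SAMPLE_PLAYBOOK) else "preflight blocked")
```

Run it against a checkout before the syntax-check step; a non-empty report means a task still hides a rotation or issuance inside a template and should be converted to an explicit module task such as the after.yml form before the playbook is scheduled.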
Expected Evidence
The static validation playbook exercises the render-only roles without hidden lookup-side effects. A captured run from this checkout produced:
```
PLAY [Validate workload Secret delivery roles without a live cluster] *********

TASK [eigenstate.ipa.kubernetes_secret_from_idm_vault : Render reviewable Kubernetes Secret manifest] ***
changed: [localhost]

TASK [eigenstate.ipa.kubernetes_tls_from_idm_cert : Render reviewable Kubernetes TLS Secret manifest] ***
changed: [localhost]

TASK [eigenstate.ipa.keytab_secret_render : Render reviewable keytab Secret manifest] ***
changed: [localhost]

PLAY RECAP **************************************************************
localhost : ok=20 changed=6 unreachable=0 failed=0 skipped=15 rescued=0 ignored=0
```
Troubleshooting
- Permission failure: verify the account and delegated authority.
- Unexpected empty result: verify target names and source records.
- Unsafe output: redact payloads and add `no_log: true` to every task where secret material is present.