The role fails when conditionally included

[BboyKeen]

Hi,

I need to use your role only on specific environments so I'm using a when instruction in my role statement in my playbook like below to choose whether or not I want to deploy security rules :

roles: 
    - { role: security, when: deploy_security_rules }

Then in the task file of my "security" role I use the statements below to include your role

- name: OS Security related configurations
  include_role:
    name: dev-sec.os-hardening

The problem occurs when I don't want to deploy security rules, i.e when deploy_security_rules = false

Here is the output I obtain during failure :

TASK [dev-sec.os-hardening : get all system accounts] **************************
[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..

This feature will be removed in version 2.4. Deprecation warnings can be 
disabled by setting deprecation_warnings=False in ansible.cfg.
skipping: [vagrant-debian8.6] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

TASK [dev-sec.os-hardening : remove always ignored system accounts from list] **
skipping: [vagrant-debian8.6] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

TASK [dev-sec.os-hardening : change system accounts not on the user provided ignore-list] ***
fatal: [vagrant-debian8.6]: FAILED! => {"failed": true, "msg": "'sys_accs_cond' is undefined"}

Any idea why the role is failing ?

[rndmh3ro]

Thanks for reporting!
That's happening because in Ansible 2.x undefined variables used in with_items loops cause an error, even if the task is skipped (e.g. in check_mode or like in your case). The variable is undefined because the previous task (remove always ignored system accounts from list) is skipped.

Should be fixed here: #106

[rndmh3ro]

This also fixes #103

[BboyKeen]

Thanks. I will try your fix and get back to you !

[BboyKeen]

I can confirm that the fix proposed in the PR #106 solves the issue