Allow to load vars with expressions evaluated lazily.

felixfontein · felixfontein · commit 88cf936fe428 · 2025-04-14T21:02:49.000+02:00
diff --git a/plugins/action/load_vars.py b/plugins/action/load_vars.py
@@ -55,19 +55,33 @@ def _evaluate(self, value):
             return dict((k, self._evaluate(v)) for k, v in iteritems(value))
         return value
 
+    def _make_safe(self, value):
+        if isinstance(value, string_types):
+            # must come *before* Sequence, as strings are also instances of Sequence
+            return _make_safe(value)
+        if isinstance(value, Sequence):
+            return [self._make_safe(v) for v in value]
+        if isinstance(value, Mapping):
+            return dict((k, self._make_safe(v)) for k, v in iteritems(value))
+        return value
+
     @staticmethod
     def setup_module():
         argument_spec = ArgumentSpec(
             argument_spec=dict(
                 file=dict(type='path', required=True),
                 name=dict(type='str'),
-                expressions=dict(type='str', default='ignore', choices=['ignore', 'evaluate-on-load']),
+                expressions=dict(type='str', default='ignore', choices=['ignore', 'evaluate-on-load', 'lazy-evaluation']),
             ),
         )
         argument_spec.argument_spec.update(get_sops_argument_spec())
         return argument_spec, {}
 
     def run_module(self, module):
+        expressions = module.params['expressions']
+        if expressions == 'lazy-evaluation' and not HAS_DATATAGGING:
+            module.fail_json(msg='expressions=lazy-evaluation requires ansible-core 2.19+ with Data Tagging support.')
+
         data = dict()
         files = []
         try:
@@ -84,10 +98,12 @@ def run_module(self, module):
             value = dict()
             value[name] = data
 
-        expressions = module.params['expressions']
         if expressions == 'evaluate-on-load':
             value = self._evaluate(value)
 
+        if expressions == 'lazy-evaluation':
+            value = self._make_safe(value)
+
         module.exit_json(
             ansible_included_var_files=files,
             ansible_facts=value,
diff --git a/plugins/modules/load_vars.py b/plugins/modules/load_vars.py
@@ -34,14 +34,14 @@
       - If set to V(ignore), expressions will not be evaluated, but treated as regular strings.
       - If set to V(evaluate-on-load), expressions will be evaluated on execution of this module, in other words, when the
         file is loaded.
-      - Unfortunately, there is no way for non-core modules to handle expressions "unsafe", in other words, evaluate them
-        only on use. This can only achieved by M(ansible.builtin.include_vars), which unfortunately cannot handle SOPS-encrypted
-        files.
+      - If set to V(lazy-evaluation), expressions will be lazily evaluated. This requires ansible-core 2.19 or newer
+        and is the same behavior than M(ansible.builtin.include_vars). V(lazy-evaluation) has been added in community.sops 2.1.0.
     type: str
     default: ignore
     choices:
       - ignore
       - evaluate-on-load
+      - lazy-evaluation
 extends_documentation_fragment:
   - community.sops.sops
   - community.sops.attributes
diff --git a/tests/integration/targets/load_vars/tasks/main.yml b/tests/integration/targets/load_vars/tasks/main.yml
@@ -23,7 +23,7 @@
 
     - assert:
         that:
-          - '"value of expressions must be one of: ignore, evaluate-on-load, got: invalid value" in load_vars_invalid_value.msg'
+          - '"value of expressions must be one of: ignore, evaluate-on-load, lazy-evaluation, got: invalid value" in load_vars_invalid_value.msg'
 
     - name: Test load_vars with missing file
       community.sops.load_vars:
@@ -124,3 +124,35 @@
         that:
           - load_vars_expr_evaluated_now_2 is success
           - test2_2 == 'something_else'
+
+    - when: ansible_version.full is version('2.19', '>=')
+      block:
+        - set_fact:
+            to_be_defined_earlier: something_defined_before
+            bar_2: baz
+
+        - name: Test load_vars with expressions evaluated lazily
+          community.sops.load_vars:
+            file: proper-vars-2.sops.yaml
+            expressions: lazy-evaluation
+          register: load_vars_expr_lazy_evaluated
+
+        - assert:
+            that:
+              - load_vars_expr_lazy_evaluated is success
+              - test1_2 == 'baz'
+              - test2_2 == 'something_defined_before'
+              - test3_2[0] == 'baz'
+              - test4_2.test_4_2_1 == 'bazbaz'
+
+        - set_fact:
+            to_be_defined_earlier: something_else
+            bar_2: buzz
+
+        - assert:
+            that:
+              - load_vars_expr_lazy_evaluated is success
+              - test1_2 == 'buzz'
+              - test2_2 == 'something_else'
+              - test3_2[0] == 'buzz'
+              - test4_2.test_4_2_1 == 'buzzbuzz'
