我有一个json文件,像这样
{
"service_accounts": {
"sql-automation": "Automation Service account for Cloud SQL Instances",
"gke-proxy": "GKE proxy account",
"gke-node": "Default GKE nodes service account",
"syncdata": "Data sync between environments",
}
}
然后我有另一个json文件与默认访问帐户需要(这是一个模板文件)
{
"key_gen_auths": {
"worker": [{
"role": "roles/iam.serviceAccountKeyAdmin",
"members": [
"serviceAccount:dataprovisioning@{{ project_id }}.iam.gserviceaccount.com"
]
}],
"gke-node": [{
"role": "roles/iam.serviceAccountUser",
"members": [
"serviceAccount:deployment-automation@{{ project_id }}.iam.gserviceaccount.com"
]
}],
"sql-automation": [{
"role": "roles/iam.serviceAccountUser",
"members": [
"serviceAccount:deployment-automation@{{ project_id }}.iam.gserviceaccount.com"
]
}]
}
}
在剧本里,我想说:如果服务帐户存在于service_accounts文件中,则从key_gen_auths中提取该对象,如果它存在于key_gen_auths中(如果它不存在于key_gen_auths中,则忽略)。我看了几个选项,如selecattr, combine, difference,但我没有进一步比我开始的时候,我想知道如果我能找到正确的语法,我只是更好地使用when语句,任何帮助将是感激的。
- name: Play for reading json
hosts: localhost
vars:
project_id: 123
tasks:
- name: acct_list
set_fact:
acct_list: "{{ lookup('template', 'acct_list.json') }}"
- name: key_auth_default
set_fact:
keyauth_default: "{{ lookup('template', 'key_auths.json') }}"
- name:
set_fact:
access_file: "{{ item }}"
with_items: "{{ keyauth_default.key_gen_auths }}"
when: item in acct_list.service_accounts
- debug:
var: access_file
不需要查找就可以读取文件
vars_files:
- acct_list.json
- key_auths.json
vars:
project_id: 123
为
service_accounts:
gke-node: Default GKE nodes service account
gke-proxy: GKE proxy account
sql-automation: Automation Service account for Cloud SQL Instances
syncdata: Data sync between environments
key_gen_auths:
gke-node:
- members:
- serviceAccount:deployment-automation@123.iam.gserviceaccount.com
role: roles/iam.serviceAccountUser
sql-automation:
- members:
- serviceAccount:deployment-automation@123.iam.gserviceaccount.com
role: roles/iam.serviceAccountUser
worker:
- members:
- serviceAccount:dataprovisioning@123.iam.gserviceaccount.com
role: roles/iam.serviceAccountKeyAdmin
Q:"如果service_accounts中存在服务帐户,则从key_gen_auths中提取该对象。">
service_accounts_list: "{{ service_accounts.keys()|list }}"
key_gen_auths_list: "{{ key_gen_auths.keys()|list }}"
service_account_exists: "{{ service_accounts_list|intersect(key_gen_auths_list) }}"
为
service_accounts_list: [sql-automation, gke-proxy, gke-node, syncdata]
key_gen_auths_list: [worker, gke-node, sql-automation]
service_account_exists: [sql-automation, gke-node]
使用现有帐户列表提取对象并创建字典
access_file: "{{ dict(service_account_exists|
zip(service_account_exists|map('extract', key_gen_auths))) }}"
为
access_file:
gke-node:
- members:
- serviceAccount:deployment-automation@123.iam.gserviceaccount.com
role: roles/iam.serviceAccountUser
sql-automation:
- members:
- serviceAccount:deployment-automation@123.iam.gserviceaccount.com
role: roles/iam.serviceAccountUser
测试的完整剧本示例
- hosts: localhost
vars_files:
- acct_list.json
- key_auths.json
vars:
project_id: 123
service_accounts_list: "{{ service_accounts.keys()|list }}"
key_gen_auths_list: "{{ key_gen_auths.keys()|list }}"
service_account_exists: "{{ service_accounts_list|intersect(key_gen_auths_list) }}"
access_file: "{{ dict(service_account_exists|
zip(service_account_exists|map('extract', key_gen_auths))) }}"
tasks:
- debug:
var: service_accounts
- debug:
var: key_gen_auths
# If the service account exists in service_accounts
# extract those objects from key_gen_auths
- debug:
var: service_accounts_list|to_yaml
- debug:
var: key_gen_auths_list|to_yaml
- debug:
var: service_account_exists|to_yaml
- debug:
var: access_file
嗯,我认为这显示了你想要的数据,在debug中,你可以在set_fact中使用它,因为你认为合适:
- name: Play for reading json
hosts: localhost
vars_files:
- acct_list.json
- key_auths.json
vars:
project_id: 123
tasks:
- debug:
msg: "{{ key_gen_auths[item] | default('Not Found') }}"
loop: "{{ service_accounts.keys() }}"
ignore_errors: yes