Fix(plugins): Make ansible global_vars work for ansible-core>=2.19 (#6619)

Co-authored-by: Vibhu-gslab <109593615+Vibhu-gslab@users.noreply.github.com>

Author: gmuloc

ansible_collections/arista/avd/plugins/vars/global_vars.py

@@ -93,9 +93,39 @@
 from ansible.plugins.vars import BaseVarsPlugin
 from ansible.utils.vars import combine_vars
 
+from ansible_collections.arista.avd.plugins.plugin_utils.utils import ANSIBLE_ABOVE_2_19
+
+if ANSIBLE_ABOVE_2_19:
+    from ansible.template import trust_as_template
+
 FOUND: list = []
 
 
+def _mark_strings_as_trusted(data: Any) -> Any:
+    """
+    Recursively mark all strings in a data structure as trusted templates.
+
+    This is required for ansible-core >= 2.19 where the template trust model was inverted.
+    Only strings marked as trusted can be rendered as Jinja2 templates.
+
+    Should only be called when ANSIBLE_ABOVE_2_19 is True.
+
+    Args:
+        data: The data structure to process (can be dict, list, str, or any other type)
+
+    Returns:
+        The same data structure with all strings marked as trusted templates
+    """
+    if isinstance(data, str):
+        return trust_as_template(data)
+    if isinstance(data, dict):
+        return {key: _mark_strings_as_trusted(value) for key, value in data.items()}
+    if isinstance(data, list):
+        return [_mark_strings_as_trusted(item) for item in data]
+
+    return data
+
+
 class VarsModule(BaseVarsPlugin):
     def find_variable_source(self, path: str, loader: object) -> list:
         """Return the source files from which to load data, if the path is a directory - lookup vars file inside."""
@@ -144,8 +174,13 @@ def get_vars(self, loader: object, path: str, entities: Any, _cache: bool = True
                 continue
 
             for found_path in FOUND:
+                # Load the file. In ansible-core < 2.19, unsafe=True allows Jinja2 templates to be rendered.
+                # In ansible-core >= 2.19, we need to explicitly mark strings as trusted templates.
                 new_data = loader.load_from_file(found_path, cache=True, unsafe=True)
                 if new_data:
+                    if ANSIBLE_ABOVE_2_19:
+                        # Mark all strings in the loaded data as trusted templates for ansible-core >= 2.19
+                        new_data = _mark_strings_as_trusted(new_data)
                     variables = combine_vars(variables, new_data)
 
         return variables

ansible_collections/arista/avd/tests/integration/targets/vars_global_vars/global_vars.yml

@@ -7,3 +7,15 @@ overwritten_by_zz_global_vars_01: GLOBAL_VALUE
 overwritten_by_zz_global_vars_02: GLOBAL_VALUE
 not_overwritten_by_zz_global_vars_03: GLOBAL_VALUE
 not_overwritten: GLOBAL_VALUE
+
+# Test inline Jinja2 templating
+base_value: "BASE"
+jinja_template_simple: "{{ base_value }}_RENDERED"
+jinja_template_filter: "{{ base_value | lower }}_filtered"
+cleartext_password: "{{ vault.users.cvpadmin.password | default(lookup('ansible.builtin.env', 'CVP_PASSWORD'), true) }}"
+cleartext_password_2: "{{ lookup('ansible.builtin.env', 'CVP_PASSWORD') }}"
+
+vault:
+  users:
+    cvpadmin:
+      password: "vaulted_password"

ansible_collections/arista/avd/tests/integration/targets/vars_global_vars/playbook.yml

@@ -1,7 +1,12 @@
 ---
+
 - name: Testing All
   hosts: all
   tasks:
+    - name: Print Ansible version
+      ansible.builtin.debug:
+        msg: "Ansible version: {{ ansible_version.full }}"
+
     - name: Verify Global Variables
       ansible.builtin.assert:
         that:
@@ -11,6 +16,16 @@
           - not_overwritten_by_zz_global_vars_03 == 'GLOBAL_VALUE'
           - overwritten_by_group_all == 'ALL_VALUE'
 
+    - name: Verify Jinja2 Template Rendering
+      ansible.builtin.assert:
+        that:
+          - base_value == 'BASE'
+          - jinja_template_simple == 'BASE_RENDERED'
+          - jinja_template_filter == 'base_filtered'
+          - cleartext_password == 'vaulted_password'
+          - cleartext_password_2 == 'env_password'
+        fail_msg: "Jinja2 templates in global_vars are not being rendered correctly"
+
 - name: Testing leaf1
   hosts: leaf1
   tasks:

ansible_collections/arista/avd/tests/integration/targets/vars_global_vars/runme.sh

@@ -2,6 +2,7 @@
 
 set -eux
 
+export CVP_PASSWORD="env_password"
 # Testing with ansible.cfg
 export ANSIBLE_CONFIG=./ansible.cfg
 ansible-playbook -i hosts.yml playbook.yml