Can I specify that an argument can't be used with a specific choice in Ansible module spec?

Question

I'm looking for a way of specifying that a module argument can't be used if another argument has a certain value. You can specify required_if to require an argument if another argument has a specific value but I need the opposite. Something that's conceptually similar to mutually_exclusive and might be called forbidden_if.

I'm developing a module that creates a login for an SQL server. It can either be a SQL login that's specific to the server or a Windows log in that uses the domain controller. For an SQL login you must specify a password for but you can't for Windows as this is set by the domain controller. Logins have an identifier (SID) that may be specified by the user for SQL logins but can't be for Window.

Although it's a Powershell module for a Windows host I'll use Python examples because that's what the documentation is in.

This is the spec for a module that creates an SQL login

module = AnsibleModule(
    argument_spec=dict(
        username=dict(type='str', required=True),
        password=dict(type='str', no_log=True, required=True),
        sid=dict(type='str', required=False),
    ),
    supports_check_mode=True
)

and one for a Windows login

module = AnsibleModule(
    argument_spec=dict(
        username=dict(type='str', required=True),
    ),
    supports_check_mode=True
)

This is my current attempt at a spec for a combined module

module = AnsibleModule(
    argument_spec=dict(
        username=dict(type='str', required=True),
        password=dict(type='str', no_log=True, required=False),
        sid=dict(type='str', required=False),
        login_type=dict(
            type='str',
            choices=[ 'sql', 'windows' ],
            default='sql',
            required=False
        )
    ),
    required_if=[
        ('login_type', 'sql', ('password')),
    ],
    supports_check_mode=True
)

I was able to make password required for the sql login_type. Since password and sid can't be specified for a windows login so I'd like to prevent them being used if login_type is windows. Is this possible and if so, how do I do it?

no your case is not possible actually, then only way is to control this case with code and return error — Frenchy, Feb 25 '22 at 07:32
@Frenchy Sorry, I only got an alert for the initial comment so I've only just seen the answer. — Wes Toleman, Mar 09 '22 at 11:41

score 3 · Accepted Answer · edited Mar 12 '22 at 16:17

I don't see a solution to your problem without coding the test:

arguments = dict(
    username=dict(type='str', required=True),
    password=dict(type='str', no_log=True, required=False),
    sid=dict(type='str', required=False),
    login_type=dict(
        type='str',
        choices=[ 'sql', 'windows' ],
        default='sql',
        required=False
            )
)
module = AnsibleModule(
    argument_spec=arguments,
    required_if=[
        ('login_type', 'sql', ('password',)),
    ],
    supports_check_mode=True
)

if module.params['login_type'] == 'windows' and (module.params['password'] or module.params['sid']):
    module.fail_json(msg="unable to use 'login_type=windows' with args 'password' or 'sid'")

FYI: I noticed an error in your code, you forgot the , in the test:

required_if=[
    ('login_type', 'sql', ('password'**,**)),
],

Result:

fatal: [localhost]: FAILED! => {"changed": false, "msg": "unable to use 'login_type=windows' with args 'password' or 'sid'"}

Can I specify that an argument can't be used with a specific choice in Ansible module spec?

1 Answers1