In Ansible, the “Flat Namespace” problem is a frequent stumbling block for engineers managing multi-tier environments. It occurs because Ansible merges variables from various sources (global, group, and host) into a single pool for the current execution context.
If you aren’t careful, trying to use a variable meant for “Group A” while executing tasks on “Group B” will cause the play to crash because that variable simply doesn’t exist in Group B’s scope.
The Scenario: The “Mixed Fleet” Crash
Imagine you are managing a fleet of Web Servers (running on port 8080) and Database Servers (running on port 5432). You want a single “Security” play to validate that the application port is open in the firewall.
The Failing Code:
- name: Apply Security Rules
hosts: web:database
vars:
# This is the "Flat Namespace" trap!
# Ansible tries to resolve BOTH variables for every host.
app_port_map:
web_servers: "{{ web_custom_port }}"
db_servers: "{{ db_instance_port }}"
tasks:
- name: Validate port is defined
ansible.builtin.assert:
that: app_port_map[group_names[0]] is definedThis code fails when Ansible runs this for a web_server, it looks at app_port_map. To build that dictionary, it must resolve db_instance_port. But since the host is a web server, the database group variables aren’t loaded. Result: fatal: 'db_instance_port' is undefined.
Solution 1: The “Lazy” Logic
By using Jinja2 whitespace control and conditional logic, we prevent Ansible from ever looking at the missing variable. It only evaluates the branch that matches the host’s group.
- name: Apply Security Rules
hosts: app_servers:storage_servers
vars:
# Use whitespace-controlled Jinja to isolate variable calls
target_port: >-
{%- if 'app_servers' in group_names -%}
{{ app_service_port }}
{%- elif 'storage_servers' in group_names -%}
{{ storage_backend_port }}
{%- else -%}
22
{%- endif -%}
tasks:
- name: Ensure port is allowed in firewall
community.general.ufw:
rule: allow
port: "{{ target_port | int }}"The advantage of this approach is that it’s very explicit, prevents “Undefined Variable” errors entirely, and allows for easy defaults. However, it can become verbose/messy if you have a large number of different groups.
Solution 2: The hostvars Lookup
If you don’t want a giant if/else block, you can use hostvars to dynamically grab a value, but you must provide a default to keep the namespace “safe.”
- name: Validate ports
hosts: all
tasks:
- name: Check port connectivity
ansible.builtin.wait_for:
port: "{{ vars[group_names[0] + '_port'] | default(22) }}"
timeout: 5This approach is very compact and follows a naming convention (e.g., groupname_port). But its harder to debug and relies on strict variable naming across your entire inventory.
Solution 3: Group Variable Normalization
The most “architecturally sound” way to solve the flat namespace problem is to use the same variable name across different group_vars files.
# inventory/group_vars/web_servers.yml
service_port: 80# inventory/group_vars/db_servers.yml
service_port: 5432# Playbook - main.yml
---
- name: Unified Firewall Play
hosts: all
tasks:
- name: Open service port
community.general.ufw:
port: "{{ service_port }}" # No logic needed!
rule: allowThis is the cleanest playbook code; truly “Ansible-native” way of handling polymorphism but it requires refactoring your existing variable names and can be confusing if you need to see both ports at once (e.g., in a Load Balancer config).
The “Flat Namespace” problem is really just a symptom of Ansible’s strength: it’s trying to make sure everything you’ve defined is valid. I recently solved this problem in a multi-play playbook, which I wrote for Digital Ocean infrastructure provisioning and configuration using the Lazy Logic approach, and I found this to be the best way to bridge the gap between “Group A” and “Group B” without forcing a massive inventory refactor. While I have generalized the example code, I actually faced this problem in a play that set up the host-level firewall based on dynamic inventory.
Leave a Reply