A few things here:

1) Your gist of that file, and what you indicate in your email are different, specifically the `if env in ["dev", "stg]` part
2) As a result of #1 the YAML renders incorrectly, causing that error

Here is the result of the template when `env: dev` is set:

---
Version: 2012-10-17
Statement:
  - Effect: Allow
    Action:
      - "s3:List*"
    Resource: "arn:aws:s3:::bucket"
  - Effect: Allow
    Action:
      - "s3:Get*"
            - "s3:Put*"
          Resource:
      - "arn:aws:s3:::bucket/dev"
      - "arn:aws:s3:::bucket/dev/*"

As such, your template needs to be adjusted with something like this, where the `{% if %}` and `{% endif %}` blocks aren't adding to the indentation, by being completely left justified:

---
Version: 2012-10-17
Statement:
  - Effect: Allow
    Action:
      - "s3:List*"
    Resource: "arn:aws:s3:::bucket"
  - Effect: Allow
    Action:
      - "s3:Get*"
{% if env in ["dev", "stg"] %}
      - "s3:Put*"
{% endif %}
    Resource:
      - "arn:aws:s3:::bucket/{{ env }}"
      - "arn:aws:s3:::bucket/{{ env }}/*"

On Mon, Mar 6, 2023 at 12:40 PM Guido Accardo <gacca...@gmail.com> wrote:

> Hi Ansible community,
>
> I'd like to share a problem I'm having while trying to load a yaml
> formatted template and perhaps getting feedback from you on how to make it
> work.
>
> I wrote the following playbook:
> https://gist.github.com/gaccardo/2c12fc4aab443978fe33829129237cbc
>
> If the content of "policy_content.yaml" is "pure" YAML, i.e.:
> https://gist.github.com/gaccardo/3047c0c06d36d39a69d2d3c60a3daf4e, the
> task Create IAM Managed Policy works as expected, meaning the IAM policy
> gets created in my AWS account.
>
> Now, instead if I change the file policy_content.yaml to the following:
> https://gist.github.com/gaccardo/fc30a3c40f8ff01d44b61ad6fec0a3b7, the
> task fails with the following error:
> https://gist.github.com/gaccardo/f27accb0dac958ab83c232bb347a292b.
>
> This is how I'm calling the playbook:
>
> $ ansible-playbook -e "selected_env=dev" policy.yml -vvv
>
> Is it possible that the filter "from_yaml" is getting the template
> unrendered from "lookup"?
>
> The error says: "did not find expected '-' indicator" but I'm starting the
> lines within the Actions with the required "-"
>
> ...
>  7   - Effect: Allow
>  8     Action:
>  9       - "s3:Get*"
> 10       {% if env in ["dev", "stg"] %}
> 11       - "s3:Put*"
> 12       {% endif %}
> 13     Resource:
> 14       - "arn:aws:s3:::bucket/{{ env }}"
> 15       - "arn:aws:s3:::bucket/{{ env }}/*"
>
> Check lines 9 and 11.
>
> Thank you in advance for your time. Best!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-project+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/40d7bc6c-69a8-49e3-89b3-c64b8767f0d6n%40googlegroups.com
> .

--
Matt Martz
@sivel
sivel.net
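
The whitespace behaviour discussed in this thread can be reproduced outside Ansible; the following is an added example, not code from either poster, and it assumes the `jinja2` and `PyYAML` packages are installed. The two templates are constructed, shortened versions of the policy, `render` and `actions` are hypothetical helper names, and the `lstrip_blocks` case goes one step beyond the thread to show the Jinja2 option that strips the spaces in front of a block tag.

```python
import jinja2
import yaml

# Constructed, shortened template: block tags indented like the list items.
INDENTED = """\
Statement:
  - Effect: Allow
    Action:
      - "s3:Get*"
      {% if env in ["dev", "stg"] %}
      - "s3:Put*"
      {% endif %}
    Resource:
      - "arn:aws:s3:::bucket/{{ env }}"
"""

# Same template with the block tags completely left justified.
LEFT_JUSTIFIED = """\
Statement:
  - Effect: Allow
    Action:
      - "s3:Get*"
{% if env in ["dev", "stg"] %}
      - "s3:Put*"
{% endif %}
    Resource:
      - "arn:aws:s3:::bucket/{{ env }}"
"""


def render(template, env, lstrip_blocks=False):
    # trim_blocks=True matches Ansible's default: the newline after a block
    # tag is dropped, but the spaces in front of the tag stay in the output.
    jenv = jinja2.Environment(trim_blocks=True, lstrip_blocks=lstrip_blocks)
    return jenv.from_string(template).render(env=env)


def actions(template, env, lstrip_blocks=False):
    """Return the rendered policy's Action list, or None if the YAML is invalid."""
    try:
        doc = yaml.safe_load(render(template, env, lstrip_blocks))
    except yaml.YAMLError:
        return None
    return doc["Statement"][0]["Action"]


if __name__ == "__main__":
    print(render(INDENTED, "dev"))  # the Put and Resource lines are shifted right
    print(actions(INDENTED, "dev"), actions(LEFT_JUSTIFIED, "dev"))
```

Checking the parsed `Action` list per environment before the policy is created also confirms that `s3:Put*` is only granted where the template intends it.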