Closed
Description
Looking up variables via e.g. `{{ vars['icingaweb2_modules'][_module]['database']['password'] }}` leads to unexpected outputs when the content of `icingaweb2_modules._module.database.password` is itself looking up or referencing a variable, e.g. a password.
This leads to results where e.g. a forged MySQL command contains `{{ lookup('ansible.builtin.env', 'MYSQL_X509_PASSWORD', default=Undefined) }}` as the `-p` flag, because Ansible doesn't expand the 'nested' lookup.
The output below is a result of this bug:
```
mysql -h "host.example.com" -P "3306" -u "x509"
-p"{{ lookup('ansible.builtin.env', 'MYSQL_X509_PASSWORD', default=Undefined) }}"
"x509" < /usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql
```
Referencing the variable in question directly works as expected:
```
{{ icingaweb2_modules[_module]['database']['password'] }}
```
schneif2
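A minimal playbook for comparing the two access paths from the report, followed by a guard task that stops a run before a command is built from an unrendered value. This is an added example, not code from the issue or the collection; the play layout, task names, the file name `repro.yml` and the `[{][{]` marker pattern are assumptions, and the results depend on the Ansible version showing the behaviour reported above.

```yaml
# Added example, not part of the collection.
# Run with a constructed value, for example:
#   MYSQL_X509_PASSWORD=constructed-value ansible-playbook repro.yml
- name: Compare vars[...] access with a direct variable reference
  hosts: localhost
  gather_facts: false
  vars:
    _module: x509
    icingaweb2_modules:
      x509:
        database:
          # Nested lookup as quoted in the issue
          password: "{{ lookup('ansible.builtin.env', 'MYSQL_X509_PASSWORD', default=Undefined) }}"
  tasks:
    # Reports only whether template markers survive, never the value itself.
    # '[{][{]' matches a literal double opening brace without writing one.
    - name: Show whether each access path returns an unrendered template
      ansible.builtin.debug:
        msg:
          via_vars_unrendered: "{{ vars['icingaweb2_modules'][_module]['database']['password'] is search('[{][{]') }}"
          direct_unrendered: "{{ icingaweb2_modules[_module]['database']['password'] is search('[{][{]') }}"

    # Guard: fail early instead of passing a template string to mysql as -p.
    - name: Refuse to continue with an unrendered database password
      ansible.builtin.assert:
        that:
          - "icingaweb2_modules[_module]['database']['password'] is not search('[{][{]')"
        fail_msg: Database password still contains an unrendered template
        quiet: true
```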
Labels: bug (Something isn't working)