From c43c8300055b7ae1efe566de3cab1cc71636557b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?= Date: Thu, 16 Nov 2017 00:07:28 +0100 Subject: [PATCH] convention for merging arrays --- CONVENTIONS.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/CONVENTIONS.md b/CONVENTIONS.md index efde4c6..55d34d2 100644 --- a/CONVENTIONS.md +++ b/CONVENTIONS.md @@ -216,6 +216,23 @@ When making a role or a task the necessary packages must be installed explicitly For example for the "mysql" role we obviously need the MySQL packages, but we also need the "apg" package to generate new passwords. This package is installed by "evolinux-base" but the "mysql" role can be executed on a fresh server. +### merge arrays + +Some roles need to have an array of values in a variable. For example, any roles use a list of trusted IP addresses (firewall, http auth, ssh whitelist…). +It this array needs to include some values from a late file inclusion (from var_files, cli argument…) it becomes impossible to merge with another variable. + +The workaround is to have 2 different default variables (eg. `evolix_trusted_ips` and `additional_trusted_ips`), witha default value of `[]` and merge them into the final variable. One of the variables (typically `evolix_xxx`) can be "hardcoded" in a vault and the final array remains extensible. + +Example from the minifirewall role (with a final default value) : + +``` +evolix_trusted_ips: [] +additional_trusted_ips: [] +# Let's merge evolix_trusted_ips with additional_trusted_ips +# and default to ['0.0.0.0/0'] if the result is still empty +minifirewall_trusted_ips: "{{ evolix_trusted_ips | union(additional_trusted_ips) | unique | default(['0.0.0.0/0'], true) }}" +``` + ## Caveats ### Unix permissions must be written as String values
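Review bot: the `default(['0.0.0.0/0'], true)` fallback at the end of the `minifirewall_trusted_ips` example fails open: if both `evolix_trusted_ips` and `additional_trusted_ips` stay at `[]` (for instance because the vault or the late `var_files` inclusion was not loaded), the "trusted" list becomes every IPv4 address. Since the section presents this as the pattern for firewall, http auth and ssh whitelist variables, the text should say that the final default is specific to minifirewall and a deliberate choice, and recommend that other roles keep an empty result (or fail the play) rather than copy the catch-all. Two smaller points in the same hunk: `union` already returns a de-duplicated list, so the `| unique` that follows it is redundant. The added prose has typos: "any roles" reads as if "many roles" was meant, "It this array" should be "If this array", and "witha" should be "with a".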