Today I learned that in Ansible the `| default(omit)` filter doesn’t omit the value within a string. Instead, it replaces the statement with a random string that looks like this: `__omit_place_holder__17ce35dc24337a3145aee27cda2d6baefa37ddea`. This is rather unintuitive, as one would expect that `omit` would result in an empty string or the like, but it seems that the Ansible implementation of `omit` works by replacing it with a randomly generated string and then checking whether each parameter is equal to this string. The lifetime of this string is limited to the lifetime of the Ansible process, and it is used throughout its runtime wherever someone uses `omit` as a value.

I learned about this while investigating my GitLab deployment, which was no longer idempotent and resulted in the GitLab container being re-created every time the playbook ran. The problem became obvious when running the playbook manually with the `--diff` command, which showed the change of this parameter in the environment variable section of the `docker-compose.yml`. Replacing the `omit` with an empty string (`""`) fixed the problem.
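
A simplified Python model of the behaviour described above, added here as an illustration and not Ansible's own code: it shows why a whole-value `omit` is dropped, why one embedded in a string leaks and changes on every run, and how to check rendered output for a leaked placeholder. The token scheme (prefix plus 40 random hex characters), the task arguments and all function names are assumptions made for the example.

```python
import re
import secrets

# A leaked placeholder: the prefix plus 40 hex characters, like the value quoted above.
LEAK_RE = re.compile(r"__omit_place_holder__[0-9a-f]{40}")


def new_omit_token():
    """One token per simulated process (assumed scheme: prefix + random hex)."""
    return "__omit_place_holder__" + secrets.token_hex(20)


def strip_omitted(args, token):
    """Drop parameters whose whole value equals the token; recurse into dicts."""
    kept = {}
    for key, value in args.items():
        if value == token:
            continue  # exact match: the parameter is omitted
        kept[key] = strip_omitted(value, token) if isinstance(value, dict) else value
    return kept


def render_task(setting=None, fixed=False):
    """Simulate one playbook run: new process, new token, same inputs."""
    token = new_omit_token()
    whole = token if setting is None else setting  # setting | default(omit)
    # Inside a string: default(omit) when fixed=False, default("") when fixed=True.
    inner = setting if setting is not None else ("" if fixed else token)
    args = {  # constructed task arguments, hypothetical names
        "name": "gitlab",
        "pull": whole,
        "env": {"EXAMPLE_SETTING": "prefix-" + inner},
    }
    return strip_omitted(args, token)


def find_leaks(rendered):
    """Return every placeholder that survived into rendered output."""
    return LEAK_RE.findall(str(rendered))


if __name__ == "__main__":
    first, second = render_task(), render_task()
    print("leaks:", find_leaks(first))
    print("idempotent with omit:", first == second)
    print("idempotent with '':", render_task(fixed=True) == render_task(fixed=True))
```

The same pattern used in `find_leaks` can be run over a generated `docker-compose.yml` in CI to catch a leaked placeholder before it causes a container re-creation.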