Ansible: how to run a play with hosts with different passwords?

Question

I'm currently learning how to use Ansible. Right now, I've got a bunch of servers, both new and legacy, that have different logins or passwords or both. All have key access to run the plays.

Here's what I started with. Example hosts file:

# legacy and new have different logins (like root and deploy)
[legacy]
serv1
serv2

[new]
serv3
serv4

# different has a different login and password altogether
[different]
serv5

So to keep things simple, I originally had a playbook run the equivalent of sudo apt-get update && sudo apt-get upgrade on all the machines, but because of the different login/passwd, I had created multiple playbooks for each host. But now I want to DRY it out and am looking at Roles, per their docs.

Right now I have something like this. The test/roles/common/tasks/main.yml file:

---
- name: run apt-get update
  apt: update_cache=yes
- name: run apt-get upgrade
  apt: upgrade=yes

The site.yml file:

- name: apply common configuration to all nodes
  hosts: all

  roles:
  - common

I understand that I can actually define the different logins with ansible_ssh_user=root or ...=deploy in my hosts file. Or put them in group vars. But what do I do about the different sudo passwords? [legacy] is root so I don't need sudo, but [new] and [different] need it, and have different passwords. How do I do this? Group vars? Do I create these: test/group_vars/new/some_file_with_a_passwd.yml and test/group_vars/different/some_other_passwd.yml (ignoring security issues)?

How does the site.yml recognize that there are hosts with different passwords or some hosts with no passwords?

Edit for clarity's sake: I have SSH access, so doing the 'pre-tasks' step during the play always work (I connect via key access and never via a password). I'm not worried about security as that's the next step. For now, I want to get the group_vars thing right....It's the sudo escalation I have issues with. E.g. serv1 sudo might be root/password1, serv3 sudo: deploy/password2, serv5: anotherdeploy/password3

Answer 1

Okay, you kind of have two questions here:

How to connect to different hosts with different SSH keys?

Create a different group_vars file for each set of hosts, and set the credentials in there.

# group_vars/legacy
---
ansible_ssh_user: myuser
ansible_ssh_key: ~/.ssh/legacy_key.pem

Then Ansible will apply a different key based on which group each host is in, simple as that.

How to use different credentials per host for privilege escalation?

Once more, stick them in different group_vars files for each set of hosts:

# group_vars/legacy
---
ansible_become_user: root
ansible_become_pass: "{{ vaulted_legacy_password }}"

Then you can use the keyword become: yes to escalate privileges, and Ansible will apply the right credentials for each group. If you're already root, the become keyword just won't have any effect.

And then... see that {{ vaulted_legacy_password }} variable up there?

Best practice, and the only sensible thing to do if you are ever sharing this code, is to make an Ansible Vault file and keep your passwords in there. Ansible Vault password protects your sensitive variables and lets you decrypt them at the time of running.

You can either make your whole group_vars/legacy file vaulted (if the credentials are the only information in it), or make a group_vars/legacy folder, with one plaintext file and one encrypted file in it. All files in a subdirectory of group_vars will be sourced and applied to the group with the name of the folder.