ansible user module always shows changed

Tags:

ansible

I'm struggling to properly use ansible's user module. The problem is every time I run my playbook, the users I created always show as changed, even if I have already created them.

I found other people with the same issue here, though I am struggling to actually fix it based on the github thread. Probably the most helpful comment that I didn't understand 👇

I can confirm that it only looked like a bug - adding the append option to two tasks made it so that they're not always undoing the work of the other, and fixed the permanently changed trigger. I did not need to add "group:"

This is what my playbook looks like:

- name: Generate all users for the environment
  user:
    createhome: yes
    state: present # to delete
    name: "{{ item.user }}"
    groups: "{{ 'developers' if item.role == 'developer' else 'customers' }}"
    password: "{{ generic_password | password_hash('sha512') }}"
    append: yes
  with_items:
    - "{{ users }}"

My intention is to have every user belong to their own private group (User Private Groups) but also have a developer belong to the developers group. With the current configuration it works, the problem being that ansible always reports the user as "changed". I'll then add the developers group to the sudoers file; hence I'd like to add the user to the developers group.

e.g.

vagrant@ubuntu-bionic:/home$ sudo su - nick
$ pwd
/home/nick
$ touch file.txt
$ ls -al
-rw-rw-r--  1 nick nick    0 Jul  3 12:06 file.txt

vagrant@ubuntu-bionic:/home$ cat /etc/group | grep 'developers'
developers:x:1002:nick,ldnelson,greg,alex,scott,jupyter

Here is the verbose output running against vagrant locally for one of the users:

changed: [192.168.33.10] => (item={'user': 'nick', 'role': 'developer', 'with_ga': False}) => {
    "append": true,
    "changed": true,
    "comment": "",
    "group": 1004,
    "groups": "developers",
    "home": "/home/nick",
    "invocation": {
        "module_args": {
            "append": true,
            "comment": null,
            "create_home": true,
            "createhome": true,
            "expires": null,
            "force": false,
            "generate_ssh_key": null,
            "group": null,
            "groups": [
                "developers"
            ],
            "hidden": null,
            "home": null,
            "local": null,
            "login_class": null,
            "move_home": false,
            "name": "nick",
            "non_unique": false,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "password_lock": null,
            "remove": false,
            "seuser": null,
            "shell": null,
            "skeleton": null,
            "ssh_key_bits": 0,
            "ssh_key_comment": "ansible-generated on ubuntu-bionic",
            "ssh_key_file": null,
            "ssh_key_passphrase": null,
            "ssh_key_type": "rsa",
            "state": "present",
            "system": false,
            "uid": null,
            "update_password": "always"
        }
    },
    "item": {
        "role": "developer",
        "user": "nick",
        "with_ga": false
    },
    "move_home": false,
    "name": "nick",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/sh",
    "state": "present",
    "uid": 1002
}

Should be unrelated, but I am adding some to the developers group as I intend to grant sudo access for certain commands.

Nick Brady Avatar asked Jul 03 '19 12:07




1 Answer

generic_password | password_hash('sha512') is not idempotent. The salt of the hash changes each time the function password_hash runs.

To make it idempotent, either run it with a specific salt:

- name: Generate all users for the environment
  user:
    password: "{{ generic_password | password_hash('sha512', 'mysalt') }}"

or update the password on_create only:

- name: Generate all users for the environment
  user:
    update_password: on_create

(or register the return values and declare changed_when).


Consider external management of passwords e.g. Ansible Vault or Passwordstore. There is a lookup plugin for passwordstore. See ansible-doc -t lookup passwordstore. See also my implementation of Passwordstore.

Vladimir Botka Avatar answered Nov 15 '22 11:11

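A version of the questioner's task that applies the two fixes from the answer together, as an added example (not code from the question or the answer). It assumes the same `users` list (items with `.user` and `.role`) and `generic_password` variable as the question; the per-user salt uses the `random(seed=...)` filter idiom from the Ansible documentation, and the group-creation task is assumed rather than taken from the page.

```yaml
# Added example, not from the original question or answer.
# Assumes `users` (list of {user, role}) and `generic_password`
# are defined, e.g. generic_password loaded from Ansible Vault.
- name: Ensure the role groups exist before users are added to them
  group:
    name: "{{ item }}"
    state: present
  loop:
    - developers
    - customers

- name: Generate all users for the environment
  user:
    name: "{{ item.user }}"
    state: present
    create_home: yes
    # The user's private group is created implicitly; append keeps it
    # and adds the role group instead of replacing the membership list.
    groups: "{{ 'developers' if item.role == 'developer' else 'customers' }}"
    append: yes
    # Fix 1: a fixed salt makes the hash string identical on every run,
    # so Ansible's comparison against /etc/shadow stops reporting a
    # spurious change. The salt is derived per user rather than shared,
    # because one shared salt would give every account with the same
    # password an identical hash.
    password: "{{ generic_password | password_hash('sha512', 65534 | random(seed=item.user) | string) }}"
    # Fix 2: only set the password when the account is first created, so
    # reruns do not touch the shadow entry and do not overwrite a password
    # the user has since changed. Either fix alone removes the "changed";
    # on_create is the one that also avoids rewriting the hash every run.
    update_password: on_create
  loop: "{{ users }}"
```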