I'm struggling to properly use ansible's user module. The problem is every time I run my playbook, the users I created always show as changed, even if I have already created them.
I found other people with the same issue here, though I am struggling to actually fix it based on the GitHub thread. Probably the most helpful comment, which I didn't understand 👇
I can confirm that it only looked like a bug - adding the append option to two tasks made it so that they're not always undoing the work of the other, and fixed the permanently changed trigger. I did not need to add "group:"
This is what my playbook looks like:

- name: Generate all users for the environment
  user:
    createhome: yes
    state: present # to delete
    name: "{{ item.user }}"
    groups: "{{ 'developers' if item.role == 'developer' else 'customers' }}"
    password: "{{ generic_password | password_hash('sha512') }}"
    append: yes
  with_items:
    - "{{ users }}"
My intention is to have every user belong to their own private group (User Private Groups) but also have a developer belong to the developers group. With the current configuration it works, the problem being that ansible always reports the user as "changed". I'll then add the developers group to the sudoers file; hence I'd like to add the user to the developers group.
e.g.
vagrant@ubuntu-bionic:/home$ sudo su - nick
$ pwd
/home/nick
$ touch file.txt
$ ls -al
-rw-rw-r-- 1 nick nick 0 Jul 3 12:06 file.txt
vagrant@ubuntu-bionic:/home$ cat /etc/group | grep 'developers'
developers:x:1002:nick,ldnelson,greg,alex,scott,jupyter
Here is the verbose output running against vagrant locally for one of the users:

changed: [192.168.33.10] => (item={'user': 'nick', 'role': 'developer', 'with_ga': False}) => {
    "append": true,
    "changed": true,
    "comment": "",
    "group": 1004,
    "groups": "developers",
    "home": "/home/nick",
    "invocation": {
        "module_args": {
            "append": true,
            "comment": null,
            "create_home": true,
            "createhome": true,
            "expires": null,
            "force": false,
            "generate_ssh_key": null,
            "group": null,
            "groups": [
                "developers"
            ],
            "hidden": null,
            "home": null,
            "local": null,
            "login_class": null,
            "move_home": false,
            "name": "nick",
            "non_unique": false,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "password_lock": null,
            "remove": false,
            "seuser": null,
            "shell": null,
            "skeleton": null,
            "ssh_key_bits": 0,
            "ssh_key_comment": "ansible-generated on ubuntu-bionic",
            "ssh_key_file": null,
            "ssh_key_passphrase": null,
            "ssh_key_type": "rsa",
            "state": "present",
            "system": false,
            "uid": null,
            "update_password": "always"
        }
    },
    "item": {
        "role": "developer",
        "user": "nick",
        "with_ga": false
    },
    "move_home": false,
    "name": "nick",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/sh",
    "state": "present",
    "uid": 1002
}
Should be unrelated, but I am adding some to the developers group as I intend to grant sudo access for certain commands.
generic_password | password_hash('sha512')

is not idempotent. The salt of the hash changes each time the function password_hash runs.

To make it idempotent, either run it with a specific salt

- name: Generate all users for the environment
  user:
    password: "{{ generic_password | password_hash('sha512', 'mysalt') }}"

or update the password on_create only

- name: Generate all users for the environment
  user:
    update_password: on_create

(or register the return values and declare changed_when).

Consider external management of passwords, e.g. Ansible Vault or Passwordstore. There is a lookup plugin for passwordstore. See ansible-doc -t lookup passwordstore. See also my implementation of Passwordstore.
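The question's task rewritten so that repeated runs report no change, as an added example that is not part of the question or the answer above. It assumes the `users` list and `generic_password` variable from the question, and it derives the salt per user with the `random` filter seeded by the user name, which Ansible's filter documentation describes for exactly this purpose.

```yaml
# Added example (not from the question or the answer above).
# Assumes `users` is a list of {user, role} dicts and `generic_password`
# is defined, as in the question.
- name: Ensure the secondary groups exist before users reference them
  group:
    name: "{{ item }}"
    state: present
  loop:
    - developers
    - customers

- name: Generate all users for the environment
  user:
    name: "{{ item.user }}"
    state: present
    create_home: yes
    # Secondary group chosen by role; append keeps the user's private group
    # (UPG) and any other memberships instead of replacing them.
    groups: "{{ 'developers' if item.role == 'developer' else 'customers' }}"
    append: yes
    # Deterministic per-user salt: the random filter seeded with the user
    # name returns the same value on every run, so the hash is stable and
    # the task stops reporting "changed". Each user still gets a different
    # salt, unlike one hard-coded salt shared by every account.
    password: "{{ generic_password | password_hash('sha512', 65534 | random(seed=item.user) | string) }}"
    # Only set the password when the account is first created; later runs
    # leave whatever the user has since changed it to. This alone would
    # also stop the spurious change, even with a random salt.
    update_password: on_create
  loop: "{{ users }}"
```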