Using Ansible to decrypt remote files? - ansible

Maybe it's a silly question but...
I would like to have an Ansible task that simply decrypts some remote files that have been encrypted with ansible-vault.
I had in mind to use the copy module with the option decrypt: yes, but it is not working for me because remote_src: yes doesn't support decrypt: yes:
Autodecryption of files does not work when remote_src=yes.
https://docs.ansible.com/ansible/2.9/modules/copy_module.html
Is there any other way to achieve this?
- name: Decrypting secrets
  become: true
  copy:
    src: "{{ path }}"
    dest: "{{ path }}"
    owner: "{{ user }}"
    group: "{{ user }}"
    decrypt: yes
    remote_src: yes
Ansible version: 2.9
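One way around the remote_src limitation in 2.9, as an added example that is not part of the original post: fetch the encrypted file back to the controller, then push it back with a plain copy (no remote_src), which decrypts a vault-encrypted local src by default. The remote path, the owner, the hosts group and a vault password supplied to ansible-playbook (--ask-vault-pass or --vault-id) are assumptions.

```yaml
- name: Decrypt a vault-encrypted file that already sits on the remote host
  hosts: all
  become: true
  vars:
    path: /etc/myapp/secrets.conf   # assumed absolute remote path
    user: myapp                     # assumed owner of the decrypted file
    stage_dir: "{{ playbook_dir }}/fetched"   # controller-side staging area

  tasks:
    - name: Pull the still-encrypted file back to the controller
      fetch:
        src: "{{ path }}"
        dest: "{{ stage_dir }}/"   # lands at <stage_dir>/<inventory_hostname><path>
        flat: false

    - name: Push it back; copy decrypts a local vault-encrypted src on the controller
      copy:
        src: "{{ stage_dir }}/{{ inventory_hostname }}{{ path }}"
        dest: "{{ path }}"
        owner: "{{ user }}"
        group: "{{ user }}"
        mode: "0600"         # the file is cleartext on disk from here on
        decrypt: true        # the default, shown explicitly
      no_log: true           # keep file content out of the run output

    - name: Remove the staged copy from the controller
      file:
        path: "{{ stage_dir }}/{{ inventory_hostname }}{{ path }}"
        state: absent
      delegate_to: localhost
      become: false
```

The decryption happens on the controller, so the vault password never has to exist on the managed host.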

Related

In Ansible, can I re-use a role like a subroutine?

Ansible v2.11
I install a lot of applications on a Windows target, and most of them follow the same routine - download, unzip, for example.
- name: Download the zip file
  win_get_url:
    url_username: user
    url_password: password
    url: "{{ some_url }}"
    dest: "C:\\temp\\{{ some_archive }}"
- name: Unzip the archive
  win_unzip:
    src: "C:\\temp\\{{ some_archive }}"
    dest: "{{ archive_install_dir }}"
Is it possible to re-use the above role in "other roles" where I just pass in the some_archive and archive_install_dir variables for example? I set up my roles so each one has its own Git repository.
You can use include_role or import_role to pull it in.
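An added example (not from the answer above) of calling such a role from a play, once per application, with the role's variables passed in per call. The role name win_download_unzip, the hosts group and the application list are assumptions; the role is assumed to contain the two tasks from the question, parameterised on some_url, some_archive and archive_install_dir.

```yaml
# Assumed layout: roles/win_download_unzip/tasks/main.yml holds the
# win_get_url + win_unzip tasks from the question (pulled in from its own
# Git repository via requirements.yml, or vendored under roles/).
- name: Install several applications by reusing one download-and-unzip role
  hosts: windows
  vars:
    apps:   # constructed sample values
      - url: https://example.com/downloads/toolA.zip
        archive: toolA.zip
        install_dir: 'C:\Program Files\ToolA'
      - url: https://example.com/downloads/toolB.zip
        archive: toolB.zip
        install_dir: 'C:\Program Files\ToolB'

  tasks:
    - name: Run the role once per application, passing its parameters as role vars
      include_role:
        name: win_download_unzip
      vars:
        some_url: "{{ item.url }}"
        some_archive: "{{ item.archive }}"
        archive_install_dir: "{{ item.install_dir }}"
      loop: "{{ apps }}"
      loop_control:
        label: "{{ item.archive }}"   # keep the loop output short and readable
```

import_role would work the same way for a single call, but only include_role can be combined with loop, because imports are resolved statically before the play runs.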

Ansible - Copy multiple files on remote host

I would like to copy a few files on a remote host. I used the copy module as follows, but it copies all files under the 'app' variable (dir) to the 'backup_conf' variable (dir).
Please advise here.
- name: backup configuration files
  copy:
    src: '{{ app }}'
    dest: '{{ backup_conf }}'
    remote_src: true
  with_items:
    - /bin/setenv.sh
    - /conf/server.xml
Thank you, I fixed my issue:
- name: backup configuration files
  copy:
    src: "{{ item }}"
    dest: "{{ backup_conf }}"
    remote_src: true
  with_items:
    - /bin/setenv.sh
    - /conf/server.xml

Setting Ansible vars with set_fact results

I'm running Ansible 2.9.18 on RHEL7.
I am using hvac to retrieve usernames and passwords from a Hashicorp vault.
vars:
  creds: "{{ lookup('hashi_vault', 'secret=tst2/data/cisco token= url=http://10.80.23.81:8200') }}"
tasks:
  - name: set Cisco creds
    set_fact:
      cisco: "{{ creds['data'] }}"
  - name: Get nxos facts
    nxos_command:
      username: "{{ cisco['username'] }}"
      password: "{{ cisco['password'] }}"
      commands: show ver
      timeout: 30
    register: ver_out
  - debug: msg="{{ ver_out.stdout }}"
But username and password are deprecated and I am trying to figure out how to pass the username, password as a "provider" variable. And this code doesn't work:
vars:
  asa_api:
    - creds: "{{ lookup('hashi_vault', 'secret=tst2/data/cisco token= url=http://10.80.23.81:8200') }}"
      set_fact:
        cisco: "{{ creds['data'] }}"
      username: "{{ cisco['username'] }}"
      password: "{{ cisco['password'] }}"
tasks:
  - name: show run
    asa_command:
      commands: show run
      provider: "{{ asa_api }}"
    register: run
    become: yes
    tags:
      - show_run
I cannot figure out the syntax for making this work. I would greatly appreciate any help.
Thanks,
Steve
Disclaimer: This is a generic answer. I do not have any network device to test this fully so you might have to adapt a bit after reading the documentation
You are taking this the wrong way. You don't need set_fact at all, and both methods you are trying to use (user/pass or provider dict) are actually deprecated. Ansible treats your network device as any host and will use the available user and password you have configured if they exist.
In the following example, I'm assuming your playbook only targets network devices and that the login/pass stored in your vault is the same on all devices.
- name: Untested network device connection configuration demo
  hosts: my_network_device_group
  vars:
    # This indicates which connection plugin to use. Default is ssh.
    # Another possible value is httpapi. See above documentation link.
    ansible_connection: network_cli
    vault_secret: tst2/data/cisco
    vault_token: verysecret
    vault_url: http://10.80.23.81:8200
    vault_options: "secret={{ vault_secret }} token={{ vault_token }} url={{ vault_url }}"
    creds: "{{ lookup('hashi_vault', vault_options).data }}"
    # These are the user and pass used for the connection.
    ansible_user: "{{ creds.username }}"
    ansible_password: "{{ creds.password }}"
  tasks:
    - name: Get nxos version
      nxos_command:
        commands: show ver
        timeout: 30
      register: ver_cmd
    - name: show version
      debug:
        msg: "NXOS version on {{ inventory_hostname }} is {{ ver_cmd.stdout }}"
    - name: Another task to play on targets
      debug:
        msg: "Task played on {{ inventory_hostname }}"
Rather than vars at play level, you can store this information in your inventory for all hosts or for a specific group, even for each host. See how to organise your group and host variables if you want to use that feature.

How to store MySQL password on remote host in Ansible?

Using the mysql_user module, I store the new password in a file, however, it stores it on my localhost. I want to save it to the remote host instead. How can I send the file to the /tmp/ directory on the remote machine?
- name: Create MySQL user on Dev
  mysql_user:
    login_unix_socket: /var/run/mysqld/mysqld.sock
    login_host: my_remote_host
    login_user: "{{ MYSQL_USER }}"
    login_password: "{{ MYSQL_PASS }}"
    name: "{{ name }}"
    password: "{{ lookup('password', '/tmp/new_password.txt chars=ascii_letters,digits,hexdigits,punctuation length=10') }}"
    host: 192.168.%
    priv: '*.*:ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,DROP,EVENT,EXECUTE,GRANT OPTION,INDEX,INSERT,LOCK TABLES,PROCESS,SELECT,SHOW DATABASES,SHOW VIEW,TRIGGER,UPDATE'
    state: present
I have a feeling I cannot register the password parameter according to this answer, so I am editing my question.
In Ansible, lookup runs on the control host where Ansible is running. There's no way to have the password lookup create the file directly on the remote host.
You could use the copy module after generating your password:
- name: Create MySQL user on Dev
  mysql_user:
    login_unix_socket: /var/run/mysqld/mysqld.sock
    login_host: my_remote_host
    login_user: "{{ MYSQL_USER }}"
    login_password: "{{ MYSQL_PASS }}"
    name: "{{ name }}"
    password: "{{ lookup('password', '/tmp/new_password.txt chars=ascii_letters,digits,hexdigits,punctuation length=10') }}"
    host: 192.168.%
    priv: '*.*:ALTER,ALTER ROUTINE,CREATE,CREATE ROUTINE,CREATE TEMPORARY TABLES,CREATE VIEW,DELETE,DROP,EVENT,EXECUTE,GRANT OPTION,INDEX,INSERT,LOCK TABLES,PROCESS,SELECT,SHOW DATABASES,SHOW VIEW,TRIGGER,UPDATE'
    state: present
- name: copy password file to remote host
  copy:
    src: /tmp/new_password.txt
    dest: /tmp/new_password.txt
But using a template task to e.g. generate a my.cnf file on the remote would also be a reasonable solution.
Try using a template task
- name: Save mysql password file
  template:
    src: mysql.j2
    dest: /tmp/mysql-password-file
mysql.j2:
{{ password }}

How to download and extract apache tomcat using ansible and rename unzipped file

I'm setting up a new Tomcat installation.
I want to download and extract Apache Tomcat using Ansible on several Linux nodes, but the extracted directory should be seen or renamed as 'apache' only, whatever the Tomcat version is.
- name: variable check
  hosts: all
  become: yes
  vars:
    tomcat_url: 'http://mirrors.estointernet.in/apache/tomcat/tomcat-8/v8.5.45/bin/apache-tomcat-8.5.45.tar.gz'
  tasks:
    - name: Download tomcat archive
      get_url:
        url: "{{ tomcat_url }}"
        dest: /opt
Here's a complete working example:
---
- hosts: all
  become: yes
  vars:
    tomcat_url: 'http://mirrors.estointernet.in/apache/tomcat/tomcat-8/v8.5.45/bin/apache-tomcat-8.5.45.tar.gz'
    # Top-level directory name inside the archive, e.g. apache-tomcat-8.5.45.
    # A suffix-anchored regex is used instead of rstrip(), which strips a set
    # of characters rather than the literal '.tar.gz' suffix.
    tomcat_dir: "{{ tomcat_url | basename | regex_replace('[.]tar[.]gz$', '') }}"
  tasks:
    - name: Download and extract apache tomcat
      unarchive:
        src: "{{ tomcat_url }}"
        dest: /opt/
        remote_src: yes
    - name: Synchronize the {{ tomcat_dir }} directory to /opt/apache on the same host
      synchronize:
        # Trailing slash: copy the directory contents, not the directory itself
        src: "/opt/{{ tomcat_dir }}/"
        dest: /opt/apache/
      delegate_to: "{{ inventory_hostname }}"
    - name: Remove the {{ tomcat_dir }} directory
      file:
        path: "/opt/{{ tomcat_dir }}"
        state: absent
