I'm trying to change the password of an existing user with Ansible, but only if the user is already present. I do not want to create any new users. Is there any good way?
vars:
myusers:
- { name: 'user1', update_pass: 'passwd' }
- { name: 'user2', update_pass: 'passwd' }
- { name: 'user3', update_pass: 'passwd' }
tasks:
- name: check exist
shell: /usr/sbin/usermod {{ item.name }}
with_items: myusers
register: result
failed_when: result.rc not in [6,2]
changed_when: result.rc != 6
- name: change passwd
user: name={{ item.name }} password={{ item.update_pass }} update_password=always
when: result|changed
with_items: myusers
vars_prompt:
- name: user_name
prompt: Enter the user name for password reset
private: no
- name: pass
prompt: Enter the password
tasks:
- name: Change {{ user_name }} password
user: name={{ user_name }} password={{ pass|password_hash('sha512') }} update_password=always
vars:
myusers:
- { name: 'user1', update_pass: 'passwd' }
- { name: 'user2', update_pass: 'passwd' }
- { name: 'user3', update_pass: 'passwd' }
# Contents of passwd will be stored in ansible_facts.getent_passwd as a dict
- name: Determine local user accounts
getent:
database: passwd
# Update password if user account is found in /etc/passwd
- name: change passwd
user: name={{ item.name }} password={{ item.update_pass }} update_password=always
with_items: myusers
when: item in ansible_facts.getent_passwd
Related
I have multiple repositories for those credentials I am keeping in hashi vault
vault:
Key : value
user1 : password
user2 : password
config.yml file
repo1: docker
user: user1
password: password
repo2: docker1
user: user2
password: password2
I have created json.j2 file for the same:
config.json.j2
{
"url" : "{{url}}",
"username" : "",
"password" : {{ repo_cred }},
}
And playbook that should that is giving me the list of username and password:
main.yml
tasks:
- name: lookup user name and password
set_fact:
repo_cred: "{{ lookup('hashi_vault', hashi_vault_params) }}"
delegate_to: localhost
vars:
hashi_vault_params: >-
secret={{ hashi_vault.secret }}
url={{ url }}
token={{ hashi_vault }}
ca_cert={{ hashi_vault }}
hashi_vault:
secret: "test/repo_pass"
token: "{{ vault_token }}"
url: "{{ service }}"
ca_cert: "{{ ca_cert }}"
- debug: msg="{{ repo_cred }}"
I am getting the list of username and password as output while running above task but I don't know how to make sure that the each repositories has their username and password.
I am trying to add a when condition in my ansible-playbook. However, I am not able to figure out the exact syntax/method to do it because my roles are using additional parameters. Below mentioned is my playbook
---
- name: Deploying application code
hosts: uat-aegis
roles:
- { role: roles/send_slack, slack_message_text: "*`Started : Deploying code for {{ module_name }} on {{ inventory_hostname }}`*"}
- { role: roles/application_code_backup, backup_directory_name: "NAME", repo_directory: "/path/to/repo" }
- { role: roles/application_copy_config, repo_directory: "/path/to/repo"}
- { role: roles/application_git_pull, repo_url: "git#code.git", repo_directory: "/path/to/repo", branch_name: "BRANCH_NAME"}
- { role: roles/application_pm2_restart, process_name: "NAME" }
- { role: roles/send_slack, slack_message_text: "*`=== Completed : Deploying code for {{ module_name }} on {{ inventory_hostname }} ===`*"}
Here I need to execute roles/application_copy_config only when a certain variable value is true. This variable value is passed as --extra-vars while executing the ansible-playbook from Jenkins(Boolean value parameter in Execute Script). I have tried using the below piece of code but it does not work.
---
- name: Deploying application code
hosts: uat-aegis
roles:
- { role: roles/send_slack, slack_message_text: "*`Started : Deploying code for {{ module_name }} on {{ inventory_hostname }}`*"}
- { role: roles/application_code_backup, backup_directory_name: "NAME", repo_directory: "/path/to/repo" }
- { role: roles/application_copy_config
when: "copy_config=true", repo_directory: "/path/to/repo"}
- { role: roles/application_git_pull, repo_url: "git#code.git", repo_directory: "/path/to/repo", branch_name: "BRANCH_NAME"}
- { role: roles/application_pm2_restart, process_name: "NAME" }
- { role: roles/send_slack, slack_message_text: "*`=== Completed : Deploying code for {{ module_name }} on {{ inventory_hostname }} ===`*"}
ansible-playbook command is as follows
ansible-playbook plays/deploy_application/code.yml --extra-vars "module_name=$MODULE_NAME config_copy_path=$CURRENT_PATH/ env=$ENVIRONMENT copy_config=$COPY_CONFIG"
Please help me to use the when condition in the ansible-playbook. This is required becuase I need to execute the role: roles/application_copy_config only when the variable value is true. I have used this reference for adding when condition in the role
Was able to apply the when condition for boolean values using bool filter as mentioned below
---
- name: Deploying application code
hosts: uat-aegis
roles:
- { role: roles/send_slack, slack_message_text: "*`Started : Deploying code for {{ module_name }} on {{ inventory_hostname }}`*"}
- { role: roles/application_code_backup, backup_directory_name: "NAME", repo_directory: "/path/to/repo", when: var1 | bool }
- { role: roles/application_copy_config, repo_directory: "/path/to/repo"}
- { role: roles/application_git_pull, repo_url: "git#code.git", repo_directory: "/path/to/repo", branch_name: "BRANCH_NAME", when: var2 | bool}
- { role: roles/application_pm2_restart, process_name: "NAME", when: not var3 | bool }
- { role: roles/send_slack, slack_message_text: "*`=== Completed : Deploying code for {{ module_name }} on {{ inventory_hostname }} ===`*"}
Use the below code to check true and false
when: var1 | bool ----> true
when: not var2 | bool ----> false
You can specify conditionals with different style:
- name: Deploying application code
hosts: uat-aegis
roles:
- role: roles/application_code_backup
vars:
backup_directory_name: "NAME"
repo_directory: "/path/to/repo"
when: var1 | bool
I have a role which uses with_items:
- name: Create backup config files
template:
src: "config.yml.j2"
dest: "/tmp/{{ project }}_{{ env }}_{{ item.type }}.yml"
with_items:
- "{{ backups }}"
I can access the item.type, as usual, but not project or env which are defined outside the collection:
deploy/main.yml
- hosts: ...
vars:
project: ...
rails_env: qa
roles:
- role: ../../../roles/deploy/dolly
project: "{{ project }}"
env: "{{ rails_env }}"
backups:
- type: mysql
username: ...
password: ...
The error I get is:
Error was a <class 'ansible.errors.AnsibleError'>, original message: An unhandled exception occurred while templating '{{ project }}'
The template, config.j2.yml, is:
type: {{ item.type }}
project: {{ project }}
env: {{ env }}
database:
username: {{ item.username }}
password: {{ item.password }}
It turns out for can't redefine a var with the same name as an existing var, so project: {{ project }} will always fail with an error.
Instead project can be omitted and the existing definition, in vars, can be used.
- hosts: ...
vars:
project: ... # <- already defined here
roles:
- role: ../../../roles/deploy/dolly
backups:
- type: mysql
username: ...
password: ...
If the var is not defined in vars can be defined in the role:
- hosts: ...
vars:
name: ...
roles:
- role: ../../../roles/deploy/dolly
project: "{{ name }}" # <- define here
backups:
- type: mysql
username: ...
password: ...
Started to experiment with Ansible and using playbooks to automate some routine tasks on network devices. I was able to get some basic stuff working and learn in the process but I know my knowledge is limited so when I see this playbook and how much stuff seems redundant I have to assume there are better ways to eliminate some of the redundancy and make things cleaner and more efficient.
Example I want to try to use and explain in order to get some ideas on is around configuring a new vlan on a group of devices.
Typically a new vlan first needs to be configured on the two distribution switches and then there are specific interfaces on those two switches that we have to add the vlan to.
So, for this first part I have the two hosts in a group called "dist" in my hosts file:
[dist]
DIST01 ansible_host=10.10.1.1
DIST02 ansible_host=10.10.1.2
Then I created the following in my playbook:
- name: Add Heartbeat VLAN to DIST
hosts: dist
connection: local
gather_facts: no
tasks:
- name: Include Login Credentials
include_vars: secrets.yml
- name: Define Provider
set_fact:
provider:
host: "{{ ansible_host }}"
username: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
tasks:
- name: Ensure VLAN Exists
provider: "{{ provider }}"
nxos_vlan: vlan_id="2600" state=present host={{ ansible_host }}
- name: Ensure VLAN Name Configured
provider: "{{ provider }}"
nxos_vlan: vlan_id={{ item.vid }} name={{ item.name }} host={{ ansible_host }} state=present
with_items:
- { vid: 2600, name: Ansible Heartbeat VLAN }
- name: ASSIGN VLAN TO TRUNK PORTS
nxos_switchport:
interface: "{{ item.interface }}"
mode: trunk
trunk_vlans: "{{ item.vlan }}"
provider: "{{ provider }}"
with_items:
- { interface: po850, vlan: 2600 }
- { interface: po860, vlan: 2600 }
- { interface: po865, vlan: 2600 }
- { interface: po868, vlan: 2600 }
- { interface: po871, vlan: 2600 }
- { interface: po872, vlan: 2600 }
- { interface: po875, vlan: 2600 }
- { interface: po877, vlan: 2600 }
- { interface: po884, vlan: 2600 }
So, for each host in that group it iterates through a list of interfaces / ports and adds the vlan specified.
Question #1.
First thing that stands out as being "inefficient" in my mind is I don't believe its very wise to have to specify the "vlan: 2600" every where.
I would think I should just set the vlan as a variable some where (in the playbook? in some other file that gets called?) to be used in each case where it is needed.
Next set of tasks:
After the previous task the next requires us to connect to each access switch that needs the vlan to be deployed on and configure the new vlan there.
The issue I run into here is that the port-channel on each of these switches is a different interface #. So I can't apply the same config by just iterating through a list of devices.
For instance what I have to do is something like this:
host: ACCESS01 interface: po850 vlan: 2600
host: ACCESS02 interface: po860 vlan: 2600
host: ACCESS03 interface: po870 vlan: 2600
So for each host/switch you add the vlan to the interface associated with that switch.
I just created a new task for each device that specifies the interface to configure for that switch.
Example:
- name: Add Heartbeat VLAN to ACCESS01
hosts: ACCESS01
connection: local
gather_facts: no
tasks:
- name: Include Login Credentials
include_vars: secrets.yml
- name: Define Provider
set_fact:
provider:
host: "{{ ansible_host }}"
username: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
tasks:
- name: Ensure VLAN Exists
provider: "{{ provider }}"
nxos_vlan: vlan_id="2600" state=present host={{ ansible_host }}
- name: Ensure VLAN Name Configured
provider: "{{ provider }}"
nxos_vlan: vlan_id={{ item.vid }} name={{ item.name }} host={{ ansible_host }} state=present
with_items:
- { vid: 2600, name: Ansible Heartbeat VLAN }
- name: ASSIGN VLAN TO PORTS
nxos_switchport:
interface: "{{ item.interface }}"
mode: trunk
trunk_vlans: "{{ item.vlan }}"
provider: "{{ provider }}"
with_items:
- { interface: po850, vlan: 2600 }
- name: Add Heartbeat VLAN to ACCESS02
hosts: ACCESS02
connection: local
gather_facts: no
tasks:
- name: Include Login Credentials
include_vars: secrets.yml
- name: Define Provider
set_fact:
provider:
host: "{{ ansible_host }}"
username: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
tasks:
- name: Ensure VLAN Exists
provider: "{{ provider }}"
nxos_vlan: vlan_id="2600" state=present host={{ ansible_host }}
- name: Ensure VLAN Name Configured
provider: "{{ provider }}"
nxos_vlan: vlan_id={{ item.vid }} name={{ item.name }} host={{ ansible_host }} state=present
with_items:
- { vid: 2600, name: Ansible Heartbeat VLAN }
- name: ASSIGN VLAN TO PORTS
nxos_switchport:
interface: "{{ item.interface }}"
mode: trunk
trunk_vlans: "{{ item.vlan }}"
provider: "{{ provider }}"
with_items:
- { interface: po860, vlan: 2600 }
- name: Add Heartbeat VLAN to ACCESS03
hosts: ACCESS03
connection: local
gather_facts: no
tasks:
- name: Include Login Credentials
include_vars: secrets.yml
- name: Define Provider
set_fact:
provider:
host: "{{ ansible_host }}"
username: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
tasks:
- name: Ensure VLAN Exists
provider: "{{ provider }}"
nxos_vlan: vlan_id="2600" state=present host={{ ansible_host }}
- name: Ensure VLAN Name Configured
provider: "{{ provider }}"
nxos_vlan: vlan_id={{ item.vid }} name={{ item.name }} host={{ ansible_host }} state=present
with_items:
- { vid: 2600, name: Ansible Heartbeat VLAN }
- name: ASSIGN VLAN TO PORTS
nxos_switchport:
interface: "{{ item.interface }}"
mode: trunk
trunk_vlans: "{{ item.vlan }}"
provider: "{{ provider }}"
with_items:
- { interface: po870, vlan: 2600 }
And so you see... I know when I see things almost identical repeated over and over again I have to assume there is a better way and I just don't know enough yet to solve on my own.
Question #2. I suspect there is a better way to handle repeating the following for each task in the playbook:
tasks:
- name: Include Login Credentials
include_vars: secrets.yml
- name: Define Provider
set_fact:
provider:
host: "{{ ansible_host }}"
username: "{{ creds['username'] }}"
password: "{{ creds['password'] }}"
Question #3, Could I possibly just list this data some where, either in the playbook or another file maybe and then create a task that could iterate through the data to determine what port needs to be configured?
host: ACCESS01 interface: po850 vlan: 2600
host: ACCESS02 interface: po860 vlan: 2600
host: ACCESS03 interface: po870 vlan: 2600
Some sort of logic to this in my mind would be something like, if "host" equals "ACCESS01" then interface equals po850.
So the task could just be referencing variables that are populated depending on the host its currently working on?
Any thoughts and advice on improving both the playbook and my knowledge of things is greatly appreciated. I guess I'm look for the most "ansiblistic" way to accomplish this. That's not a word huh?
For Question#1, you can use like this:
- name: ASSIGN VLAN TO TRUNK PORTS
nxos_switchport:
interface: "{{ item.interface }}"
mode: trunk
trunk_vlans: "{{ item.vlan | default('2600') }}"
provider: "{{ provider }}"
with_items:
- interface: po850
- interface: po860
- interface: po865
- interface: po868
- interface: po871
- interface: po872
- interface: po875
- interface: po884
If you want to assign different vlan to one or more interface(s), then you can use like this:
- { interface: po850, vlan: 2700 }
Hope that help you.
Is it possible to call a role multiple times in a loop like this:
vars:
my_array:
- foo
- bar
- baz
roles:
- role: foobar
with_items: my_array
How can we do this?
Now supported as of Ansible 2.3.0:
- name: myrole
with_items:
- "aone"
- "atwo"
include_role:
name: myrole
vars:
thing: "{{ item }}"
There's no way to loop over a role currently but as mentioned in that Google Group discussion you can pass a list or dict to the role and then loop through that internally.
So instead you could do something like:
# loop_role/tasks/main.yml
- name: debug item
debug: var="{{ item }}"
with_items: my_array
And then use it like this:
- hosts: all
vars:
my_array:
- foo
- bar
- baz
roles:
- { role: loop_role, my_array: "{{ my_array }}" }
I used something like below on Ansible version 2.8
tasks:
- name: looping role to create multiple filesystem
include_role:
name: /opt/ansible/playbook/app_filesystem
vars:
vgname: "{{ item.vgname }}"
lvname: "{{ item.lvname }}"
lvsize: "{{ item.lvsize }}"
mountpoint: "{{ item.mountpoint }}"
loop:
- { vgname: 'vgapp', lvname: 'lvapp', lvsize: '30g', mountpoint: '/app' }
- { vgname: 'vgapp', lvname: 'lvappzk', lvsize: '64g', mountpoint: '/app/z' }
- { vgname: 'vgapp', lvname: 'lvappdatazk', lvsize: '+100%FREE', mountpoint: '/app/data/zookeeper' }
tasks:
- name: looping role to create multiple filesystem
include_role:
name: /opt/ansible/playbook/app_filesystem
vars:
vgname: "{{ item.vgname }}"
lvname: "{{ item.lvname }}"
lvsize: "{{ item.lvsize }}"
mountpoint: "{{ item.mountpoint }}"
loop:
- { vgname: 'vgapp', lvname: 'lvapp', lvsize: '30g', mountpoint: '/app' }
- { vgname: 'vgapp', lvname: 'lvappzk', lvsize: '64g', mountpoint: '/app/zookeeper' }
- { vgname: 'vgapp', lvname: 'lvappdatazk', lvsize: '+100%FREE', mountpoint: '/app/data/zookeeper' }
You can do so using the include_role module. See docs
According to the docs it was introduced in Ansible 2.2 already (not in 2.3 as others have stated).
The code would then look like
- name: Use role in loop
ansible.builtin.include_role:
name: my-role
vars:
some_role_variable: '{{ loop_var }}'
loop:
- '{{ roleinput1 }}'
- '{{ roleinput2 }}'
loop_control:
loop_var: loop_var
Here is a code sample for using include_role looping on my_array:
- name: Use role in loop
include_role:
name: myrole
loop: "{{ my_array }}"