Ansible Create Users and Groups (with vault)

jcakakpo · March 13, 2023, 1:37am

Here is the problem statement for the task:

On jump host itself there is a list of users in ~/playbooks/data/users.yml file and there are two groups — admins and developers —that have list of different users. Create a playbook ~/playbooks/add_users.yml on jump host to perform the following tasks on app server 3 in Stratos DC.

a. Add all users given in the users.yml file on app server 3.

b. Also add developers and admins groups on the same server.

c. As per the list given in the users.yml file, make each user member of the respective group they are listed under.

d. Make sure home directory for all of the users under developers group is /var/www (not the default i.e /var/www/{USER}). Users under admins group should use the default home directory (i.e /home/devid for user devid).

e. Set password ksH85UJjhb for all of the users under developers group and TmPcZjtRQx for of the users under admins group. Make sure to use the password given in the ~/playbooks/secrets/vault.txt file as Ansible vault password to encrypt the original password strings. You can use ~/playbooks/secrets/vault.txt file as a vault secret file while running the playbook (make necessary changes in ~/playbooks/ansible.cfg file).

f. All users under admins group must be added as sudo users. To do so, simply make them member of the wheel group as well.

Here is my issue and question:
For setting the password, it seems the task only passes if we set the following in the playbook under the ansible “user” module:
password: “{{ ‘ksH85UJjhb’ | password_hash(‘sha512’) }}”

My question is, what is the point of encrypting a password with a password stored in a vault if we are going to show the password in plain-text in the playbook?

jcakakpo · March 13, 2023, 1:43am

Why doesn’t this work ?

---
- name: perform tasks on servers
  hosts: stapp03
  remote_user: root
  become: true
  vars:
    passwd_developers: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36353431396335313565356432366138353039656530393638336431653261623038633238616137
          3563653134646534663265376538323163633033343562310a663533626433383365646338383463
          32626238366466643336363936376239643732366335333833303664663865346564613564363831
          3838323836396133360a336262323161313466626132323163303333363061393537336239353138
          3934

    passwd_admins: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32376463643665363337646634383037353538613965323964313231336261663761346632326237
          6435376234643864613336303566373561633235316331650a376539643631303939386435643633
          66663030343936343164663138346361306430613937346463303039313739356361393334353264
          3032653735386135340a363431323764396666353965633238623466373133613761663039396534
          6261

  tasks:
    - name: Ensure required groups exist
      ansible.builtin.group:
        name: "{{ item }}"
        state: present
      with_items:
        - admins
        - developers
    - name: add users belonging to group "admins" and add same users to "wheel" group
      ansible.builtin.user:
        name: "{{ item }}"
        groups: admins,wheel
        state: present
        append: yes
        password: "{{ '{{ passwd_admins }}' | password_hash('sha512') }}"
      with_items:
        - rob
        - david
        - joy
    - name: add users belonging to group "developers"
      ansible.builtin.user:
        name: "{{ item }}"
        groups: developers
        state: present
        append: yes
        home: /var/www/"{{ item }}"
        password: "{{ '{{ passwd_developers }}' | password_hash('sha512') }}"
      with_items:
        - tim
        - ray
        - jim
        - mark