
Ansible

In an ideal world, all of your configuration information would be stored as Ansible variables, in the various places that Ansible lets you define variables (e.g., the vars section of your playbooks, files loaded by vars_files , files in the host_vars or group_vars directory).

Alas, the world is a messy place, and sometimes a piece of configuration data we need lives somewhere else. Maybe it's in a text file or a .csv file, and we don't want to just copy the data into an Ansible variable file, because then we would have to maintain two copies of the same data, and we believe in the DRY principle. Or maybe the data isn't maintained as a file at all; it's maintained in a key-value storage service such as etcd.

Ansible has a feature called lookups that allows you to read configuration data from various sources and then use that data in your playbooks and templates. Ansible ships a collection of lookups for retrieving data from different sources; some of them are shown in the table below.

Name       Description
file       Contents of a file
password   Randomly generate a password
pipe       Output of locally executed command
env        Environment variable
template   Jinja2 template after evaluation
csvfile    Entry in a .csv file
dnstxt     DNS TXT record
redis_kv   Redis key lookup
etcd       etcd key lookup

You invoke lookups by calling the lookup function with two arguments. The first is a string with the name of the lookup, and the second is a string that contains one or more arguments to pass to the lookup. For example, we call the file lookup like this:

lookup('file', '/path/to/file.txt')

  - name: Copying the ssh-keys
    authorized_key:
      user: "{{ item.name }}"
      state: "{{ item.state }}"
      # item.key is already inside a Jinja2 expression, so it is passed as a
      # variable, not wrapped in a second pair of {{ }}
      key: "{{ lookup('file', item.key) }}"
    with_items:
      - "{{ users }}"
    ignore_errors: "{{ ansible_check_mode }}"

You can invoke lookups in your playbooks between {{ braces }} , or you can put them in templates.

This section gave only a brief overview of the available lookups. The Ansible documentation provides more details on the lookups that exist and how to use them.

Create a user with a random password and store it in a file

Let's try to generate a random password for each user in a list that comes from a file. The password should be hashed before it is set and saved in a file.

First we need to have or import the list of users we will create on our targets. The list is the one below:

users.yml:

users:
  - name: luiz.eduardo
    comment: "Service account"
    job: dev
  - name: isweluiz
    comment: "Service account"
    job: infra

playbooks/create-user.yml:

- hosts: all
  become: true
  vars:
    state_user: present
  vars_files:
    - users.yml
  tasks:
    - name: Create new user with random password - DEV
      user:
        name: "{{ item.name }}"
        comment: "{{ item.comment }}"
        password: "{{ lookup('password', '/home/vagrant/' + item.name + '/password.txt encrypt=md5_crypt length=15') }}"
        state: "{{ state_user }}"
      when:
        - item.job == 'dev'
      with_items:
        - "{{ users }}"

    - name: Create new user with random password - INFRA
      user:
        name: "{{ item.name }}"
        comment: "{{ item.comment }}"
        password: "{{ lookup('password', '/home/vagrant/' + item.name + '/password.txt encrypt=md5_crypt length=8') }}"
        state: "{{ state_user }}"
      when:
        - item.job == 'infra'
      with_items:
        - "{{ users }}"
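The lookup call syntax described earlier and the password playbook above both hinge on what the `password` lookup does with its term string and with the file it writes. The following Python is an added example (not code from the gist or from Ansible) that models that behaviour: it parses the `path key=value` term, reuses or creates the `<password> salt=<salt>` file in the same format as the `password.txt` shown later, and runs an audit check on the file's permissions. The default character set and the 20-character default length are assumptions taken from the lookup documentation.

```python
import os
import secrets
import string
import tempfile
from pathlib import Path

# Default character set of Ansible's password lookup (an assumption based on
# the lookup docs; it matches the "WZD-C.hu" style value shown in password.txt).
DEFAULT_CHARS = string.ascii_letters + string.digits + ".,:-_"

def parse_term(term):
    """Split '/path/password.txt encrypt=md5_crypt length=8' into the path
    and its key=value options; length defaults to 20 like the lookup."""
    path, *opts = term.split()
    options = {"length": 20, "encrypt": None}
    for opt in opts:
        key, _, value = opt.partition("=")
        options[key] = int(value) if key == "length" else value
    return path, options

def read_or_create(path, length=20):
    """Return (password, created): reuse the password stored in path, else
    generate one and write it in the lookup's format '<password> salt=<salt>'.
    The plaintext lives here, so the file is 0600 inside a 0700 directory."""
    p = Path(path)
    if p.exists():
        return p.read_text().strip().split(" salt=")[0], False
    password = "".join(secrets.choice(DEFAULT_CHARS) for _ in range(length))
    salt = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(8))
    p.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    p.touch(mode=0o600)
    p.write_text(f"{password} salt={salt}\n")
    return password, True

def is_private(path):
    """Audit check: a password file readable by group or others is a finding."""
    return (os.stat(path).st_mode & 0o077) == 0

def demo():
    """Run the flow in a scratch directory (constructed, not /home/vagrant)."""
    root = Path(tempfile.mkdtemp())
    _, opts = parse_term("/home/vagrant/isweluiz/password.txt encrypt=md5_crypt length=8")
    target = root / "isweluiz" / "password.txt"
    first, created = read_or_create(target, opts["length"])
    second, created_again = read_or_create(target, opts["length"])
    private_before = is_private(target)
    os.chmod(target, 0o644)  # simulate a file left group/world-readable
    return {"created": created, "reused": not created_again, "same": first == second,
            "length": len(first), "private_before": private_before,
            "private_after": is_private(target)}
```

Because the file on the control node holds the plaintext password, treat the directory as a secret store and audit its permissions as shown. Note also that `encrypt=md5_crypt` produces a legacy hash; `sha512_crypt` is the usual choice for the `user` module's password field.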

Let's run it and see the result:

[vagrant@node-centos-1 ~]$ ansible-playbook playbooks/create-user.yml

PLAY [all] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************************************************
Tuesday 04 October 2022  18:52:32 +0100 (0:00:00.020)       0:00:00.020 ******* 
ok: [192.168.56.12]
ok: [192.168.56.13]

TASK [Create new user with random password] **********************************************************************************************************************************************************
Tuesday 04 October 2022  18:52:33 +0100 (0:00:00.732)       0:00:00.752 ******* 
changed: [192.168.56.12] => (item={'name': 'luiz.eduardo', 'comment': 'Service account', 'job': 'dev'})
skipping: [192.168.56.12] => (item={'name': 'isweluiz', 'comment': 'Service account', 'job': 'infra'}) 
changed: [192.168.56.13] => (item={'name': 'luiz.eduardo', 'comment': 'Service account', 'job': 'dev'})
skipping: [192.168.56.13] => (item={'name': 'isweluiz', 'comment': 'Service account', 'job': 'infra'}) 

TASK [Create new user with random password] **********************************************************************************************************************************************************
Tuesday 04 October 2022  18:52:33 +0100 (0:00:00.725)       0:00:01.478 ******* 
skipping: [192.168.56.12] => (item={'name': 'luiz.eduardo', 'comment': 'Service account', 'job': 'dev'}) 
skipping: [192.168.56.13] => (item={'name': 'luiz.eduardo', 'comment': 'Service account', 'job': 'dev'}) 
changed: [192.168.56.12] => (item={'name': 'isweluiz', 'comment': 'Service account', 'job': 'infra'})
changed: [192.168.56.13] => (item={'name': 'isweluiz', 'comment': 'Service account', 'job': 'infra'})

PLAY RECAP *******************************************************************************************************************************************************************************************
192.168.56.12              : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.56.13              : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Tuesday 04 October 2022  18:52:34 +0100 (0:00:00.641)       0:00:02.120 ******* 
=============================================================================== 
Gathering Facts ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 0.73s
Create new user with random password ---------------------------------------------------------------------------------------------------------------------------------------------------------- 0.73s
Create new user with random password ---------------------------------------------------------------------------------------------------------------------------------------------------------- 0.64s
[vagrant@node-centos-1 ~]$ 

Now let's check that the folders were created and that each contains a password file:

[vagrant@node-centos-1 ~]$ ls -la isweluiz/ luiz.eduardo/
isweluiz/:
total 8
drwx------.  2 vagrant vagrant   26 Oct  4 18:52 .
drwx------. 14 vagrant vagrant 4096 Oct  4 18:52 ..
-rw-------.  1 vagrant vagrant   23 Oct  4 18:52 password.txt

luiz.eduardo/:
total 8
drwx------.  2 vagrant vagrant   26 Oct  4 18:52 .
drwx------. 14 vagrant vagrant 4096 Oct  4 18:52 ..
-rw-------.  1 vagrant vagrant   30 Oct  4 18:07 password.txt

[vagrant@node-centos-1 ~]$ cat isweluiz/password.txt 
WZD-C.hu salt=PEbfORdB

Explore more:
