elnygren

Reputation: 5345

Logging in with username/password (fetched from an API) in an Ansible playbook

I'm trying to handle the following situation in an Ansible playbook:

  1. create a server via a cloud provider's API
  2. store root credentials (username/password) from the API's response
  3. use the root credentials to log in and place an SSH key
  4. set up new users, disable root login, etc.

I can use authorized_key and user modules for step 4. I have a module (self-built) for steps 1 and 2. How do I handle step 3? Are there any existing solutions for programmatically logging in with a username/password? I DO NOT want to give them via command line.

Basically I could build a module for this too. Ideally I'd like something similar to:

- name: setup SSH
  place_ssh_with_passwd:
    state: present
    key: /path/to/local/key
    path: /root/.ssh/authorized_keys
    user: "{{ server.username }}"
    password: "{{ server.password }}"

Upvotes: 1

Views: 1152

Answers (2)

elnygren

Reputation: 5345

I found one way to accomplish this in the same play after server creation:

 - name: create server
   ...use module, create server and grab password from output...

 - name: add SSH key to server
   shell: "./scp_ssh_key.sh /path/to/key user@host:/path/ {{ passwd }}"

Where the shell script would be something along the lines of: https://gist.github.com/elnygren/965a6db4f3fd8e242e90

After this one could use Ansible's built-in modules to set up users, other keys etc.

Upvotes: 0

nitzmahone

Reputation: 13940

Use the add_host action to add the host to a new group and set ansible_ssh_host, ansible_ssh_user and ansible_ssh_pass with Jinja templates off your response from the cloud provider (see the example in the docs). Then start a new play that targets the new group to do your key placement and whatever other setup tasks you want against the new host.

Upvotes: 0
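
The two-play layout described in the answer above, as an added example that is not part of the original answer. `my_cloud_server`, the result fields `server.ip`, `server.username` and `server.password`, the group name `new_servers` and the `.pub` key path are assumptions standing in for the self-built module from the question.

```yaml
# Added example: credentials travel as host variables, never on a command line.
- name: Create the server and register it in the in-memory inventory
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Create server via the provider API
      my_cloud_server:            # hypothetical self-built module
        state: present
      register: server
      no_log: true                # the result contains the root password

    - name: Wait until sshd answers on the new host
      wait_for:
        host: "{{ server.ip }}"   # assumed field name
        port: 22
        timeout: 300

    - name: Add the host to a temporary group with password credentials
      add_host:
        name: "{{ server.ip }}"
        groups: new_servers       # assumed group name
        ansible_ssh_host: "{{ server.ip }}"
        ansible_ssh_user: "{{ server.username }}"
        ansible_ssh_pass: "{{ server.password }}"
      no_log: true                # keep the password out of task output and logs
      changed_when: false

# A new play targets the group created above; the connection uses the
# username/password set by add_host.
- name: Bootstrap key-based access on the new host
  hosts: new_servers
  gather_facts: false
  tasks:
    - name: Place the public key for the root account
      authorized_key:
        user: "{{ ansible_ssh_user }}"
        key: "{{ lookup('file', '/path/to/local/key.pub') }}"   # assumed path
        state: present

    # Further setup (new users, disabling root login) follows here,
    # using the user module and friends as in step 4 of the question.
```

Password-based SSH connections require `sshpass` on the control machine, and with host key checking enabled the new host's key must already be in `known_hosts` or the connection is refused.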
