Naveen S

Reputation: 41

Ansible - restrict the deployment after entering a specific password (note: not an SSH password)

Ansible deploys to multiple servers: dev, qa, uat, prod etc. SSH keys are set up for all environments.

I would like to restrict the deployment to prod only after entering a specific password (note: not an SSH password).

How do I enforce this only while running on the prod inventory?

Upvotes: 0

Views: 159

Answers (2)

techraf

Reputation: 68489

The easiest thing you can do is to actually use an SSH password, but at the same time set up a requirement on the production servers to provide both the password and the key for the Ansible user.

Add the following to the end of sshd_config and restart the SSH daemon:

Match User ansible
    PasswordAuthentication yes
    AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"

(of course, replace ansible with the actual account name)

This way you don't subvert the security:

  • ansible user must use both: password (you'd need to add -k to the Ansible call for production servers) and key-based authentication
  • all other users must use key-based authentication (assuming you have PasswordAuthentication no in the general section of sshd_config)

Upvotes: 0
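A small checker for the sshd_config policy described in this answer (global key-only, key plus password for the automation user). This is an added example, not part of the answer or of OpenSSH; the config text is constructed to mirror the snippet above, and the user name "ansible" is the same placeholder the answer uses.

```python
"""Verify that an sshd_config enforces: key-only for everyone, key AND
password for the automation user (per the Match block in the answer).
Added example; the sample config below is constructed, not a real server's."""
import shlex

# Constructed sample: global section plus the Match block from the answer.
SAMPLE_SSHD_CONFIG = """
# global section: nobody gets password auth by default
PasswordAuthentication no

Match User ansible
    PasswordAuthentication yes
    AuthenticationMethods "publickey,password" "publickey,keyboard-interactive"
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    match_blocks maps the Match criteria (e.g. 'User ansible') to its options.
    Keys are lowercased (sshd keywords are case-insensitive); values are the
    token list after the keyword. Within one section sshd uses the first
    occurrence of a keyword, so later duplicates are ignored here too.
    """
    global_opts, match_blocks = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)           # handles the quoted method lists
        key, args = tokens[0].lower(), tokens[1:]
        if key == "match":
            current = match_blocks.setdefault(" ".join(args), {})
            continue
        current.setdefault(key, args)
    return global_opts, match_blocks


def first(opts, key, default):
    """First token of an option, lowercased, or the default if unset."""
    vals = opts.get(key)
    return vals[0].lower() if vals else default


def requires_key_and_second_factor(methods):
    """True only if every AuthenticationMethods alternative demands
    publickey plus password or keyboard-interactive."""
    if not methods:
        return False
    for alt in methods:
        parts = set(alt.split(","))
        if "publickey" not in parts:
            return False
        if not parts & {"password", "keyboard-interactive"}:
            return False
    return True


def check_policy(text, user):
    """Return named checks (and an overall 'ok') for the given automation user."""
    global_opts, matches = parse_sshd_config(text)
    block = matches.get("User " + user, {})
    global_pw = first(global_opts, "passwordauthentication", "yes")  # sshd default is yes
    user_pw = first(block, "passwordauthentication", global_pw)     # Match overrides global
    results = {
        "global_password_auth_off": global_pw == "no",
        "user_password_auth_on": user_pw == "yes",
        "user_needs_key_and_password":
            requires_key_and_second_factor(block.get("authenticationmethods", [])),
    }
    results["ok"] = all(results.values())
    return results


if __name__ == "__main__":
    for name, passed in check_policy(SAMPLE_SSHD_CONFIG, "ansible").items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Run it against the real file with `check_policy(open("/etc/ssh/sshd_config").read(), "ansible")`; a FAIL on `global_password_auth_off` means the general section still permits password logins for every account, which is exactly the case the second bullet above warns about.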

Konstantin Suvorov

Reputation: 68269

To prevent accidental deploys you can use extra vars or environment variables (add it as your first task):

---
# The guard must run on the inventory hosts themselves: group_names is
# evaluated per host, so a play against localhost would never see 'prod'.
- hosts: all
  gather_facts: no
  tasks:
    # Fail early unless the deploy is explicitly allowed via the extra var
    # allow_prod_deploy or the environment variable ALLOW_PROD_DEPLOY.
    - assert:
        that: "'prod' not in group_names or ('prod' in group_names and (allow_prod_deploy | default(false) or lookup('env', 'ALLOW_PROD_DEPLOY') | default(false)))"
        msg: "Trying to deploy to production, but allow_prod_deploy is not set!"

Execute prod deploy as follows:

ansible-playbook -e allow_prod_deploy=1 myplaybook.yml

or:

ALLOW_PROD_DEPLOY=1 ansible-playbook myplaybook.yml

Upvotes: 1
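The guard above works because Jinja treats a non-empty string as true, and that cuts both ways: `-e allow_prod_deploy=1` is the string "1", but `-e allow_prod_deploy=0` or `ALLOW_PROD_DEPLOY=false` are also non-empty strings and will unlock prod too. The added example below (not part of the answer; Ansible is not imported, its truthiness rules are reproduced in plain Python) evaluates the `that:` expression as written next to a variant that passes both values through Ansible's `bool` filter, whose accepted spellings are approximated in `ansible_bool`.

```python
"""Evaluate the prod-deploy guard for several invocations.
Added example; it emulates Jinja/Ansible truthiness rather than running Ansible."""


def jinja_default(value, fallback=False):
    """Jinja's default() only replaces *undefined* values; '' and '0' pass through."""
    return fallback if value is None else value


def env_lookup(env, name):
    """lookup('env', NAME) returns '' (not undefined) when the variable is unset."""
    return env.get(name, "")


def ansible_bool(value):
    """Approximation of Ansible's `bool` filter: only these spellings are true."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "true", "yes", "on", "y", "t"}


def guard_as_written(group_names, extra_vars, env):
    """Literal translation of the answer's `that:` expression.
    group_names: list for the current host; extra_vars: values from -e (strings)."""
    allow_var = jinja_default(extra_vars.get("allow_prod_deploy"))
    allow_env = jinja_default(env_lookup(env, "ALLOW_PROD_DEPLOY"))
    return "prod" not in group_names or (
        "prod" in group_names and bool(allow_var or allow_env)
    )


def guard_with_bool_filter(group_names, extra_vars, env):
    """Same guard with `| bool` applied to both inputs, so only an explicit
    true-ish value ('1', 'true', 'yes', ...) unlocks a prod deploy."""
    allow_var = ansible_bool(jinja_default(extra_vars.get("allow_prod_deploy")))
    allow_env = ansible_bool(env_lookup(env, "ALLOW_PROD_DEPLOY"))
    return "prod" not in group_names or (allow_var or allow_env)


if __name__ == "__main__":
    # Constructed invocations: (group_names of the host, -e vars, environment)
    cases = [
        (["prod"], {}, {}),
        (["prod"], {"allow_prod_deploy": "1"}, {}),
        (["prod"], {"allow_prod_deploy": "0"}, {}),      # the surprising one
        (["prod"], {}, {"ALLOW_PROD_DEPLOY": "false"}),  # also surprising
        (["dev"], {}, {}),
    ]
    for groups, ev, env in cases:
        print(groups, ev, env,
              "as_written:", guard_as_written(groups, ev, env),
              "with_bool:", guard_with_bool_filter(groups, ev, env))
```

In the playbook the hardened form is `(allow_prod_deploy | default(false) | bool) or (lookup('env', 'ALLOW_PROD_DEPLOY') | bool)`; note that neither variant is a secret, so this is a guard against accidental deploys, not the password gate the question asks for.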
