Reputation: 3380
- name: 'Add new SFTP user (user provided by prompt)'
  hosts: '{{ target }}'
  vars:
    pwd_alias: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
    user_to_add: "{{ newuser }}"
  tasks:
    - set_fact:
        my_pass: "{{ pwd_alias | password_hash('sha512') }}"
    - name: Create user
      user:
        name: "{{ user_to_add }}"
        password: "{{ my_pass }}"
        shell: /bin/bash
        create_home: yes
        home: "/home/sftp/{{ user_to_add }}"
        group: cgred
    - debug:
        msg: "{{ pwd_alias }},{{ my_pass }}"
When I run this, it does what it's supposed to do. It creates the user and the home directory that I specify. It also prints out a password and the hash, but I can't log in or change to this user no matter what I do.
Any suggestions on how I can get a password assigned to this user correctly would be much appreciated.
Upvotes: 0
Views: 112
Reputation: 67984
The problem is that pwd_alias, when put into the vars, will be evaluated each time it is referenced. For example, the play below
- hosts: localhost
  vars:
    pwd_alias: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
  tasks:
    # Each reference re-runs the lookup, so each task prints a different value
    - debug: var=pwd_alias
    - debug: var=pwd_alias
    - debug: var=pwd_alias
gives
"pwd_alias": "RrhCtAFEHievoTY"
"pwd_alias": "TxHCsdKlpweqVJL"
"pwd_alias": "xbFLVvuMkkNkqIE"
The solution is simple. Put the evaluation of pwd_alias into the tasks. For example
tasks:
  - set_fact:
      pwd_alias: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
  - set_fact:
      my_pass: "{{ pwd_alias | password_hash('sha512') }}"
Upvotes: 1
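The answer's fix applied to the question's full play, as an added example that is not part of the original posts. The two `no_log: true` lines, the task names and the debug message reduced to the plaintext only are assumptions added here; every other value comes from the page.

```yaml
# Added example: the question's play with the lookup moved from vars into a task.
- name: Add new SFTP user (user provided by prompt)
  hosts: "{{ target }}"
  vars:
    user_to_add: "{{ newuser }}"
  tasks:
    # set_fact templates the lookup once and stores the resulting string,
    # so every later reference to pwd_alias returns the same password.
    - name: Generate the password once
      set_fact:
        pwd_alias: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"
      no_log: true  # assumption: keep the plaintext out of this task's result

    # The hash is now computed from the stored value, not from a fresh lookup.
    - name: Hash the stored password
      set_fact:
        my_pass: "{{ pwd_alias | password_hash('sha512') }}"
      no_log: true  # assumption: keep the hash out of this task's result

    - name: Create user
      user:
        name: "{{ user_to_add }}"
        password: "{{ my_pass }}"
        shell: /bin/bash
        create_home: yes
        home: "/home/sftp/{{ user_to_add }}"
        group: cgred

    # This is the same string that was hashed above. It is written in
    # plaintext to the controller's output and to any configured log.
    - name: Show the generated password
      debug:
        msg: "{{ pwd_alias }}"
```

Because set_fact runs per host, a `target` that matches several hosts produces a different password on each one.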