MSchultz

Reputation: 3

complex ansible playbook for user creation

I have a setup consisting of prod and dev environments; there are 2 projects (project1 and project2).

I have dev and ops users. Devs are only to be created on dev servers, in the projects that the user is assigned to, and ops users are to be created in all projects and envs.

I'd like for all users to be defined in the same user definition file.

My user definitions:

  - username:
    profile:                                   # dev / ops
    projects:                                  # project1 / project2 / all
    key:                                       # "ssh-rsa ..." key
    OSgroups: ""                               # which OS groups the user is a member of
    OSpass: ""                                 # hashed OS password

My user create playbook:

  - name: Create users
    become: yes
    user:
      name: "{{ item.username }}"
      shell: "{{ item.shell }}"
      groups: "{{ item.OSgroups }}"          # field name as in the user definition above
      createhome: yes
      password: "{{ item.OSpass }}"
## now the problem part
    with_items:
      - "{{ users }}"
    # no {{ }} delimiters inside when: it is already a Jinja expression
    when: defaults_for_env.environment == item.profile
##
------------------------------------------------------------

## environment defaults
---
# a mapping, not a list, so that defaults_for_env.environment resolves
defaults_for_env:
  environment: "dev"

When just running the usercreate playbook, users are created, so the commands work.

What I'd like is for the playbook, for hosts in inventory group [development], to create the devs assigned to inventory group [project1] and all users of type ops.

And for hosts in inventory group [prod] to only create users of type ops.

I can't get my head around the loops and inventory'n'stuff.

I hope my question makes sense.

Upvotes: 0

Views: 226

Answers (1)

Zeitounator

Reputation: 44760

One possible solution to your current requirement.

Inventory

---
all:
  children:
    dev:
      hosts:
        devhost1:
        devhost2:
    prod:
      hosts:
        prodhost1:
        prodhost2:

group_vars/all.yaml

---
#....
default_users:
  - name: opsuser1
    shell: /bin/bash
    groups:
      - group1
      - group2
    createhome: true
    password: S0S3cr3t
  - name: opsuser2
    shell: /bin/sh
    groups:
      - wheel
      - docker
      - users
    createhome: false
    password: n0ts0S3cr3t

users: "{{ default_users + (specific_users | default([])) }}"

group_vars/dev.yml

---
#....
specific_users:
  - name: devuser1
    shell: /bin/bash
    groups:
      - groupa
      - groupb
    createhome: true
    password: v3rYS3cr3t
  - name: devuser2
    shell: /bin/sh
    groups:
      - titi
      - toto
      - tata
    createhome: false
    password: U1trAS3cr3t

Your playbook

- hosts: all
  become: true

  tasks:
    - name: Create users
      user:
        name: "{{ item.name }}"          # the list entries use 'name', not 'username'
        shell: "{{ item.shell }}"
        groups: "{{ item.groups }}"
        createhome: "{{ item.createhome | bool }}"
        # a fixed salt makes the hash identical on every run, so the task stays
        # idempotent instead of reporting 'changed' each time
        password: "{{ item.password | password_hash('sha512', 'S3cretS4lt') }}"
      loop: "{{ users | flatten(levels=1) }}"

The playbook will go over all your hosts. By default it will read the values in the all group where you have the definition of default_users (i.e. ops) + the calculation for the users list being default_users + specific_users.

For machines in the prod group, specific_users is null and will default to an empty list.

For machines in the dev group, specific_users will be added to the default ones.

The loop is then made on users which will have the correct values for each machine depending on its situation.

Upvotes: 1
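An added example, not code from the question or the answer, showing how the asker's own profile/projects schema can be combined with the host's inventory groups (the `group_names` magic variable) to build the per-host user list: ops users land on every host, dev users only on hosts that are in the dev group and in the user's project group. It assumes the answer's dev/prod group names, that every host additionally belongs to a project group (project1 or project2), that `projects` holds a single group name or `all`, and that `OSpass` already contains a crypt hash; the inventory, the users list and the hash values are constructed sample data.

```yaml
# Added example; not the question's or the answer's own code.
# Assumed inventory (constructed): devhost1 is in groups dev and project1,
# prodhost1 is in groups prod and project1.
#
# all:
#   children:
#     dev:
#       hosts:
#         devhost1:
#     prod:
#       hosts:
#         prodhost1:
#     project1:
#       hosts:
#         devhost1:
#         prodhost1:
- hosts: all
  become: true
  vars:
    # Constructed sample users in the asker's schema. The OSpass values are
    # placeholders standing in for real sha512 crypt hashes.
    users:
      - username: opsuser1
        profile: ops
        projects: all
        OSgroups: "wheel"
        OSpass: "$6$PLACEHOLDER$opsuser1hash"
      - username: devuser1
        profile: dev
        projects: project1
        OSgroups: "developers"
        OSpass: "$6$PLACEHOLDER$devuser1hash"
      - username: devuser2
        profile: dev
        projects: project2
        OSgroups: "developers"
        OSpass: "$6$PLACEHOLDER$devuser2hash"

    # ops users are created on every host, whatever its groups
    ops_users: "{{ users | selectattr('profile', 'equalto', 'ops') | list }}"

    # dev users only on hosts in the dev group, and only those whose project
    # is one of the host's inventory groups (or is set to all)
    dev_users: >-
      {{ (users
          | selectattr('profile', 'equalto', 'dev')
          | selectattr('projects', 'in', group_names + ['all'])
          | list)
         if 'dev' in group_names else [] }}

  tasks:
    - name: Create users
      user:
        name: "{{ item.username }}"
        groups: "{{ item.OSgroups }}"
        create_home: true
        password: "{{ item.OSpass }}"
      loop: "{{ ops_users + dev_users }}"
```

With the inventory above, devhost1 (dev + project1) gets opsuser1 and devuser1; devuser2 is skipped because project2 is not one of that host's groups. prodhost1 gets only opsuser1, since `'dev' in group_names` is false there and `dev_users` collapses to an empty list. Because play `vars` are templated lazily per host, the same expressions yield a different list on each machine without any `when:` on the loop items.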
