Ansible. Reconnecting the playbook connection

Question

The server is being created. Initially there is user root, his password and ssh on 22 port (default).

There is a written playbook, for example, for a react application.

When you start playbook'a, everything is deployed for it, but before deploying, you need to configure the server to a minimum. Those. create a new sudo user, change the ssh port and copy the ssh key to the server. I think this is probably needed for any server.

After this setting, yaml appears in the host_vars directory with the variables for this server (ansible_user, ansible_sudo_pass, etc.)

For example, there are 2 roles: initial-server, deploy-react-app. And the playbook itself (main.yml) for a specific application:

- name: Deploy
  hosts: prod
  roles:
  - role: initial-server
  - role: deploy-react-app

How to make it so that when you run ansible-playbook main.yml, the initial-server role is executed from the root user with his password, and the deploy-react-app role from the newly created one user and connection was by ssh key and not by password (root)? Or is it, in principle, not the correct approach?

Answer 1

Note: using dashes (-) in role names is deprecated. I fixed that in my below example

Basically:

- name: initialize server
  hosts: prod
  remote_user: root

  roles:
    - role: initial_server

- name: deploy application
  hosts: prod
  # That one will prevent to gather facts twice but is not mandatory
  gather_facts: false
  remote_user: reactappuser

  roles:
    - role: deploy_react_app

You could also set the ansible_user for each role vars in a single play:

- name: init and deploy
  hosts: prod

  roles:
    - role: initial_server
      vars:
        ansible_user: root
    - role: deploy_react_app
      vars:
        ansible_user: reactappuser

There are other possibilities (using an include_role task). This really depends on your precise requirement.