Hello!
I am trying to do ssh user management via Ansible and have run into a problem which blows up my brain.
My environment: some number of users, some number of hosts. Production, test and demo projects.
I put all users in the file group_vars/all and it looks like this:
    user1:
      - { user: 'user1', group: 'test1', comment: "Test_User_1", uid: '10001', password: 'HaSH1' }
    user2:
      - { user: 'user2', group: 'test2', comment: 'Test_User_2', uid: '10000', password: 'HaSh2' }
My role file for users looks like this:
    - name: Add ssh user
      user:
        name={{ item.user }}
        groups={{ item.group }}
        comment={{ item.comment }} uid={{ item.uid }}
        password={{ item.password }}
      # loop over the list passed in from the play as ssh_users
      with_items: "{{ ssh_users }}"
And ssh_users is defined for each host group like this:
    - hosts: app
      vars:
        ssh_users: "{{ssh_users_app}}"
      vars_files:
        - vars/production
      roles:
        - users
    - hosts: db
      vars:
        ssh_users: "{{ssh_users_db}}"
      vars_files:
        - vars/production
      roles:
        - users
And the last step is:
In vars/production I give the list of users from the group_vars/all file:
    ssh_users_app:
      - "{{user1}}"
      - "{{user2}}"
    ssh_users_db:
      - "{{user2}}"
So, Ansible takes the ssh_users_app variable from the vars/production file, puts it in the ssh_users variable and sends it to the role. For each host group I can specify a list of users and all goes well... BUT!
When I need to remove a user, I need to remove it from the ssh_users_app variable and then run something like this:
ansible -i hosts app -m user -a 'name=user1 state=absent'
It makes me feel a little uncomfortable and I am trying to improve my solution.
My idea was to specify a special value in vars/production which will describe the state value for a user. Like this:
    ssh_users_app:
      - "{{user1}}" state: 'present'
      - "{{user2}}" state: 'absent'
    ssh_users_db:
      - "{{user2}}" state: 'present'
And if I need to remove a user from a host group, I will change his state and apply the role to the hosts.
Is there any legal method to do this? Or does Ansible have a more elegant solution for the user management case?
Thanks a lot for any help!
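
One way to express the per-user state idea from the post in valid YAML, as an added example that is not part of the original post. It assumes each user definition in group_vars/all is a plain dict rather than a one-element list, and the key name `def` is hypothetical; the file paths and sample values are taken from the post.

```yaml
# group_vars/all -- one dict per user (values copied from the post)
user1: { user: 'user1', group: 'test1', comment: 'Test_User_1', uid: '10001', password: 'HaSH1' }
user2: { user: 'user2', group: 'test2', comment: 'Test_User_2', uid: '10000', password: 'HaSh2' }
---
# vars/production -- per host group: which definition, and the state it should have.
# "def" is a hypothetical key name chosen for this example.
ssh_users_app:
  - { def: "{{ user1 }}", state: present }
  - { def: "{{ user2 }}", state: absent }    # account is removed from app hosts
ssh_users_db:
  - { def: "{{ user2 }}", state: present }
---
# roles/users/tasks/main.yml
- name: Manage ssh user
  user:
    name: "{{ item.def.user }}"
    groups: "{{ item.def.group }}"
    comment: "{{ item.def.comment }}"
    uid: "{{ item.def.uid }}"
    password: "{{ item.def.password }}"
    # entries without an explicit state are treated as present
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ssh_users }}"
```

An entry has to stay in the list with `state: absent` until the role has run on every host in that group; deleting the entry outright leaves the account in place on hosts that were not reached.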