I am trying to develop a playbook to set a common password on groups of servers. The concept is that all servers within a given group would receive one randomly generated password, all servers within the next group would receive a different randomly generated password, and so on. The issue I have is that this playbook needs to be able to act upon multiple inventories, each containing arbitrary group names.
So for example, my inventories can look something like this:
inventory_file_1

    [INV1_PRD]
    prdhost1
    prdhost2

    [INV_DEV]
    devhost1
    devhost2

inventory_file_2

    [INV2_PRD]
    prdhost3
    prdhost4

    [INV2_DEV]
    devhost3
    devhost4

In general, the playbook looks something like this:

    # run_once: a single password is generated and shared by every host in the run
    - name: Generate random password
      set_fact:
        password: "{{ lookup('password', '/dev/null') }}"
      run_once: true

    - name: Set password on host
      user:
        name: "{{ account }}"
        password: "{{ lookup('vars', account) | password_hash('sha512') }}"

    - name: Store password in external vault
      …

This works fine as long as I run the playbook once for each group (i.e. once for INV1_PRD, again for INV1_DEV, etc.). All hosts in a single run get the same password. But we would like to run it once for each inventory file and have a different password set for each group within that inventory. I tried to set a group variable for each group and then use ‘group_by’ with that variable as the key to break the groups out, but then I could not come up with a way of arbitrarily specifying hosts after that:

    - group_by:
        key: my_group_var

    - hosts: "{{ my_group_var }}"
      tasks:
        - name: Generate random password
          etc.

This returns “The field ‘hosts’ has an invalid value, which includes an undefined variable. The error was: ‘my_group_var’ is undefined”. The ‘- hosts:’ line seems to be expecting predefined names, with a ‘- hosts:’ line for every possible group. That is not what we want to do here, as there could be any number of inventory files, each with its own set of group names.
So, does anyone have any suggestions?
Mark
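
One way to get one password per inventory group in a single run without naming the groups in the playbook (an added example, not part of the original post). It assumes each host belongs to exactly one group, as in the inventories above, and that `account` is supplied as in the post; `pw_group`, `pw_leader` and `group_password` are names made up for the example.

```yaml
# Added example; pw_group, pw_leader and group_password are hypothetical names.
- hosts: all
  gather_facts: false
  vars:
    # group_names lists the groups this host is in (the implicit 'all' is excluded).
    # Assumption: one group per host, as in the inventories in the post.
    pw_group: "{{ group_names | first }}"
    # First host of that group that is part of this run, so --limit still works.
    pw_leader: "{{ groups[pw_group] | intersect(ansible_play_hosts_all) | first }}"
  tasks:
    # set_fact stores the evaluated value, so the lookup runs once per leader
    # and is not re-randomised each time the variable is read.
    - name: Generate one random password per group, on the group's leader only
      set_fact:
        group_password: "{{ lookup('password', '/dev/null length=24') }}"
      when: inventory_hostname == pw_leader
      no_log: true   # keep the plaintext out of task output and logs

    - name: Set password on host
      user:
        name: "{{ account }}"
        password: "{{ hostvars[pw_leader].group_password | password_hash('sha512') }}"
      become: true
      no_log: true

    # The post's "Store password in external vault" task goes here with the same
    # "when: inventory_hostname == pw_leader" guard, so it stores once per group.
```

The play targets `all` because `hosts:` is templated before any host is selected and so cannot see group or host variables; the per-group split is done inside the tasks instead.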