How can I change a zabbix user password?

I’m trying to develop a playbook to deploy a zabbix server on an Ubuntu host. Zabbix (and postgres) run as a docker compose stack.

So far, I’ve got the server up and running but now I’m trying to change the password of the default user. I tried this:

    # Have previously set ansible_zabbix_auth_key
    - name: Change the admin password
      vars:
        ansible_network_os: community.zabbix.zabbix
        ansible_connection: httpapi
        ansible_httpapi_port: 80
        ansible_httpapi_use_ssl: false
        ansible_httpapi_validate_certs: false
        ansible_host: zabbix.bath.veeasystems.com
      community.zabbix.zabbix_user:
        username: Admin
        current_passwd: zabbix
        passwd: "{{ lookup('file', 'zabbix.passwd') }}"
        override_passwd: true

This fails in this way:

TASK [Change the admin password] *********************************************************************************************
fatal: [zabbix]: FAILED! => {"changed": false, "msg": "state is present but all of the following are missing: usrgrps"}

So I’ve tried fetching the user info and then using it to fill in usrgrps:

    - name: Fetch the zabbix admin user info
      vars:
        ansible_network_os: community.zabbix.zabbix
        ansible_connection: httpapi
        ansible_httpapi_port: 80
        ansible_httpapi_use_ssl: false
        ansible_httpapi_validate_certs: false
        ansible_host: zabbix.bath.veeasystems.com
      community.zabbix.zabbix_user_info:
        username: Admin
      register: admin_user_info

    - name: Change the admin password
      vars:
        ansible_network_os: community.zabbix.zabbix
        ansible_connection: httpapi
        ansible_httpapi_port: 80
        ansible_httpapi_use_ssl: false
        ansible_httpapi_validate_certs: false
        ansible_host: zabbix.bath.veeasystems.com
      community.zabbix.zabbix_user:
        username: Admin
        current_passwd: zabbix
        passwd: "{{ lookup('file', 'postgres.passwd') }}"
        override_passwd: true
        usrgrps: "{{ admin_user_info.zabbix_user.usrgrps }}"

But this fails too, I think because you can’t use a dictionary as a parameter value like this:

TASK [Change the admin password] *********************************************************************************************
fatal: [zabbix]: FAILED! => {"changed": false, "msg": "No user groups found"}

I must be missing something. Is there really no way to change a user’s password without reiterating all of the user’s group information one element at a time in the playbook?

Users can be members of multiple groups in Zabbix, which is why admin_user_info.zabbix_user.usrgrps is a list of dictionaries with information like usrgrpid, name and status.

The usrgrps parameter in community.zabbix.zabbix_user expects a list containing one or more group names and is a required parameter for the default state (present).
Assuming the user is only member of one group:

    - name: Change the admin password
      vars:
        ansible_network_os: community.zabbix.zabbix
        ansible_connection: httpapi
        ansible_httpapi_port: 80
        ansible_httpapi_use_ssl: false
        ansible_httpapi_validate_certs: false
        ansible_host: zabbix.bath.veeasystems.com
      community.zabbix.zabbix_user:
        username: Admin
        current_passwd: zabbix
        passwd: "{{ lookup('file', 'postgres.passwd') }}"
        override_passwd: true
        usrgrps:
          - "{{ admin_user_info['zabbix_user']['usrgrps'][0]['name'] }}"

You should also consider specifying the user’s role, as it will become a required parameter moving forward.