We are trying to create users on hosts with default settings like this:
- name: create all required users
  user: name={{ item }} password={{ initial_password }} shell=/bin/bash
        group=root groups=root,sudo home=/home/{{ item }} generate_ssh_key=yes
        ssh_key_bits=2048
  with_items: $admins
This works really well. However, if we run the same playbook again, the user
module will be executed again which wouldn't matter if it didn't reset the
password.
This makes sense, since Ansible tries to set the target to a state, and the password is part of that state.
So, what we're looking for is to execute that command only if the user does
not yet exist on a specific host. We tried with "when:" but couldn't figure
out how to do that. Any advice?
I would not set password in the first rule, and handle this either with a handler or by registering a variable and having another task that is conditional on that variable.changed.
I had thought about the idea with the handler already but it doesn’t seem to work as the user module always seems to be returning with “changed” so that the handler gets called every single time. How would that be different with a registered variable? Can you provide a code snippet please?
In essence, what I’m looking for is a command to check if a user already existed and then call a handler - or not.
Currently there’s an open ticket on fiddling with the group membership and ‘changed’, that is probably what you are seeing.
I think I’d really prefer seeing an option added for create_with_password that way it could be done in one step.
update_password_on=create|always(default)
I don’t think on change makes much sense, always as default preserves current usage.
Slight grammar tweak:
update_password = on_creation | always (default)
works for me.
Tried this today and it works. Just a caveat in either the documentation or in the code: documentation states that a possible value is “on_creation” but the code expects “on_create”
Yeah please file a ticket when you see something like this, or patch the documentation itself.
(In this case the documentation lives in the module source in “library/” and is code generated)
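
The update_password option this thread arrives at, as an added example that is not part of the original posts: the task from the first message in current YAML syntax, with the password applied only when the account is created. The host pattern, the sample admins list and the registered variable name are assumptions; initial_password is expected to hold a crypt(3) hash supplied from a vaulted variable.

```yaml
# Added example, not code from the thread. Names marked "constructed" are
# placeholders chosen for illustration.
- hosts: all                      # constructed host pattern
  become: true
  vars:
    admins:                       # constructed sample user list
      - alice
      - bob
    # initial_password is NOT defined here on purpose: pass it in from an
    # Ansible Vault file as a crypt(3) hash, never as plain text.
  tasks:
    - name: create all required users
      user:
        name: "{{ item }}"
        password: "{{ initial_password }}"
        # on_create: write the hash only when the account does not exist yet.
        # always (the default): rewrite it on every run, which is the
        # password reset described in the first message.
        update_password: on_create
        shell: /bin/bash
        group: root               # same group settings as the original task
        groups: root,sudo
        home: "/home/{{ item }}"
        generate_ssh_key: true
        ssh_key_bits: 2048
      loop: "{{ admins }}"
      register: user_result       # constructed variable name

    # The "register a variable" approach suggested in the thread. Note that
    # changed is also true when an existing account had its shell, groups or
    # home adjusted, so it does not by itself mean "newly created".
    - name: report accounts the user task changed in this run
      debug:
        msg: "changed: {{ user_result.results | selectattr('changed') | map(attribute='item') | list }}"
```

Running the playbook a second time should report no change for existing accounts even if initial_password now holds a different hash, which is a quick way to confirm the setting is in effect.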