User Module - can I use expired as a condition?

I am setting up user administration through Ansible for the first time. I handle large batches of users a few times a year, since I work for a college. Can I use Ansible’s user module to remove expired accounts? What conditional statement would I use?

Pardon my untested pseudocode, but I am looking for something like the following:

tasks:

  - name: remove expired users
    user: name=students.key state=absent force=yes
    when: expired <----- what condition do I put here?
    with_dict: students

It mostly depends on how you have the data. Supposing students is a
list with each student being a dictionary with its properties:

Is expired a key of each student? If it is a boolean, as you have it,
it should look like this:

user: name={{ item.name }} ...
when: item.expired
with_items: "{{ students }}"

If you need an expression, you need to give us the criteria which you
follow to determine if a user is expired. For example:

user: name={{ item.name }} ...
# true once the stored epoch is in the past; both sides cast to int
when: item.graduates | int < lookup('pipe', 'date +%s') | int
with_items: "{{ students }}"

# assumes you keep the epoch of when he graduates

So it just needs to be an expression that evaluates to true or false;
the exact expression depends on the structure of your data.

Hi Brian,

Thanks for your response. I am working on building my student dictionary entries from a csv file produced by the college admissions/administration, and one of the values I create will be a future-dated expiration in epoch. I understand the user module will set the expiration on the system for the user account based on the value of the epoch in “user: expires=epoch”.

I will write a playbook comparing the current date with the expiry date in my dictionary to decide whether to remove accounts (fast, limited processing for remote host). Or, I could use the shell command to look up each user individually on the remote host (slower, but verifying live data instead of dictionary data). Actually, I should combine the two: I’ll process the list to decide which accounts to target, and then look up the targeted user account(s) on the remote host to verify the expiration hasn’t been changed manually.

I was hoping that a boolean for expired might be built in to the user module, since the OS knows whether an account is expired. If it’s not built in before I get to it, I’ll contribute to it. It could take me a long time to get to it, though.

Thanks!
Joanna

You can use the getent module to get the data on the existing users; iirc
the 5th column has expire data. It should be faster as it gets all the
user data in one shot.
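
The combined approach discussed above (pick candidates from the list, then confirm against live data fetched with getent), as an added example that is not part of the original thread. The `students` list and its `name`/`expires` keys are hypothetical, and it assumes the standard shadow(5) layout, where the account expiration is the eighth field, in days since 1970-01-01.

```yaml
# Added example, not code from the thread. `students` and its keys are hypothetical.
- hosts: all
  become: true            # reading the shadow database requires root
  gather_facts: true      # provides ansible_facts.date_time.epoch
  vars:
    # Constructed sample data: expiry stored as epoch seconds
    students:
      - { name: alice, expires: 1400000000 }   # in the past
      - { name: bob, expires: 4102444800 }     # 2100-01-01, in the future
  tasks:
    - name: Fetch every shadow entry in one call
      ansible.builtin.getent:
        database: shadow

    - name: Remove accounts expired both in the list and on the host
      ansible.builtin.user:
        name: "{{ item.name }}"
        state: absent
        force: true
      loop: "{{ students }}"
      when:
        # skip students who have no account on this host
        - item.name in ansible_facts.getent_shadow
        # the list says the account is past its expiry
        - (item.expires | int) < (ansible_facts.date_time.epoch | int)
        # getent keys each entry by user name, so shadow field 8 is index 6;
        # an empty value means the account never expires on the host
        - ansible_facts.getent_shadow[item.name][6] | length > 0
        # the host agrees: convert days to seconds before comparing
        - (ansible_facts.getent_shadow[item.name][6] | int) * 86400 < (ansible_facts.date_time.epoch | int)
```

An account whose expiration was extended or cleared by hand on the host fails the last two conditions and is left in place, even if the list still marks it as expired.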