Skip to main content
RH294

Passing Ansible Variables from the Command Line

By February 19, 2020One Comment

Passing Ansible Variables from the Command Line into Playbooks will add power and flexibility to your plays


Passing Ansible Variables from the Command Line is important to Ansible as any other language  Working with Ansible it is easy to start with a module such as the user module to show some of its power. Being able to deploy user accounts quickly and easily across many systems. We can manage this with ad-hoc commands if there is not a requirement to configure too many properties:

$ ansible all -b -m user -a "name=bob"

or, to remove the account we can use:

$ ansible all -b -m user -a "name=bob state=absent remove=true"

Using a playbook we can easily repeat the same steps reliably without forgetting important elements. This is a major feature of any configuration language, the reliability of repeated commands. Creating a simple user play, user.yml, it may look as in the following:

---
- name: Manage Users
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Create User
      user:
      name: bob

This is all we need to create a basic user account in an Ansible playbook. We will start to see how by passing Ansible variables from the command line we can improve this immensely. One issue here is we are hard-coding the user account name into the playbook. If we want to create another user , Sue, we would need to edit the playbook. To add flexibility we could use a variable in place of the user name:

---
- name: Manage Users
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Create User
      user:
      name: "{{ user_name }}"

To execute the playbook populating the variable we need to add the option -e:

$ ansible-playbook -e "user_name=bob"

With one problem solved we can now move onto soling another by passing Ansible variables from the command line. Building a little logic into the playbook with the when clause we can either create or remove the user:

---
- name: Manage Users
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Create User
      user:
        name: "{{ user_name }}"
      when: user_create == 'yes'

    - name: Delete User
      user:
        name: "{{ user_name }}"
        state: absent
        remove: true
      when: user_create == 'no'

Creating a User

$ ansible-playbook -e "user_name=bob user_create=yes" user.yml

Deleting a User

$ ansible-playbook -e "user_name=bob user_create=no" user.yml

We now have a flexibly playbook that is adjustable to the user that we want and can either create or delete the specified account. The when clause, in Ansible, should be aligned with the name of the task and the module name.

Adding User Passwords

Although adding user passwords does not require passing Ansible variable from the command line, we will look at setting passwords for out users. Setting passwords requires the password to be encrypted. This can be managed in the playbook itself or we can create a Python script to encrypt the password. This allows the script to be used with Ansible or other programs like useradd itself.

A possible Python script could look like this:

#!/usr/bin/python3
import sys, crypt
if len(sys.argv) == 1 : sys.exit("You must provide a password to encrypt")
print(crypt.crypt(sys.argv[1],crypt.mksalt(crypt.METHOD_SHA512)))

The run the script:

$ chmod u+x mypasswd.py
$ ./mkpasswd.py Password1
$6$GzvKED69j0yCroa/$88Pw/B31GCQHeVDqvPWT7Ic3WvliQ8JSDRwLU6.C1RK2ntaJlc2PaJ9qbLijG814hxcdq8upGoKrGuYFDv69U0

The output will be the encrypted password. Paste this into the password key of a user in an Ansible playbook.

---
- name: Manage Users
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Create User
        user:
        name: "{{ user_name }}"
        password: $6$B7LZjSawuNFpuETp$BrKGEWXVTxzxUi6Phzzgh6O2WzqKw5YbtrPlREBCn0OFXezq1O94rwic7FNh6Wy8OyTkU7Sx8DIHMybuZCi9U
        update_password: on_create
      when: user_create == 'yes'

    - name: Delete User
      user:
        name: "{{ user_name }}"
        state: absent
        remove: true
      when: user_create == "no"


As well as setting the password we set the key update_password to ensure that we only manage the password for new accounts and not existing accounts. This allows users to set their own passwords without them being reset on re-execution of the play book file.

If we want to have the playbook manage the password encryption:

---
- name: Manage Users
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Create User
      user:
        name: "{{ user_name }}"
        password: "{{ 'Password1' | password_hash('sha512') }}"
        update_password: on_create
      when: user_create == 'yes'

    - name: Delete User
      user:
        name: "{{ user_name }}"
        state: absent
        remove: true
      when: user_create == "no"

Part of Ansible Automation RHCE

 

One Comment

Leave a Reply