Ansible playbook to set up a new development server (users, groups, permissions, home directories, passwords using Ansible Vault)
Shubham K. Sawant
DevSecOps @PwC | 2x AWS | Terraform Certified | GitOps Certified | Scripting | Infrastructure As a Code | CICD | Docker | Kubernetes | Ansible | Azure | AIOps
Assuming Ansible has been set up on the new instances and the inventory file has been updated.
Structure the Users File (users.yml)
This file contains the list of users and their respective groups:
admins:
  - user1
  - user2
developers:
  - user3
  - user4
Why Use Ansible Vault to Encrypt Passwords?
Ansible Vault helps you securely store sensitive data, such as passwords, API keys, and credentials, within playbooks. Without encryption, storing sensitive information in plain text makes it vulnerable to exposure and misuse. By encrypting the passwords, you ensure that only those with the vault password can decrypt and use the sensitive data.
Encrypt the Password Using Ansible Vault
Let’s say you have two passwords:
- One for developers: ksH85UJjhb
- One for admins: BruCStnMT5
You don’t want these passwords to be visible in plain text within your playbook. Instead, you can use Ansible Vault to encrypt them.
To encrypt the developer password:
ansible-vault encrypt_string 'ksH85UJjhb' --name 'developer_password'
- encrypt_string: encrypts a single string instead of a whole file.
- 'ksH85UJjhb': the developer password that needs to be encrypted.
- --name 'developer_password': names the resulting variable, so the output can be pasted straight into a vars file and referenced by that name in the playbook.
Ansible prompts for a vault password unless a vault password file is already configured; that is the password that later unlocks every value encrypted with it.
To encrypt the admin password:
ansible-vault encrypt_string 'BruCStnMT5' --name 'admin_password'
- This works the same way as the developer password. The output is the encrypted form of the password and can be safely stored in users.yml without exposing the original value. Each run uses a fresh random salt, so encrypting the same value twice yields two different blobs; two identical blobs in one file mean the same output was pasted twice.
- Passing the secret on the command line leaves it in your shell history and briefly visible in the process list. To avoid that, run ansible-vault encrypt_string --stdin-name 'developer_password' and type (or pipe) the value on standard input instead.
cat ~/playbooks/data/users.yml
---
admins:
  - user1
  - user2
developers:
  - user3
  - user4
developer_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          623532363139613635346335383738643962656535336133623232633962393361393634383364333462656431306534633061363933616535633634383733370a393238303266616666313961663364
          ...
admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          623532363139613635346335383738643962656535336133623232633962393361393634383364333462656431306534633061363933616535633634383733370a393238303266616666313961663364
          ...
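A check worth running before a vars file like the one above is committed: every secret-looking key must carry a `!vault` block, and that block must have the shape ansible-vault actually emits (a `$ANSIBLE_VAULT;1.1;AES256` header, then hex that decodes to a 32-byte salt, a 32-byte HMAC-SHA256 tag and AES-256 ciphertext, each hex-encoded and newline-separated). The script below is an added example, not code from the article or from Ansible; it scans the YAML text line by line so it needs no PyYAML, understands only the flat `key: value` and `key: !vault |` shapes used here, and treats the key-name pattern and the sample vars text as assumptions. Run against the listing above it would report the truncated blobs as not being hex, which is the right answer for a copy that was cut short.

```python
"""Lint an Ansible vars file for secrets that are not vault-encrypted.

Added example, not part of the original article or of Ansible. Scans the
YAML text line by line (no PyYAML needed) and only understands the flat
'key: value' and 'key: !vault |' shapes used in users.yml. The key-name
pattern and the sample vars are assumptions for the demo.
"""
import re

# Variable names whose values must be vault-encrypted (assumption: tune this).
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api_key|private_key", re.I)
# A top-level or nested 'key: value' line; 'value' may be empty.
KEY_LINE_RE = re.compile(r"^(?P<indent>[ \t]*)(?P<key>[A-Za-z_][\w-]*):\s*(?P<value>.*)$")
# Format 1.1 (no vault id) or 1.2 (with vault id) header, AES256 only.
VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^;\s]+)?$")


def parse_vault_envelope(lines):
    """Check the structure of a vault block: header, then hex that decodes to
    'salt_hex\\nhmac_hex\\nciphertext_hex' with a 32-byte salt, a 32-byte
    HMAC-SHA256 tag and PKCS7-padded AES-256 ciphertext. Returns (ok, reason).
    Shape only: it cannot decrypt or verify the HMAC."""
    if not lines or not VAULT_HEADER_RE.match(lines[0].strip()):
        return False, "missing or malformed $ANSIBLE_VAULT header"
    body = "".join(line.strip() for line in lines[1:])
    if not body:
        return False, "empty vault body"
    try:
        inner = bytes.fromhex(body).decode("ascii")
    except ValueError:                      # odd length, non-hex chars, non-ASCII
        return False, "vault body is not hex"
    parts = inner.split("\n")
    if len(parts) != 3 or not all(parts):
        return False, "vault body does not hold salt, hmac and ciphertext"
    try:
        salt, tag, ciphertext = (bytes.fromhex(p) for p in parts)
    except ValueError:
        return False, "salt/hmac/ciphertext fields are not hex"
    if len(salt) != 32 or len(tag) != 32 or len(ciphertext) % 16:
        return False, "unexpected field sizes for AES256/HMAC-SHA256"
    return True, "ok"


def lint_vars(text):
    """Return [(key, problem), ...] for secret-looking keys that are not
    properly vault-encrypted. Templated values ('{{ ... }}') are skipped as
    they are resolved elsewhere; empty values are skipped as nested mappings."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = KEY_LINE_RE.match(lines[i])
        i += 1
        if not m or not SECRET_KEY_RE.search(m.group("key")):
            continue
        key, value = m.group("key"), m.group("value").strip()
        key_indent = len(m.group("indent"))
        if value.startswith("!vault"):
            block = []
            # The encrypted body is every following non-blank line indented
            # deeper than the key itself.
            while i < len(lines):
                line = lines[i]
                if not line.strip() or len(line) - len(line.lstrip()) <= key_indent:
                    break
                block.append(line)
                i += 1
            ok, reason = parse_vault_envelope(block)
            if not ok:
                findings.append((key, reason))
        elif value == "" or value.lstrip("\"'").startswith("{{"):
            continue
        else:
            findings.append((key, "plaintext value"))
    return findings


def make_demo_envelope(salt, tag, ciphertext):
    """Build a structurally valid 1.1 envelope from raw bytes, laid out the way
    ansible-vault does (double hex, wrapped at 80 columns). Demo only: the tag
    is not a real HMAC, so ansible-vault itself would reject it."""
    inner = b"\n".join(x.hex().encode() for x in (salt, tag, ciphertext))
    hexbody = inner.hex()
    wrapped = [hexbody[i:i + 80] for i in range(0, len(hexbody), 80)]
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(wrapped)


def _indent(block, n=2):
    return "\n".join(" " * n + line for line in block.splitlines())


# Constructed sample: one properly vaulted value, one pasted in cleartext,
# one templated value that is resolved at run time.
SAMPLE_VARS = "\n".join([
    "---",
    "admins:", "  - user1", "  - user2",
    "developers:", "  - user3", "  - user4",
    "developer_password: !vault |",
    _indent(make_demo_envelope(b"\x01" * 32, b"\x02" * 32, b"\x03" * 16)),
    "admin_password: BruCStnMT5",
    "api_token: \"{{ lookup('env', 'API_TOKEN') }}\"",
]) + "\n"

if __name__ == "__main__":
    for key, problem in lint_vars(SAMPLE_VARS):
        print(f"{key}: {problem}")
```

Wire `lint_vars` into a pre-commit hook over every file under group_vars, host_vars and data/, and it catches the most common vault mistake: a value that was meant to be encrypted and got pasted in clear.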
Store the Vault Password in a File
When using Ansible Vault to encrypt and decrypt sensitive data, you need to provide a password to unlock the vault and access the encrypted content. To automate this process without prompting for the vault password every time, you can store the vault password in a file.
To store the vault password in vault.txt:
echo 'my_vault_password' > ~/playbooks/secrets/vault.txt
- This stores the string my_vault_password in the file vault.txt. A shell redirection creates the file with the default mode, usually world-readable, so run chmod 600 ~/playbooks/secrets/vault.txt immediately afterwards; the echo also leaves the password in your shell history, so clear that entry or write the file from an editor instead.
- Ansible reads this file to unlock the vault whenever the playbook is run. It is the one secret that unlocks all the others, so it must never be committed alongside the playbooks: add secrets/ to .gitignore.
Configure Ansible to Use the Vault Password File
To avoid manually entering the vault password each time you run a playbook, you can configure Ansible to automatically read the vault password from the vault.txt file.
- Edit the ansible.cfg File to add the Vault Password File Setting:
cat ~/playbooks/ansible.cfg
[defaults]
vault_password_file = ~/playbooks/secrets/vault.txt
- This tells Ansible where to find the vault password whenever it meets encrypted content, so it no longer prompts. The same can be done per run with --vault-password-file on the command line or with the ANSIBLE_VAULT_PASSWORD_FILE environment variable. Two caveats: Ansible only picks up ansible.cfg from the current directory, so run the playbook from ~/playbooks, and it refuses to load an ansible.cfg that sits in a world-writable directory. If the file named here is executable, Ansible runs it and uses its standard output as the vault password, which is how you fetch it from a password manager or secrets store instead of keeping it on disk.
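The two steps above (writing the vault password file, pointing ansible.cfg at it) leave one thing unchecked: Ansible accepts whatever file vault_password_file names and does not refuse a world-readable one the way ssh refuses a loose private key. The script below is an added example, not code from the article or from Ansible. It creates the file with mode 0600 from the first instant and audits an existing file for loose permissions, foreign ownership and, if it sits inside a git work tree, a missing .gitignore entry; the .gitignore matching is a deliberate simplification (root .gitignore only, basename and relative-path globs), and the fake repository built in demo() is constructed for the run.

```python
"""Create and audit the vault password file before a playbook run.

Added example, not part of the original article or of Ansible. Ansible reads
whatever file vault_password_file points at (and, if that file is executable,
runs it and takes its stdout as the password) but does not reject a
world-readable file; this script performs that check. The .gitignore test is
a simplification (assumption): root .gitignore only, basename and
relative-path globs, no negation.
"""
import fnmatch
import os
import stat
import tempfile


def write_vault_password_file(path, password):
    """Create the file with mode 0600 from the start, so there is no window in
    which a shell redirection's default mode applies and nothing ends up in
    shell history. Refuses to overwrite an existing file (O_EXCL)."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")


def find_git_root(path):
    """Nearest ancestor directory containing .git, or None."""
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if os.path.isdir(os.path.join(d, ".git")):
            return d
        parent = os.path.dirname(d)
        if parent == d:
            return None
        d = parent


def is_gitignored(path, root):
    """Simplified .gitignore test (see module docstring)."""
    rel = os.path.relpath(os.path.abspath(path), root).replace(os.sep, "/")
    gi = os.path.join(root, ".gitignore")
    if not os.path.isfile(gi):
        return False
    with open(gi) as fh:
        for pat in (line.strip() for line in fh):
            if not pat or pat.startswith(("#", "!")):
                continue
            pat = pat.strip("/")
            if (fnmatch.fnmatch(rel, pat) or fnmatch.fnmatch(rel, pat + "/*")
                    or fnmatch.fnmatch(rel.rsplit("/", 1)[-1], pat)):
                return True
    return False


def audit_vault_password_file(path):
    """Return a list of findings; an empty list means the file is acceptably
    protected. Mode and ownership are checked on the link target."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["does not exist"]
    findings = []
    if os.path.islink(path):
        findings.append("is a symlink; make sure the target is protected too")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.filemode(st.st_mode)} is group/world accessible, expected 0600")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(f"owned by uid {st.st_uid}, not by the user running ansible")
    root = find_git_root(path)
    if root is not None and not is_gitignored(path, root):
        findings.append("lives inside a git work tree but is not gitignored")
    return findings


def demo():
    """Exercise the audit in a throwaway fake work tree (constructed for the
    demo); returns the findings after each step so the progression is visible."""
    results = {}
    with tempfile.TemporaryDirectory() as repo:
        os.mkdir(os.path.join(repo, ".git"))                   # pretend it is a clone
        path = os.path.join(repo, "secrets", "vault.txt")
        write_vault_password_file(path, "my_vault_password")
        results["fresh"] = audit_vault_password_file(path)     # 0600, but not ignored yet
        with open(os.path.join(repo, ".gitignore"), "w") as fh:
            fh.write("secrets/\n")
        results["ignored"] = audit_vault_password_file(path)   # clean
        os.chmod(path, 0o644)                                  # what 'echo > file' usually leaves
        results["loose"] = audit_vault_password_file(path)
    return results


if __name__ == "__main__":
    for step, findings in demo().items():
        print(step, findings or "ok")
```

Call `audit_vault_password_file` from a wrapper script before `ansible-playbook`, or from CI, and refuse to run when it returns anything; for the git check in a real hook, `git check-ignore` is the authoritative answer.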
Create the Ansible Playbook (add_users.yml)
cd ~/playbooks
cat add_users.yml
- name: Manage users and groups for new joinees
  hosts: app_server_1
  become: yes
  vars_files:
    - data/users.yml   # contains users and vault-encrypted passwords
  tasks:
    - name: Create developers group
      ansible.builtin.group:
        name: developers
        state: present

    - name: Create admins group
      ansible.builtin.group:
        name: admins
        state: present

    - name: Add users from developers group with custom home directory
      ansible.builtin.user:
        name: "{{ item }}"
        group: developers
        # One directory per user; a single shared /var/www would end up owned
        # by whichever user was created last.
        home: "/var/www/{{ item }}"
        shell: /bin/bash
        # The user module expects a crypt(3) hash, not a cleartext password;
        # handing it the cleartext writes that string verbatim into
        # /etc/shadow and the account cannot log in with it.
        password: "{{ developer_password | password_hash('sha512') }}"
        update_password: on_create   # do not reset the password on every run
        state: present
      loop: "{{ developers }}"
      no_log: true   # keep the hashes out of the play output

    - name: Add users from admins group with default home directory
      ansible.builtin.user:
        name: "{{ item }}"
        group: admins
        shell: /bin/bash
        password: "{{ admin_password | password_hash('sha512') }}"
        update_password: on_create
        state: present
      loop: "{{ admins }}"
      no_log: true

    - name: Add admins to the wheel group (sudo access)
      ansible.builtin.user:
        name: "{{ item }}"
        groups: wheel   # RHEL family; on Debian/Ubuntu the sudo group is "sudo"
        append: yes     # keep existing supplementary groups
      loop: "{{ admins }}"
- The playbook references the encrypted values through the variables developer_password and admin_password; Ansible decrypts them in memory when the play runs, and the password_hash filter turns each cleartext into a salted SHA-512 crypt hash before it reaches the target. The filter uses the controller's crypt library; on controllers where Python's crypt module is unavailable (macOS, Python 3.13 and later) install passlib. Because password_hash picks a new random salt on every run, update_password: on_create is what keeps the play idempotent and stops it from overwriting a password the user has since changed.
Once everything is configured, run the playbook from ~/playbooks so that ansible.cfg is picked up:
ansible-playbook -i inventory add_users.yml
- Ansible reads the vault password from vault.txt and decrypts the developer_password and admin_password variables when the user tasks need them. Add --check --diff for a dry run before touching a real host.
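After the run, it pays to verify the result on the target rather than trust the play summary: the user module will happily write an unhashed password string into /etc/shadow, and a forgotten sudo group membership shows up only when the admin first needs it. The script below is an added example, not code from the article or from Ansible. It parses /etc/passwd, /etc/shadow and /etc/group (here: constructed sample contents standing in for a host after a flawed run) and reports drift from the intent in users.yml; SPEC mirrors users.yml plus the playbook's settings (assumption: developers under /var/www/<name>, admins under /home/<name>, wheel as the sudo group).

```python
"""Verify on a target what add_users.yml should have produced.

Added example, not part of the original article or of Ansible. Reads
/etc/passwd, /etc/shadow and /etc/group (here: constructed sample contents)
and reports drift from users.yml: wrong primary group, home or shell, a
missing sudo-group membership, and a shadow field that is a literal string
rather than a crypt hash. SPEC mirrors users.yml plus the playbook settings
(assumption: developers under /var/www/<name>, admins under /home/<name>).
"""
import re

# Hash prefixes accepted by glibc/libxcrypt: md5crypt, sha256crypt,
# sha512crypt, yescrypt, gost-yescrypt, bcrypt variants, scrypt.
CRYPT_HASH_RE = re.compile(r"^\$(1|5|6|y|gy|2[abxy]?|7)\$")

SPEC = {
    "admins": {"users": ["user1", "user2"], "home": "/home/{u}", "extra_groups": ["wheel"]},
    "developers": {"users": ["user3", "user4"], "home": "/var/www/{u}", "extra_groups": []},
}
SHELL = "/bin/bash"


def parse_colon_file(text):
    """Map the first field of each non-comment line to its full field list."""
    table = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            table[fields[0]] = fields
    return table


def password_state(field):
    """Classify an /etc/shadow password field."""
    if field == "":
        return "empty"                     # no password at all
    if field.startswith(("!", "*")):
        return "locked"
    if CRYPT_HASH_RE.match(field):
        return "hashed"
    return "plaintext"                     # a literal string was written to shadow


def verify(passwd_text, shadow_text, group_text, spec=SPEC, shell=SHELL):
    """Return a list of human-readable problems; an empty list means the host
    matches the spec."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    groups = parse_colon_file(group_text)
    problems = []
    for gname, want in spec.items():
        if gname not in groups:
            problems.append(f"group {gname} missing")
            continue
        gid = groups[gname][2]
        for u in want["users"]:
            if u not in passwd:
                problems.append(f"{u}: account missing")
                continue
            _, _, _, pgid, _, home, ushell = passwd[u][:7]
            if pgid != gid:
                problems.append(f"{u}: primary gid {pgid}, expected {gname} ({gid})")
            expected_home = want["home"].format(u=u)
            if home != expected_home:
                problems.append(f"{u}: home {home}, expected {expected_home}")
            if ushell != shell:
                problems.append(f"{u}: shell {ushell}, expected {shell}")
            if u not in shadow:
                problems.append(f"{u}: no shadow entry")
            else:
                state = password_state(shadow[u][1])
                if state != "hashed":
                    problems.append(f"{u}: password field is {state}, expected a crypt hash")
            for sg in want["extra_groups"]:
                members = groups.get(sg, ["", "", "", ""])[3].split(",")
                if u not in members:
                    problems.append(f"{u}: not a member of supplementary group {sg}")
    return problems


# Constructed sample state of a host after a flawed run: user2 never made it
# into wheel, and user4's password was passed to the user module unhashed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1001::/home/user2:/bin/bash
user3:x:1003:1002::/var/www/user3:/bin/bash
user4:x:1004:1002::/var/www/user4:/bin/bash
"""
SAMPLE_SHADOW = """\
root:!:19700:0:99999:7:::
user1:$6$Zf3kQ9xP$notarealhashjustashapeforthedemo:19700:0:99999:7:::
user2:$6$Zf3kQ9xP$notarealhashjustashapeforthedemo:19700:0:99999:7:::
user3:$6$Zf3kQ9xP$notarealhashjustashapeforthedemo:19700:0:99999:7:::
user4:ksH85UJjhb:19700:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:user1
admins:x:1001:
developers:x:1002:
"""

if __name__ == "__main__":
    for problem in verify(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(problem)
```

On a real host, feed `verify` the contents of the three files (reading /etc/shadow needs root) and run it as a post-task with `ansible.builtin.script`, or as a standalone check from the controller over ssh; anything it returns is a deviation the play should not have left behind.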
Reachout to me on linkedin :-https://www.dhirubhai.net/in/shubhamsawant/
Checkout my work on GitHub :-https://github.com/shubhamksawant/shubhamksawant
Checkout more Blogs on Medium - https://medium.com/@shubhamksawant
#DevOps #mariadb #Linux #ConfigurationManagement #LearningJourney #shubhamksawant #DevOps #DevSecOps #AIOps #LearnWithShubham #DevOpsWithShubham #DevSecOpsWithShubham #AIOpsWithShubham #everydaylearning #what_did_i_learn_today