Change remote_user within main.yml in role

Question

I am new to ansible.

i am trying to create a role where i start the playbook as root and then in the next play i switch to a different user and continue. The following files are within the role itself.

---
# tasks file for /etc/ansible/roles/dashmn
#
- name: create users logged in as root
  remote_user: root
  import_tasks: whoami.yml
  import_tasks: create_users.yml
  import_tasks: set_sudoer.yml
  
- name: log in as dashadmin
  remote_user: dashadmin
  become: true
  import_tasks: whoami.yml
  import_tasks: disable_rootlogin.yml
  import_tasks: update_install_reqs.yml
  import_tasks: configure_firewall.yml
  import_tasks: add_swap.yml

i added a sudoer task that adds users to /etc/sudoer.d

---
- name: set passwordless sudo
  lineinfile:
      path: /etc/sudoers
      state: present
      regexp: '^%sudo'
      line: '%sudo ALL=(ALL) NOPASSWD: ALL'
      validate: 'visudo -cf %s'

I created a deploy.yml that uses the role i created as follows.

---
- hosts: test-mn
  roles: 
  - dashmn

when i syntax-check the deploy.yml

[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names
 by default, this will change, but still be user configurable on deprecation. This feature will be removed in 
version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
[WARNING]: While constructing a mapping from /etc/ansible/roles/dashmn/tasks/main.yml, line 4, column 3, found
a duplicate dict key (import_tasks). Using last defined value only.
[WARNING]: While constructing a mapping from /etc/ansible/roles/dashmn/tasks/main.yml, line 10, column 3, found
a duplicate dict key (import_tasks). Using last defined value only.

Any help on how to organize this to make it better would be appreciated.

Now, my problem is that if in the tasks file i remove the plays themselves and just leave the import_tasks everything works but its not using the user dashadmin, its using root.

i would like to create the users and then only ever login as dashadmin and work as dashadmin.

I also get an error

FAILED! => {"msg": "Missing sudo password"}

something is clearly wrong, just not sure where ive gone wrong.

Here is /etc/sudoers file

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL) NOPASSWD: ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Answer 1

First of all, the way you defined import_tasks will basically executes the last import_tasks only as the warning says.

Secondly, remote_user is used for logging in to defined host(s) but if you want to login as a user then execute tasks using a different user then you need to define become_user. By default, become_user is set to root.

So probably below is how you can change the role's import_tasks:

/etc/ansible/roles/dashmn/tasks/main.yml

- name: create users logged in as root
  block:
  - import_tasks: whoami.yml
  - import_tasks: create_users.yml
  - import_tasks: set_sudoer.yml
  remote_user: root
  
- name: log in as dashadmin
  block:
  - import_tasks: whoami.yml
  - import_tasks: disable_rootlogin.yml
  - import_tasks: update_install_reqs.yml
  - import_tasks: configure_firewall.yml
  - import_tasks: add_swap.yml
  remote_user: dashadmin
  become: yes

Refer privilege escalation for more details.

Answer 2

Q: "Change remote_user within main.yml in a role"

Short answer: See the example in "Play 3" on how to change remote_user for each task.

Details: Keyword remote_user can be used in all playbook's objects: play, role, block, task. See Playbook Keywords.

The best practice is to connect to the remote host as an unprivileged user and escalate the privilege. For example,

- name: Play 1
  hosts: test_01
  remote_user: user1
  become: true
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout

gives

ok: [test_01] => 
  result.stdout: root

---

Without the escalation of priviledge the tasks will be executed by the remote_user at the remote host. For example,

- name: Play 2
  hosts: test_01
  remote_user: user1
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout

gives

ok: [test_01] => 
  result.stdout: user1

---

It's possible to declare the remote_user for each task. For example

- name: Play 3
  hosts: test_01
  remote_user: user1
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout
    - command: whoami
      remote_user: user2
      register: result
    - debug:
        var: result.stdout

gives

ok: [test_01] => 
  result.stdout: user1

ok: [test_01] => 
  result.stdout: user2

All plays can be put into one playbook.

---

Example of sudoers file

root.test_01# cat /usr/local/etc/sudoers
...
#includedir /usr/local/etc/sudoers.d
admin ALL=(ALL) NOPASSWD: ALL
user1 ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) NOPASSWD: ALL