
TLDR

I want the users on our infrastructure to reflect exactly the configuration files (json) that I provide to ansible.

A fast and simple approach would then be:

  • delete all users
  • recreate all users

But that means that at each deployment the users will disappear for a moment, which must be avoided! A better approach would probably be:

  • list all users on the infrastructure
  • create the missing users
  • update all users (make sure they use the latest configuration found in the json files)
  • delete all other users

While I can probably implement this manually, this seems rather cumbersome. Is there an easier way of implementing this with ansible?

Long story

We are using ansible to configure our infrastructure. When creating users for example, the main task would look like this:

```yaml
# Create or update one remote user per json file found under security/users/
- name: import users
  uri:
    url: "{{ '%(url)s/users/user/%(user)s'|format(
        url=url,
        user=user
      ) }}"
    method: PUT
    user: "{{ configuration_user }}"
    password: "{{ configuration_password }}"
    force_basic_auth: yes
    body_format: json
    body: "{{ lookup('template', item) }}"
    status_code: 200, 201
  vars:
    # user name = file name without its .json suffix (dot escaped, match anchored at the end)
    user: "{{ item | basename | regex_replace('\\.json$', '') }}"
  with_fileglob:
    - security/users/*.json
```

So we are just using the PUT method to create/update the users. Difficulties with this approach:

  • the infrastructure must provide a create/update method (PUT or POST with overwrite option or something similar)
  • when a user is deleted, and we delete the corresponding json file, running the ansible script again won't delete that user.
Chris Maes
  • Users in what system? I don't think Ansible is the tool you are looking for doing stuff like this. – Alex R Nov 05 '20 at 14:15
  • No matter what system. This seems quite standard API usage to me: I have a list of user config files user-a.json, user-b.json. On the system user-a and user-c are already present; I would like ansible to create b, update a (and b) and remove c. In my case this applies at least to mongodb atlas and elasticsearch; it also applies to more than users only: roles, or whatever objects. – Chris Maes Nov 05 '20 at 14:17
  • Those are well-known tools, and if you need to manage users on those systems there is a module or plugin for them already. Don't reinvent the wheel. – Alex R Nov 05 '20 at 14:29
  • Thanks for the input. You are right that some modules / collections exist. Most of them are not complete however (allowing to configure users only, no roles, watches, ...). The ansible-elasticsearch module is for installing, not configuring only (we use elastic cloud). I need to investigate what is the best way forward here. – Chris Maes Nov 05 '20 at 15:04
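
The list / create-update / delete-the-rest sequence from the question, sketched as Ansible tasks to run after the PUT task. This is an added example, not part of the original post: it assumes a GET on the collection URL returns a JSON object keyed by user name and that DELETE is accepted on the per-user URL, and `protected_users` is a hypothetical variable.

```yaml
# Added example. Assumed: GET {{ url }}/users/user returns {"<name>": {...}, ...}
# and DELETE works on the per-user URL. protected_users is a hypothetical variable.
- name: derive desired user names from the json files
  set_fact:
    desired_users: >-
      {{ query('fileglob', 'security/users/*.json')
         | map('basename') | map('regex_replace', '[.]json$', '') | list }}

- name: refuse to continue if no json file matched (every user would be deleted)
  assert:
    that: desired_users | length > 0

- name: list users currently present
  uri:
    url: "{{ url }}/users/user"
    method: GET
    user: "{{ configuration_user }}"
    password: "{{ configuration_password }}"
    force_basic_auth: yes
    return_content: yes
  register: existing

# Never delete the account the playbook authenticates with, nor any protected account
- name: compute users that have no json file
  set_fact:
    stale_users: >-
      {{ existing.json.keys() | list
         | difference(desired_users)
         | difference(protected_users | default([configuration_user])) }}

- name: delete users that have no json file
  uri:
    url: "{{ url }}/users/user/{{ item | urlencode }}"
    method: DELETE
    user: "{{ configuration_user }}"
    password: "{{ configuration_password }}"
    force_basic_auth: yes
    status_code: [200, 204, 404]
  loop: "{{ stale_users }}"
```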

0 Answers