I'm trying to create password variables with lookup('password') and trying to respect this specific policy: foOBar1_FoO2Bar_3BarFoo (for example)

regex: 7 characters from "digits,ascii_lowercase,ascii_uppercase" repeated 2 two, separated by '_' character

I wrote this:

```yaml
---

- hosts: localhost
  gather_facts: no
  vars:
    password_length: "7"
    password_spec_str: "digits,ascii_lowercase,ascii_uppercase"
  tasks:
  - name: "Generate 2 randoms passwords"
    set_fact:
      FirstPass: "{{ lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) + '_' + lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) + '_' + lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) }}"
      SecondPass: "{{ lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) + '_' + lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) + '_' + lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) }}"

...
```

Results :

```
PLAY [localhost] ***************************************************************************************************************************************************************************************************************************************

TASK [Generate 2 randoms passwords] ********************************************************************************************************************************************************************************************************************
mardi 26 juillet 2022  16:26:05 +0200 (0:00:00.020)       0:00:00.020 *********
ok: [localhost] => changed=false
  ansible_facts:
    FirstPass: WqUjDBf_NDPX5zQ_YRnhaAP
    SecondPass: RGBkrIM_t9zS8tB_iCFrp3E

PLAY RECAP *********************************************************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Playbook run took 0 days, 0 hours, 0 minutes, 0 seconds
```

So the result suits me perfectly, but not the way to write that..

Does anyone have another idea to 'beautify' this set_fact ?

Thanks !

U880D
Wrest
  • So, you would like not to have `lookup('password' ...` three times in one line, but stay with the produced result. Would a `loop` work for you? – U880D Jul 28 '22 at 16:43

1 Answer

So the result suits me perfectly, but not the way to write that. Does anyone have another idea to 'beautify' this set_fact ?

If

  • neither the password lookup plugin nor another plugin is producing the output you are looking for
  • and you like to simplify the logic of password generation

you may need to work with characters and strings.

You could generate a longer temporary random string and construct the final string from it. To do so

```yaml
---
- hosts: localhost
  become: false
  gather_facts: false

  vars:

    password_length: "22" # character for one password excluding delimiter counting from 1
    password_spec_str: "digits,ascii_lowercase,ascii_uppercase"
    d: '_' # delimiter

  tasks:

  - name: "Generate 2 randoms passwords"
    set_fact:
      FirstPass: "{{ _pwd[:7] + d + _pwd[7:14] + d + _pwd[-7:] }}"
      SecondPass: "{{ _pwd[:7] + d + _pwd[7:14] + d + _pwd[-7:] }}"
    vars:
      _pwd: "{{ lookup('password', '/dev/null length=' ~ password_length ~ ' chars=' ~ password_spec_str ) }}"

  - name: Show passwords
    debug:
      msg:
        - "{{ FirstPass }}"
        - "{{ SecondPass }}"
```

In this case, accessing elements with slice notation was used, as well as task vars (only for the task), resulting, for example, in an output of

```
TASK [Show passwords] *****
ok: [localhost] =>
  msg:
  - F3lH5SV_heNTbTO_4YFAyOw
  - O8BucxG_VBDTHaO_6vzCV80
```

One advantage of the approach is that the lookup plugin is called only twice instead of six times before. Another one is that it is shorter and easier to read, the lookup plugin call is just written once instead of six times before.


Depending on the Ansible version you are on, you could enhance your case with random_words lookup – Return a number of random words

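```yaml
---
- hosts: localhost
  become: false
  gather_facts: false

  tasks:

  # random_words is part of the community.general collection,
  # so it is referenced by its fully qualified name
  - name: Generate words
    debug:
      var: lookup('community.general.random_words', numwords=3, delimiter='_', case='random')
```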

U880D
  • random_words generates "predictive" words, here I want to completely mix characters and digits on parts of the passwords randomly – Wrest Jul 28 '22 at 16:24
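
Added example (not part of the question or the answer above): one way to build each password from three independently generated 7-character segments with a single lookup call per fact, then check the result against the stated policy. The variable names `segment_term`, `segment_count` and `policy_regex` are hypothetical, and the playbook assumes the `password` lookup returns one password per term when called through `query`.

```yaml
---
- hosts: localhost
  gather_facts: false

  vars:
    segment_length: 7   # characters per segment, as in the question
    segment_count: 3    # segments per password, as in foOBar1_FoO2Bar_3BarFoo
    password_spec_str: "digits,ascii_lowercase,ascii_uppercase"
    # Hypothetical helper: one lookup term, reused for every segment.
    # /dev/null as the path means nothing is written to disk.
    segment_term: "/dev/null length={{ segment_length }} chars={{ password_spec_str }}"
    # Hypothetical policy check: 7 alphanumerics, then two more "_" + 7 groups.
    policy_regex: "^[0-9A-Za-z]{7}(_[0-9A-Za-z]{7}){2}$"

  tasks:

  - name: Generate 2 random passwords
    set_fact:
      # query() returns a list with one password per term; the list of
      # identical terms is unpacked into separate arguments with "*".
      FirstPass: "{{ query('password', *([segment_term] * segment_count)) | join('_') }}"
      SecondPass: "{{ query('password', *([segment_term] * segment_count)) | join('_') }}"
    no_log: true   # keep the generated values out of task output and logs

  - name: Check both passwords against the policy
    assert:
      that:
        - FirstPass is match(policy_regex)
        - SecondPass is match(policy_regex)
        - FirstPass != SecondPass
      quiet: true
```

The policy only constrains the alphabet and the layout, so a segment is not guaranteed to contain a digit, a lowercase and an uppercase character at the same time; if that is required, the regex in `policy_regex` has to be tightened and the generation retried on failure.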