
I am creating Linux users with Ansible.
The user definitions (everything except the password) are in a group variable yml,
and the password definitions, encrypted with Ansible Vault, are in another yml.

I want to build an Ansible process that sends an email to the user when a new user is created.
Sending the email works, but I cannot embed the password information in it.
I send the mail with the mail module, and the mail body is built by referring to
a template file (Jinja2 template).

Here are the sources.

  • common.yml (user definitions)
user:
  - name: user_a
    uid: 5001
    groups: subgroup
    state: present
    append: yes
    generate_ssh_key: yes
    comment: '[email protected]'
  - name: user_b
    uid: 5002
    groups: subgroup
    state: present
    append: yes
    generate_ssh_key: yes
    comment: '[email protected]'
  • secret.yml (password definitions)
secret:
  - user: user_a
    password: 'abcdefg'
  - user: user_b
    password: 'hijklmn'
  • main.yml (user-creation role)
# Create users
- name: "Create user"
  include_tasks: user.yml
  with_items: "{{ user }}"
  loop_control:
    loop_var: user_item
# Set passwords
- name: "Password setting"
  include_tasks: password.yml
  with_items: "{{ secret }}"
  loop_control:
    loop_var: secret_item
  • user.yml (task file included from main.yml)
# Create the user
- name: "{{ user_item.name }} user creation"
  user:
    name: "{{ user_item.name }}"
    uid: "{{ user_item.uid }}"
    groups: "{{ user_item.groups }}"
    state: "{{ user_item.state }}"
    append: "{{ user_item.append }}"
    generate_ssh_key: "{{ user_item.generate_ssh_key }}"
  register: _user
# Send the e-mail
- name: "{{ user_item.name }} send email"
  mail:
    subject: "Sending server access information ({{ user_item.name }})"
    from: [email protected]
    to: "{{ user_item.comment }}"
    body: "{{ lookup('template', 'mail_template.j2') }}"
  when: _user.create_home is defined # Send mail only when the user was newly created

I want to embed the user's password in "mail_template.j2" here.
Since there is no password in the "user" variable, I cannot reference it successfully.

What I tried
  • json_query filter
    https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#json-query-filter
    I wrote the following in the template, using the json_query filter from that page.
Password: {{ secret | json_query('[?user == user_item.name].password') }}


The result was just an empty list, "[]", in the place where it was embedded.

Password: []
  • json_query filter #2
    I tried writing the user name directly where "user_item.name" was in the json_query filter.
    This is only an experiment, because in practice the user name cannot be written directly.
Password: {{ secret | json_query("[?user == 'user_a'].password") }}


As a result, the password could be taken out, but extra characters ([u', ]) were stuck before and after it.

Password: [u'abcdefg']


Maybe I just don't know how to use Jinja2 filters...

I think it is a common technique to put only the passwords in a separate file for encryption.
In that case, how do you all look up the password that corresponds to a user?
Is my variable structure (sequence or mapping) wrong, or is it the way I build the role?
Please lend me your wisdom!

  • Define the password in the user variable without encryption
  • Define the password in the user variable and encrypt everything
It seems that either of these would be easy to implement, but I would like to keep them as a last resort.

Supplemental information (FW/tool version etc.)

Ansible version: 2.6.1

  • Answer #1

    I think this can be done.

    Password: {{ secret | json_query("[?user == '" + user_item.name + "'].password") | join }}

    The argument of json_query is a string, so a variable cannot be used in it directly. This is handled by string concatenation.

    [u'abcdefg'] seems to be the output of an array, so join it into a string.

    The page referenced is as follows.

    jinja2 - Ansible template adds 'u' to array in template - Stack Overflow
    Search keyword: ansible template u

    json_query filter not expanding variable inside query · Issue #22346 · ansible/ansible
    Search keyword: ansible json_query variable


    > I think it is a common technique to put only the passwords in a separate file for encryption.
    > In that case, how do you all look up the password that corresponds to a user?

    I don't know much about it, but I wonder whether Ansible Vault can be used for that...
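As an added example (not the asker's or the answerer's code), here is user.yml rewritten so the per-user lookup uses core Jinja2 filters instead of json_query: it needs no jmespath on the control node, yields a plain string rather than a list rendered as [u'...'], fails when the secret list has no or several entries for the user, and keeps the password out of the play output with `no_log`. It assumes the `user` and `secret` lists from the question's common.yml and secret.yml are loaded and that this file is included from main.yml with `loop_var: user_item`; the sender address and the `_pw_matches` fact name are placeholders.

```yaml
# user.yml (added example): included from main.yml once per user, with
# loop_var user_item, exactly as in the question. Assumes the `user` list
# (common.yml) and the vault-encrypted `secret` list (secret.yml) are loaded.
- name: "{{ user_item.name }} user creation"
  user:
    name: "{{ user_item.name }}"
    uid: "{{ user_item.uid }}"
    groups: "{{ user_item.groups }}"
    state: "{{ user_item.state }}"
    append: "{{ user_item.append }}"
    generate_ssh_key: "{{ user_item.generate_ssh_key }}"
  register: _user

# Collect every secret entry whose user field matches the current user.
# selectattr/map/list are core Jinja2 filters, so no jmespath is needed and
# the result is a real list of strings, not a "[u'...']" text rendering.
- name: "{{ user_item.name }} look up vaulted password"
  set_fact:
    _pw_matches: >-
      {{ secret | selectattr('user', 'equalto', user_item.name)
                | map(attribute='password') | list }}
  no_log: true   # keep the password out of play output and log files

# Stop instead of mailing an empty or ambiguous password.
- name: "{{ user_item.name }} verify exactly one secret entry"
  fail:
    msg: "expected one secret entry for {{ user_item.name }}, found {{ _pw_matches | length }}"
  when: _pw_matches | length != 1

# mail_template.j2 (assumed content) can then simply contain:
#   Password: {{ _pw_matches[0] }}
- name: "{{ user_item.name }} send email"
  mail:
    subject: "Sending server access information ({{ user_item.name }})"
    from: "sender@example.com"          # placeholder sender address
    to: "{{ user_item.comment }}"
    body: "{{ lookup('template', 'mail_template.j2') }}"
  no_log: true   # the body carries the password; keep it out of -v output
  when: _user.create_home is defined   # only when the user was newly created
```

The `equalto` test is part of Jinja2 itself (2.8 and later), which is why the expression works without any extra Python package on the control node.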