I am trying to develop a playbook to set a common password on groups of 
servers.  The concept is that all servers within a given group would 
receive one randomly generated password, all servers within the next group 
would receive a different randomly generated password, and so on.  The 
issue I have is that this playbook needs to be able to act upon multiple 
inventories, each containing arbitrary group names.

So for example, my inventories can look something like this:

inventory_file_1
[INV1_PRD]
prdhost1
prdhost2

[INV1_DEV]
devhost1
devhost2


inventory_file_2
[INV2_PRD]
prdhost3
prdhost4

[INV2_DEV]
devhost3
devhost4


In general, the playbook looks something like this:

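- name: Generate random password
  set_fact:
    password: "{{lookup('password', '/dev/null')}}"
  # run_once is a task keyword, so it belongs at task level, not under set_fact
  run_once: true

- name: Set password on host
  user:
    name: "{{account}}"
    # the password_hash scheme name is 'sha512'
    password: "{{lookup('vars', account)|password_hash('sha512')}}"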

- name: Store password in external vault
  ...


This works fine as long as I run the playbook once for each group (i.e. 
once for INV1_PRD, again for INV1_DEV, etc.).  All hosts in a single run 
get the same password.  But we would like to run it once for each inventory 
file and have a different password set for each group within that 
inventory.  I tried to set a group variable for each group and then use 
'group_by' with that variable as the key to break the groups out, but then 
I could not come up with a way of arbitrarily specifying hosts after that:

- group_by:
    key: my_group_var

- hosts: "{{my_group_var}}"
  tasks:
    - name: Generate random password
      etc.

This returns "The field 'hosts' has an invalid value, which includes an 
undefined variable. The error was: 'my_group_var' is undefined".  The 
'- hosts:' line seems to be expecting predefined names, with a '- hosts:' line 
for every possible group.  That is not what we want to do here as there 
could be any number of inventory files, each with its own set of group 
names.
So, does anyone have any suggestions?  
    Mark
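
One way to get a different random password per group from a single run against any inventory, shown as an added example that is not part of the original post. It assumes each host belongs to exactly one inventory group (as in the sample inventories above) and that `account` is defined as in the post; the names `group_passwords` and `new_pw` are hypothetical.

```yaml
# Added example (not from the original post).
# Run once per inventory file, e.g.: ansible-playbook -i inventory_file_1 site.yml
- hosts: all
  become: true
  tasks:
    # Build a dict {group name: password} on the first host only. With
    # run_once, set_fact makes the result available to every host in the play.
    - name: Generate one random password per inventory group
      ansible.builtin.set_fact:
        group_passwords: "{{ group_passwords | default({}) | combine({item: new_pw}) }}"
      vars:
        # Task vars are templated lazily, so the lookup runs again on each
        # loop iteration and every group gets its own value. Writing to
        # /dev/null keeps the cleartext off the controller's disk.
        new_pw: "{{ lookup('ansible.builtin.password', '/dev/null length=24 chars=ascii_letters,digits') }}"
      loop: "{{ groups.keys() | difference(['all']) | list }}"
      run_once: true
      no_log: true   # keep generated passwords out of output and logs

    # group_names lists the groups the current host is in (without 'all').
    # Assumption: one group per host, so the first entry identifies it.
    - name: Set the group's password on each host
      ansible.builtin.user:
        name: "{{ account }}"
        password: "{{ group_passwords[group_names | first] | password_hash('sha512') }}"
      no_log: true

    # The "store password in external vault" step from the post would follow
    # here, looping over group_passwords with run_once and no_log set.
```

Because `password_hash` is called without a fixed salt, the `user` task reports a change on every run, which is expected when the password is being rotated.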





 
