I'm trying to create a set of users in Ansible using with_dict. The problem is sometimes the user already exists and I don't have the password. In that case I'd like to simply skip setting the password, but manage the rest of the user attributes. Here is an ugly workaround, but there must be a better way to do this:
- name: create FTP users (password known)
user:
name: "{{ item.key }}"
comment: "{{ item.value.comment | default('') }}"
password: "{{ item.value.password }}"
shell: "{{ item.value.shell | default('/sbin/nologin') }}"
home: "{{ item.value.home | default('/var/ftp/' + item.key) }}"
createhome: "{{ item.value.createhome | default('no') }}"
with_dict: "{{ ftp_users }}"
when: item.value and item.value.password is defined
- name: create FTP users (password unknown)
user:
name: "{{ item.key }}"
comment: "{{ item.value.comment | default('') }}"
shell: "{{ item.value.shell | default('/sbin/nologin') }}"
home: "{{ item.value.home | default('/var/ftp/' + item.key) }}"
createhome: "{{ item.value.createhome | default('no') }}"
with_dict: "{{ ftp_users }}"
when: item.value.password is not defined
I've also found I can just pull the password for every user in to ansible from /etc/shadow, but that is kind of ugly as well. Is there a way to simply not try to manage the password attribute if the dict value is unset?
Excerpt from the user module docs:
To skip unknown parameter, use omit:
Run all accounts through the 'password unknown' playbook.
Use a separate playbook to set the passwords of the new accounts.