ansible / terraform-provider-ansible

community terraform provider for ansible
https://registry.terraform.io/providers/ansible/ansible/latest
GNU General Public License v3.0

How to run a playbook and specify a become password #42

Open nicleary opened 1 year ago

nicleary commented 1 year ago

The documentation is not very clear on this: how do we run a playbook and supply a become password?

Specifically, I'm looking to store a become password in a vault file, and use that as the become password, without ever being prompted for it.

anazobec commented 1 year ago

Hi, I've looked into your question and created an example to help you. It is possible to store your become password in a vault file and then use that become password without ever being prompted for it. Here's how.

Step 1: Create a vault file with your become password

ansible-vault create vault.yml

# or this, for a different editor
EDITOR=<your_editor> ansible-vault create vault.yml

After entering one of the above commands, you'll be prompted for a password to use for your vault. Next, a text editor will open, where you'll write the content of your vault file. Here's an example:

my_become_password: password

Note: If you're using an editor such as nano, save using ctrl+s and exit using ctrl+x

Then, create your vault password file with your vault password as content.

echo my_vault_password > my_vault_password_file.txt

Step 2: my_playbook.yml

---
- hosts: all

  tasks:
    - ansible.builtin.command: whoami
      register: iam

    - name: Who am I
      ansible.builtin.debug:
        var: iam.stdout

    - name: My become password
      ansible.builtin.debug:
        msg: "My become password is: {{ ansible_become_pass }}"

Step 3:

Option A: (main.tf) If you're using the ansible_playbook resource:

terraform {
  required_providers {
    ansible = {
      source  = "ansible/ansible"
      version = "~> 1.1.0"
    }
  }
}

resource "ansible_playbook" "my_playbook" {
  playbook = "my_playbook.yml"

  name = "my_host"

  # Specify the vault file and its password file
  vault_files = [
    "./vault.yml"
  ]
  vault_password_file = "./my_vault_password_file.txt"

  extra_vars = {
    ansible_hostname = "my_host"

    # keep this line if your host is a docker container;
    # if needed, change it according to the ansible documentation
    ansible_connection = "docker"

    # Specify your become password.
    # my_become_password is the variable in the vault file
    # which stores your become password.
    ansible_become_user = "myuser"
    ansible_become      = true
    ansible_become_pass = "{{ my_become_password }}"
  }
}

Option B: If you're using an ansible-playbook from your terminal (plain CLI ansible-playbook):

ansible-playbook \
  -i my_inventory.ini -e hostname=my_host \
  -e @./vault.yml --vault-id ./my_vault_password_file.txt \
  -e "ansible_become_pass={{ my_become_password }}" \
  -e ansible_become_user=myuser -e ansible_hostname=my_host \
  -e ansible_become=true \
  -e ansible_connection=docker my_playbook.yml

In extra_vars you can see a bunch of ansible_something variables. Those are magic variables, and you can find a list of them [here](https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.).

Change up the variables from this example to your needs and that's it. Let me know if this helps. :)
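A pre-apply check for the two files this setup relies on, added here as an example (it is not code from the provider or from this thread): it flags a vault.yml that was never actually encrypted, so the become password would sit in clear text, and a vault password file that other users on the machine can read. It assumes the file names used above; the header it looks for is the one ansible-vault writes to an encrypted file.

```python
"""Pre-flight checks for a vault-backed become password (added example)."""
import os
import re
import stat
import tempfile

# Header ansible-vault writes at the top of an encrypted file:
# format 1.1, or 1.2 when the file carries a vault id label.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[^\n]+)?\n")


def is_vault_encrypted(content: str) -> bool:
    """True only for a vault envelope, not for plain YAML such as
    'my_become_password: password' that was saved unencrypted by mistake."""
    return VAULT_HEADER.match(content) is not None


def password_file_mode_ok(mode: int) -> bool:
    """The vault password file is plaintext, so it must carry no
    group or other permission bits at all (0600 or stricter)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_vault_inputs(vault_path: str, password_file: str) -> list[str]:
    """Return a list of findings; an empty list means both inputs look sane."""
    findings = []
    with open(vault_path, encoding="utf-8") as fh:
        if not is_vault_encrypted(fh.read()):
            findings.append(f"{vault_path} is not vault-encrypted; "
                            "the become password is stored in clear text")
    mode = stat.S_IMODE(os.stat(password_file).st_mode)
    if not password_file_mode_ok(mode):
        findings.append(f"{password_file} has mode {mode:04o}; "
                        "expected 0600 or stricter")
    return findings


if __name__ == "__main__":
    # Constructed sample: an unencrypted vault and a world-readable
    # password file, both of which the check should report.
    with tempfile.TemporaryDirectory() as tmp:
        vault = os.path.join(tmp, "vault.yml")
        pw = os.path.join(tmp, "my_vault_password_file.txt")
        with open(vault, "w", encoding="utf-8") as fh:
            fh.write("my_become_password: password\n")
        with open(pw, "w", encoding="utf-8") as fh:
            fh.write("my_vault_password\n")
        os.chmod(pw, 0o644)
        for finding in check_vault_inputs(vault, pw):
            print("WARNING:", finding)
```

Run it before `terraform apply` (or wire it into CI) so a vault file that was edited and saved in the clear never reaches a playbook run.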

nicleary commented 1 year ago

This looks great, and is exactly what I need. Is it possible to add this as an example in the docs? It seems like it would be a very common use case that isn't immediately obvious.