LAB: Working with Ansible Templates, Variables, and Facts

[francsw]

• [x] Create a template sudoers file in /home/ansible/hardened.j2 that produces a file with appropriate output for each host.
• [x] The deployed file should resemble the following, except with the IP and hostnames customized appropriately:

  %sysops 34.124.22.55 = (ALL) ALL
  Host_Alias WEBSERVERS = server1, server2
  Host_Alias DBSERVERS = serverA, serverB
  %httpd WEBSERVERS = /bin/su - webuser
  %dba DBSERVERS = /bin/su - dbuser

• [x] Create a playbook in /home/ansible/security.yml that uses the template module to deploy the template on all servers in the default ansible inventory after validating the syntax of the generated file.
• [x] Note: You may find it easier to have the play output to /home/ansible/test and validate manually using /sbin/visudo -cf before using the template module's validate.
• [x] IMPORTANT: Do not deploy any file to /etc/sudoers.d/ without first validating with visudo! A syntax error in a sudoers file will break sudo on the system and require starting the exercise over again!
• [x] Note: The video shows the use of join(' ') which is a typo. To support multiple hosts in the sudoers file it should instead be join(', ')
• [x] Run the playbook and ensure the files deployed correctly.
• [ ]

[francsw]

---
- hosts: test
  gather_facts: yes
  become: yes

  tasks:
  - name: Create sudoers template
    template:
      src: hardened.j2
      dest: /etc/sudoers.d/hardened.out
      validate: /usr/sbin/visudo -cf %s

%sysops {{ ansible_default_ipv4.address }} = (ALL) ALL
Host_Alias WEBSERVERS = {{ groups['WEBSERVERS'] | join(" ,") }}
Host_Alias DBSERVERS = {{ groups['DBSERVERS'] | join(" ,") }}
%httpd WEBSERVERS = /bin/su - webuser
%dba DBSERVERS = /bin/su - dbuser

[francsw]

{% ... %} for Statements
{{ ... }} for Expressions to print to the template output
{# ... #} for Comments not included in the template output
#  ... ## for Line Statements