giner / ansible-role-tfenv

Ansible role to install tfenv and Terraform into user's home or custom directory
https://galaxy.ansible.com/giner/tfenv
Apache License 2.0

fix become #6

Open jochen314 opened 1 year ago

jochen314 commented 1 year ago

The script does not work when executed locally as the root user. The script does not correctly switch to the tfenv_user user:

```yaml
- name: Install tfenv
  become_user: "{{ tfenv_user }}"
```

does not correctly switch the user.

The docs say:

become_user
set to user with desired privileges — the user you become, NOT the user you login as. **Does NOT imply become: yes**, to allow it to be set at host level. Default value is root.

giner commented 1 year ago

I'm not able to reproduce. Can you share more details?

jochen314 commented 1 year ago

Ok, I guess it is more complicated than I thought... What we do: we have a role to set up our development environment in an AWS virtual machine. As part of the role, we have the following tasks:

```yaml
- name: install terraform
  include_role:
    name: giner.tfenv
    apply:
      tags:
        - terraform
  vars:
    tfenv_user: ubuntu
  tags:
    - terraform
```

When we run this 'normally', everything is fine.

But we want to run the ansible play using the AWS State Manager using the AWS-ApplyAnsiblePlaybooks command. Our understanding is that this executes:

```bash
#!/bin/bash
[...]
ansible-playbook -i "localhost," -c local -e "" "-v" "play.yml"
```

as root.

But then we get an error:

```text
TASK [install terrform] ********************************************************

TASK [giner.tfenv : Install dependencies] **************************************
ok: [localhost] => {"cache_update_time": 1670411020, "cache_updated": false, "changed": false}

TASK [giner.tfenv : Set default tfenv_user] ************************************
skipping: [localhost] => {"changed": false, "skip_reason": "Conditional result was False"}

TASK [giner.tfenv : Read user's entry] *****************************************
ok: [localhost] => {"ansible_facts": {"getent_passwd": {"ubuntu": ["x", "1000", "1000", "Jochen", "/home/ubuntu", "/bin/bash"]}}, "changed": false}

TASK [giner.tfenv : Set tfenv_user_home (based on getent passwd)] **************
ok: [localhost] => {"ansible_facts": {"tfenv_user_home": "/home/ubuntu"}, "changed": false}

TASK [giner.tfenv : Set default tfenv_dir] *************************************
ok: [localhost] => {"ansible_facts": {"tfenv_dir": "/home/ubuntu/.tfenv"}, "changed": false}

TASK [giner.tfenv : Set default tfenv_bindir] **********************************
ok: [localhost] => {"ansible_facts": {"tfenv_bindir": "/home/ubuntu/bin"}, "changed": false}

TASK [giner.tfenv : Clone tfenv repo] ******************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to set a new url https://github.com/tfutils/tfenv for origin:  fatal: detected dubious ownership in repository at '/home/ubuntu/.tfenv'\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /home/ubuntu/.tfenv\n"}
```

So at some point, the ownership of the git repository does not match the user executing the git clone command.

But I also could not reproduce the problem without going through the whole process with AWS RunCommand :-(

But my understanding of the documentation is that become_user is ignored if not also accompanied by become: yes. Is that wrong?

giner commented 1 year ago

You are right. If ansible user and tfenv_user are different then become is necessary. become can be applied to include_role in the playbook,
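A play that applies the fix giner describes (become together with become_user on the include_role, passed through apply so it reaches the role's tasks) and then checks the ownership of the checkout, as an added example that is not part of this thread or of the role. It assumes the play is launched as root on localhost as in the AWS-ApplyAnsiblePlaybooks case, that tfenv_user is ubuntu, and that the role's tfenv_dir fact is still set after the include (the log above shows the role setting it with set_fact).

```yaml
# Added example, not the role's own code. Run as root, e.g.:
#   ansible-playbook -i "localhost," -c local play.yml
- hosts: localhost
  connection: local
  vars:
    tfenv_user: ubuntu            # assumption: the unprivileged target user
  tasks:
    # Before the fix, become_user alone was a no-op (it does not imply become),
    # so the clone ran as root and left a root-owned /home/ubuntu/.tfenv that
    # git later rejected with "dubious ownership".
    #
    # - name: install terraform
    #   include_role:
    #     name: giner.tfenv
    #   vars:
    #     tfenv_user: ubuntu

    # After the fix: become + become_user are applied to every task in the
    # role, so the clone is performed (and owned) by tfenv_user.
    - name: install terraform
      include_role:
        name: giner.tfenv
        apply:
          become: true
          become_user: "{{ tfenv_user }}"
          tags:
            - terraform
      vars:
        tfenv_user: "{{ tfenv_user }}"
      tags:
        - terraform

    # Verification: fail the play early if the checkout is not owned by the
    # intended user, instead of discovering it on the next git operation.
    # tfenv_dir is assumed to be the fact the role sets (see the log above).
    - name: Read ownership of the tfenv checkout
      stat:
        path: "{{ tfenv_dir }}"
      register: tfenv_stat

    - name: Assert the checkout is owned by tfenv_user
      assert:
        that:
          - tfenv_stat.stat.exists
          - tfenv_stat.stat.pw_name == tfenv_user
        fail_msg: "{{ tfenv_dir }} is owned by {{ tfenv_stat.stat.pw_name | default('nobody') }}, expected {{ tfenv_user }}"
```

If a previous root-run already left a root-owned checkout behind, the assert task will fail on it as well, which is the condition the "dubious ownership" error in the log above is reporting.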