Automating operations that would otherwise require manual intervention is a key capability. Keeping secrets in an encrypted file, rather than typing them in when asked, lets a play run without blocking on interactive password prompts.
In this exercise, you will use Ansible Vault to encrypt a file of passwords on the local system, then use that encrypted file from a playbook to create users on the managed hosts in the spines group.
Outcomes
You should be able to use variables defined in the encrypted file when performing a play.
Open a terminal window on the workstation VM and change to the ~/proj/ directory.
Create an encrypted file named users-secret.yml in the ~/proj/vars/ directory.
This file will define the password variables and store the passwords to be used in the playbook.
Use a variable named newusers, a list of associative arrays, to define the users and their passwords with the name and pw keys, respectively.
Define the ansibleuser1 user and its redhat password.
Also define the ansibleuser2 user and its Re4H1T password.
Set the Vault password to redhat.
If you do not already have a vars/ directory, create it now.
[student@workstation proj]$ mkdir -p vars
Change to the vars directory.
[student@workstation proj]$ cd vars
Create an encrypted file named users-secret.yml in vars/.
Provide a Vault password of redhat and confirm it.
This will open a file in the default editor.
[student@workstation vars]$ ansible-vault create users-secret.yml
New Vault password: redhat
Confirm New Vault password: redhat
Add a variable named newusers.
It should consist of a list of associative arrays, with key/value pairs, where the keys are name and pw, as illustrated here:
---
newusers:
  - name: ansibleuser1
    pw: redhat
  - name: ansibleuser2
    pw: Re4H1T
Save the file.
Create a playbook in the ~/proj/ directory named create-users.yml that uses the variables defined in the vars/users-secret.yml encrypted file.
[student@workstation proj]$ cat create-users.yml
---
- name: create users on the spine machines
  hosts: spines
  vars_files:
    - vars/users-secret.yml
  tasks:
    - name: create users
      vyos_user:
        name: "{{ item.name }}"
        configured_password: "{{ item.pw }}"
        state: present
      loop: "{{ newusers }}"
      loop_control:
        # Print only the user name for each loop item, so item.pw never
        # appears in the task output or in logs.
        label: "{{ item.name }}"
Verify the syntax of the play contained in your playbook, and then run it.
The first command in the following example is on one long line that ends with create-users.yml.
[student@workstation proj]$ ansible-playbook --ask-vault-pass --syntax-check create-users.yml
Vault password: redhat

playbook: create-users.yml
[student@workstation proj]$ ansible-playbook --ask-vault-pass create-users.yml
SSH password: vyos
Vault password: redhat

PLAY [create users on the spine machines] *************************************

TASK [create users] ************************************************************
changed: [spine01] => (item=ansibleuser1)
changed: [spine02] => (item=ansibleuser1)
changed: [spine01] => (item=ansibleuser2)
changed: [spine02] => (item=ansibleuser2)

PLAY RECAP *********************************************************************
spine01                    : ok=1    changed=1    unreachable=0    failed=0
spine02                    : ok=1    changed=1    unreachable=0    failed=0
Execute an ad hoc command to confirm that the users exist.
[student@workstation proj]$ ansible -m vyos_command \
> -a "commands='sh sys login users'" spines
SSH password: vyos
spine02 | SUCCESS => {
    "changed": false,
    ...output omitted...
    "stdout_lines": [
        [
            "Username         Type   Tty   From             Last login",
            "ansibleuser1     vyatta                        never logged in",
            "ansibleuser2     vyatta                        never logged in",
            "vyos             vyatta pts/0 172.25.250.254   Thu Jul 30 14:40:16 2020"
        ]
    ]
}
spine01 | SUCCESS => {
    "changed": false,
    ...output omitted...
    "stdout_lines": [
        [
            "Username         Type   Tty   From             Last login",
            "ansibleuser1     vyatta                        never logged in",
            "ansibleuser2     vyatta                        never logged in",
            "vyos             vyatta pts/0 172.25.250.254   Thu Jul 30 14:40:15 2020"
        ]
    ]
}
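The exercise relies on you remembering to run ansible-vault create before the file is used or committed. The following pre-flight check is an added example written for this edit, not part of the course material or of Ansible itself: a stdlib-only Python script that confirms a vars file really is vault-encrypted (first line $ANSIBLE_VAULT;1.1;AES256, or $ANSIBLE_VAULT;1.2;AES256;<label> when a vault id was used, followed by a hex payload) and refuses to proceed when a file still carries a password key in clear. The sample file contents, including the made-up hex payload, are constructed here; the function names are the example's own, not an Ansible API.

```python
"""Pre-flight check for Ansible vars files: every file that holds a
password must already be Ansible Vault encrypted.  Stdlib only; the check
validates structure and never decrypts anything."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Every Ansible Vault file starts with this header line.  Format 1.1 has
# three fields; 1.2 adds a fourth field, the vault id label.  AES256 is the
# only cipher Ansible ships.
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(1\.[12]);(AES256)(?:;([\w-]+))?$")
# The payload is lowercase hex wrapped at 80 columns.
HEX_LINE = re.compile(r"^[0-9a-f]+$")
# A key that, in a readable YAML file, means a secret is stored in clear.
# Values that are Jinja expressions ("{{ item.pw }}") are references, not
# secrets, so they are excluded.
SECRET_KEY = re.compile(
    r'^\s*-?\s*(pw|password|passwd|secret|token)\s*:\s*(?!["\']?\{\{)\S', re.M)


def parse_vault_header(text: str) -> Optional[dict]:
    """Return {'version', 'cipher', 'label'} for a vault-encrypted file,
    or None.  A header followed by non-hex content is treated as NOT
    encrypted: a half-edited or hand-crafted file must not pass."""
    lines = text.splitlines()
    if not lines:
        return None
    m = VAULT_HEADER.match(lines[0].strip())
    if not m:
        return None
    body = [ln.strip() for ln in lines[1:] if ln.strip()]
    if not body or not all(HEX_LINE.match(ln) for ln in body):
        return None
    return {"version": m.group(1), "cipher": m.group(2), "label": m.group(3)}


def classify(text: str) -> str:
    """'encrypted', 'plaintext-secret' (readable file carrying a password
    key), or 'plaintext' (readable but nothing that looks like a secret)."""
    if parse_vault_header(text) is not None:
        return "encrypted"
    if SECRET_KEY.search(text):
        return "plaintext-secret"
    return "plaintext"


def find_unencrypted(files: Dict[str, str]) -> List[str]:
    """files maps path -> contents.  Returns the paths that must not reach a
    repository or a play as they are; an empty list means proceed."""
    return [p for p, text in files.items() if classify(text) == "plaintext-secret"]


def find_unencrypted_on_disk(paths) -> List[str]:
    return find_unencrypted({str(p): Path(p).read_text() for p in paths})


# Constructed sample: the plaintext form of vars/users-secret.yml from the exercise.
PLAIN_VARS = """---
newusers:
  - name: ansibleuser1
    pw: redhat
  - name: ansibleuser2
    pw: Re4H1T
"""
# Constructed sample: the shape of the same file after ansible-vault create.
# The hex body is made up, not a real ciphertext; only the structure matters.
VAULTED_VARS = "$ANSIBLE_VAULT;1.1;AES256\n" + "61" * 40 + "\n" + "3b" * 40 + "\n"
# Constructed sample: a file encrypted with a vault id label (format 1.2).
VAULTED_LABELLED = "$ANSIBLE_VAULT;1.2;AES256;spines\n" + "7f" * 40 + "\n"
# Constructed sample: someone pasted the header onto a plaintext file.
HALF_DONE = "$ANSIBLE_VAULT;1.1;AES256\n" + PLAIN_VARS
# Constructed sample: a playbook that only *references* secrets via Jinja.
PLAYBOOK = """---
- hosts: spines
  tasks:
    - vyos_user:
        name: "{{ item.name }}"
        configured_password: "{{ item.pw }}"
        password: "{{ item.pw }}"
"""

if __name__ == "__main__":
    # Usage: python vault_check.py vars/*.yml   (exits 1 if any file is in clear)
    bad = find_unencrypted_on_disk(sys.argv[1:])
    for path in bad:
        print(f"REFUSING: {path} holds a password in clear; run ansible-vault encrypt")
    sys.exit(1 if bad else 0)
```

Run it over vars/*.yml before ansible-playbook or as a pre-commit hook. For unattended runs, where the prompt in this exercise would block, pass --vault-password-file pointing at a mode 0600 file kept outside the repository instead of --ask-vault-pass; the check above is equally useful there, since nothing in the playbook run itself tells you the vars file was ever encrypted.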
This concludes the guided exercise.