In this part we will set up a project in AAP, sync it from a Git repository (GitHub/GitLab), and use that project to create job templates and execute them.
So let's quickly go to GitHub, create a repo, and add a file named password.yml:
---
- name: Generate and set random password on Remote Servers
  hosts: all
  gather_facts: no
  tasks:
    - name: Check if servers are reachable or not
      ansible.builtin.ping:
      register: ping_result

    - debug:
        msg: "{{ ping_result }}"

    - name: Generate complex random password
      set_fact:
        generated_password: "{{ lookup('community.general.random_string', length=12, min_lower=1, min_upper=1, min_numeric=1, min_special=1, override_special='-_=+!#$()[]') }}"
      no_log: true  # keep the generated password out of the job output

    - name: Write password to Vault using key value V2 engine
      delegate_to: 127.0.0.1
      community.hashi_vault.vault_write:
        # KV v2 write path: <mount>/data/<secret path>
        path: secret/data/dev/{{inventory_hostname}}
        # auth_method: approle
        # role_id: ''
        # secret_id: ''
        data:
          data:
            password: "{{ generated_password }}"
      no_log: true  # the task arguments contain the plaintext password

    - name: Setting password for user
      ansible.builtin.user:
        name: "{{ ansible_user | trim }}"
        # 'mysecretsalt' is a fixed salt shared by every host; omitting the
        # salt argument lets password_hash generate a random one.
        password: "{{ generated_password | password_hash('sha512', 'mysecretsalt') }}"
      no_log: true  # the task arguments contain the password hash
This playbook sets the password on the remote server and also updates it in the password vault, so that if required we can rapidly change the password without disrupting existing automation.
We will also write one more playbook, test.yml, to check that the password change worked and that we can execute plays before and after the password change. This play shows the output of the ifconfig and hostname commands; the point is that we can use the updated password from the vault and are still able to connect.
---
- name: Debug AAP
  hosts: all
  tasks:
    - name: Running hostname command to confirm and no funny business
      ansible.builtin.shell: hostname
      register: hostname

    - name: Show debug output
      ansible.builtin.debug:
        msg: "{{hostname.stdout}}"

    - name: Running ifconfig command to confirm and no funny business
      ansible.builtin.shell: ifconfig
      register: ifg

    - name: Show debug output
      ansible.builtin.debug:
        msg: "{{ifg.stdout}}"
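One way a test play could fetch the rotated password from Vault itself and connect with it, as an added example that is not part of the original post. It assumes password-based SSH, the same KV v2 mount and path that password.yml writes to, and a Vault address and token supplied through the environment (VAULT_ADDR, VAULT_TOKEN); the play and variable names are hypothetical.

```yaml
---
# Added example, not from the original post.
- name: Verify the rotated password stored in Vault
  hosts: all
  gather_facts: false
  vars:
    # Assumption: KV v2 engine mounted at "secret", one secret per host under
    # dev/<inventory_hostname>. The kv2 lookup takes the path WITHOUT the
    # "data/" segment that the raw vault_write path in password.yml needs.
    vault_secret: "{{ lookup('community.hashi_vault.vault_kv2_get',
                             'dev/' ~ inventory_hostname,
                             engine_mount_point='secret') }}"
    # Connect with the password read from Vault, not a stored credential.
    ansible_password: "{{ vault_secret.secret.password }}"
  tasks:
    - name: Check the stored password meets the length used in password.yml
      ansible.builtin.assert:
        that:
          - vault_secret.secret.password | length >= 12
        fail_msg: "Vault secret for {{ inventory_hostname }} is missing or too short"
        quiet: true
      no_log: true   # never print the secret, even on failure

    - name: Run hostname over a connection authenticated with the Vault password
      ansible.builtin.command: hostname
      register: hostname_result
      changed_when: false

    - name: Report the result with Vault metadata only
      ansible.builtin.debug:
        msg: >-
          {{ inventory_hostname }} answered as {{ hostname_result.stdout }}
          using Vault secret version {{ vault_secret.metadata.version }}
          created {{ vault_secret.metadata.created_time }}
```

The reported version number increases each time password.yml rotates the password, which gives a quick way to confirm from the job output that the connection used the latest secret.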
Next we need to create two job templates: in one select password.yml, and in the other select test.yml. The execution environment will be custom-ee, which we created in part 3. Enjoy!
We can see the execution in the screenshots below:
Screenshot: Changing/rotating the password
Screenshot: Updated random password for one of the servers
Screenshot: Able to connect even after changing the password, so no impact to existing automation
We are able to create a zero trust environment in which we can rotate the password every 60 days, if required, to keep our systems safe.
Let me know which Ansible topic you want to know more about, and I am happy to help.