I suspect something has changed with the user module since this mock exam question was created. I spent 2 hours working through this one question and dearly hope I don’t have to have this level of Ansible knowledge for the exam – good practice though.
So, because the vaulted password becomes plaintext when called, and the user module requires a hashed password, you have to use a filter. Because of some deeper issues you have to use the string filter before password_hash:
Snippet:

    - name: Add and configure admin users
      user:
        name: "{{ item }}"
        password: "{{ admin_pass | string | password_hash('sha512') }}"
        groups: wheel
      loop: "{{ users.admins }}"
Full playbook with some debugging output for context:

    ---
    - name: Add and configure users
      hosts: node00
      vars:
        admin_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          32666132323233363435623530336538363562303930656662363631353766643264393765646433
          3464646335663238663766383338353766376363333533370a656331396230623439646439356366
          61643466393863353864313864343464363262393433663834653635653735663961346263313865
          6339623532353264320a323737646265373265366233366534376234363238396561656266626438
          3265
        developer_pass: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          35393832663964376264306639373839386262643964623139633335643938313739373239633862
          3838626334376232393536633233613636303334623563300a663666333837383630316632646165
          65366136616562626665313833643837396262393439326633346139636532656561613035386438
          3736313830313030350a636463343864623962363931303931636366363633373533666562653764
          3334
      tasks:
        - name: Include users
          include_vars:
            file: ~/playbooks/data/users.yml
            name: users
        - name: Show users
          debug:
            var: users
        - name: Show admin password decrypted from vault
          debug:
            var: admin_pass
        - name: Show hashed admin password
          debug:
            msg: "{{ admin_pass | string | password_hash('sha512') }}"
        - name: Add and configure admin users
          user:
            name: "{{ item }}"
            password: "{{ admin_pass | string | password_hash('sha512') }}"
            groups: wheel
          loop: "{{ users.admins }}"
        - name: Add and configure developer users
          user:
            name: "{{ item }}"
            password: "{{ developer_pass | string | password_hash('sha512') }}"
            home: /var/www
          loop: "{{ users.developers }}"
Ansible output:

    thor@ansible-controller ~/playbooks$ ansible-playbook -i inventory add_users.yml --check

    PLAY [Add and configure users] ***********************************************************************************

    TASK [Include users] *********************************************************************************************
    ok: [node00]

    TASK [Show users] ************************************************************************************************
    ok: [node00] => {
        "users": {
            "admins": [
                "rob",
                "david",
                "joy"
            ],
            "developers": [
                "tim",
                "ray"
            ]
        }
    }

    TASK [Show admin password decrypted from vault] ******************************************************************
    ok: [node00] => {
        "admin_pass": "adm$n$"
    }

    TASK [Show hashed admin password] ********************************************************************************
    ok: [node00] => {
        "msg": "$6$cuK0bEpla1xxAJ6y$Bk.m12c5yY5If9JY7o7eyrDfP1qICLPyvIJL7a.xAtiJiLloGuYWwSC4isJyAdQnml4efrcNupyDBtPFwetYj."
    }

    TASK [Add and configure admin users] *****************************************************************************
    changed: [node00] => (item=rob)
    changed: [node00] => (item=david)
    changed: [node00] => (item=joy)

    TASK [Add and configure developer users] *************************************************************************
    changed: [node00] => (item=tim)
    changed: [node00] => (item=ray)

    PLAY RECAP *******************************************************************************************************
    node00                     : ok=6    changed=2    unreachable=0    failed=0
Possible errors for reference:

This first error means you are sending a plaintext password (or one that has been decrypted from ansible-vault):

    [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

This second error happens on some (all?) versions of Ansible (2.7.10 currently in the Mock Exam 1 labs) when you use {{ variable | password_hash('sha512') }} without the string filter in between (for more details see https://github.com/ansible/ansible/issues/24425). I can’t tell if it’s been fixed or if the string filter is the appropriate method going forward.

    fatal: [node00]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ admin_pass | password_hash('sha512')}}): must be string, not AnsibleVaultEncryptedUnicode"}
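A hardened variant of the two user tasks, added here as an example; it is not the poster's playbook or the mock exam's answer. It keeps the string and password_hash filter chain that avoids both errors above, and adds three things a practitioner would want: no_log so the decrypted vault value, the loop items and the resulting hash never appear in task output or logs (the debug tasks in the post print both the plaintext and the hash), a salt seeded from inventory_hostname so password_hash produces the same hash on every run instead of a freshly salted one, and update_password: on_create so existing accounts are not re-set on each run. The vault variables admin_pass and developer_pass and the users.yml structure are assumed to be the same as in the post; the vars/secrets.yml path is an assumed location for them.

```yaml
---
# Added example, not the original post's playbook. Assumes admin_pass and
# developer_pass are !vault values (here kept in an assumed vars/secrets.yml)
# and that users.yml has the same admins/developers lists as in the post.
- name: Add and configure users without leaking secrets
  hosts: node00
  vars_files:
    - vars/secrets.yml
  tasks:
    - name: Include users
      include_vars:
        file: ~/playbooks/data/users.yml
        name: users

    - name: Add and configure admin users
      user:
        name: "{{ item }}"
        # string converts the AnsibleVaultEncryptedUnicode value to a plain
        # string before hashing; the seeded salt keeps the hash identical on
        # every run for this host, so the task stays idempotent
        password: "{{ admin_pass | string | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        groups: wheel
        # only set the password when the account is first created
        update_password: on_create
      loop: "{{ users.admins }}"
      # hides the item, the plaintext and the hash from output and logs
      no_log: true

    - name: Add and configure developer users
      user:
        name: "{{ item }}"
        password: "{{ developer_pass | string | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        home: /var/www
        update_password: on_create
      loop: "{{ users.developers }}"
      no_log: true
```

With no_log set, a failure in the task is also censored, so temporarily drop it (or run with a throwaway vault value) when debugging the filter chain itself; the seeded random salt is the idempotent pattern from the Ansible filter documentation and is not a secret, the secret stays in the vaulted variable.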