
This is a step-by-step of what I'm trying to accomplish via Ansible:

  1. SSH as root
  2. Install python (not present in Ubuntu) and other basic packages.
  3. Create a new deploy user and configure /etc/ssh/sshd_config such that PasswordAuthentication no and PermitRootLogin no.
  4. Restart ssh service.

Later on I am updating my playbook with new tasks, roles, etc. So I want to re-run the playbook against the same server (which has root access blocked), just this time accessing as the newly created user.

As expected, I'm getting a Permission denied error, since Ansible is attempting to access as root.

Question:

  • How can I just do this first pass as root and then jump over the root tasks (pre_tasks in this case) on the next playbook runs?

One option is to just make it into two separate playbooks: one for provisioning, one for the rest.

# playbook.yml
---
- name: Prepare server
  hosts: webserver
  gather_facts: False
  pre_tasks:
    - name: Install python for Ansible
      remote_user: root
      raw: type /usr/bin/python || (apt -y update && apt install -y python)
    - name: Create user
      remote_user: root
      include_role:
        name: deploy-user

  roles:
    # Future roles here

# roles/deploy-user/tasks/main.yml
---
- group:
    name: deploy
    state: present

- name: Create Deploy user
  user:
    name: "{{ deploy_user }}"
    comment: "Deploy User"
    groups: "sudo,deploy"
    password: "{{ deploy_password | password_hash('sha512') }}"
    shell: /bin/bash
    update_password: on_create


- name: Set authorized key taken from files
  authorized_key:
    user: "{{ deploy_user }}"
    state: present
    key: "{{ lookup('file', item) }}"
  with_items:
    - '{{ ssh_authorized_keys }}'

- name: Disallow password authentication
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    state: present

- name: Disallow root SSH access
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    state: present

- name: restart-sshd
  remote_user: root
  service: name=ssh state=restarted
techraf
lllllll
  • I missed the part where you were disabling root access. In that case, I think your best option is simply to have separate playbooks. – larsks Mar 21 '17 at 20:13

2 Answers


Create two inventory files defining the same host group:

  • in the first one (bootstrap) define the ansible_user=root,
  • in the second one (inventory) define ansible_user=regular_user_with_sudo_permissions.

Define the second one (inventory) as the default inventory file in ansible.cfg.

Run with -i bootstrap option whenever you need to bootstrap a new machine. Omit the option in other cases.

techraf

The playbook below the # line will provide you what you want, becoming a different user all inside of one playbook. If you would like to do this with two playbooks you can do the same thing, just split your file. What you were looking for is become_user in Ansible. This allows you to become anyone as long as you know the password information for that user, which you would have to store as a variable, but you already had it in your playbook as a variable. I took the liberty of showing you another way to be able to pass a password to the playbook and encrypt the value before it's passed across to the configured machine. You don't have to use that portion for the lower block to work; I was just trying to expand upon your knowledge base. Apologies if you already know some of this content. I do have concerns about you turning off password authentication and not having an SSH key created for the new "{{ deploy_user }}".

---
- hosts: [some_server]
  become: true

  # vars_prompt is a play keyword, so it lives inside the play, not as its own list item
  vars_prompt:
    - name: deploy_pass
      prompt: "What is the password for the new user"
      confirm: true
      private: true
      encrypt: "sha512_crypt"
      salt_size: 7

  tasks:
    - name: Create Deploy user
      user:
        name: "{{ deploy_user }}"
        comment: "Deploy User"
        groups: "sudo,deploy"
        # deploy_pass is already hashed by the vars_prompt encrypt option above
        password: "{{ deploy_pass }}"
        shell: /bin/bash
        update_password: on_create

    - name: Set authorized key taken from files
      authorized_key:
        user: "{{ deploy_user }}"
        state: present
        key: "{{ lookup('file', item) }}"
      with_items:
        - '{{ ssh_authorized_keys }}'

    - name: Disallow password authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: present

    - name: Disallow root SSH access
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        state: present

    - name: restart-sshd
      remote_user: root
      service: name=ssh state=restarted
- hosts: [some_server]
  become: true
  become_user: "{{ deploy_user }}"
  # tasks that should run as the deploy user go here
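As an added example, not code from the question or either answer: the two-inventory layout techraf describes, combined with a deploy-user task file that addresses the second answer's concern about disabling password login before a key exists. `validate` makes lineinfile run sshd -t on the candidate file and refuse to write one sshd cannot parse; the file names bootstrap, inventory and site.yml, the webserver group, the deploy user and the 203.0.113.10 address are assumptions or constructed values.

```yaml
# bootstrap  (first run only: ansible-playbook -i bootstrap site.yml)
#   [webserver]
#   203.0.113.10 ansible_user=root          # constructed sample address
#
# inventory  (default; ansible.cfg contains:  inventory = inventory)
#   [webserver]
#   203.0.113.10 ansible_user=deploy
#
# roles/deploy-user/tasks/main.yml
---
- name: Refuse to disable password login before any key is available
  assert:
    that: ssh_authorized_keys | length > 0
    fail_msg: "ssh_authorized_keys is empty; PasswordAuthentication no would lock out {{ deploy_user }}"

- name: Ensure deploy group exists
  group:
    name: deploy
    state: present

- name: Create deploy user
  user:
    name: "{{ deploy_user }}"
    comment: "Deploy User"
    groups: "sudo,deploy"
    password: "{{ deploy_password | password_hash('sha512') }}"
    shell: /bin/bash
    update_password: on_create

- name: Install authorized keys for the deploy user
  authorized_key:
    user: "{{ deploy_user }}"
    state: present
    key: "{{ lookup('file', item) }}"
  loop: "{{ ssh_authorized_keys }}"

- name: Harden sshd_config (sshd -t rejects a broken file before it is written)
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?{{ item.key }}\\s"
    line: "{{ item.key }} {{ item.value }}"
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - { key: PasswordAuthentication, value: "no" }
    - { key: PermitRootLogin, value: "no" }
  notify: restart sshd
```

The play that includes this role needs become: true once the inventory switches to the deploy user, and a handler named restart sshd (service: name=ssh state=restarted) in roles/deploy-user/handlers/main.yml.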