ansible-manage-user's Introduction

ansible-manage-user ⚙️

Ansible playbooks to manage a user account on a set of hosts.

These are the actions that are currently supported:

  • Create a new user account and add a public ssh key to its authorized_keys file, with the option to allow the user to run privileged commands via sudo
  • Delete an existing user account and all of its directories and files

Warning ⚠️

These commands can be damaging, so always double-check the id of the user that you plan to manage!

Pre-requisites

  • You must run these playbooks as a user that has ssh access to and sudo privileges on each target host in your inventory.

  • You must create an Ansible inventory file at the root of this project containing the name or IP address of each target host on which you wish to manage users. A sample inventory file might look like this:

    all:
      hosts:
        my_ungrouped_host:
      children:
        group1:
          hosts:
            my_server:
            my_database:
        group2:
          hosts:
            sample.mydomain.com:
            db.mydomain.com:
        group3:
          hosts:
            192.168.1.5:
            192.168.1.6:
  • Ansible supports more complicated inventory management. If you have a need for that, consult the Ansible documentation for more information.

  • You must create a directory group_vars at the root of this project that contains files with the Ansible variable values for each group specified in the inventory; for example, to specify the same values for every host in the inventory you might create a single file named all.yml that looks like this:

    allow_sudo: true
    ansible_become: yes
    username: audit
    ssh_public_key: "{{ lookup('aws_ssm', '/ssh/public/key') }}"
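
A pre-flight check for the group_vars values above, as an added example that is not part of this project: it rejects protected or malformed usernames and an ssh_public_key whose base64 blob does not match its declared key type. The deny list, the function names and the sample key are assumptions made for illustration, and the values are assumed to be already resolved (for example after the SSM lookup).

```python
import base64
import binascii
import re
import struct

# Assumed deny list (not from the project): accounts the playbooks should never touch.
PROTECTED = {"root", "daemon", "bin", "sys", "nobody"}
# Conventional useradd naming rule: lowercase letter or underscore first, max 32 chars.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def key_problem(line):
    """Return a reason the OpenSSH public key line is malformed, or None."""
    parts = line.split()
    if len(parts) < 2:
        return "ssh_public_key is not '<type> <base64> [comment]'"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return "ssh_public_key body is not valid base64"
    if len(blob) < 4:
        return "ssh_public_key blob is truncated"
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with a length-prefixed copy of the key type.
    if blob[4:4 + n] != parts[0].encode():
        return "ssh_public_key type does not match its encoded blob"
    return None


def check_user_vars(user_vars, connecting_user):
    """Collect reasons not to run the create/delete playbooks with these values."""
    problems = []
    name = str(user_vars.get("username", ""))
    if not NAME_RE.fullmatch(name):
        problems.append(f"username {name!r} is not a valid account name")
    # Deleting the account Ansible connects as would lock the operator out.
    if name in PROTECTED or name == connecting_user:
        problems.append(f"username {name!r} is a protected or in-use account")
    reason = key_problem(str(user_vars.get("ssh_public_key", "")))
    if reason:
        problems.append(reason)
    return problems


# Constructed sample key (all-zero Ed25519 blob, not a real credential).
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " audit@example"
GOOD = {"allow_sudo": True, "username": "audit", "ssh_public_key": SAMPLE_KEY}
```

Run `check_user_vars` on the resolved variables before invoking either playbook and stop if the returned list is not empty.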

Usage

Adding a new user account

ansible-playbook --inventory=inventory.yml create/playbook.yml

Deleting an existing user account

ansible-playbook --inventory=inventory.yml delete/playbook.yml

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Author Information

David Redmin - [email protected]

ansible-manage-user's Issues

Password?

Don't we want to specify a password for the account here?

You can generate the crypted password via mkpasswd --method=sha-512 and put it in SSM. The crypted value is even safe to commit to git, although I don't think there is any need for that here. (There is no known way to retrieve the password from the crypted value.)

Use YAML inventory and group variables files to simplify use of this project

💡 Summary

I think the use of this project can be enhanced by using a YAML inventory file and group variables stored in the project's root directory, and I think it makes sense to modify the README.md instructions to reflect this.

Motivation and context

When I recently used this project to create the credentialed users for our compliance scans, I created an ansible-manage-user/inventory.yml file that looked like this:

all:
    children:
        openvpn:
            hosts:
                i-0123456789abcdef0:
        freeipa:
            hosts:
                i-0123456789abcdef1:
                i-0123456789abcdef2:
                i-0123456789abcdef3:

Note that this more easily allows one to create or destroy the user for a particular group of servers.

I also created an ansible-manage-user/group_vars directory, which contains a single file named all.yml that looks like:

allow_sudo: true
ansible_become: yes
username: abcdef
ssh_public_key: ssh-rsa blahblahblah abcdef

With these two files in place, I can run the "create" playbook like this:

$ AWS_PROFILE=cool-sharedservices-startstopssmsession AWS_SHARED_CREDENTIALS_FILE=~/.aws/production_credentials AWS_DEFAULT_REGION=us-east-1 ansible-playbook --inventory=inventory.yml create/playbook.yml

And I can run the "delete" playbook (whose name perturbs me since "destroy" is the opposite of "create") like this:

$ AWS_PROFILE=cool-sharedservices-startstopssmsession AWS_SHARED_CREDENTIALS_FILE=~/.aws/production_credentials AWS_DEFAULT_REGION=us-east-1 ansible-playbook --inventory=inventory.yml delete/playbook.yml

To my mind, these changes make this project quite a bit easier to use.

Acceptance criteria

  • The instructions in the README.md file are edited to reflect the above changes.

GitHub Actions CI builds are failing

🐛 Bug Report

This repository's GitHub Actions are failing because it has no lineage file and hence has not received updates; therefore, it is still using the previously-deprecated and now-disallowed ::set-env name=PY_VERSION::3.8.6 syntax.

To Reproduce

Re-run this GitHub Action and enjoy the failure.

Expected behavior

The GitHub Action should complete successfully.

Any helpful log output

Paste the results here:

Unable to process command '::set-env name=PY_VERSION::3.8.6' successfully.

The `set-env` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
