Create user if not exist in Ansible

ansible

I want to make sure a given user always exist in a system, so only create when it is not exist

my current tasks is:

- name: Create default user
action: user name={{ user }} groups={{ group }}  state=present

However, it raise the error when a user already exists, so how to avoid the error when the user account already exist?

Best Answer

Modules, and therefore, playbooks like the one you show, have to be idempotent to be of any use.

Repeating the same action several times both with a playbook and a onliner does not result in any errors, as expected:

$ ansible 10.0.0.2 -u dawud -m user -a "name=sysadm group=1000 state=present"
10.0.0.2 | success >> {
    "append": false,
    "changed": false,
    "comment": "System Administrator,,,",
    "group": 1000,
    "home": "/home/sysadm",
    "name": "sysadm",
    "shell": "/bin/bash-static",
    "state": "present",
    "uid": 1000
}


$ ansible-playbook ansible/sample.yml -u dawud -K
sudo password:

PLAY [10.0.0.2] *********************

GATHERING FACTS *********************
ok: [10.0.0.2]

TASK: [create admin user] *********************
ok: [10.0.0.2]

PLAY RECAP *********************
10.0.0.2                       : ok=2    changed=0    unreachable=0    failed=0

The playbook I have used:

$ cat ansible/sample.yml
- hosts: 10.0.0.2
  sudo: yes

  tasks:

    - name: create admin user
      action: user name=sysadm group=1000 state=present

Related Solutions

Ldap – Filter LDAP user through PAM so it appears to not exist at all

Here's my final solution, coded in ansible:

- name: Disable ldap users                                                  
  ini_file: dest=/etc/sssd/sssd.conf section='nss' 
            option=filter_users value={{ filter_ldap_users | join(",") }}
  register: sssd_conf_users                                                   

- name: Disable ldap groups                                                 
  ini_file: dest=/etc/sssd/sssd.conf section='nss' 
            option=filter_groups value={{ filter_ldap_groups | join(",") }}
  register: sssd_conf_groups                                                  

- name: Restart SSSD                                                        
  when: sssd_conf_users.changed or sssd_conf_groups.changed                   
  service: name=sssd state=restarted                                          

- name: Flush NSCD cache                                                    
  when: sssd_conf_users.changed or sssd_conf_groups.changed                   
  shell: "for db in /var/db/nscd/*; do nscd -i $(basename $db); done"         

- name: Flush SSSD cache                                                     
  when: sssd_conf_users.changed or sssd_conf_groups.changed                   
  command: /usr/sbin/sss_cache -E

Ansible user module fails when group parameter matches name parameter (e.g. creating user & group name)

You can have a look at what happens internally in ansible for you distro

After reading the source code of the module, the answer to your question is, in the context of CentOS:

If you specify a primary group (whatever it is), this group must exist prior to running the module
If you don't specify a primary group, the module will rely on useradd to automagically add the user to a group with the same name. If that group already exists, the module will take care of adding the -N flag to bypass any potential error.

That being said, I would not rely on any of those mechanisms and would systematically create the needed groups prior to using them explicitly in the user module because:

it will not make much difference in terms of running time on your overall playbook.
it is easier to read and understand by someone picking your code months after (including you).
it is more agnostic and would work on a much wider variety of OS if needed (macOS, *BSD, ...) reproducing the same result (idempotency) where defaults might be different (e.g. adding new users to the users system group...)

Best Answer

Related Solutions

Ldap – Filter LDAP user through PAM so it appears to not exist at all

Ansible user module fails when group parameter matches name parameter (e.g. creating user & group name)

Related Topic