Format for conditional password change

Ian Dennison

Jul 21, 2016, 9:07:20 AM
to Ansible Project
Am creating a playbook where the password age is set to 0 on userid create. The variable "user_created" gets detected as "changed" when a deleted userid is already deleted (i.e., has "absent" in the item.state), so I am trying to work around this by putting a double conditional in the "users set passwd age on add" task. However, Ansible will not let me reference the item.state variable in any way, shape or form. I have tried "with quotes", "with brackets", "without quotes and with brackets", "with quotes and without brackets".

Question 1: Is the "changed" attribute being set when no user was actually removed a bug in the module?

Question 2: What is the syntax for referencing item.state in a conditional? 


# tasks file for user
---
- name: users | add / delete
  user:
    name: "{{ item.name }}"
    comment: "{{ item.comment | default('') }}"
    group: "{{ item.group | default(item.name) }}"
    groups: "{{ item.groups | default([]) | join(',') }}"
    append: "{{ item.append | default(false) }}"
    password: "{{ item.password | default('*') }}"
    update_password: "{{ item.update_password | default('always') }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    # default('~' + item.name) also seems to work, but is not idempotent
    home: "{{ item.home | default(('/' if item.name == 'root' else '/home/') + item.name) }}"
    system: "{{ item.system | default(false) }}"
    state: "{{ item.state | default('present') }}"
    remove: "{{ item.remove | default(false) }}"
  when: item.uid is not defined
  with_items: user_users
  tags:
    - user-users-no-gid
  register: user_created

# Remove when minimal Ansible version >= 1.8
- name: users | add / delete (with UID)
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid }}"
    comment: "{{ item.comment | default('') }}"
    group: "{{ item.group | default(item.name) }}"
    groups: "{{ item.groups | default([]) | join(',') }}"
    append: "{{ item.append | default(false) }}"
    password: "{{ item.password | default('*') }}"
    update_password: "{{ item.update_password | default('always') }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    home: "{{ item.home | default(('/' if item.name == 'root' else '/home/') + item.name) }}"
    system: "{{ item.system | default(false) }}"
    state: "{{ item.state | default('present') }}"
    remove: "{{ item.remove | default(false) }}"
  when: item.uid is defined
  with_items: user_users
  tags:
    - user-users-gid
  register: user_created

# Extra step to set password age
- name: users set passwd age on add
  shell: chage -d 0 {{ item.name }}
  when: "{{ item.state }}" == "present" and user_create.changed
  with_items: user_users
  ignore_errors: yes

Error received: 
fatal: [iantest2]: FAILED! => {"failed": true, "reason": "Syntax Error while loading YAML.\n\n\nThe error appears to have been in '/home/ind01/chorus-BAU/roles/user/tasks/users.yml': line 49, column 28, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n  shell: chage -d 0 {{ item.name }}\n  when: \"{{ item.state }}\" == \"present\" and user_created.changed\n                           ^ here\nWe could be wrong, but this one looks like it might be an issue with\nmissing quotes.  Always quote template expression brackets when they\nstart a value. For instance:\n\n    with_items:\n      - {{ foo }}\n\nShould be written as:\n\n    with_items:\n      - \"{{ foo }}\"\n"}


Ian Dennison

Jul 26, 2016, 8:33:34 PM
to Ansible Project
Anybody? Bueller? Bueller?

Kai Stian Olstad

Jul 27, 2016, 1:41:40 AM
to ansible...@googlegroups.com
On 21. juli 2016 00:09, Ian Dennison wrote:
> Question 2: What is the syntax for referencing item.state in a conditional?
>
> # Extra step to set password age
> - name: users set passwd age on add
>   shell: chage -d 0 {{ item.name }}
>   when: "{{ item.state }}" == "present" and user_create.changed
>   with_items: user_users
>   ignore_errors: yes

Never use curly brackets in when:, they are implied.

--
Kai Stian Olstad
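
The advice above applied to the task from the question, as an added example that is not part of either post. It assumes an Ansible version that supports `omit` (so the two user tasks can be merged and `user_created` is registered once) and shows only a subset of the module parameters. A variable registered on a looped task keeps one result per item under `.results`, and its top-level `changed` is true if any item changed, so the follow-up task loops over the results instead of the original list.

```yaml
# Added example; names (user_users, user_created) follow the thread.
- name: users | add / delete
  user:
    name: "{{ item.name }}"
    # omit drops the parameter when no uid is given, so one task covers both cases
    uid: "{{ item.uid | default(omit) }}"
    password: "{{ item.password | default('*') }}"
    update_password: "{{ item.update_password | default('always') }}"
    state: "{{ item.state | default('present') }}"
    remove: "{{ item.remove | default(false) }}"
  with_items: "{{ user_users }}"
  register: user_created

# Each entry in user_created.results carries:
#   .item    - the original loop item (name, state, ...)
#   .changed - whether the user module changed that one account
# Note that .changed is also true when an existing account was modified,
# not only when it was created.
- name: users | force password change at first login
  # command instead of shell: no shell features are needed here
  command: chage -d 0 {{ item.item.name }}
  # No curly brackets in when:, the expression is already evaluated as Jinja2.
  # The default() covers list entries that do not set state at all.
  when: (item.item.state | default('present')) == 'present' and item.changed
  with_items: "{{ user_created.results }}"
```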