Hi everyone.
There are three data centers in the organization where I work; I'll call each of them a "domain" in the rest of the text.
I wrote a small playbook for creating developer accounts on the machines in a single domain:
---
- hosts: all
  vars:
    accounts:
      user1:
        uid: 1345
        pub_key: 'ssh-rsa AAAAB3Nza....'
      user2:
        uid: 1341
        pub_key: 'ssh-rsa AAAAB3NzaC1yc'
      user3:
        uid: 1443
        pub_key: 'ssh-rsa'
  remote_user: ansible
  become: true        # "sudo: yes" in the pre-2.0 syntax this playbook was written for
  gather_facts: no
  tasks:
    - name: create account
      # Note: the user module's "password" expects an already-hashed (crypt(3)) value,
      # not a cleartext string, and update_password=always rewrites it on every run,
      # so every developer ends up with the same password reset each time.
      user: name={{ item.key }}
            uid={{ item.value.uid }}
            password="rZqhKLcR0PBsqMxbYr9eYd"
            update_password=always
            shell="/bin/bash"
      with_dict: "{{ accounts }}"
    - name: create authorized_key
      authorized_key: key="{{ item.value.pub_key }}" user={{ item.key }}
      with_dict: "{{ accounts }}"
For each domain I have a different inventory file, so it just works.
But a few days ago I talked with my team lead, and he says that this isn't a good idea and that
not all developers should have access to the machines in all domains. In other words, we must have an "access matrix" like this:
        domain1  domain2  domain3
user1   x        x
user2   x
user3   x
...     ...      ...      ...
userN   x        x
and so on.
How can I implement this?
I tried using the jinja2 search filter, but it doesn't work; it seems like ansible can't use a variable inside the regexp:
    # ...
      user3:
        uid: 1443
        pub_key: 'ssh-rsa'
        my_domains: domain1,domain2
    # ...
  tasks:
    - name: create account
      user: name={{ item.key }}
            uid={{ item.value.uid }}
            password="rZqhKLcR0PBsqMxbYr9eYd"
            update_password=always
            shell="/bin/bash"
      # This condition can never be true as written: ansible_domain is a gathered fact,
      # so it is undefined while gather_facts is "no", and "domain1,domain2" is used as
      # one literal regexp rather than as a list of allowed domains.
      when: ansible_domain|search("{{ item.value.my_domains }}")
      with_dict: "{{ accounts }}"
Thank you for any comments and ideas.
With regards, Aleksey.
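One way to implement the access matrix, as an added example that is not part of Aleksey's post. It assumes that every host belongs to exactly one inventory group named after its domain (domain1, domain2, domain3) and that a current Ansible (2.9 or later) is in use, so `become`, `loop`, `dict2items` and `password_lock` are available. Only user3's domains are given in the post; the domain lists for user1 and user2 are placeholders, as are the public keys. The matrix is kept next to the account data and, in the same run, accounts are created where they are allowed and removed where they are not, so revoking access is just editing one list.

```yaml
---
# Added example (not from the original post): enforce a per-user access matrix
# using inventory group names as the domain identifier.
- hosts: all
  remote_user: ansible
  become: true
  gather_facts: false     # group_names is a magic variable, no facts needed
  vars:
    domain_groups: [domain1, domain2, domain3]
    # Access matrix: each user lists the domains (= inventory groups) where an
    # account may exist. Domain lists for user1/user2 and all keys are placeholders.
    accounts:
      user1:
        uid: 1345
        pub_key: 'ssh-rsa AAAAB3Nza....'
        domains: [domain1, domain2]
      user2:
        uid: 1341
        pub_key: 'ssh-rsa AAAAB3NzaC1yc'
        domains: [domain1]
      user3:
        uid: 1443
        pub_key: 'ssh-rsa'
        domains: [domain1, domain2]

  tasks:
    - name: refuse to run on a host that is not in exactly one domain group
      assert:
        that:
          - (group_names | intersect(domain_groups)) | length == 1
        fail_msg: "{{ inventory_hostname }} must be in exactly one of {{ domain_groups }}"

    - name: create accounts allowed in this host's domain
      user:
        name: "{{ item.key }}"
        uid: "{{ item.value.uid }}"
        shell: /bin/bash
        password_lock: true   # key-only login instead of a shared password
      loop: "{{ accounts | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: item.value.domains | intersect(group_names) | length > 0

    - name: install the allowed user's public key, dropping any other keys
      authorized_key:
        user: "{{ item.key }}"
        key: "{{ item.value.pub_key }}"
        exclusive: true       # the matrix is the only source of keys on the host
      loop: "{{ accounts | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: item.value.domains | intersect(group_names) | length > 0

    - name: remove accounts that are not allowed in this host's domain
      user:
        name: "{{ item.key }}"
        state: absent
        remove: true          # also delete the home directory
      loop: "{{ accounts | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: item.value.domains | intersect(group_names) | length == 0
```

If you prefer to keep one inventory file per domain instead of group names, the same playbook works with a single `domain_name` variable set in each inventory and the conditions changed to `domain_name in item.value.domains`; the point is that the check compares against a list, not a regexp built from a comma-joined string, and does not depend on facts that `gather_facts: false` suppresses.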