Merge pull request #46 from qburst/ansible-user-management

Ansible user management

README.md

@@ -11,4 +11,5 @@ To facilitate easy navigation and access to the resources within this repository
 
 1. [**Scripts**](/scripts/README.md): Within this folder, you will find a collection of various scripts that have been developed to automate tasks and streamline processes. These scripts have proven to be valuable tools, enhancing productivity in various workflows.
 2. [**GitHub Actions**](/github-actions/README.md):  This folder contains a selection of GitHub Actions that have been designed to optimize workflows. These actions offer a reusable and configurable approach for achieving efficiency and consistency in your development practices.
-3. [**Terraform**](/terraform/README.md): In this folder, you will discover a comprehensive set of Terraform modules created to address common use cases. These modules helps you to rapidly provision and manage infrastructure resources with ease, leveraging the power and flexibility of Terraform.
+3. [**Terraform**](/terraform/README.md): In this folder, you will discover a comprehensive set of Terraform modules created to address common use cases. These modules helps you to rapidly provision and manage infrastructure resources with ease, leveraging the power and flexibility of Terraform.
+4. [**Ansible**](/ansible/README.md): In this folder, you will discover a comprehensive set of Ansible roles to run many common scenarios.

ansible/README.md

@@ -0,0 +1,16 @@
+# Ansible Roles
+=========
+
+## Structure
+- **ansible**
+This is where the various roles resides.
+
+## Prerequisites
+- Ansible
+- Python
+
+## Role List
+### 1. User-management 
+[User management in various tools](/ansible/user-management/main.yml)
+
+    This role helps you to manage/creates users in different platforms like AWS, Linux, Jenkins, MySQL and Postgres.

ansible/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Ansible roles to create/manage users
+  hosts: localhost
+  gather_facts: true
+  become: yes
+  roles:
+    - role: user-management

ansible/user-management/README.md

@@ -0,0 +1,74 @@
+# Ansible Role for User Management
+=========
+
+Ansible playbook to create user accounts in AWS, Jenkins, Linux, MySQL and PostgreSQL.
+
+# Requirements
+------------
+
+The role can be executed on any machine having Linux OS with the below packages.
+  - Ansible 
+  - Python
+  - pymysql
+  - mysql-client
+  - postgresql-client
+  - awscli
+
+# Role Variables
+--------------
+
+Available variables are listed below (user-management/vars/main.yml): 
+
+users
+ - aws
+ - linux
+ - jenkins
+ - mysql
+ - postgres
+
+# Role tasks
+-------------
+
+Available tasks are listed below (user-management/tasks/)
+
+tasks
+  - aws-add-user.yml
+  - jenkins-add-user.yml
+  - linux-add-user.yml
+  - mysql-add-user.yml
+  - postgres-add-user.yml
+
+# Dependencies
+------------
+
+1. Configure AWS access key and secret key for running aws user creation.
+2. Modify Jenkins authorization security by enabling necessary permission for the admin user.
+3. Grant access to the IP from where you are running this playbook in the MySQL server. 
+4. Allow necessary access in all the servers.
+
+
+# Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    ---
+    - name: Ansible roles to create/manage users
+      hosts: servers
+      gather_facts: true
+      become: yes
+      roles:
+        - role: user-management
+
+The same is provided in the main.yml residing outside the role. You can use the following command to run all the tasks.
+
+### ansible-playbook main.yml
+
+You can use --skip-tags to exclude any particular role
+
+### Ex: ansible-playbook main.yml --skip-tags linux
+
+# Author Information
+------------------
+
+QBurst DevOps Team

ansible/user-management/defaults/main.yml

@@ -0,0 +1 @@
+### NA

ansible/user-management/tasks/aws-add-user.yml

@@ -0,0 +1,44 @@
+---
+- name: Ensuring AWS IAM User does not exist
+  amazon.aws.iam_user_info:
+    name: "{{ item.username }}"
+  register: user_info_result
+  with_items: "{{ users.aws }}"
+
+- name: Creating AWS IAM User
+  amazon.aws.iam_user:
+    name: "{{ item.username }}"
+    state: present
+    password: "{{ item.password }}"
+    password_reset_required: false
+  when: user_info_result.iam_users | length == 0
+  with_items: "{{ users.aws }}"
+
+- name: Attaching AWS IAM Policy to IAM User
+  amazon.aws.iam_user:
+    name: "{{ item.username }}"
+    managed_policies: "{{ item.policy }}"
+    state: present
+  with_items: "{{ users.aws }}"
+
+- name: Check if access key exists for the IAM user
+  community.aws.iam_access_key_info:
+    user_name: "{{ item.username }}"
+  register: iam_access_key_info_result
+  with_items: "{{ users.aws }}"
+
+- name: Creating AWS Access key for IAM user
+  community.aws.iam_access_key:
+    user_name: "{{ item.username }}"
+    state: present
+  register: iam_access_key_result
+  when: iam_access_key_info_result.access_keys | length == 0
+  with_items: "{{ users.aws }}"
+
+- name: Storing Credentials in home folder
+  copy:
+    content: "{{ iam_access_key_result.access_key.access_key_id }}:{{ iam_access_key_result.secret_access_key }}"
+    dest: "./aws_credentials.txt"
+    mode: "0600"
+  when: iam_access_key_info_result.access_keys | length == 0
+  with_items: "{{ users.aws }}"

ansible/user-management/tasks/jenkins-add-user.yml

@@ -0,0 +1,29 @@
+---
+- name: Adding new user to Jenkins
+  jenkins_script:
+    url: "{{ item.jenkins_host }}"
+    user: "{{ item.admin_username }}"
+    password: "{{ item.admin_password }}"
+    script: |
+      import jenkins.model.*
+      import hudson.security.*
+
+      def instance = Jenkins.getInstance()
+      def existingUser = instance.securityRealm.allUsers.find {it.id == "{{ item.new_username }}"}
+      println "Value of existingUser: $existingUser"
+      if (existingUser == null) {
+        def hudsonRealm = new HudsonPrivateSecurityRealm(false)
+        hudsonRealm.createAccount("{{ item.new_username }}","{{ item.new_password }}")
+        instance.setSecurityRealm(hudsonRealm)
+        instance.save()
+      }
+      else {
+        println("user already exists")
+      }
+  register: result
+  with_items: "{{ users.jenkins }}"
+
+- name: Printing result
+  debug:
+    var: result
+  with_items: "{{ users.jenkins }}"

ansible/user-management/tasks/linux-add-user.yml

@@ -0,0 +1,18 @@
+---
+- name: Create user
+  user:
+    name: "{{ item.username }}"
+    uid: "{{ item.uid }}"
+    state: present
+    groups: "{{ item.groups }}"
+    shell: /bin/bash
+    home: "{{ item.home_directory | default('/home/' + item.username) }}"
+  with_items: "{{ users.linux }}"
+
+- name: Add SSH public key to authorized_keys
+  authorized_key:
+    user: "{{ item.username }}"
+    key: "{{ item.ssh_key }}"
+    state: present
+  with_items: "{{ users.linux }}"
+

ansible/user-management/tasks/main.yml

@@ -0,0 +1,15 @@
+---
+- include: linux-add-user.yml
+  tags: linux
+
+- include: jenkins-add-user.yml
+  tags: jenkins
+
+- include: aws-add-user.yml
+  tags: aws
+
+- include: mysql-add-user.yml
+  tags: mysql
+
+- include: postgres-add-user.yml
+  tags: postgres

ansible/user-management/tasks/mysql-add-user.yml

@@ -0,0 +1,47 @@
+---
+  - name: Installing MySQL Python library
+    pip:
+      name: 
+        - mysql-client
+        - pymysql
+      executable: pip3 
+    when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'CentOS'
+    ignore_errors: yes
+
+  - name: Checking if MySQL user already exists
+    mysql_query:
+      login_host: "{{ item.mysql_host }}" # Replace with the correct host name
+      login_user: root # Assuming default MySQL superuser
+      login_password: "{{ item.mysql_root_password }}" # Specify the password for the MySQL superuser
+      login_db: mysql # Replace with the correct database name
+      query: "SELECT User FROM mysql.user WHERE User='{{ item.mysql_new_user }}';"
+    register: mysql_user_check
+    with_items: "{{ users.mysql }}"
+
+  - debug:
+      var: mysql_user_check
+    with_items: "{{ users.mysql }}"
+
+  - name: Checking if user exists
+    debug:
+      msg: "User already exists"
+    when: mysql_user_check.rowcount[0] > 0
+    with_items: "{{ users.mysql }}"
+
+  - name: Creating MySQL User
+    mysql_user:
+      name: "{{ item.mysql_new_user }}" # specify the new user
+      password: "{{ item.mysql_new_password }}" # specify the new user password
+      priv: "*.*:ALL"  # Example privilege; adjust as needed
+      state: present
+      login_user: root # Assuming default MySQL superuser
+      login_password: "{{ item.mysql_root_password }}" # Specify the password for the MySQL superuser
+      login_host: "{{ item.mysql_host }}" # Replace with the correct host name
+    when: mysql_user_check.rowcount[0] == 0
+    register: user_creation_result
+    with_items: "{{ users.mysql }}"
+
+  - name: Printing Creation Result
+    debug:
+      var: user_creation_result
+    with_items: "{{ users.mysql }}"

ansible/user-management/tasks/postgres-add-user.yml

@@ -0,0 +1,27 @@
+  - name: Querying PostgreSQL for user existence
+    community.general.postgresql_query:
+      db: "{{ item.postgres_db }}"  # Replace with the correct database name
+      login_host: "{{ item.postgres_host }}" # Replace with the correct host name
+      login_user: "{{ item.postgres_root_user }}"  # Assuming default PostgreSQL superuser
+      login_password: "{{ item.postgres_root_password }}"  # Specify the password for the PostgreSQL superuser
+      query: "SELECT 1 FROM pg_roles WHERE rolname='{{ item.postgres_new_user }}'"
+    register: user_exists
+    ignore_errors: true
+    with_items: "{{ users.postgres }}"
+
+  - name: Checking if the user already exist
+    debug:
+      msg: "User already exists"
+    when: user_exists.results[0].rowcount > 0
+
+  - name: Creating PostgreSQL user
+    community.postgresql.postgresql_user:
+      db: "{{ item.postgres_db }}"  # Replace with the correct database name
+      login_host: "{{ item.postgres_host }}" # Replace with the correct host name
+      login_user: "{{ item.postgres_root_user }}" # Assuming default PostgreSQL superuser
+      login_password: "{{ item.postgres_root_password }}" # Specify the password for the PostgreSQL superuser
+      name: "{{ item.postgres_new_user }}" # specify the new user
+      password: "{{ item.postgres_new_password }}" # specify the new user password
+      priv: "ALL"  # Example privilege; adjust as needed
+    when: user_exists.results[0].rowcount == 0
+    with_items: "{{ users.postgres }}"

ansible/user-management/tests/inventory

@@ -0,0 +1,2 @@
+localhost
+

ansible/user-management/vars/main.yml

@@ -0,0 +1,39 @@
+---
+users:
+  linux:
+    - username: linux
+      groups: 
+        - docker
+        - qburst
+        - sudo
+      ssh_key: ssh-rsa xyzxyzxyz
+      uid: 4015
+      home_directory: /home/test
+    - username: testuser
+      groups: 
+        - docker
+        - sudo
+      ssh_key: ssh-rsa xyzxyzxyz
+      uid: 5015
+  jenkins:
+    - new_username: jenkins
+      new_password: jenkins@12#
+      jenkins_host: http://localhost:8080
+      admin_username: admin
+      admin_password: admin@12#
+  aws:
+    - username: aws_user
+      password: aws_user@12#
+      policy: AmazonS3FullAccess
+  mysql:
+    - mysql_root_password: root@12#
+      mysql_new_user: mysql
+      mysql_new_password: mysql@12#
+      mysql_host: localhost
+  postgres:
+    - postgres_root_password: root@12#
+      postgres_root_user: root
+      postgres_new_user: postgres_user
+      postgres_new_password: postgres_user@12#
+      postgres_host: localhost
+      postgres_db: root