From a8189ca2a9e606c5555663d47456a3e78c8146cc Mon Sep 17 00:00:00 2001 From: qburst-arjunm Date: Fri, 16 Feb 2024 17:07:10 +0530 Subject: [PATCH] adding ansible role for user-management --- README.md | 3 +- ansible/README.md | 79 +++++++++++++++++++ ansible/main.yml | 7 ++ ansible/user-management/defaults/main.yml | 1 + .../user-management/tasks/aws-add-user.yml | 38 +++++++++ .../tasks/jenkins-add-user.yml | 27 +++++++ .../user-management/tasks/linux-add-user.yml | 21 +++++ ansible/user-management/tasks/main.yml | 15 ++++ .../user-management/tasks/mysql-add-user.yml | 42 ++++++++++ .../tasks/postgres-add-user.yml | 25 ++++++ ansible/user-management/tests/inventory | 2 + ansible/user-management/vars/main.yml | 28 +++++++ 12 files changed, 287 insertions(+), 1 deletion(-) create mode 100644 ansible/README.md create mode 100644 ansible/main.yml create mode 100644 ansible/user-management/defaults/main.yml create mode 100644 ansible/user-management/tasks/aws-add-user.yml create mode 100644 ansible/user-management/tasks/jenkins-add-user.yml create mode 100644 ansible/user-management/tasks/linux-add-user.yml create mode 100644 ansible/user-management/tasks/main.yml create mode 100644 ansible/user-management/tasks/mysql-add-user.yml create mode 100644 ansible/user-management/tasks/postgres-add-user.yml create mode 100644 ansible/user-management/tests/inventory create mode 100644 ansible/user-management/vars/main.yml diff --git a/README.md b/README.md index fda79cd..35cb459 100644 --- a/README.md +++ b/README.md @@ -11,4 +11,5 @@ To facilitate easy navigation and access to the resources within this repository 1. [**Scripts**](/scripts/README.md): Within this folder, you will find a collection of various scripts that have been developed to automate tasks and streamline processes. These scripts have proven to be valuable tools, enhancing productivity in various workflows. 2. [**GitHub Actions**](/github-actions/README.md): This folder contains a selection of GitHub Actions that have been designed to optimize workflows. These actions offer a reusable and configurable approach for achieving efficiency and consistency in your development practices. -3. [**Terraform**](/terraform/README.md): In this folder, you will discover a comprehensive set of Terraform modules created to address common use cases. These modules helps you to rapidly provision and manage infrastructure resources with ease, leveraging the power and flexibility of Terraform. \ No newline at end of file +3. [**Terraform**](/terraform/README.md): In this folder, you will discover a comprehensive set of Terraform modules created to address common use cases. These modules helps you to rapidly provision and manage infrastructure resources with ease, leveraging the power and flexibility of Terraform. +4. [**Ansible**](/ansible/README.md): In this folder, you will discover a comprehensive set of ansible roles to create/manage users. This role helps you to easily manage users in different platforms like AWS, Linux, Jenkins, MySQL and Postgres. \ No newline at end of file diff --git a/ansible/README.md b/ansible/README.md new file mode 100644 index 0000000..d61c0a5 --- /dev/null +++ b/ansible/README.md @@ -0,0 +1,79 @@ +# Ansible Role for User Management +========= + +Ansible playbook to create user accounts in AWS, Jenkins, Linux, MySQL and PostgreSQL. + +# Requirements +------------ + +The role can be executed on any machine having Linux OS with the below packages. + - Ansible + - Python + - pymysql + - mysql-client + - postgresql-client + - awscli + +# Role Variables +-------------- + +Available variables are listed below (user-management/vars/main.yml): + +users + - aws + - linux + - jenkins + - mysql + - postgres + +# Role tasks +------------- + +Available tasks are listed below (user-management/tasks/) + +tasks + - aws-add-user.yml + - jenkins-add-user.yml + - linux-add-user.yml + - mysql-add-user.yml + - postgres-add-user.yml + +# Dependencies +------------ + +1. Configure AWS access key and secret key for running aws user creation. +2. Modify Jenkins authorization security by enabling necessary permission for the admin user. +3. Grant access to the IP from where you are running this playbook in the MySQL server. +4. Allow necessary access in all the servers. + + +# Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + --- + - name: Ansible roles to create/manage users + hosts: servers + gather_facts: true + become: yes + roles: + - role: user-management + +The same is provided in the main.yml residing outside the role. You can use the following command to run all the tasks. + +### ansible-playbook main.yml + +You can use --skip-tags to exclude any particular role + +### Ex: ansible-playbook main.yml --skip-tags linux + +# License +------- + +BSD + +# Author Information +------------------ + +QBurst DevOps Team \ No newline at end of file diff --git a/ansible/main.yml b/ansible/main.yml new file mode 100644 index 0000000..3f11c0f --- /dev/null +++ b/ansible/main.yml @@ -0,0 +1,7 @@ +--- +- name: Ansible roles to create/manage users + hosts: localhost + gather_facts: true + become: yes + roles: + - role: user-management \ No newline at end of file diff --git a/ansible/user-management/defaults/main.yml b/ansible/user-management/defaults/main.yml new file mode 100644 index 0000000..036a59d --- /dev/null +++ b/ansible/user-management/defaults/main.yml @@ -0,0 +1 @@ +### NA \ No newline at end of file diff --git a/ansible/user-management/tasks/aws-add-user.yml b/ansible/user-management/tasks/aws-add-user.yml new file mode 100644 index 0000000..0790d44 --- /dev/null +++ b/ansible/user-management/tasks/aws-add-user.yml @@ -0,0 +1,38 @@ +--- +- name: Ensuring AWS IAM User does not exist + amazon.aws.iam_user_info: + name: "{{ users.aws.username }}" + register: user_info_result + +- name: Creating AWS IAM User + amazon.aws.iam_user: + name: "{{ users.aws.username }}" + state: present + password: "{{ users.aws.password }}" + password_reset_required: false + when: user_info_result.iam_users | length == 0 + +- name: Attaching AWS IAM Policy to IAM User + amazon.aws.iam_user: + name: "{{ users.aws.username }}" + managed_policies: "{{ users.aws.policy }}" + state: present + +- name: Check if access key exists for the IAM user + community.aws.iam_access_key_info: + user_name: "{{ users.aws.username }}" + register: iam_access_key_info_result + +- name: Creating AWS Access key for IAM user + community.aws.iam_access_key: + user_name: "{{ users.aws.username }}" + state: present + register: iam_access_key_result + when: iam_access_key_info_result.access_keys | length == 0 + +- name: Storing Credentials in home folder + copy: + content: "{{ iam_access_key_result.access_key.access_key_id }}:{{ iam_access_key_result.secret_access_key }}" + dest: "./aws_credentials.txt" + mode: "0600" + when: iam_access_key_info_result.access_keys | length == 0 \ No newline at end of file diff --git a/ansible/user-management/tasks/jenkins-add-user.yml b/ansible/user-management/tasks/jenkins-add-user.yml new file mode 100644 index 0000000..80eb738 --- /dev/null +++ b/ansible/user-management/tasks/jenkins-add-user.yml @@ -0,0 +1,27 @@ +--- +- name: Adding new user to Jenkins + jenkins_script: + url: "{{ users.jenkins.jenkins_host }}" + user: "{{ users.jenkins.admin_username }}" + password: "{{ users.jenkins.admin_password }}" + script: | + import jenkins.model.* + import hudson.security.* + + def instance = Jenkins.getInstance() + def existingUser = instance.securityRealm.allUsers.find {it.id == "{{ users.jenkins.new_username }}"} + println "Value of existingUser: $existingUser" + if (existingUser == null) { + def hudsonRealm = new HudsonPrivateSecurityRealm(false) + hudsonRealm.createAccount("{{ users.jenkins.new_username }}","{{ users.jenkins.new_password }}") + instance.setSecurityRealm(hudsonRealm) + instance.save() + } + else { + println("user already exists") + } + register: result + +- name: Printing result + debug: + var: result diff --git a/ansible/user-management/tasks/linux-add-user.yml b/ansible/user-management/tasks/linux-add-user.yml new file mode 100644 index 0000000..6d13128 --- /dev/null +++ b/ansible/user-management/tasks/linux-add-user.yml @@ -0,0 +1,21 @@ +--- +- name: Checking if the user already exists in Linux + command: getent passwd {{ users.linux.username }} + register: user_check + ignore_errors: true + when: "ansible_os_family == 'RedHat' or ansible_os_family == 'Debian'" + +- debug: + var: user_check + +- name: Creating new user in Linux + user: + name: "{{ users.linux.username }}" + state: present + groups: "{{ users.linux.groups }}" + password: "{{ users.linux.password }}" + shell: "{{ shell | default('/bin/bash') }}" + comment: "{{ comment | default('') }}" + update_password: always + when: "ansible_os_family == 'RedHat' or ansible_os_family == 'Debian' and user_check.rc != 0" + diff --git a/ansible/user-management/tasks/main.yml b/ansible/user-management/tasks/main.yml new file mode 100644 index 0000000..db74acd --- /dev/null +++ b/ansible/user-management/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- include: linux-add-user.yml + tags: linux + +- include: jenkins-add-user.yml + tags: jenkins + +- include: aws-add-user.yml + tags: aws + +- include: mysql-add-user.yml + tags: mysql + +- include: postgres-add-user.yml + tags: postgres \ No newline at end of file diff --git a/ansible/user-management/tasks/mysql-add-user.yml b/ansible/user-management/tasks/mysql-add-user.yml new file mode 100644 index 0000000..30f705a --- /dev/null +++ b/ansible/user-management/tasks/mysql-add-user.yml @@ -0,0 +1,42 @@ +--- + - name: Installing MySQL Python library + pip: + name: + - mysql-client + - pymysql + executable: pip3 + when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'CentOS' + ignore_errors: yes + + - name: Checking if MySQL user already exists + mysql_query: + login_host: "{{ users.mysql.mysql_host }}" # Replace with the correct host name + login_user: root # Assuming default MySQL superuser + login_password: "{{ users.mysql.mysql_root_password }}" # Specify the password for the MySQL superuser + login_db: mysql # Replace with the correct database name + query: "SELECT User FROM mysql.user WHERE User='{{ users.mysql.mysql_new_user }}';" + register: mysql_user_check + + - debug: + var: mysql_user_check + + - name: Checking if user exists + debug: + msg: "User already exists" + when: mysql_user_check.rowcount[0] > 0 + + - name: Creating MySQL User + mysql_user: + name: "{{ users.mysql.mysql_new_user }}" # specify the new user + password: "{{ users.mysql.mysql_new_password }}" # specify the new user password + priv: "*.*:ALL" # Example privilege; adjust as needed + state: present + login_user: root # Assuming default MySQL superuser + login_password: "{{ users.mysql.mysql_root_password }}" # Specify the password for the MySQL superuser + login_host: "{{ users.mysql.mysql_host }}" # Replace with the correct host name + when: mysql_user_check.rowcount[0] == 0 + register: user_creation_result + + - name: Printing Creation Result + debug: + var: user_creation_result \ No newline at end of file diff --git a/ansible/user-management/tasks/postgres-add-user.yml b/ansible/user-management/tasks/postgres-add-user.yml new file mode 100644 index 0000000..eb25f17 --- /dev/null +++ b/ansible/user-management/tasks/postgres-add-user.yml @@ -0,0 +1,25 @@ + - name: Querying PostgreSQL for user existence + community.general.postgresql_query: + db: "{{ users.postgres.postgres_db }}" # Replace with the correct database name + login_host: "{{ users.postgres.postgres_host }}" # Replace with the correct host name + login_user: "{{ users.postgres.postgres_root_user }}" # Assuming default PostgreSQL superuser + login_password: "{{ users.postgres.postgres_root_password }}" # Specify the password for the PostgreSQL superuser + query: "SELECT 1 FROM pg_roles WHERE rolname='{{ users.postgres.postgres_new_user }}'" + register: user_exists + ignore_errors: true + + - name: Checking if the user already exist + debug: + msg: "User already exists" + when: user_exists.rowcount > 0 + + - name: Creating PostgreSQL user + community.postgresql.postgresql_user: + db: "{{ users.postgres.postgres_db }}" # Replace with the correct database name + login_host: "{{ users.postgres.postgres_host }}" # Replace with the correct host name + login_user: "{{ users.postgres.postgres_root_user }}" # Assuming default PostgreSQL superuser + login_password: "{{ users.postgres.postgres_root_password }}" # Specify the password for the PostgreSQL superuser + name: "{{ users.postgres.postgres_new_user }}" # specify the new user + password: "{{ users.postgres.postgres_new_password }}" # specify the new user password + priv: "ALL" # Example privilege; adjust as needed + when: user_exists.rowcount == 0 \ No newline at end of file diff --git a/ansible/user-management/tests/inventory b/ansible/user-management/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/ansible/user-management/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/ansible/user-management/vars/main.yml b/ansible/user-management/vars/main.yml new file mode 100644 index 0000000..b7dabde --- /dev/null +++ b/ansible/user-management/vars/main.yml @@ -0,0 +1,28 @@ +--- +users: + linux: + username: linux + password: linux@12# + groups: sudo + jenkins: + new_username: jenkins + new_password: jenkins@12# + jenkins_host: http://localhost:8080 + admin_username: admin + admin_password: admin@12# + aws: + username: aws_user + password: aws_user@12# + policy: AmazonS3FullAccess + mysql: + mysql_root_password: root@12# + mysql_new_user: mysql + mysql_new_password: mysql@12# + mysql_host: localhost + postgres: + postgres_root_password: root@12# + postgres_root_user: root + postgres_new_user: postgres_user + postgres_new_password: postgres_user@12# + postgres_host: localhost + postgres_db: root \ No newline at end of file