- name: "Change database root user password" mysql_user: name: root pa

1. - name: "Change database root user password"
2. mysql_user:
3. name: root
4. password: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
5. host: "{{ item }}"
6. check_implicit_admin: yes
7. priv: "*.*:ALL,GRANT"
8. state: present
9. when: mysql_root_result.stat.exists == False
10. with_items:
11. - localhost
12. - "::1"
13. - 127.0.0.1
14.  
15. [client]
16. user={{ item.user }}
17. password={{ item.password }}
18.  
19. # MariaDB: Set up secure root password
20. # Set up (and save) secure root password
21. # Check for /root/.my.cnf
22. # All the other things are skipped if this file already exists
23. - name: "Check if we already have a root password config"
24. stat:
25. path: /root/.my.cnf
26. register: mysql_root_result
27.  
28. # Generate password
29. # This uses https://docs.ansible.com/ansible/latest/plugins/lookup/password.html
30. # to generate a 32 character random alphanumeric password
31. - name: "Generate database root password if needed"
32. set_fact:
33. mysql_root_passwd: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
34. when: mysql_root_result.stat.exists == False
35.  
36. # Generate /root/.my.cnf.new
37. # A temporary file is used to keep it from breaking further commands
38. # It also ensures that the password is on the server if the critical
39. # parts are interrupted
40. - name: "Save new root password in temporary file"
41. template:
42. src: my_passwd.cnf.j2
43. dest: /root/.my.cnf.new
44. owner: root
45. group: root
46. mode: 0400
47. when: mysql_root_result.stat.exists == False
48. with_items:
49. - user: root
50. password: "{{ mysql_root_passwd }}"
51.  
52. # START of area that you don't want to interrupt
53. # If this is interrupted after the first task
54. # it can be fixed by manually running this on the server
55. # mv /root/.my.cnf.new /root/.my.cnf
56. # If the playbook is reran before that. The password would be lost!
57. # Add DB user
58. - name: "Add database root user"
59. mysql_user:
60. name: root
61. password: "{{ mysql_root_passwd }}"
62. host: "{{ item }}"
63. check_implicit_admin: yes
64. priv: "*.*:ALL,GRANT"
65. state: present
66. when: mysql_root_result.stat.exists == False
67. with_items:
68. - localhost
69.  
70. # Now move the config in place
71. - name: "Rename config with root password to correct name - Step 1 - link"
72. file:
73. state: hard
74. src: /root/.my.cnf.new
75. dest: /root/.my.cnf
76. force: yes
77. when: mysql_root_result.stat.exists == False
78. # END of area that you don't want to interrupt
79.  
80. # Interrupting before this task will leave a temporary file around
81. # Everything will work as it should though
82. - name: "Rename config with root password to correct name - Step 2 - unlink"
83. file:
84. state: absent
85. path: /root/.my.cnf.new
86. when: mysql_root_result.stat.exists == False
87.  
88. # Remove additional root users - these don't have the password set
89. # You might want to ensure that none of these variables are `localhost`
90. # All return somewhat different values on my test system
91. - name: "Clean up additional root users"
92. mysql_user:
93. name: root
94. host: "{{ item }}"
95. check_implicit_admin: yes
96. state: absent
97. with_items:
98. - "::1"
99. - 127.0.0.1
100. - "{{ ansible_fqdn }}"
101. - "{{ inventory_hostname }}"
102. - "{{ ansible_hostname }}"