Add regex to lineinfile, Add comments, Fix handler
To make the lineinfile use more fault tolerant, add regexp to catch
variations in how the line can be written (spaces, quotes)

Also explained several other choices in comments, especially the choice
to only update the password on_create: to maintain idempotency.

Also corrected the handler name: mongodb not mongod.
cognifloyd committed Sep 14, 2018
1 parent b4ff559 commit a3d5f3d
Showing 2 changed files with 18 additions and 1 deletion.
2 changes: 2 additions & 0 deletions roles/mongodb/defaults/main.yml
@@ -23,4 +23,6 @@ mongodb_users: []
# roles: readWrite

# whether or not to force a password update for any users in mongodb_users
# Setting this to yes will result in 'changed' on every run, even if the password is the same.
# See the comment in tasks/mongodb_auth.yml for more details.
mongodb_force_update_password: no
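Review bot: the comment should spell out the operational consequence of the default `no`: because `on_create` only sets a password when the user is first created, a password changed in `mongodb_users` for an already existing user is never applied until a run with `mongodb_force_update_password: yes`. Suggest adding a line such as `# To rotate an existing user's password, run once with this set to yes, then set it back to no.` so that credential rotation is not silently skipped.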
17 changes: 16 additions & 1 deletion roles/mongodb/tasks/mongodb_auth.yml
@@ -10,13 +10,16 @@
path: /etc/mongod.conf
insertafter: 'security:'
line: ' authorization: enabled'
regexp: "^\s+['\"]*authorization['\"]*\s*:"
register: _mongo_authorization
# changed = line not in file, authorization is disabled
# succeeded = line in file, authorization is enabled

- name: Add mongo admin
mongodb_user:
state: present

# NOTE: on_create is idempotent - see comment below
update_password: on_create

name: "{{ mongodb_admin_username }}"
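Review bot: the `regexp: "^\s+['\"]*authorization['\"]*\s*:"` line uses `\s` inside a YAML double-quoted scalar, where it is not a recognised escape sequence; spec-following YAML loaders (the PyYAML-based loader Ansible uses included) reject unknown escapes in double-quoted strings, so this task will fail at parse time rather than at run time. Either double the backslashes, `regexp: "^\\s+['\"]*authorization['\"]*\\s*:"`, or use a single-quoted scalar in which backslashes are literal, `regexp: '^\s+["'']*authorization["'']*\s*:'`. The pattern itself is sound: it matches the key regardless of indentation or quoting, and with `lineinfile` it also replaces an existing `authorization: disabled` line instead of appending a second key after `security:`.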
@@ -41,15 +44,27 @@
lineinfile:
path: /etc/mongod.conf
insertafter: '^security:'
# two space indentation (the default) assumed
line: ' authorization: enabled'
notify: restart mongod
regexp: "^\s+['\"]*authorization['\"]*\s*:"
notify: restart mongodb

# Restart mongod if required here, so that we can safely assume that auth is already enabled when adding more users.
# Hope for the future: https://github.com/ansible/ansible/pull/25573
- meta: flush_handlers

- name: Add additional mongo users
mongodb_user:
state: present

# NOTE: on_create is idempotent, always is not.
# With `update_password: on_create`, mongodb_user checks to see if the user
# (a) exists on the db, and (b) has the same roles,
# and then it only adds the user if it's not there or the roles have changed.
# With `update_password: always`, mongodb_user cannot tell if the password
# needs to be changed without attempting a login with those credentials.
# But mongodb_user does not currently implement such a check.
# A comment in mongodb_user points to https://jira.mongodb.org/browse/SERVER-22848
update_password: "{{ mongodb_force_update_password|ternary('always', 'on_create') }}"

name: "{{ item.username }}"
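Review bot: `insertafter: '^security:'` here is anchored, while the check task earlier in the file uses the unanchored `insertafter: 'security:'`; both tasks should use the anchored form so they locate the same line. The same YAML escape problem applies to this hunk's `regexp: "^\s+['\"]*authorization['\"]*\s*:"` line: `\s` is not a valid escape in a double-quoted scalar, so write it as `regexp: '^\s+["'']*authorization["'']*\s*:'` (or double the backslashes). The rename to `notify: restart mongodb` cannot be checked from this diff; confirm that a handler with exactly that name exists in the role's handlers, since notifying a handler that does not exist fails the play at the point the `- meta: flush_handlers` step runs.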
