provision_user.yml
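---
# Creates the non-root provisioning user on every freshly deployed node,
# grants it passwordless sudo, installs the deployer's public key and then
# switches ansible_user for the rest of the run to that account.
- name: Create Non-Root User
  hosts: all:!localhost:!hypervisor:!vswitches
  gather_facts: false
  any_errors_fatal: true
  vars:
    # Password isn't exposed by default. The fallback value is a well-known
    # default; override it through provision.topology.password.
    non_root_pw: "{{ provision.topology.password | default('redhat') }}"
  tasks:
    - block:
        # When we extend the topology, these tasks will also run on old nodes
        # and we don't want that. If the tasks run on an old VM, ansible_user
        # will be overwritten to cloud-user, which is why we check whether
        # ansible_user is root and execute the tasks only in that case.
        - name: create non root user
          user:
            name: "{{ provision.topology.username }}"
            state: present
            password: "{{ non_root_pw | password_hash('sha512') }}"
            # password_hash generates a fresh random salt on every call, so
            # the hash never matches the stored one; only set the password
            # when the account is created, otherwise every run reports changed.
            update_password: on_create
          register: create_user
          when: ansible_user | default(ansible_ssh_user) == 'root'

        # Grants passwordless sudo for every command. visudo validates the
        # temporary file before it replaces /etc/sudoers; a malformed line
        # would otherwise break sudo for every account on the host.
        - name: add user to sudoers
          lineinfile:
            path: "/etc/sudoers"
            line: "{{ provision.topology.username }} ALL=(ALL) NOPASSWD:ALL"
            validate: "/usr/sbin/visudo -cf %s"
          when: create_user is changed

        # Public key is read from the inventory directory on the controller.
        - name: Set up authorized_keys for non root user
          authorized_key:
            user: "{{ provision.topology.username }}"
            key: "{{ lookup('file', inventory_dir + '/id_rsa.pub') }}"
          when: create_user is changed
      when: inventory_hostname not in groups.overcloud_nodes | default([])

    # This task must stay outside the block above, otherwise it would be
    # skipped by the block condition: add_host bypasses the play host loop
    # and runs only once for all hosts in the play.
    - name: Update hosts user
      add_host:
        name: "{{ item }}"
        ansible_user: "{{ provision.topology.username }}"
      when:
        - item not in groups.overcloud_nodes | default([])
        # Hosts where the block was skipped never registered create_user;
        # the first condition keeps them from reaching this lookup.
        - hostvars[item].create_user is changed
      loop: "{{ ansible_play_hosts }}"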