Hi, I’m trying to apply a CIS hardening Ansible role to the RHEL 8 AMI I’m building. Packer spins up an EC2 instance and does the provisioning, but I’m consistently hit with an error about a missing sudo password while applying the CIS role. How do I handle this, as I don’t have control over the EC2 instance Packer is spinning up? Please suggest.
Welcome to the HashiCorp Forums!
Did you get this sorted? I would recommend you share more details so that someone can help (e.g. share the Packer file, the Ansible role used, etc.).
Hi, below is the Ansible role I’m trying to apply.
My current Packer config with the Ansible provisioner looks like this:
- hosts: default
  vars_files:
    - vars/main.yml
    - "vars/{{ cloud }}.yml"
  roles:
    - config
    - role: galaxy-ansible-role-lockdown-rhel8-cis
      become: yes
      ignore_errors: true
The `ignore_errors` flag here would skip the tasks that require a sudo password, but I don’t want that to happen. I’d want the whole CIS role to run successfully without having to ignore errors. Please suggest.
Thanks,
Sankeerth.
Thank you for providing the details. This seems to be something that should be handled in Ansible and not in Packer.
I tried this Ansible role and could get it working using the following playbook.
# Play 1: give ec2-user a temporary random password so that sudo can
# authenticate once the CIS role has removed passwordless sudo.
- hosts: default
  tasks:
    - name: create a random password
      ansible.builtin.set_fact:
        password: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=8) }}"
    - name: Set password for {{ ansible_env.SUDO_USER }}
      ansible.builtin.user:
        name: "ec2-user"
        password: "{{ password | password_hash('sha512') }}"
      become: yes

# Play 2: run the CIS role with the temporary password as the become
# password, then lock the account's password again ("!" locks it).
- hosts: default
  roles:
    - role: RHEL8-CIS
  tasks:
    - name: Remove password for {{ ansible_env.SUDO_USER }}
      ansible.builtin.user:
        name: "ec2-user"
        password: "!"
      become: yes
  vars:
    ansible_become_password: "{{ password }}"
This is one way to get this working. Also note that I am removing the password in the last step. If you find this okay from a security point of view, feel free to try it out.
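For completeness, here is how the playbook from the reply above can be wired into a Packer HCL2 template, as an added example that is not part of the original thread or of Packer's or the role's own code. The region, instance type, AMI name filter, AMI owner ID and the `cis.yml` file name are assumptions for illustration; `cis.yml` is assumed to hold the two-play playbook shown in the reply.

```hcl
# Added example (not from the original thread): a Packer HCL2 template that
# builds a RHEL 8 AMI and runs the two-play CIS playbook from the reply above.
# Region, instance type, AMI filter, owner ID and file names are assumptions.

packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.0.0"
    }
    ansible = {
      source  = "github.com/hashicorp/ansible"
      version = ">= 1.0.0"
    }
  }
}

locals {
  # Timestamp with the characters AMI names do not allow stripped out.
  timestamp = regex_replace(timestamp(), "[- TZ:]", "")
}

source "amazon-ebs" "rhel8" {
  region        = "us-east-1" # assumption
  instance_type = "t3.micro"  # assumption
  ssh_username  = "ec2-user"  # default user on RHEL AMIs; matches the playbook
  ami_name      = "rhel8-cis-${local.timestamp}"

  source_ami_filter {
    filters = {
      name                = "RHEL-8*_HVM-*" # assumption: adjust to the image you build from
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    owners      = ["309956199498"] # Red Hat's AWS account for official RHEL AMIs; verify before use
    most_recent = true
  }
}

build {
  sources = ["source.amazon-ebs.rhel8"]

  provisioner "ansible" {
    # cis.yml (assumed name) contains the reply's playbook: set a temporary
    # password, run RHEL8-CIS with ansible_become_password, then lock it again.
    playbook_file = "./cis.yml"
    user          = "ec2-user"
    # Connect straight to the instance instead of through Packer's SSH proxy.
    use_proxy = false
    extra_arguments = [
      "--extra-vars", "cloud=aws", # satisfies the vars/{{ cloud }}.yml include from the question
      "-v",
    ]
  }
}
```

Because the temporary password only lives as an Ansible fact for the duration of the run and the final task locks the account again, the resulting AMI ends up with `ec2-user` back in a locked-password state; the CIS role itself is what removes passwordless sudo, which is why the become password is needed mid-run.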