update

ansible/roles/bastion/defaults/main.yml

@@ -41,3 +41,8 @@ crictl_file_group: root
 # temp
 username: root
 password: saasadmin1234
+
+# common user flag
+common_user: False
+
+pause_time: 1

ansible/roles/bastion/tasks/main.yml

@@ -1,9 +1,6 @@
 ---
-- include: login_defs.yml
-  tags: login_defs
-
-- include: pam.yml
-  tags: pam
+- pause:
+    seconds: "{{ pause_time }}"
 
 - include: sshd_config.yml
   tags: sshd_config
@@ -11,14 +8,5 @@
 - include: sudoers.yml
   tags: sudoers
 
-- include: profile.yml
-  tags: profile
-
-- include: banner.yml
-  tags: banner
-
-- include: crictl.yml
-  tags: crictl
-
 - include: admin_set.yml
   tags: admin_set

ansible/roles/bastion/tasks/sudoers.yml

@@ -1,4 +1,15 @@
 ---
+- name: Get all ssh sessions 
+  shell: ps -ef | grep sshd | grep -v root | grep -v "{{ ansible_user }}" | awk '{print $2}' 
+  register: ssh_sessions
+  ignore_errors: true
+
+- name: Terminate ssh sessions
+  shell: kill -9 {{ item }}
+  with_items: "{{ ssh_sessions.stdout_lines }}"
+  when: ssh_sessions is defined
+  ignore_errors: true
+
 - name: "Create devops group"
   ansible.builtin.group:
     name: "devops"
@@ -28,10 +39,9 @@
   with_items: "{{ admin_users }}"
   when: 
   - item.name is defined
-  - item.key is defined
   ignore_errors: true
 
-- name: user change
+- name: "admin user password change"
   user:
     name: "{{ item.name }}"
     password: "{{ password | password_hash('sha512') }}"
@@ -39,10 +49,9 @@
   with_items: "{{ admin_users }}"
   when: 
   - item.name is defined 
-  - item.key is defined
   ignore_errors: true
 
-- name: key add
+- name: "Add admin user key"
   authorized_key:
     user: "{{ item.name  }}"
     state: present
@@ -51,6 +60,7 @@
   when: 
   - item.name is defined
   - item.key is defined
+  - common_user == True
   ignore_errors: true
 
 
@@ -64,10 +74,10 @@
   with_items: "{{ allow_users }}"
   when: 
   - item.name is defined 
-  - item.key is defined
+  - common_user == True
   ignore_errors: true
 
-- name: user change
+- name: "Change common user password change"
   user:
     name: "{{ item.name }}"
     password: "{{ password | password_hash('sha512') }}"
@@ -75,10 +85,10 @@
   with_items: "{{ allow_users }}"
   when: 
   - item.name is defined 
-  - item.key is defined
+  - common_user == True
   ignore_errors: true
 
-- name: key add
+- name: "Add common user key"
   authorized_key:
     user: "{{ item.name  }}"
     state: present
@@ -87,9 +97,11 @@
   when:
   - item.name is defined
   - item.key is defined
+  - common_user == True
   ignore_errors: true
 
 - name: "Setting sudoers allow users"
   template:
     src: sudoers_users.j2
     dest: "/etc/sudoers.d/sudoers_users"
+  ignore_errors: true

ansible/roles/bastion/templates/sudoers_users.j2

@@ -1,3 +1,4 @@
+dev2-iac ALL=(ALL) NOPASSWD: ALL
 {% if allow_users is defined %}
 {% for user in admin_users %}
 {{ user.name }} ALL=(ALL) NOPASSWD: ALL