cisco.intersight.intersight_local_user_policy module – Local User Policy configuration for Cisco Intersight

Note

This module is part of the cisco.intersight collection (version 2.18.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.intersight.

To use it in a playbook, specify: cisco.intersight.intersight_local_user_policy.

Synopsis

  • Local User Policy configuration for Cisco Intersight.

  • Used to configure local users on endpoint devices.

  • For more information see Cisco Intersight.

Parameters

Parameter

Comments

always_update_password

boolean

Since passwords are not returned by the API and are encrypted on the endpoint, this option will instruct the module when to change the password.

If true, the password for each user will always be updated in the policy.

If false, the password will be updated only if the user is created.

Choices:

  • false ← (default)

  • true

api_key_id

string / required

Public API Key ID associated with the private key.

If not set, the value of the INTERSIGHT_API_KEY_ID environment variable is used.

api_private_key

path / required

Filename (absolute path) or string of PEM formatted private key data to be used for Intersight API authentication.

If a string is used, Ansible vault should be used to encrypt string data.

Ex. ansible-vault encrypt_string --vault-id tme@/Users/dsoper/Documents/vault_password_file ‘-----BEGIN EC PRIVATE KEY-----

<your private key data>

-----END EC PRIVATE KEY-----’

If not set, the value of the INTERSIGHT_API_PRIVATE_KEY environment variable is used.

api_uri

string

URI used to access the Intersight API.

If not set, the value of the INTERSIGHT_API_URI environment variable is used.

Default: "https://intersight.com/api/v1"

description

aliases: descr

string

The user-defined description of the Local User policy.

Description can contain letters(a-z, A-Z), numbers(0-9), hyphen(-), period(.), colon(:), or an underscore(_).

enable_password_expiry

boolean

Enables password expiry on the endpoint.

Choices:

  • false ← (default)

  • true

enforce_strong_password

boolean

If true, enables a strong password policy.

Strong password requirements:.

  1. The password must have a minimum of 8 and a maximum of 20 characters.

  2. The password must not contain the User’s Name.

  3. The password must contain characters from three of the following four categories.

  1. English uppercase characters (A through Z).

  2. English lowercase characters (a through z).

  3. Base 10 digits (0 through 9).

  4. Non-alphabetic characters (! , @, ‘#’, $, %, ^, &, *, -, _, +, =).

Choices:

  • false

  • true ← (default)

local_users

list / elements=dictionary

List of local users on the endpoint.

An admin user already exists on the endpoint.

Add the admin user here only if you want to change the password, or enable or disable the user.

To add admin user, provide a username as ‘admin’, select the admin user role, and then proceed.

account_types

list / elements=any

List of account types to assign to the user.

Supported values are IPMI and Local.

For backward compatibility, dictionary entries with ObjectType are still accepted.

When provided, the module maps these values to the corresponding Intersight API object types and does not set any separate

account-type toggle field.

Use this to request IPMI or combined local plus IPMI account access while keeping the endpoint role type at IMC.

enable

boolean

Enable or disable the user.

Choices:

  • false

  • true ← (default)

endpoint_role_type

string

The type of endpoint role to assign to the user.

IMC is the supported server management role type for local user roles.

IPMI access should be expressed through account_types such as IPMI.

Supplying IPMI here is rejected by the Intersight API for iam.EndPointUserRole.

Choices:

  • "IMC" ← (default)

  • "IPMI"

password

string / required

Valid login password of the user.

role

string / required

Roles associated with the user on the endpoint.

Choices:

  • "admin"

  • "readonly"

  • "user"

username

string / required

Name of the user created on the endpoint.

Cisco Intersight currently limits endpoint usernames to 16 characters.

name

string / required

The name assigned to the Local User Policy.

The name must be between 1 and 62 alphanumeric characters, allowing special characters :-_.

organization

string

The name of the Organization this resource is assigned to.

Profiles and Policies that are created within a Custom Organization are applicable only to devices in the same Organization.

Default: "default"

password_history

integer

Specifies number of times a password cannot repeat when changed (value between 0 and 5).

Entering 0 disables this option.

Default: 5

purge

boolean

The purge argument instructs the module to consider the resource definition absolute.

If true, any previously configured usernames will be removed from the policy with the exception of the `admin` user which cannot be deleted.

Choices:

  • false ← (default)

  • true

state

string

If present, will verify the resource is present and will create if needed.

If absent, will verify the resource is absent and will delete if needed.

Choices:

  • "present" ← (default)

  • "absent"

tags

list / elements=dictionary

List of tags in Key:<user-defined key> Value:<user-defined value> format.

use_proxy

boolean

If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.

Choices:

  • false

  • true ← (default)

validate_certs

boolean

Boolean control for verifying the api_uri TLS certificate

Choices:

  • false

  • true ← (default)

Examples

- name: Configure Local User policy
  intersight_local_user_policy:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: guest-admin
    tags:
      - Key: username
        Value: guest
    description: User named guest with admin role
    local_users:
      - username: guest
        role: admin
        password: vault_guest_password
      - username: reader
        role: readonly
        password: vault_reader_password

- name: Configure Local User policy with IPMI user
  intersight_local_user_policy:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: ipmi-admin
    description: User with IPMI account type
    local_users:
      - username: ipmi-user
        role: admin
        password: vault_ipmi_password
        account_types:
          - IPMI

- name: Configure Local User policy with local and IPMI access
  intersight_local_user_policy:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: local-ipmi-admin
    description: User with local and IPMI account types
    local_users:
      - username: local-ipmi
        role: admin
        password: vault_local_ipmi_password
        account_types:
          - Local
          - IPMI

- name: Delete Local User policy
  intersight_local_user_policy:
    api_private_key: "{{ api_private_key }}"
    api_key_id: "{{ api_key_id }}"
    name: guest-admin
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

api_response

dictionary

The API response output returned by the specified resource.

Returned: always

Sample: {"api_response": {"Description": "User named guest with admin role", "EndPointUserRoles": [{"ChangePassword": true, "Enabled": true}]}}

Authors

  • David Soper (@dsoper2)