veza/ansible/roles/redis/tasks/users.yml

---
# file: roles/redis/tasks/users.yml

- name: "handle secret {{ ansible_hostname }}/redis_{{ user.name }}_password"
  block:
    - name: "get {{ ansible_hostname }}/redis_{{ user.name }}_password from hashicorp vault"
      ansible.builtin.set_fact:
        "{{ user.name }}_password": "#{{ lookup('hashi_vault', 'secret=talas-kv/data/' + host_vars_location + '/' + ansible_hostname)['redis_' + user.name + '_password'] | hash('sha256') }}"
  rescue:
    - name: "generate a random password for {{ ansible_hostname }}/redis_{{ user.name }}_password"
      ansible.builtin.set_fact:
        password: "{{ lookup('password','/dev/null chars=ascii_letters,digits length=50') }}"
    - name: "patching hashicorp vault with generated redis_{{ user.name }}_password"
      ansible.builtin.command: "vault kv patch talas-kv/{{ host_vars_location }}/{{ ansible_hostname }} redis_{{ user.name }}_password={{ password }}"
      delegate_to: localhost
      become: false
      register: result
      ignore_errors: true
    - name: "patch failed because the entry doesn't exist, creating it instead"
      ansible.builtin.command: "vault kv put talas-kv/{{ host_vars_location }}/{{ ansible_hostname }} redis_{{ user.name }}_password={{ password }}"
      delegate_to: localhost
      become: false
      when:
        - result.failed
        - '"No value found" in result.stderr'
    - name: "assign password value to redis_{{ user.name }}_password"
      ansible.builtin.set_fact:
        "{{ user.name }}_password": "#{{ password | hash('sha256') }}"
  when:
    - user.password == "auto"

- name: "hash non auto password to sha256"
  ansible.builtin.set_fact:
    "{{ user.name }}_password": "#{{ user.password | hash('sha256') }}"
  when:
    - user.password != "auto"
    - user.password != "nopass"

- name: "set nopass"
  ansible.builtin.set_fact:
    "{{ user.name }}_password": "nopass"
  when:
    - user.password == "nopass"