ansible.builtin.user: add option for initial-only password-lock

[abelbabel]

Summary

Hi,

it would be nice if it would be possible to initially-only lock a password for a user (like the possibility to only create a random password for a user initially), but to not lock it afterwards / in following runs when the user already exists - since it might be possible that a user logs in (via ssh for example) and changes his/her password and unlocks password-authentication.

Like possible with update_password, I would suggest either a third value for password_lock (on_create, resulting in three choices: yes, no, on_create) or a new option update_password_lock with choices always and on_create.

Regards
abelbabel

Issue Type

Feature Idea
Docs Issue

Component Name

user

Additional Information

  - name: create user
    user:
      name: test123
      comment: test user
      uid: 1100
      group: users
      shell: /bin/bash
      password_lock: on_create
      update_password: on_create
      state: present

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibot]

Files identified in the description:

• lib/ansible/modules/user.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[abelbabel]

Actually this can be already achieved on Linux and OpenBSD - for example on Linux systems

  password: '!'
  update_password: on_create

If this fulfilles all use-cases the proposed feature request could have, it might be a good idea to add this case in documentation somewhere (as an example or as a note for password_lock).

[bcoca]

You can also just use a getent and make it conditional, both can be examples in the module, making this a 'docs' issue.