do loop in ansible to report each deleted user

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
dev-sec · Feb 23, 2023 · 00d1bdc · 00d1bdc
1 parent 06687d7
commit 00d1bdc
Showing 1 changed file with 8 additions and 9 deletions.
diff --git a/roles/mysql_hardening/tasks/mysql_secure_installation.yml b/roles/mysql_hardening/tasks/mysql_secure_installation.yml
@@ -49,14 +49,13 @@
 - name: Get all users that have no authentication_string on MySQL version >= 5.7.6 or Mariadb version >= 10.4.0
   community.mysql.mysql_query:
     query: >
-      SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
+      SELECT CONCAT(QUOTE(USER), '@', QUOTE(HOST)) AS users
       FROM mysql.user
       WHERE (length(authentication_string)=0
              OR authentication_string="")
         AND USER NOT IN ('mysql.sys',
                          'mysqlxsys',
-                         'mariadb.sys')
-      HAVING users IS NOT NULL;
+                         'mariadb.sys');
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users_wo_passwords_or_auth_string
   when: >
@@ -67,16 +66,15 @@
 - name: Get all users that have no password or authentication_string on MySQL version < 5.7.6 or Mariadb version < 10.4.0
   community.mysql.mysql_query:
     query: >
-      SELECT GROUP_CONCAT(QUOTE(USER), '@', QUOTE(HOST) SEPARATOR ', ') AS users
+      SELECT CONCAT(QUOTE(USER), '@', QUOTE(HOST)) AS users
       FROM mysql.user
       WHERE (length(password)=0
              OR password="")
         AND (length(authentication_string)=0
              OR authentication_string="")
         AND USER NOT IN ('mysql.sys',
                          'mysqlxsys',
-                         'mariadb.sys')
-      HAVING users IS NOT NULL;
+                         'mariadb.sys');
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
   register: mysql_users_wo_passwords
   when: >
@@ -87,7 +85,8 @@
 - name: Ensure that there are no users without password or authentication_string
   community.mysql.mysql_query:
     query:
-      - DROP USER {{ (mysql_users_wo_passwords.query_result | default(mysql_users_wo_passwords_or_auth_string.query_result)).0.0.users }}
+      - DROP USER {{ item }}
     login_unix_socket: "{{ login_unix_socket | default(omit) }}"
-  when:
-    - mysql_users_wo_passwords_or_auth_string.rowcount.0 | default(mysql_users_wo_passwords.rowcount.0) | int > 0
+  with_community.general.flattened:
+    - "{{ mysql_users_wo_passwords.query_result.0.0.users | default() }}"
+    - "{{ mysql_users_wo_passwords_or_auth_string.query_result.0.0.users | default() }}"