SaltStack has a lot of states and modules, an each one has different options, but some times the state/module doesn't support a certain function, so you have to use another state or general function (or as they're named "Global State Arguments").
Some of these general functions are "unless" and "onlyif", and I will quote these from SaltStack documentation.
Onlyif
The onlyif requisite specifies that if each command listed in onlyif returns True, then the state is run. If any of the specified commands return False, the state will not run.
Unless
The unless requisite specifies that a state should only run when any of the specified commands return False. The unless requisite operates as NAND and is useful in giving more granular control over when a state should execute.
In webutil.user_exists state, it's used to add "htpasswd" user into a file. By default, it just make sure the user is in the file. Also it has an option to "force" adding a htpasswd user even it exists in the file.
So, what is the problem here? The problem simply, what if I need to make sure the user exists and the password is working in the same time? Till latest stable version of SaltStack 2016.11.3, it doesn't have this option (but I can see update arg in develop branch).
As DevOps, I need to see the actual change only (so "Force" is not best option here), and I need to make sure the password actually updated.
By using htpasswd command (which is required for this state anyway) with unless argument, we have a workaround to mimic the new update parameter, which is not released yet.
add_htpasswd_user_{{ username }}:
webutil.user_exists:
- name: {{ username }}
- password: '{{ password }}'
- htpasswd_file: {{ htpasswd_file }}
- force: True
- unless: 'htpasswd -b -v {{ htpasswd_file }} "{{ username }}" "{{ password }}"'
Since htpasswd command can verify the password, so we can run "force" update file in case the password in file doesn't match the actual password.
That's it :-)
