I'd like to see the actual git commit changes in the ansible vault file.
Is there an easy way how to achieve this?
If you need to view or edit a vault encrypted file, it is usually better to use the ansible-vault view or ansible-vault edit commands, respectively. Pass in the name of the encrypted file: ansible-vault decrypt vault.
Decrypting encrypted files If you have an encrypted file that you no longer want to keep encrypted, you can permanently decrypt it by running the ansible-vault decrypt command. This command will save the file unencrypted to the disk, so be sure you do not want to edit it instead.
You can use rekey keyword in your ansible-vault command. It allows us to reset the password of a vault.
Storing the Password in a File: Be careful with that file, and make sure that if it lives inside the project, it never gets into source control. To tell Ansible where to find this password file, include it in the command, like so: `ansible-playbook site.yml --vault-password-file ~/.vault_pass`.
You can do this very neatly, so that the normal git tools like `git log` and `git diff` can see inside the vaulted files, using a custom git diff driver and `.gitattributes`.

Store the vault password in a file such as `.vault_password`, and make sure that that file is not committed - you should also add it to `.gitignore`.

Add a `.gitattributes` file that matches any files in your repository that are encrypted with ansible-vault and give them the attribute `diff=ansible-vault`. For example, I have:

```
env_vars/production.yml diff=ansible-vault merge=binary
env_vars/staging.yml diff=ansible-vault merge=binary
```

You can also use wildcarded patterns - the first element of each line, the pattern, follows the same rules as `.gitignore` files. The `merge=binary` option tells git not to attempt to do a three-way merge of these files.

Then you have to set the diff driver for files with attribute `diff=ansible-vault` to `ansible-vault view`:

```
git config --global diff.ansible-vault.textconv "ansible-vault view"
```

And that should be it - when git is calculating diffs of the files your pattern matches, it'll decrypt them first.
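To apply this answer across a whole repository, here is an added shell example (not from the original answer) that finds every ansible-vault encrypted file by its `$ANSIBLE_VAULT;` header line, emits the matching `.gitattributes` entries, and registers the textconv driver for the current repository only. The function names are my own, and it assumes the password is kept in a gitignored `.vault_password` file at the repository root, as in the answer above.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Vaulted files are recognised by their first line, which starts with
# "$ANSIBLE_VAULT;" (e.g. "$ANSIBLE_VAULT;1.1;AES256").

# Succeed (exit 0) if the file's first line is an ansible-vault header.
is_vaulted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Print one .gitattributes line per vaulted file under $1 (default: .),
# with paths relative to $1. merge=binary stops git from attempting a
# three-way merge of ciphertext, as the answer above explains.
vault_gitattributes() {
    root=${1:-.}
    find "$root" -type f ! -path '*/.git/*' | sort | while IFS= read -r f; do
        if is_vaulted "$f"; then
            rel=${f#"$root"/}
            printf '%s diff=ansible-vault merge=binary\n' "$rel"
        fi
    done
}

# Write .gitattributes, keep the password file out of source control, and
# register the textconv driver in the repo's local config (not --global),
# so the absolute password path stays specific to this checkout.
# Assumption: the password is stored in <root>/.vault_password.
setup_vault_diff() {
    root=${1:-.}
    abs=$(cd "$root" && pwd)
    vault_gitattributes "$root" > "$root/.gitattributes"
    grep -qx '.vault_password' "$root/.gitignore" 2>/dev/null \
        || printf '.vault_password\n' >> "$root/.gitignore"
    git -C "$root" config --local diff.ansible-vault.textconv \
        "ansible-vault view --vault-password-file=$abs/.vault_password"
}
```

Leave git's `diff.<driver>.cachetextconv` option unset for this driver: when enabled it caches the textconv output, i.e. the decrypted plaintext, in the repository's notes refs.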
So after some digging I constructed a non-trivial solution.

First of all, store your vault password in the (.gitignored) `.vault_password` file.

In the following example the `HEAD` and `HEAD~2` versions of the file `inventory/group_vars/xyz/vault.yml` are vimdiff-ed:

```
vimdiff \
  <(ansible-vault view --vault-password-file=.vault_password \
      <(git show HEAD:inventory/group_vars/xyz/vault.yml)) \
  <(ansible-vault view --vault-password-file=.vault_password \
      <(git show HEAD~2:inventory/group_vars/xyz/vault.yml))
```