How to diff ansible vault changes?

I'd like to see the actual git commit changes in the ansible vault file.

Is there an easy way how to achieve this?

Ikar Pohorský asked Apr 29 '15 07:04



2 Answers

You can do this very neatly, so that the normal git tools like git log and git diff can see inside the vaulted files, using a custom git diff driver and .gitattributes.

  • Make sure that your vault password is in .vault_password and that that file is not committed - you should also add it to .gitignore.
  • Add a .gitattributes file that matches any files in your repository that are encrypted with ansible-vault and give them the attribute diff=ansible-vault. For example, I have:

    env_vars/production.yml diff=ansible-vault merge=binary
    env_vars/staging.yml diff=ansible-vault merge=binary
    

    You can also use wildcarded patterns - the first element of each line, the pattern, follows the same rules as .gitignore files. The merge=binary option tells git not to attempt to do a three-way merge of these files.

  • Then you have to set the diff driver for files with attribute diff=ansible-vault to ansible-vault view:

    git config --global diff.ansible-vault.textconv "ansible-vault view"
    

And that should be it - when git is calculating diffs of the files your pattern matches, it'll decrypt them first.

Mark Longair answered Oct 12 '22 05:10
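An added example, not code from either answer: a small POSIX shell script that performs the .gitattributes and textconv setup described above, passing the .gitignored .vault_password file to ansible-vault view explicitly and keeping the driver in repo-local config. The repository layout and file patterns are assumptions.

```shell
#!/bin/sh
# Added example (not from the answers): script the .gitattributes + textconv
# setup, wiring in a .gitignored .vault_password file. Only git is needed to
# run the setup itself; ansible-vault is invoked later, when git computes a
# diff. The repository layout and patterns are assumptions.

# usage: setup_vault_diff_driver <repo-dir> <gitattributes-pattern>...
setup_vault_diff_driver() {
  repo=$1; shift
  top=$(git -C "$repo" rev-parse --show-toplevel)
  # Keep the password out of history: ignore it before anything is committed.
  grep -qx '.vault_password' "$top/.gitignore" 2>/dev/null \
    || printf '.vault_password\n' >> "$top/.gitignore"
  # Route matching files through the "ansible-vault" diff driver; ciphertext
  # cannot be three-way merged, so mark them merge=binary as well.
  for pattern in "$@"; do
    printf '%s diff=ansible-vault merge=binary\n' "$pattern" >> "$top/.gitattributes"
  done
  # Repo-local config (not --global) so the driver and the absolute password
  # path stay with this checkout. Git runs textconv through a shell, so the
  # path is single-quoted inside the command string.
  git -C "$top" config diff.ansible-vault.textconv \
    "ansible-vault view --vault-password-file '$top/.vault_password'"
  # Never cache textconv output: with cachetextconv=true git would store the
  # decrypted text under refs/notes/textconv/ansible-vault in the object db.
  git -C "$top" config diff.ansible-vault.cachetextconv false
}

# usage: vault_diff_driver_for <repo-dir> <path>
# Prints the diff driver git resolved for <path>: "ansible-vault" when a
# .gitattributes pattern matches, "unspecified" otherwise.
vault_diff_driver_for() {
  git -C "$1" check-attr diff -- "$2" | awk -F': ' '{ print $3 }'
}
```

After running the setup, `git diff`, `git log -p` and `git show` (with `--textconv` for bare blobs) show the decrypted content of the matched files, while the committed objects stay encrypted.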


So after some digging I constructed a non-trivial solution.

First of all, store your vault password in the (.gitignored) .vault_password file.

In the following example the HEAD and HEAD~2 versions of the file inventory/group_vars/xyz/vault.yml are vimdiff-ed:

vimdiff \
  <(ansible-vault view --vault-password-file=.vault_password \
    <(git show HEAD:inventory/group_vars/xyz/vault.yml)) \
  <(ansible-vault view --vault-password-file=.vault_password \
    <(git show HEAD~2:inventory/group_vars/xyz/vault.yml))

Ikar Pohorský answered Oct 12 '22 06:10