Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Pass vault password to vagrants ansible_local provisioner

Tags:

vagrant

ansible

ansible-vault

vagrant-provision

I'm using the ansible_local provisioner for my vagrant box. Some of my variables should be stored in a vault file.

While the ansible provisioner provides ask_vault_pass as configuration option (https://www.vagrantup.com/docs/provisioning/ansible.html#ask_vault_pass), the ansible_local does not.

Is there any workaround?

like image 611
turbophi Avatar asked Jan 05 '23 15:01

turbophi

2 Answers

You can use vault_password_file option.

1. echo to password file

Vagrant.configure(2) do |config|
  config.vm.box = '...'

  config.vm.provision :shell, inline: "echo 'password' > /tmp/vault_pass"

  config.vm.define :controller do |machine|
    ...

    machine.vm.provision 'ansible_local' do |ansible|
      ...
      ansible.vault_password_file = "/tmp/vault_pass"
      ...
    end
  end
end

2. use .synced_folder

Create vault_pass file, like following.

mkdir provision
cd provision
echo password > vault_pass

and Vagrantfile is following.

Vagrant.configure(2) do |config|
  config.vm.box = '...'

  config.vm.synced_folder "./provision", "/provision", id: "ansible", owner: "vagrant", group: "vagrant", mount_options: ["dmode=775,fmode=664"]

  config.vm.define :controller do |machine|
    ...

    machine.vm.provision 'ansible_local' do |ansible|
      ...
      ansible.vault_password_file = "/provision/vault_pass"
      ...
    end
  end
end
like image 148
sujoyu Avatar answered Jan 31 '23 09:01

sujoyu

I suggest another approach to sujoyu's answer by asking the user to input the vault password when provisioning. Also inspired by this answer.

Vagrant.configure(2) do |config|

  config.vm.box = "..."

  # Password Input Function
  class Password
    def to_s
      begin
      system 'stty -echo'
      print "Ansible Vault Password: "
      pass = URI.escape(STDIN.gets.chomp)
      ensure
      system 'stty echo'
      end
      print "\n"
      pass
    end
  end

  # Ask for vault password
  config.vm.provision "shell", env: {"VAULT_PASS" => Password.new}, inline: <<-SHELL
    echo "$VAULT_PASS" > /tmp/vault_pass
  SHELL

  # Run ansible provision
  config.vm.provision "ansible_local" do |ansible|

      ansible.playbook = "playbook.yml"
      ansible.vault_password_file = "/tmp/vault_pass"

  end

  # Delete temp vault password file
  config.vm.provision "shell", inline: <<-SHELL
    rm /tmp/vault_pass
  SHELL

end
like image 35
knixxo Avatar answered Jan 31 '23 07:01

knixxo
Sign in to Comment

Related questions

VirtualBox 6.1.28 fails to load R0 module (`VERR_LDR_GENERAL_FAILURE`) on Windows
How can I override the Chef node name in vagrant?
phpunit with composer not working
use vagrant to provision simple mysql setup (with shell provisioner)
Laravel Homestead - SSL set up
Vagrant: Unknown configuration section 'omnibus' but vagrant-omnibus plugin is installed
Multiple folders for homestead not syncing
Homestead virtualbox error, the host path of the shared folder is missing: ~/Code
Vagrant "ssh_exchange_identification: Connection closed by remote host" after update Ubuntu guest
USB device is not visible inside Vagrant

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!