I am using Ansible to handle endpoint differences for different environments. This is done through the use of variables and the ansible-xml extension.
For example, I have a task called "endpoints.yml" setup within a role called "myapp". This task sets a variety of configuration parameters within configuration files, substituting in variables.
/roles/myapp/tasks/endpoints.yml
—> set value in app config file to: {{ db_user }}
—> set value in app config file to: {{ db_password }}
Since my non-prod environments share a single endpoint, the values for these variables are setup in the role's default file:
/roles/myapp/defaults/main.yml
—> db_user: myuser_ro
—> db_password: some_password
For the prod environment, I am overwriting the default with a group_variable (since this takes precedence):
/environments/prod/group_vars/myapp_servers
—> db_user: produser_ro
—> db_password: some_other_password
This all works great and allows us to use a single playbook/role for all environments. However, I want to take advantage of ansible-vault to move the password values out of these files and into an encrypted file.
However, there will still be different values for prod and non-prod. I could create a new "vars" file in the role called "pass.yml", encrypt it with ansible-vault, and then reference it from the task with an "include_vars: pass.yml".
But this doesn't explain how I account for needing different (encrypted) variables for different environments.
Any suggestions?
When using ansible-vault commands that encrypt content (ansible-vault encrypt, ansible-vault encrypt_string, etc.) only one vault-id can be used. Prior to Ansible 2.4, only one vault password could be used in each Ansible run. The --vault-id option is not supported prior to Ansible 2.4.
The --vault-password-file option can also be used with the ansible-pull command if you wish, though this would require distributing the keys to your nodes, so understand the implications – vault is more intended for push mode.
You can store your vault passwords on the system keyring, in a database, or in a secret manager and retrieve them from within Ansible using a vault password client script.
The ansible-vault create command is used to create the encrypted file. After typing this command, it will ask for a password and then ask where to put your content. To check that the file has been encrypted, use the cat command. The following command is used to create encrypted files with --vault-id.
It sounds like you are using a multi-environment structure like this. In this case you can create a vault file for each environment.
environments
├── dev
│   └── group_vars
│       └── all
│           └── secrets
└── prod
    └── group_vars
        └── all
            └── secrets
Each "secrets" file can have its own password.
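The per-environment layout above only works in practice if each "secrets" file can be unlocked with its own password in a single run, which is what the --vault-id option (Ansible 2.4 and later) and a vault password client script give you. The script below is an added example, not code from the original post or from the Ansible project. Ansible runs any executable password script whose basename ends in -client (for example vault-client.py) with the argument --vault-id <label>, so one script can serve both environments. The lookup here is an assumption for illustration: it reads the password from an environment variable named ANSIBLE_VAULT_PASSWORD_<LABEL>, standing in for the keyring or secret-manager call you would use in production. The name vault-client.py and the ANSIBLE_VAULT_PASSWORD_* variables are hypothetical.

```python
#!/usr/bin/env python3
"""vault-client.py: an Ansible vault password *client* script (added example).

Ansible treats an executable password script whose name ends in "-client"
(before the extension) as a client script and invokes it as

    vault-client.py --vault-id <label>

once per --vault-id given on the command line, e.g.

    ansible-playbook -i environments/prod site.yml \
        --vault-id dev@./vault-client.py \
        --vault-id prod@./vault-client.py

Each "secrets" file is encrypted with its own label
(ansible-vault encrypt --vault-id prod@./vault-client.py environments/prod/group_vars/all/secrets),
and Ansible tries the matching password first on decrypt.

Assumption for this example: the password for label X lives in the
environment variable ANSIBLE_VAULT_PASSWORD_X (a stand-in for a keyring or
secret-manager lookup).
"""
import argparse
import os
import re
import sys

# Labels come from the command line, so restrict them to a safe character
# set before using them to build an environment-variable name.
_LABEL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


class VaultPasswordError(Exception):
    """Raised when a vault-id cannot be resolved to a password."""


def env_var_for(label: str) -> str:
    """Map a vault-id label to the environment variable that holds its password.

    'prod' -> 'ANSIBLE_VAULT_PASSWORD_PROD', 'non-prod' -> 'ANSIBLE_VAULT_PASSWORD_NON_PROD'.
    """
    if not _LABEL_RE.match(label):
        raise VaultPasswordError(f"invalid vault-id label: {label!r}")
    return "ANSIBLE_VAULT_PASSWORD_" + label.upper().replace("-", "_")


def lookup_password(label: str, env=None) -> str:
    """Return the vault password for `label`, or raise VaultPasswordError.

    `env` defaults to os.environ; a plain dict can be passed for testing.
    Ansible reads the first line of the script's stdout as the password, so a
    value containing a newline would be silently truncated; reject it.
    """
    env = os.environ if env is None else env
    name = env_var_for(label)
    password = env.get(name)
    if not password:
        raise VaultPasswordError(f"no password for vault-id {label!r}: set {name}")
    if "\n" in password or "\r" in password:
        raise VaultPasswordError(f"password for vault-id {label!r} must be a single line")
    return password


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Ansible vault password client")
    parser.add_argument("--vault-id", required=True, help="label passed by Ansible")
    args = parser.parse_args(argv)
    try:
        password = lookup_password(args.vault_id)
    except VaultPasswordError as exc:
        # Diagnostics go to stderr; only the password may appear on stdout.
        print(f"vault-client: {exc}", file=sys.stderr)
        return 1
    sys.stdout.write(password + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Make the file executable (chmod +x vault-client.py) or Ansible will read it as a plain password file instead of running it. Because the script keeps secrets out of group_vars entirely, the only thing committed alongside the per-environment trees is the encrypted secrets file and the label it was encrypted under.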
Multiple vault passwords in a single ansible configuration are not currently supported by ansible vault. You must use the same vault password to encrypt both the prod and non-prod environment files.