
Use multiple var files in ansible role

One of my roles has two different variable types. One is public (things like package versions and other benign information). These can be committed to SCM without a worry. It also requires some private information (such as API keys and other secret information). I'm using ansible-vault to encrypt secret information. My solution was to have vars/main.yaml for public, and vars/vault.yml for the encrypted private information.

I came across a problem and am uncertain what's the best practice or actual solution here. It seems that ansible only loads the vars/main.yml file. Naturally I do not want to encrypt the public information so I looked for a solution. So far the only solution I came up with (suggested on IRC) is to create group_vars/all/vault.yml and prefix all variables with the role name. This works because ansible seems to recursively load everything under group_vars. This does work but seems organizationally incorrect because the variables are for a specific role and not "globally universally true". I also tried to put include: vars/vault.yml into vars/main.yml but that did not work.

Is there a proper way to do this?

ahawkins asked Mar 21 '16 15:03


1 Answer

As the very first task in your role you could have an include_vars task.

- include_vars: vault.yml

I have never tried it but according to the docs vault encrypted files can be used with the include_vars module.

The vault feature can encrypt any structured data file used by Ansible. This can include “group_vars/” or “host_vars/” inventory variables, variables loaded by “include_vars” or “vars_files” [...]

udondan answered Sep 23 '22 17:09
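The role layout this answer describes, as an added example that is not part of the original answer: the role name `myrole`, the variable names and the sample values are assumptions. Because the task runs inside a role, `include_vars` resolves the relative path `vault.yml` against that role's `vars/` directory, so the secrets stay with the role instead of in `group_vars/all`.

```yaml
# Three files shown as separate YAML documents; paths are relative to the playbook.
---
# roles/myrole/vars/main.yml
# Plaintext, safe to commit. Ansible loads this file automatically.
myrole_package_version: "1.2.3"                # constructed sample value
# Indirection: role tasks use myrole_api_key, the encrypted file supplies the value.
myrole_api_key: "{{ vault_myrole_api_key }}"

---
# roles/myrole/vars/vault.yml
# Shown here BEFORE encryption. Encrypt it before committing:
#   ansible-vault encrypt roles/myrole/vars/vault.yml
# After that, the file on disk starts with a "$ANSIBLE_VAULT;" header line.
vault_myrole_api_key: "REPLACE_WITH_REAL_KEY"  # placeholder, not a real secret

---
# roles/myrole/tasks/main.yml
# First task of the role: load the encrypted file that main.yml does not pull in.
- name: Load vault-encrypted role variables
  include_vars: vault.yml   # resolves to roles/myrole/vars/vault.yml
  no_log: true              # keep decrypted values out of task output and logs

# Fail early with a clear error instead of deploying an empty credential.
- name: Verify the secret was loaded
  assert:
    that:
      - vault_myrole_api_key is defined
      - vault_myrole_api_key | length > 0
    quiet: true
  no_log: true

# Later tasks reference myrole_api_key; mark any task that handles it no_log too.
```

Run the playbook with `--ask-vault-pass` or `--vault-password-file` so Ansible can decrypt `vault.yml` when the `include_vars` task executes.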