Generate vaulted extra-vars
apenella opened this issue
This feature intends to solve the problem of how to pass vaulted variables through extra-vars.
Ansible can read vaulted variables from a file; however, it does not provide a straightforward solution to pass vaulted data through extra-vars.
To achieve that, you need to generate an encrypted string and prepare a JSON with the ansible-vault result. That JSON can be passed as an extra-var.
Here is an example of that JSON-encoded vaulted variable:
    {
      "secret_var_name": {
        "__ansible_vault": "$ANSIBLE_VAULT;1.2;AES256; VAULTED_DATA"
      }
    }
The proposal is to add a method with this signature:
AddVaultedExtraVar(string var_name, var_plain_value) string
Which returns the extra-var parameter having a variable vaulted in JSON format:
--extra-var '{ "secret_var_name": {"__ansible_vault": "$ANSIBLE_VAULT;1.2;AES256;VAULTED_DATA"}}'
How to achieve the vault string
The AnsiblePlaybookCmd and AnsibleAdhocCmd would need a vault generator that could accept multiple password readers, such as text, file or environment variables.
The library https://github.com/sosedoff/ansible-vault-go can be used to achieve that.
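The JSON-wrapping step described in this issue, as an added example that is not code from the issue or from go-ansible: it takes text already produced by ansible-vault (or a vault library) and refuses anything that is not a vault envelope, so a plaintext secret cannot end up on the command line by mistake. The names `VaultedExtraVar` and `checkVaultEnvelope` are hypothetical, and the sample payload is constructed placeholder hex, not real ciphertext.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

var varName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// checkVaultEnvelope accepts only text shaped like ansible-vault output: a
// "$ANSIBLE_VAULT;1.1;AES256" header (or 1.2 plus a vault-id label) and hex.
func checkVaultEnvelope(s string) error {
	header, body, _ := strings.Cut(strings.TrimSpace(s), "\n")
	f := strings.Split(strings.TrimSpace(header), ";")
	okVer := (len(f) == 3 && f[1] == "1.1") || (len(f) == 4 && f[1] == "1.2")
	if !okVer || f[0] != "$ANSIBLE_VAULT" || f[2] != "AES256" {
		return fmt.Errorf("not an ansible-vault header")
	}
	payload := strings.Join(strings.Fields(body), "")
	if _, err := hex.DecodeString(payload); err != nil || payload == "" {
		return fmt.Errorf("vault payload is empty or not hex")
	}
	return nil
}

// VaultedExtraVar (hypothetical helper) builds the JSON object passed to
// --extra-vars; json.Marshal escapes the newlines of the multi-line vault text.
func VaultedExtraVar(name, vaultText string) (string, error) {
	if !varName.MatchString(name) {
		return "", fmt.Errorf("invalid variable name %q", name)
	}
	if err := checkVaultEnvelope(vaultText); err != nil {
		return "", err
	}
	out, err := json.Marshal(map[string]map[string]string{
		name: {"__ansible_vault": vaultText},
	})
	return string(out), err
}

func main() {
	// Constructed sample: valid envelope, placeholder hex, not real ciphertext.
	sample := "$ANSIBLE_VAULT;1.1;AES256\n3031323334353637\n3839616263646566\n"
	fmt.Println(VaultedExtraVar("secret_var_name", sample))
	fmt.Println(VaultedExtraVar("secret_var_name", "hunter2"))
}
```

The check only inspects the envelope's shape; it does not decrypt the payload or prove which password produced it.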