At the moment changing Splunk.secret will break everything and rerunning ansible playbook will always force configs to be updated and splunk restarted even though the password values are exactly the same.

Should update the tasks related to passwords to do the following

1. Run a shell command that

• runs btool to get the value for the key
• if value is empty exit 1
• elif value starts with $ use show-decrypted command to decrypt it and return value
• else return value
• register the value into pass_result

2. Run a ini_file

• run only when pass_result not same as password in inventory
• set the password

This should auto update password if it or Splunk.secret has changed.

The role does not currently support changing the splunk.secret file because as you found out, the splunk.secret file is used in the password hashing process for several different passwords. The role provides the configure splunk.secret option in case you want to use a common splunk.secret file across several hosts during a new installation, which allows you to deploy pre-hashed passwords that are in your VCS via configure_apps.yml. This practice is what we recommend to deploy passwords securely across multiple Splunk hosts. See: https://docs.splunk.com/Documentation/Splunk/8.2.2/Security/Deploysecurepasswordsacrossmultipleservers

The issue that you encountered is also why the configure_splunk_secret.yml task is only called during install_splunk.yml and not during upgrade_splunk.yml - because changing splunk.secret without also updating the passwords in the .conf files and restarting splunk will cause password decryption errors.

Can I ask what your use case is for changing splunk.secret after installation?

Your suggested workaround for the issue could work if we wanted to add a new task specifically for rotating splunk.secret but shouldn't be necessary for something like a password rotation. It's also not safe for us to assume that everyone is using Ansible to manage the passwords in their configuration files, since as I mentioned earlier, you can pre-hash the password in the config files, and then deploy the configs as part of an app. So, in that scenario, there is no variable storing the password in Ansible to compare the decrypted output against.

Thanks for the detailed response @mason-splunk

The use cases are below

1. People want to use different secrets on different servers - better security
2. The secret is exposed and everything needs to be rotated - at the moment it is tedious as would need to manually re-encrypt everything
3. People that want to store the plain text password using ansible vault. This would already be the case for splunk.secret and admin password.

Current logic is really only for those using a single secret and storing the prehashed password in ansible.

Actually the plain text password is also needed for below command to work (test in Splunk 8.0.7)

1. splunk edit cluster-config -mode slave

It seems to be trying to connect to the master with the hashed password.