Ansible/Variables and Vaults
From charlesreid1
This article covers recommendations and best practices for keeping sensitive values in an encrypted vault file (Ansible/Vaults) while keeping the variable names themselves in plaintext, so that a plain grep through group_vars/ still finds where each variable is defined and used.
Ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
Group Variables
1. Start with a group_vars/ subdirectory named after the group whose variables you want to set (for example group_vars/dbservers/).
2. Inside that subdirectory, create two files named vars and vault.
3. In vars, define all variables the group needs, including the sensitive ones.
4. Copy each sensitive variable into the vault file, prefixing its name with vault_.
5. In vars, replace the value of each sensitive variable with a Jinja2 reference to the matching vault_ variable. Quote the reference ("{{ vault_... }}"): a bare {{ at the start of a YAML value is parsed as a flow mapping and the file fails to load.
6. Encrypt the vault file with ansible-vault (see Ansible/Vaults) before committing it. Ansible loads every file in the group directory, so both vars and vault are picked up automatically, and the vault_ variables only resolve when the vault password is supplied.
Example
Directory structure:

```
playbooks/
  group_vars/
    dbservers/      # name of group
      vars          # plaintext: variable names and non-sensitive values
      vault         # encrypted: vault_ prefixed sensitive values
```
Suppose we started with a single vars file that holds everything, sensitive values included.
Before
Before using the vault, the variables file might look like this:

playbooks/group_vars/dbservers/vars (variables file, before using vault):

```yaml
host: 0.0.0.0
port: 1234
database_username: root
# sensitive parameters:
database_password: strongPassword
slack_api_key: a1a2a3a4a5a6a7
github_api_key: b1b2b3b4b5b6b7
```
After
Now we move the sensitive parameters into the vault, prefixing them with vault_, and have the entries in vars refer to the vault variables. The names database_password, slack_api_key and github_api_key stay searchable in the plaintext vars file; only the values live in the vault.

playbooks/group_vars/dbservers/vars (variables file, after using vault):

```yaml
host: 0.0.0.0
port: 1234
database_username: root
# sensitive parameters (values come from the encrypted vault file):
database_password: "{{ vault_database_password }}"
slack_api_key: "{{ vault_slack_api_key }}"
github_api_key: "{{ vault_github_api_key }}"
```

playbooks/group_vars/dbservers/vault (vault file, shown decrypted):

```yaml
# sensitive parameters:
vault_database_password: strongPassword
vault_slack_api_key: a1a2a3a4a5a6a7
vault_github_api_key: b1b2b3b4b5b6b7
```

Encrypt the vault file in place with ansible-vault encrypt playbooks/group_vars/dbservers/vault; after that its first line is the $ANSIBLE_VAULT; header and the plaintext above is no longer readable in the repository.
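The following is an added example, not code from the original page or from Ansible itself: a small pre-commit style check for the vars/vault layout described in the steps above and in the dbservers example. It assumes the flat "key: value" files the page shows (the parse_flat_yaml helper is a deliberately minimal parser, not a YAML library), treats key names containing password, secret, token, api_key or private_key as sensitive (a heuristic, not an Ansible rule), and embeds constructed copies of the page's before/after files as sample input. It reports sensitive keys that still hold literal values, references to vault_ variables that do not exist in the vault, vault keys that nothing references, and whether a vault file carries the ansible-vault envelope header.

```python
import re

# Constructed sample content mirroring the page's dbservers example: the
# "before" vars file with plaintext secrets, the "after" vars file using
# vault_ indirection, and the decrypted vault file.
VARS_BEFORE = """\
host: 0.0.0.0
port: 1234
database_username: root
# sensitive parameters:
database_password: strongPassword
slack_api_key: a1a2a3a4a5a6a7
github_api_key: b1b2b3b4b5b6b7
"""

VARS_AFTER = """\
host: 0.0.0.0
port: 1234
database_username: root
# sensitive parameters:
database_password: "{{ vault_database_password }}"
slack_api_key: "{{ vault_slack_api_key }}"
github_api_key: "{{ vault_github_api_key }}"
"""

VAULT_PLAIN = """\
# sensitive parameters:
vault_database_password: strongPassword
vault_slack_api_key: a1a2a3a4a5a6a7
vault_github_api_key: b1b2b3b4b5b6b7
"""

# Heuristic (assumption): key names that suggest a secret.
SENSITIVE_NAME = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)
# A value that is exactly one Jinja2 reference to a vault_ variable.
VAULT_REF = re.compile(r"^\{\{\s*(vault_\w+)\s*\}\}$")
# First bytes of a file encrypted by ansible-vault.
VAULT_HEADER = "$ANSIBLE_VAULT;"


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' files (assumption: no nesting or
    lists; real repositories should load the files with a YAML library)."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        # Strip one layer of matching quotes so "{{ x }}" and {{ x }} compare equal.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def is_vault_encrypted(text):
    """True when the file starts with the ansible-vault envelope header."""
    return text.startswith(VAULT_HEADER)


def audit(vars_text, vault_plain_text):
    """Return a list of human-readable findings for a vars file and the
    decrypted contents of its companion vault file."""
    findings = []
    vars_map = parse_flat_yaml(vars_text)
    vault_map = parse_flat_yaml(vault_plain_text)
    referenced = set()
    for key, value in vars_map.items():
        match = VAULT_REF.match(value)
        if match:
            target = match.group(1)
            referenced.add(target)
            if target not in vault_map:
                findings.append(f"unresolved: {key} -> {target}")
        elif SENSITIVE_NAME.search(key):
            # Sensitive-looking name holding a literal instead of a vault reference.
            findings.append(f"plaintext secret: {key}")
    for vkey in vault_map:
        if not vkey.startswith("vault_"):
            findings.append(f"vault key missing vault_ prefix: {vkey}")
        elif vkey not in referenced:
            findings.append(f"unreferenced vault key: {vkey}")
    return findings


if __name__ == "__main__":
    print("before:", audit(VARS_BEFORE, VAULT_PLAIN))
    print("after: ", audit(VARS_AFTER, VAULT_PLAIN))
    print("vault encrypted?", is_vault_encrypted(VAULT_PLAIN))
```

In a real repository the check would read group_vars/*/vars directly, refuse to proceed if the vault file is not encrypted (is_vault_encrypted), and obtain the decrypted vault contents from ansible-vault view rather than from disk, so the plaintext never needs to be checked in.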
Flags