
I have two roles, one of which has a group_vars file that is vaulted, and another that is not. I would like to run the role that does not require any vaulted information, but ansible prompts me for a vault password anyway:

$ tree
├── deploy-home-secure.yml
├── deploy-home.yml
├── group_vars
│   ├── home
│   │   └── unvaulted
│   └── home-secure
│       ├── unvaulted
│       └── vaulted
├── hosts
└── roles
    ├── home
    │   └── tasks
    │       └── main.yaml
    └── home-secure
        └── tasks
            └── main.yaml

$ ansible-playbook --version
ansible-playbook 1.8.2
  configured module search path = None

$ ansible-playbook -i hosts deploy-home.yml
ERROR: A vault password must be specified to decrypt vaulttest/group_vars/home-secure/vaulted

$ ansible-playbook --vault-password-file=/dev/null -i hosts deploy-home.yml
ERROR: Decryption failed
Alexei Tenitski
Shepmaster
  • I suspect Ansible needs to read everything in `group_vars` to make sure it doesn't miss anything. If that's the case, then why not move your encrypted playbooks into a separate _"secure"_ directory? – Mxx Dec 20 '14 at 18:13
  • 2
    @Mxx "to make sure it doesn't miss anything" - I would have hoped that the normal undefined variable warning would have kicked in - if we can't decrypt, then those variables wouldn't be available. – Shepmaster Dec 20 '14 at 18:16
  • @Mxx "move your encrypted playbooks" - I'm not sure I follow. It is `group_vars` files that are vaulted, and those have to be in a structure relative to the `hosts` file, as I understand it. I wouldn't want to have to duplicate my hosts file for each vaulted file with a different password. – Shepmaster Dec 20 '14 at 18:19
  • Your inventory file is not linked to your playbooks in any way (other than the hosts referenced inside the playbooks). So you could have a central location for your inventory and separate locations for each playbook. – Mxx Dec 20 '14 at 18:43
  • 1
    @Mxx I must be vastly misunderstanding something here. The file `group_vars/home_secure/vaulted` is the file that has been vaulted. I understand that ["group variables are generally placed alongside your inventory file"](http://docs.ansible.com/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable). I expect to need a password to run the `home_secure` role, but not for the `home` role. I don't see how moving my playbook (`deploy-home.yml`) would make Ansible not load the vaulted `group_vars` file. – Shepmaster Dec 20 '14 at 18:52
  • Separate everything related to the encrypted playbook from the unencrypted one. You can still have a common inventory file. – Mxx Dec 22 '14 at 04:02
  • Shepmaster, if the answer answers your question, please accept it. – tedder42 Feb 04 '15 at 17:41

3 Answers

I have something like this to solve this kind of problem (mine was not different roles, but different hosts, but I think the same principle applies):

This is the simplified file structure:

group_vars
  development_vars
  staging_vars
vaulted_vars
  production_vars

This allows you to deploy development or staging without Ansible asking you to decrypt production_vars.

And then, the production playbook goes like this:

- hosts: production
  roles:
    - role...
  vars_files:
    - vaulted_vars/production_vars

The vars_files line where you specify the path to the vaulted var is the key.

Franco Mariluis

Ansible will try to load a group_vars file for any group it encounters in your inventory. If you split the inventory file (hosts) into one for the home group and another for home-secure, then it will not try to decrypt vars it is not supposed to.

$ ansible-playbook -i hosts-home deploy-home.yml

$ ansible-playbook --ask-vault-password -i hosts-home-secure deploy-home-secure.yml
Alexei Tenitski
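A quick pre-flight check for the split-inventory approach above, added here as an example and not part of the original answer: it lists every group named in a given inventory whose group_vars contains an Ansible Vault file (recognised by the standard `$ANSIBLE_VAULT;` header), so you can confirm that `hosts-home` pulls in no vaulted vars before running without a password. The sample tree it builds mirrors the question's layout and is constructed for the example; the vault file body is a placeholder, not real ciphertext.

```shell
#!/bin/sh
# Print the inventory groups whose group_vars would require a vault password.
# Ansible loads group_vars for every group named in the inventory, so any group
# printed here forces ansible-playbook to ask for a vault password.
# Assumption: vault files begin with the standard "$ANSIBLE_VAULT;" header line.
vaulted_groups_in_inventory() {
    inventory="$1"
    group_vars_dir="$2"
    # Group names are the bracketed section headers, minus ":children"/":vars" suffixes.
    sed -n 's/^\[\([^]:]*\).*\]$/\1/p' "$inventory" | sort -u | while read -r group; do
        [ -n "$group" ] || continue
        # group_vars/<group> may be a single file or a directory of files.
        for f in "$group_vars_dir/$group" "$group_vars_dir/$group"/*; do
            [ -f "$f" ] || continue
            if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
                echo "$group"
                break
            fi
        done
    done
}

# Constructed sample tree mirroring the question (hypothetical hosts, not from the page).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/group_vars/home" "$root/group_vars/home-secure"
    printf 'port: 8080\n' > "$root/group_vars/home/unvaulted"
    printf 'port: 8443\n' > "$root/group_vars/home-secure/unvaulted"
    # Only the header matters for detection; the body is a placeholder, not real ciphertext.
    printf '$ANSIBLE_VAULT;1.1;AES256\n30303030\n' > "$root/group_vars/home-secure/vaulted"
    # Combined inventory (triggers the prompt) and the split one for the home group only.
    printf '[home]\nhome.example.test\n\n[home-secure]\nsecure.example.test\n' > "$root/hosts"
    printf '[home]\nhome.example.test\n' > "$root/hosts-home"
    echo "$root"
}

# Stand-alone usage: ./check.sh <inventory> <group_vars_dir>
if [ "$#" -eq 2 ]; then
    vaulted_groups_in_inventory "$1" "$2"
fi
```

Run it against the inventory you are about to pass to `-i`; an empty result means no group_vars vault file will be loaded and no password is needed.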

Here is another option if you don't always need your vaulted variables.

You can have a folder structure like this:

group_vars
├── all
├── prod
├── dev
│   └── vars.yml
└── dev-vault
    └── vault.yml

You store vaulted variables in the '-vault' variant of that inventory.

Then your inventories might be something like the following:

dev:

[servers]
dev.bla.bla

[dev:children]
servers

dev-vault:

[servers]
dev.bla.bla

[dev:children]
servers

[dev-vault:children]
servers

So you're only saving sensitive data in the dev-vault vars. If in most cases you don't actually need passwords etc., you can run playbooks without having extra options you're not really using, or storing the vault password in plaintext for convenience, etc.

So the "normal" command might be:

 ansible-playbook -i dev some.yml

And the "vaulted" command could be:

 ansible-playbook -i dev-vault some.yml --extra-vars="use_vault=true"

Or you could manage the "include vault variables" via tagging, including some.yml in some-vault.yml, etc.

Mr. Hasquestions