How to resolve git conflicts with files encrypted by ansible-vault in PyCharm

Question

Is it possible to resolve conflicts in files which are encrypted by ansbile-vault in PyCharm's GUI?

I have tried to follow the instruction provided in the accepted answer at How to diff ansible vault changes?. I put ansible-vault password in .vault_password file, set particular file paths in .gitattributes and ran

git config --global diff.ansible-vault.textconv "ansible-vault view --vault-id .vault_password"

However this seems to work only for showing diffs from command line.

Is it possible to make it work for PyCharm when comparing conflicting files? I would like them to be decrypted and thus their content to be visible just as with regular files so I can resolve conflicts easily.

It would be also perfect if resolved conflicting file would be encrypted at the end of the process.

Answer 1

I found out a script that may solve your problem.

#!/bin/sh

# vault-merge
# Benjamin Ragheb <ben@benzado.com>

# This shell script handles conflicts generated by attempts to merge encrypted
# Ansible Vault files. Run `git merge` as usual; when git warns of a merge
# conflict, run this command to attempt a merge on the unencrypted versions of
# the file. If there are conflicts, you will be given a chance to correct them
# in $EDITOR.

# First, we ensure we are inside the working directory of a git repo.

GIT_ROOT=`git rev-parse --show-toplevel`
if [ $? != 0 ]; then
    exit $?
fi

# Next, we set a default location for a vault password file, and allow the user
# to override it if desired.

VAULT_PASSWORD_FILE="$GIT_ROOT/.ansible-vault-password"

while getopts "p:" opt; do
    case $opt in
        p)
            VAULT_PASSWORD_FILE=$OPTARG
            ;;
        \?)
            # Invalid option (e.g., -p without an argument)
            exit 1
            ;;
    esac
done
shift $(($OPTIND - 1))

VAULT_OPT="--vault-password-file=$VAULT_PASSWORD_FILE"
VAULT_FILE=$1

# If no vault has been provided, abort!

if [ -z $VAULT_FILE ]; then
    echo "Usage: $0 [-p PASSWORD_FILE] VAULT_FILE"
    exit 1
fi

# If the password file doesn't exist, we prompt for the password and save it.

if [ ! -e $VAULT_PASSWORD_FILE ]; then
    read -s -p "Vault Password: " VAULT_PASSWORD
    echo
    echo "Remembering password in $VAULT_PASSWORD_FILE"
    echo $VAULT_PASSWORD > $VAULT_PASSWORD_FILE
else
    echo "Using password saved in $VAULT_PASSWORD_FILE"
fi

# Fetch the base (common ancestor) version of the encrypted vault file, save
# it to a temporary location, and decrypt it. (Hat Tip to the git-merge manual
# page for tipping me off to the `git show :1:path` notation.)

BASE=`mktemp ${VAULT_FILE}.base.XXXX`
git show :1:${VAULT_FILE} > $BASE 2> /dev/null
if [ $? != 0 ]; then
    echo "Path '${VAULT_FILE}' does not have any conflicts."
    rm $BASE
    exit 1
fi
ansible-vault decrypt $VAULT_OPT $BASE || exit $?

# Do the same with the current (branch we are merging INTO) version of the vault
# file.

CURRENT=`mktemp ${VAULT_FILE}.current.XXXX`
git show :2:${VAULT_FILE} > $CURRENT 2> /dev/null
ansible-vault decrypt $VAULT_OPT $CURRENT || exit $?

# And finally, with the other (branch we a merging FROM) version of the vault.

OTHER=`mktemp ${VAULT_FILE}.other.XXXX`
git show :3:${VAULT_FILE} > $OTHER 2> /dev/null
ansible-vault decrypt $VAULT_OPT $OTHER || exit $?

# Now that we have all three versions decrypted, ask git to attempt the merge
# again. If it fails again due to a conflict, open $EDITOR and let the user
# perform a manual merge.

git merge-file $CURRENT $BASE $OTHER
if [ $? == 0 ]; then
    echo "Merge OK"
else
    echo "Merge conflict; opening editor to resolve."
    $EDITOR $CURRENT
fi

# Now that we're done, encrypt the file and move it into the repo, and clean up
# the temporary files (they contain secrets!).

ansible-vault encrypt $VAULT_OPT $CURRENT
cp $CURRENT $VAULT_FILE
rm $BASE $CURRENT $OTHER

echo "$VAULT_FILE has been updated."
echo "    (use \"git add $VAULT_FILE\" to mark as resolved)"
echo "    (or re-run this command to retry the merge)"
exit 0