Ansible/Variables and Vaults: Difference between revisions
From charlesreid1
(Created page with "{{Main|Ansible/Variables}} {{Main|Ansible/Vaults}} This article covers recommendations and best practices for storing variables (Ansible/Variables) in your vault (Ansi...") |
|||
| Line 32: | Line 32: | ||
</pre> | </pre> | ||
Now suppose we were including the full <code>vars</code> file with sensitive variables and all. | Now suppose we were including the full <code>vars</code> file with sensitive variables and all. | ||
===Before=== | |||
Before using the vault, our variables file might look like this: | |||
'''<code>playbooks/group_vars/dbservers/vars</code> variables file, before using vault:''' | |||
<pre> | <pre> | ||
| Line 38: | Line 44: | ||
port : 1234 | port : 1234 | ||
database_username : root | database_username : root | ||
# sensitive parameters: | |||
database_password : strongPassword | database_password : strongPassword | ||
slack_api_key : a1a2a3a4a5a6a7 | slack_api_key : a1a2a3a4a5a6a7 | ||
| Line 43: | Line 51: | ||
</pre> | </pre> | ||
===After=== | |||
Now we can move the sensitive parameters into the vault, prefixing them with <code>vault_</code>, and have parameters in the vars variables file refer to variables in the vault: | |||
'''<code>playbooks/group_vars/dbservers/vars</code> variables file, after using vault:''' | |||
<pre> | |||
host : 0.0.0.0 | |||
port : 1234 | |||
database_username : root | |||
# sensitive parameters: | |||
database_password : {{ vault_database_password }} | |||
slack_api_key : {{ vault_slack_api_key }} | |||
github_api_key : {{ vault_github_api_key }} | |||
</pre> | |||
'''<code>playbooks/group_vars/dbservers/vault</code> vault file:''' | |||
<pre> | |||
# sensitive parameters: | |||
vault_database_password : strongPassword | |||
vault_slack_api_key : a1a2a3a4a5a6a7 | |||
vault_github_api_key : b1b2b3b4b5b6b7</pre> | |||
</pre> | |||
==Flags== | ==Flags== | ||
Revision as of 05:07, 15 November 2018
This article covers recommendations and best practices for storing variables (Ansible/Variables) in your vault (Ansible/Vaults) while still making it possible to search variable names.
Ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
Group Variables
Start with a group_vars/ subdirectory that is named after the group you are trying to modify.
Inside of the subdirectory, create two files named vars and vault.
Inside vars, define all variables needed, including any sensitive ones.
Next, copy all sensitive variables over to vault file, prefix them with vault_.
Adjust the variables in the vars file so they point to the matching vault_ variables, using Jinja 2 syntax, and ensure that the vault file is encrypted (see Ansible/Vaults).
Example
Directory structure:
playbooks/
group_vars/
dbservers/ # name of group
vars # file
vault # file
Now suppose we were including the full vars file with sensitive variables and all.
Before
Before using the vault, our variables file might look like this:
playbooks/group_vars/dbservers/vars variables file, before using vault:
host : 0.0.0.0 port : 1234 database_username : root # sensitive parameters: database_password : strongPassword slack_api_key : a1a2a3a4a5a6a7 github_api_key : b1b2b3b4b5b6b7
After
Now we can move the sensitive parameters into the vault, prefixing them with vault_, and have parameters in the vars variables file refer to variables in the vault:
playbooks/group_vars/dbservers/vars variables file, after using vault:
host : 0.0.0.0
port : 1234
database_username : root
# sensitive parameters:
database_password : {{ vault_database_password }}
slack_api_key : {{ vault_slack_api_key }}
github_api_key : {{ vault_github_api_key }}
playbooks/group_vars/dbservers/vault vault file:
# sensitive parameters: vault_database_password : strongPassword vault_slack_api_key : a1a2a3a4a5a6a7 vault_github_api_key : b1b2b3b4b5b6b7