Ansible/Variables and Vaults: Difference between revisions

From charlesreid1

(Created page with "{{Main|Ansible/Variables}} {{Main|Ansible/Vaults}} This article covers recommendations and best practices for storing variables (Ansible/Variables) in your vault (Ansi...")
 
No edit summary
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Main|Ansible/Variables}}
{{Main|Ansible/Vaults}}
{{Main|Ansible/Vaults}}


This article covers recommendations and best practices for storing variables ([[Ansible/Variables]]) in your vault ([[Ansible/Vaults]]) while still making it possible to search variable names.
This article covers recommendations and best practices for storing variables in your vault ([[Ansible/Vaults]]) while still making it possible to search variable names.


Ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
Ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html
Line 32: Line 30:
</pre>
</pre>


Now suppose we were including the full <code>vars</code> file with sensitive variables and all. It might look like this:
Now suppose we were including the full <code>vars</code> file with sensitive variables and all.  
 
===Before===
 
Before using the vault, our variables file might look like this:
 
'''<code>playbooks/group_vars/dbservers/vars</code> variables file, before using vault:'''


<pre>
<pre>
Line 38: Line 42:
port : 1234
port : 1234
database_username : root
database_username : root
# sensitive parameters:
database_password : strongPassword
database_password : strongPassword
slack_api_key : a1a2a3a4a5a6a7
slack_api_key : a1a2a3a4a5a6a7
Line 43: Line 49:
</pre>
</pre>


===After===
Now we can move the sensitive parameters into the vault, prefixing them with <code>vault_</code>, and have parameters in the vars variables file refer to variables in the vault:
'''<code>playbooks/group_vars/dbservers/vars</code> variables file, after using vault:'''
<pre>
host : 0.0.0.0
port : 1234
database_username : root
# sensitive parameters:
database_password : {{ vault_database_password }}
slack_api_key : {{ vault_slack_api_key }}
github_api_key : {{ vault_github_api_key }}
</pre>
'''<code>playbooks/group_vars/dbservers/vault</code> vault file:'''
<pre>
# sensitive parameters:
vault_database_password : strongPassword
vault_slack_api_key : a1a2a3a4a5a6a7
vault_github_api_key : b1b2b3b4b5b6b7
</pre>


==Flags==
==Flags==
{{AnsibleFlag}}

Latest revision as of 04:10, 16 January 2019

Main article: Ansible/Vaults

This article covers recommendations and best practices for storing variables in your vault (Ansible/Vaults) while still making it possible to search variable names.

Ansible documentation: https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html

Group Variables

Start with a group_vars/ subdirectory that is named after the group you are trying to modify.

Inside of the subdirectory, create two files named vars and vault.

Inside vars, define all variables needed, including any sensitive ones.

Next, copy all sensitive variables over to vault file, prefix them with vault_.

Adjust the variables in the vars file so they point to the matching vault_ variables, using Jinja 2 syntax, and ensure that the vault file is encrypted (see Ansible/Vaults).


Example

Directory structure: 

playbooks/
    group_vars/
        dbservers/   # name of group
            vars     # file
            vault    # file

Now suppose we were including the full vars file with sensitive variables and all.

Before

Before using the vault, our variables file might look like this:

playbooks/group_vars/dbservers/vars variables file, before using vault: 

host : 0.0.0.0
port : 1234
database_username : root

# sensitive parameters:
database_password : strongPassword
slack_api_key : a1a2a3a4a5a6a7
github_api_key : b1b2b3b4b5b6b7

After

Now we can move the sensitive parameters into the vault, prefixing them with vault_, and have parameters in the vars variables file refer to variables in the vault:

playbooks/group_vars/dbservers/vars variables file, after using vault: 

host : 0.0.0.0
port : 1234
database_username : root

# sensitive parameters:
database_password : {{ vault_database_password }}
slack_api_key : {{ vault_slack_api_key }}
github_api_key : {{ vault_github_api_key }}

playbooks/group_vars/dbservers/vault vault file: 

# sensitive parameters:
vault_database_password : strongPassword
vault_slack_api_key : a1a2a3a4a5a6a7
vault_github_api_key : b1b2b3b4b5b6b7

Flags


Defcon.png
Ansible
Ansible is a Python library for managing IT and compute infrastructure.

Ansible  · Category:Ansible


Ansible Configuration

Config file: Ansible/Configuration

Secrets and Sensitive Info: Ansible/Security  · Ansible/Vaults


Ansible Playbooks

Basics: Ansible/Playbooks

Examples: Ansible/Nginx Playbook (simple)  · Ansible/Full Stack Playbook (advanced)


Ansible Hosts and Inventory Control

All topics in Ansible Hosts: Ansible/Hosts

Splitting large host files into subfiles: Ansible/Splitting Hosts File

Automatically naming hosts: Ansible/Host Naming

Grouping Hosts: Ansible/Groups

Assigning Variables to Groups: Ansible/Group Variables

Roles: Ansible/Roles


Ansible and Vagrant (Local)

Ansible/Vagrant  · Ansible/Vagrant/Static Inventory  · Ansible/Vagrant/Dynamic Inventory


Ansible and EC2 (Cloud)

Ansible/EC2  · Ansible/EC2/Static Inventory  · Ansible/EC2/Dynamic Inventory


Best Practices

Ansible/Directory Layout  · Ansible/Directory Layout/Details

Ansible/Separate Playbooks by Role

Ansible/Tag Inventory with Environment

Ansible/Group by Distribution

Ansible/Variables and Vaults


Ansible Galaxy

Ansible/Galaxy


Flags  · Template:AnsibleFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Ansible/Variables_and_Vaults&oldid=25902"