I use Ansible to handle endpoint differences for different environments. This is done using variables and the ansible-xml extension.
For example, I have a task named "endpoints.yml" in a role called "myapp". This task sets many configuration parameters in the configuration files, replacing the variables.
/roles/myapp/tasks/endpoints.yml
-> set value in app config file to: {{ db_user }}
-> set value in app config file to: {{ db_password }}
Since my non-prod environments use one endpoint, the values for these variables are set in the role's defaults file:
/roles/myapp/defaults/main.yml
-> db_user: myuser_ro
-> db_password: some_password
For the prod environment, I override the defaults with group_vars (as these take precedence):
/environments/prod/group_vars/myapp_servers
-> db_user: produser_ro
-> db_password: some_other_password
All this works great and allows us to use a single playbook/role for all environments. However, I want to start using Ansible Vault to move the password values out of these files and into an encrypted file.
However, there will still be different values for prod and non-prod. I can create a new "vars" file in the role called "pass.yml", encrypt it using Ansible Vault, and then reference it using an "include_vars: pass.yml" task.
But this does not explain how I take into account the need to use different (encrypted) variables for different environments.
Any suggestions?
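
One layout that fits the setup described above, added here as an illustration and not taken from the original post: keep the variable names the role already uses, and have each environment supply its own vault-encrypted value through an indirection variable. The names vault_db_password, vars.yml, vault.yml, environments/dev, site.yml and the vault-id labels are assumptions, as is converting the group_vars/myapp_servers file into a directory.

```yaml
# Layout sketch (assumed names: vault_db_password, vars.yml, vault.yml, environments/dev).
# The group_vars/myapp_servers file becomes a directory; Ansible loads every file in it.
#
# roles/myapp/defaults/main.yml : plaintext, shared by all environments
db_user: myuser_ro
db_password: "{{ vault_db_password }}"   # indirection; the secret itself lives in a vault file
---
# environments/prod/group_vars/myapp_servers/vars.yml : plaintext prod overrides
db_user: produser_ro
---
# environments/prod/group_vars/myapp_servers/vault.yml : contents BEFORE encryption
# (constructed placeholder value). Encrypt with:
#   ansible-vault encrypt --vault-id prod@prompt environments/prod/group_vars/myapp_servers/vault.yml
vault_db_password: CHANGE_ME_prod
---
# environments/dev/group_vars/myapp_servers/vault.yml : same key, non-prod value
#   ansible-vault encrypt --vault-id dev@prompt environments/dev/group_vars/myapp_servers/vault.yml
vault_db_password: CHANGE_ME_nonprod
---
# After encryption each vault.yml starts with a header line such as
#   $ANSIBLE_VAULT;1.2;AES256;prod
# Run with the matching inventory and vault id (site.yml is a hypothetical playbook name):
#   ansible-playbook -i environments/prod site.yml --vault-id prod@prompt
```

With this layout the tasks in endpoints.yml keep referencing {{ db_password }} unchanged, and no include_vars task is needed because the inventory selects which vault file is loaded. Using a separate vault id per environment means the non-prod vault password cannot decrypt the prod file.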