Essential storage and file template

I have a file on my local machine that I want to upload to a remote server. It contains confidential information that I do not want to expose in my VCS. It also has some text that I need to replace dynamically (for now as Jinja2 "{{ }}" placeholders).

If I use the copy module, the file is decrypted when it is uploaded, but obviously the placeholders are not replaced.

If I use the template module, it does not decrypt the file and so it is uploaded in encrypted form (and the placeholders are not replaced either, because the encryption obscures them).

How can I both template and un-vault a file when deploying it to the remote server?

+4

4 answers

As mentioned in the comments, you can put your secrets in variables and render them in templates at deployment time, but if for some reason you want to keep your entire template secret, there are workarounds.

Processing Encrypted Templates

As a workaround, you can temporarily decrypt the template locally and, after deployment, delete the decrypted file using local_action. Suppose your encrypted template is template.enc in the role's templates directory.

---

- name: Decrypt template
  local_action: "shell {{ view_encrypted_file_cmd }} {{ role_path }}/templates/template.enc > {{ role_path }}/templates/template"
  changed_when: False

- name: Deploy template
  template:
    src=templates/template
    dest=/home/user/file

- name: Remove decrypted template
  local_action: "file path={{ role_path }}/templates/template state=absent"
  changed_when: False

Note the changed_when: False on the local actions: it keeps the playbook idempotent, so these helper tasks never report a change. The view_encrypted_file_cmd variable is defined in group_vars/all.yml:

group_vars/all.yml

---

view_encrypted_file_cmd: "ansible-vault --vault-password-file {{ lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE') }} view"

Alternative: keep the secret in an encrypted variable and render it from a plain template. For example, a private key:

var.yml

---

my_private_key: |
  YOUR KEY
  asfdlsafkj
  asdlkfjasf

templates/private_key.j2

{{ private_key }}

/main.yml

---

- template:
    src: templates/private_key.j2
    dest: /home/user/.ssh/id_rsa
    mode: '0600'   # a private key must not be readable by other users
  vars:
    private_key: "{{ my_private_key }}"

Or use the pipe lookup with the content parameter of copy:

---

- copy:
    dest: /your/dest
    # the lookup runs on the control node; content receives the decrypted text
    content: "{{ lookup('pipe', 'ansible-vault --vault-password-file path/to/pass_file view path/to/file.enc') }}"
  no_log: true   # keep the decrypted content out of the task output and diff
+9
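The first workaround above writes the decrypted template into the role's templates directory, inside the working tree, and only removes it if the playbook reaches the cleanup task. The following is an added example (not code from the answer or from Ansible) of the same decrypt-render-delete pattern done with a temporary file created with mode 0600 outside the repository and removed in a finally block, so a failed render leaves no plaintext behind. The ansible_vault_view function shells out to the same ansible-vault view command the answer uses; run_demo() uses a constructed stand-in decryptor and a constructed FAKE_VAULT store instead, so it runs without Ansible installed. render_file is a minimal {{ name }} substitution standing in for the template module; the paths and variable names are assumptions.

```python
import os
import re
import subprocess
import tempfile
from typing import Callable, Dict

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_file(src_path: str, variables: Dict[str, str]) -> str:
    """Stand-in for the template module: read src_path, substitute {{ name }}."""
    with open(src_path, encoding="utf-8") as f:
        text = f.read()

    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"undefined template variable: {name}")
        return str(variables[name])

    return PLACEHOLDER.sub(sub, text)


def ansible_vault_view(enc_path: str, password_file: str) -> bytes:
    """Real decryptor: the same command as the answer's view_encrypted_file_cmd.
    Not called by run_demo(), so the example runs without ansible installed."""
    proc = subprocess.run(
        ["ansible-vault", "--vault-password-file", password_file, "view", enc_path],
        check=True, capture_output=True)
    return proc.stdout


def deploy_vaulted_template(enc_path: str, variables: Dict[str, str],
                            decrypt: Callable[[str], bytes],
                            tmp_dir: str = None) -> str:
    """Decrypt enc_path into a short-lived 0600 temp file (outside the repo),
    render it, and delete the plaintext copy even if rendering raises."""
    plaintext = decrypt(enc_path)
    fd, tmp_path = tempfile.mkstemp(prefix="vaulted-", dir=tmp_dir)  # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(plaintext)
        return render_file(tmp_path, variables)
    finally:
        os.unlink(tmp_path)  # runs on success and on failure alike


# Constructed sample "vault", keyed by .enc path (assumption; not real ciphertext).
FAKE_VAULT = {
    "roles/app/templates/template.enc":
        b"db_host = {{ db_host }}\ndb_pass = s3cr3t-from-vault\n",
}


def fake_decrypt(enc_path: str) -> bytes:
    """Stand-in for ansible_vault_view() so the demo needs no Ansible."""
    return FAKE_VAULT[enc_path]


def run_demo(tmp_dir: str = None) -> Dict[str, object]:
    """Exercise the success path and a failing render; report any leftovers."""
    tmp_dir = tmp_dir or tempfile.mkdtemp(prefix="vault-demo-")
    enc = "roles/app/templates/template.enc"
    rendered = deploy_vaulted_template(enc, {"db_host": "db1.internal"}, fake_decrypt, tmp_dir)
    failed = False
    try:
        deploy_vaulted_template(enc, {}, fake_decrypt, tmp_dir)  # db_host undefined -> KeyError
    except KeyError:
        failed = True
    return {
        "rendered": rendered,
        "failed_render_raised": failed,
        "plaintext_left_behind": len(os.listdir(tmp_dir)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The demo's last field is the one worth watching: after one successful and one failed deployment the temporary directory is empty, which is exactly what the playbook version only guarantees when the "Remove decrypted template" task actually runs.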

Building on fishi's answer: use copy instead of template and keep the content in an encrypted variable.

vars.yml (encrypted with ansible-vault):

encrypted_content: |
  foo = {{ bar }}
  password = abcabc
  ...

Task:

- name: Save encrypted template
  copy:
    content: "{{ encrypted_content }}"
    dest: /path/to/destination

Separate encrypted YAML file

If vars.yml should stay readable, put only the encrypted content in a separate file, vars/encrypted.yml:

encrypted_content: |
  foo = {{ bar }}
  password = abcabc
  ...

Tasks:

- name: Read encrypted variable file
  include_vars: encrypted.yml
  no_log: true

- name: Save encrypted template
  copy:
    content: "{{ encrypted_content }}"
    dest: /path/to/destination
+2

Simply use copy with an ansible-vault encrypted file.

Example: copy hello.vault to hello.txt. The secret content is WORLD and the vault password is 1234.

1. Create hello.vault:
$ ansible-vault create hello.vault
New Vault password: 1234
Confirm New Vault password: 1234
## Then input your secret and exit the editor ##
WORLD

$ cat hello.vault
$ANSIBLE_VAULT;1.1;AES256
39653932393834613339393036613931393636663638636331323034653036326237373061666139
6434373635373065613135633866333733356532616635640a663739306639326535336637616138
39666462343737653030346463326464333937333161306561333062663164313162376564663262
3533393839633466300a666661303363383265613736376564623465613165656531366331366664
6436
2. Put the vault password in vault.key:
1234
3. Copy the file to the webserver (and check it):
ansible webserver -i inventory --vault-password-file=vault.key \
        -m copy -a "src=hello.vault dest=hello.txt"

ansible webserver -i inventory -m command -a "cat hello.txt"
WORLD
0
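The session above shows what a vault-encrypted file looks like on disk: a $ANSIBLE_VAULT;1.1;AES256 header line followed by hex-encoded payload lines. Since the whole point of the question is keeping plaintext secrets out of the VCS, the following added example (not code from the answers or from Ansible) parses that envelope header and audits a directory tree for files that should be vaulted but are not: a decrypted copy left beside its .enc (the failure mode of the first answer's workaround), a .vault/.enc or vars/encrypted.yml file that is plaintext, a malformed vault payload, or an unvaulted file containing a private-key or password marker. The file-name conventions in MUST_BE_VAULTED, the SECRET_MARKERS, and the sample tree built by build_sample_tree() are constructed assumptions; the hex payloads in the sample are made up and decrypt to nothing.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

VAULT_MAGIC = "$ANSIBLE_VAULT"
HEX_LINE = re.compile(r"^[0-9a-f]+$")
# Files this page's playbooks expect to be vaulted (assumed naming convention).
MUST_BE_VAULTED = re.compile(r"(\.vault|\.enc|(^|/)vars/encrypted\.yml)$")
# Crude plaintext-secret markers (assumption; extend for your own conventions).
SECRET_MARKERS = (b"PRIVATE KEY-----", b"password =")


@dataclass
class VaultHeader:
    version: str
    cipher: str
    vault_id: Optional[str]   # present only in the 1.2 header format


def parse_vault_header(data: bytes) -> Optional[VaultHeader]:
    """Parse the vault envelope: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
    followed by hex payload lines. Returns None for a non-vault file and
    raises ValueError for a file that claims to be a vault but is malformed."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.splitlines()
    if not lines or not lines[0].startswith(VAULT_MAGIC + ";"):
        return None
    fields = lines[0].split(";")
    if len(fields) not in (3, 4):
        raise ValueError(f"malformed vault header: {lines[0]!r}")
    body = [line for line in lines[1:] if line]
    if not body or not all(HEX_LINE.match(line) for line in body):
        raise ValueError("vault payload is not hex-encoded")
    return VaultHeader(fields[1], fields[2], fields[3] if len(fields) == 4 else None)


def audit_tree(root: str) -> List[str]:
    """Return sorted findings for files under root that leak or mislabel secrets."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            try:
                header = parse_vault_header(data)
            except ValueError as e:
                findings.append(f"{rel}: {e}")
                continue
            if header is not None:
                continue  # properly vaulted
            if os.path.exists(path + ".enc"):
                findings.append(f"{rel}: plaintext copy left beside {rel}.enc")
            elif MUST_BE_VAULTED.search(rel):
                findings.append(f"{rel}: expected a vault-encrypted file but it is plaintext")
            elif any(marker in data for marker in SECRET_MARKERS):
                findings.append(f"{rel}: contains a plaintext secret marker and is not vaulted")
    return sorted(findings)


def _write(root: str, rel: str, content: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(content)


def build_sample_tree() -> str:
    """Constructed sample role tree; the hex payloads are made up, not real ciphertext."""
    root = tempfile.mkdtemp(prefix="vault-audit-")
    fake_hex = "39653932393834613339393036613931\n6434373635373065613135633866\n"
    _write(root, "hello.vault", "$ANSIBLE_VAULT;1.1;AES256\n" + fake_hex)
    _write(root, "vars/encrypted.yml", "$ANSIBLE_VAULT;1.2;AES256;prod\n" + fake_hex)
    _write(root, "templates/template.enc", "$ANSIBLE_VAULT;1.1;AES256\n" + fake_hex)
    _write(root, "templates/template", "foo = {{ bar }}\npassword = abcabc\n")  # leftover
    _write(root, "templates/private_key.j2", "{{ private_key }}\n")             # fine
    _write(root, "id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n")     # unvaulted key
    _write(root, "bad.vault", "$ANSIBLE_VAULT;1.1;AES256\nnot hex at all\n")   # malformed
    _write(root, "README.md", "# app role\n")
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

Run as a pre-commit hook over the role directory, the audit catches the leftover templates/template that the first answer's cleanup task would otherwise have to remove, and it does so without ever decrypting anything.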
