abdullah/EX407-Ansible-Automation
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

using vaults in playbook

Browse Source
This commit is contained in:
Ilgar_Naghiyev
2020-03-12 13:49:26 +01:00
parent c28761ee63
commit 59764e7271
1 changed files with 72 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
README.md
View File

@@ -52,9 +52,9 @@ Red Hat Certified Specialist in Ansible Automation (EX407) Preparation Course
- [Parallelism in Ansible](#parallelism-in-ansible) - [Parallelism in Ansible](#parallelism-in-ansible)
- [Use Ansible Vault in Playbooks to Protect Sensitive Data](#use-ansible-vault-in-playbooks-to-protect-sensitive-data) - [Use Ansible Vault in Playbooks to Protect Sensitive Data](#use-ansible-vault-in-playbooks-to-protect-sensitive-data)
- [The Ansible-Vault Command](#the-ansible-vault-command) - [The Ansible-Vault Command](#the-ansible-vault-command)
- [Using Vaults in Playbooks](#using-vaults-in-playbooks)
## Understanding Core Components of Ansible ## Understanding Core Components of Ansible
### Understanding Core Components of Ansible Part 1 ### Understanding Core Components of Ansible Part 1
This series of lessons lays the foundation for the remainder of the course content. Through a combination of lecture and command line demonstration, Students will gain a broad overview of Ansible. This particular lesson, focuses on Ansible inventories. This series of lessons lays the foundation for the remainder of the course content. Through a combination of lecture and command line demonstration, Students will gain a broad overview of Ansible. This particular lesson, focuses on Ansible inventories.
@@ -1786,3 +1786,72 @@ meaning: !vault |
Encryption successful Encryption successful
``` ```
### Using Vaults in Playbooks
- We have following a playbook for testing:
```
---
- hosts: localhost
vars_files:
- /home/cloud_user/secure
tasks:
- name: Output message
shell: echo {{ message }} > /home/cloud_user/deployed.txt
```
- let's create simple file with `password` word inside:
```
[cloud_user@innaghiyev2c ~]$ cat vault
password
```
- `ansible-vault encrypt --vault-id prod@vault secure` - encrypt `secure` file by labeling it as a `prod` and using file `vault` we recently created
```
[cloud_user@innaghiyev2c ~]$ ansible-vault encrypt --vault-id prod@vault secure
Encryption successful
```
- `secure` file looks like that now:
```
[cloud_user@innaghiyev2c ~]$ cat secure
$ANSIBLE_VAULT;1.2;AES256;prod
64366564623135316434353863666465646330626435613865363839626565353738363861336134
6234353734313535623764393439666463613831356434310a336365663839393465333535313061
64303464336666343739373736653162333866663733393930646366643031326239616538316665
3963616365336631610a623566666265306432316435303032383435336165613432343761353165
66336333366632353166643638663865366231356430333034663135343266633636
```
- Let's try to run our `vault.yml` playbook
```
[cloud_user@innaghiyev2c ~]$ ansible-playbook vault.yml
ERROR! Attempting to decrypt but no vault secrets found
```
- Same command, but with `vault-id` providing.
```
[cloud_user@innaghiyev2c ~]$ ansible-playbook vault.yml --vault-id prod@vault
```
- If we run playbook with `-v` - verbose key. We will see content of the encrypted file
```
changed: [localhost] => {"changed": true, "cmd": "echo I am a walrus"
```
- That can be prevented by using simple `no_log: True` string.
```
---
- hosts: localhost
vars_files:
- /home/cloud_user/secure
tasks:
- name: Output message
shell: echo {{ message }} > /home/cloud_user/deployed.txt
no_log: true
```
- Now output of the playbook will look like that:
```
TASK [Output message] **********************************************************************************
changed: [localhost] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": true}
```