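Encrypting
This has been updated since my earlier post, "ansible vault encryption".
But if your existing setup is managed the way that post describes, migrating is a hassle, so I think leaving it as is would be fine...
Available since Ansible 2.3:
http://docs.ansible.com/ansible/latest/playbooks_vault.html#single-encrypted-variable
Run the command and enter a password; it prints the result, which you then write into your vars.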
    astelnoMacBook-Pro% ansible-vault encrypt_string 'abc1234' --name 'db_root_user_password'
    New Vault password:
    Confirm New Vault password:
    db_root_user_password: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              30303761393337323465663139336562366635353932646238306532373637663137316430326531
              3466353964613263313633303863326236363032313833360a303732363363316631393133656239
              38393662303036333637386639306638346464393730376435346630396438383231363266643530
              6562623432303930660a633662356134623562353033393532643139366235613861663031316430
              6537
    Encryption successful
    astelnoMacBook-Pro%

    astelnoMacBook-Pro% cat group_vars/gcp.yml
    ---
    db_root_user_password: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              30303761393337323465663139336562366635353932646238306532373637663137316430326531
              3466353964613263313633303863326236363032313833360a303732363363316631393133656239
              38393662303036333637386639306638346464393730376435346630396438383231363266643530
              6562623432303930660a633662356134623562353033393532643139366235613861663031316430
              6537
    astelnoMacBook-Pro%
Because the value is encrypted, pass --ask-vault-pass as usual when you run the playbook.
    astelnoMacBook-Pro% ansible-playbook -i inventory/hosts site.yml -lgcp --ask-vault-pass -vv
    ansible-playbook 2.4.1.0
      config file = /Users/astel/git/ansible/ansible.cfg
      configured module search path = [u'/Users/astel/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/Cellar/ansible/2.4.1.0/libexec/lib/python2.7/site-packages/ansible
      executable location = /usr/local/bin/ansible-playbook
      python version = 2.7.14 (default, Sep 25 2017, 09:53:22) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
    Using /Users/astel/git/ansible/ansible.cfg as config file
    Vault password:

    PLAYBOOK: site.yml ************************************************************
    3 plays in site.yml

    PLAY [all] ********************************************************************

    TASK [Gathering Facts] ********************************************************
    ok: [35.190.189.91]
    META: ran handlers

    TASK [common : echo test] *****************************************************
    task path: /Users/astel/git/ansible/roles/common/tasks/main.yml:3
    changed: [35.190.189.91] => {"changed": true, "cmd": "echo abc1234", "delta": "0:00:00.010303", "end": "2017-12-06 17:47:40.444694", "failed": false, "rc": 0, "start": "2017-12-06 17:47:40.434391", "stderr": "", "stderr_lines": [], "stdout": "abc1234", "stdout_lines": ["abc1234"]}
    (rest omitted)
abc1234 has been decrypted.
I can't think of a good way to check the value before running a playbook, but maybe:
    astelnoMacBook-Pro% cat tmp.log
    db_root_user_password: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              30303761393337323465663139336562366635353932646238306532373637663137316430326531
              3466353964613263313633303863326236363032313833360a303732363363316631393133656239
              38393662303036333637386639306638346464393730376435346630396438383231363266643530
              6562623432303930660a633662356134623562353033393532643139366235613861663031316430
              6537
    astelnoMacBook-Pro%
    astelnoMacBook-Pro% cat tmp.log | sed -e '1d' | awk '{print $1}' > tmp2.log && ansible-vault view tmp2.log
    Vault password:
    abc1234
Something like that?
The point is that if you run view (or similar) on the value in this form, you can see it:
    $ANSIBLE_VAULT;1.1;AES256
    30303761393337323465663139336562366635353932646238306532373637663137316430326531
    3466353964613263313633303863326236363032313833360a303732363363316631393133656239
    38393662303036333637386639306638346464393730376435346630396438383231363266643530
    6562623432303930660a633662356134623562353033393532643139366235613861663031316430
    6537
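
An added example, not from the original post: the sed/awk extraction above written in Python 3 so that it works on a vars file with several variables, plus a check of the vault 1.1 envelope that needs no password. The function names and the `plain_setting` line are made up for the illustration; the encrypted block is the one shown in the post.

```python
import binascii
import re

# group_vars/gcp.yml as shown in the post, plus one constructed plain variable.
SAMPLE_VARS = """---
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
plain_setting: 8080
"""
HEADER = "$ANSIBLE_VAULT;1.1;AES256"


def extract_inline_vaults(text):
    """Return {variable name: vault text} for every top-level `name: !vault |` block."""
    found, name = {}, None
    for line in text.splitlines():
        start = re.match(r"^([A-Za-z_]\w*):\s*!vault\s*\|", line)
        if start:
            name = start.group(1)
            found[name] = []
        elif name and line[:1] in (" ", "\t") and line.strip():
            found[name].append(line.strip())  # drop the YAML block indentation
        else:
            name = None  # a blank or unindented line ends the block
    return {k: "\n".join(v) + "\n" for k, v in found.items()}


def inspect_envelope(vault_text):
    """Check header and layout without the password; return field sizes in bytes."""
    header, *body = vault_text.split()
    if header != HEADER:
        raise ValueError("unexpected vault header: %r" % header)
    # The body is hex of three hex fields joined by newlines: salt, HMAC, ciphertext.
    fields = binascii.unhexlify("".join(body)).split(b"\n")
    if len(fields) != 3:
        raise ValueError("expected salt, HMAC and ciphertext fields")
    salt, mac, ciphertext = (binascii.unhexlify(f) for f in fields)
    return {"salt": len(salt), "hmac": len(mac), "ciphertext": len(ciphertext)}


if __name__ == "__main__":
    for var, blob in extract_inline_vaults(SAMPLE_VARS).items():
        print(var, inspect_envelope(blob))
```

Writing one of the returned values to a file gives the same form as tmp2.log above, which `ansible-vault view` accepts.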