ansible-vault: encrypting a single variable

Encrypting

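Things have been updated since my earlier post on ansible vault encryption. That said, if your existing setup is managed the way that post describes, migrating is a hassle, so I think it is fine to leave it as it is...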

Available since Ansible 2.3

http://docs.ansible.com/ansible/latest/playbooks_vault.html#single-encrypted-variable

Run the command and enter a password; it prints the result, which you then write into your vars.

[code lang=text]
astelnoMacBook-Pro% ansible-vault encrypt_string 'abc1234' --name 'db_root_user_password'
New Vault password:
Confirm New Vault password:
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
Encryption successful
astelnoMacBook-Pro%
[/code]

[code lang=text]
astelnoMacBook-Pro% cat group_vars/gcp.yml
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
astelnoMacBook-Pro%
[/code]

Since the value is encrypted, run the playbook with --ask-vault-pass as usual.

[code lang=text]
astelnoMacBook-Pro% ansible-playbook -i inventory/hosts site.yml -lgcp --ask-vault-pass -vv
ansible-playbook 2.4.1.0
  config file = /Users/astel/git/ansible/ansible.cfg
  configured module search path = [u'/Users/astel/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/2.4.1.0/libexec/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 2.7.14 (default, Sep 25 2017, 09:53:22) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
Using /Users/astel/git/ansible/ansible.cfg as config file
Vault password:

PLAYBOOK: site.yml ************************************************************
3 plays in site.yml

PLAY [all] ********************************************************************

TASK [Gathering Facts] ********************************************************
ok: [35.190.189.91]
META: ran handlers

TASK [common : echo test] *****************************************************
task path: /Users/astel/git/ansible/roles/common/tasks/main.yml:3
changed: [35.190.189.91] => {"changed": true, "cmd": "echo abc1234", "delta": "0:00:00.010303", "end": "2017-12-06 17:47:40.444694", "failed": false, "rc": 0, "start": "2017-12-06 17:47:40.434391", "stderr": "", "stderr_lines": [], "stdout": "abc1234", "stdout_lines": ["abc1234"]}

(rest omitted)
[/code]

abc1234 has been decrypted.

I can't think of a good way to check the value before running a playbook, but

[code lang=text]
astelnoMacBook-Pro% cat tmp.log
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
astelnoMacBook-Pro%
astelnoMacBook-Pro% cat tmp.log | sed -e '1d' | awk '{print $1}' > tmp2.log && ansible-vault view tmp2.log
Vault password:
abc1234
[/code]

something like this, maybe?

The point is that once the file is in this form, you can read it with view and similar commands.

[code lang=text]
$ANSIBLE_VAULT;1.1;AES256
30303761393337323465663139336562366635353932646238306532373637663137316430326531
3466353964613263313633303863326236363032313833360a303732363363316631393133656239
38393662303036333637386639306638346464393730376435346630396438383231363266643530
6562623432303930660a633662356134623562353033393532643139366235613861663031316430
6537
[/code]
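
The same check for a vars file that holds several variables, as an added example that is not part of the original post. `vault_extract` and `vault_view_var` are hypothetical helper names, and the code assumes top-level variables written in the `name: !vault |` form that `encrypt_string` prints.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes top-level variables
# written in the "name: !vault |" form that encrypt_string prints.

# vault_extract VAR FILE: print VAR's vault payload (header + hex lines) with
# the "VAR: !vault |" line and the indentation removed. Non-zero if not found.
vault_extract() {
    awk -v var="$1" '
        $1 == (var ":") && $2 == "!vault" { inblock = 1; next }
        inblock && /^[^ \t]/ { inblock = 0 }   # next top-level key ends the block
        inblock && NF {
            if ($1 ~ /^\$ANSIBLE_VAULT;/) seen = 1
            if (seen) print $1
        }
        END { exit !seen }
    ' "$2"
}

# vault_view_var VAR FILE [ansible-vault options]: decrypt one variable to the
# terminal. Only ciphertext is ever written to the temporary file.
vault_view_var() {
    var=$1 file=$2
    shift 2
    tmp=$(mktemp) || return 1
    if vault_extract "$var" "$file" > "$tmp"; then
        ansible-vault view "$@" "$tmp"; rc=$?
    else
        echo "no inline vault value for '$var' in $file" >&2; rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed vars file (the hex is a placeholder, not real ciphertext).
demo_vars=$(mktemp)
cat > "$demo_vars" <<'EOF'
db_user: root
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          61626364
          6566
api_token: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313233
EOF
vault_extract db_root_user_password "$demo_vars"   # payload of that variable only
rm -f "$demo_vars"
```

Call it as `vault_view_var db_root_user_password group_vars/gcp.yml --ask-vault-pass`; the trailing options are passed to `ansible-vault view` unchanged.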