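Encrypting
Things have been updated since my earlier post on ansible vault encryption. That said, if your existing setup is managed the way that post describes, migrating is a hassle, so I think leaving it as is would be fine...
Available from Ansible 2.3: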
http://docs.ansible.com/ansible/latest/playbooks_vault.html#single-encrypted-variable
Run the command and enter a password; it prints the result, which you then write into your vars.
[code lang=text]
astelnoMacBook-Pro% ansible-vault encrypt_string 'abc1234' --name 'db_root_user_password'
New Vault password:
Confirm New Vault password:
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
Encryption successful
astelnoMacBook-Pro%
[/code]
[code lang=text]
astelnoMacBook-Pro% cat group_vars/gcp.yml
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
astelnoMacBook-Pro%
[/code]
Because the value is encrypted, run the playbook with --ask-vault-pass as usual.
[code lang=text]
astelnoMacBook-Pro% ansible-playbook -i inventory/hosts site.yml -lgcp --ask-vault-pass -vv
ansible-playbook 2.4.1.0
config file = /Users/astel/git/ansible/ansible.cfg
configured module search path = [u'/Users/astel/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/2.4.1.0/libexec/lib/python2.7/site-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 2.7.14 (default, Sep 25 2017, 09:53:22) [GCC 4.2.1 Compatible Apple LLVM 9.0.0 (clang-900.0.37)]
Using /Users/astel/git/ansible/ansible.cfg as config file
Vault password:
PLAYBOOK: site.yml ************************************************************************************************************************************************************************************************************************************************************* 3 plays in site.yml
PLAY [all] *********************************************************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] *********************************************************************************************************************************************************************************************************************************************************
ok: [35.190.189.91]
META: ran handlers
TASK [common : echo test] ******************************************************************************************************************************************************************************************************************************************************
task path: /Users/astel/git/ansible/roles/common/tasks/main.yml:3
changed: [35.190.189.91] => {"changed": true, "cmd": "echo abc1234", "delta": "0:00:00.010303", "end": "2017-12-06 17:47:40.444694", "failed": false, "rc": 0, "start": "2017-12-06 17:47:40.434391", "stderr": "", "stderr_lines": [], "stdout": "abc1234", "stdout_lines": ["abc1234"]}
(snip)
[/code]
abc1234 has been decrypted.
For checking a value before running the playbook, I can't think of a nice way, but
[code lang=text]
astelnoMacBook-Pro% cat tmp.log
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30303761393337323465663139336562366635353932646238306532373637663137316430326531
          3466353964613263313633303863326236363032313833360a303732363363316631393133656239
          38393662303036333637386639306638346464393730376435346630396438383231363266643530
          6562623432303930660a633662356134623562353033393532643139366235613861663031316430
          6537
astelnoMacBook-Pro%
astelnoMacBook-Pro% cat tmp.log | sed -e '1d' | awk '{print $1}' > tmp2.log && ansible-vault view tmp2.log
Vault password:
abc1234
[/code]
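something like this, perhaps?
The point is that once the value is in the following form, you can read it with `ansible-vault view` and similar commands.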
[code lang=text]
$ANSIBLE_VAULT;1.1;AES256
30303761393337323465663139336562366635353932646238306532373637663137316430326531
3466353964613263313633303863326236363032313833360a303732363363316631393133656239
38393662303036333637386639306638346464393730376435346630396438383231363266643530
6562623432303930660a633662356134623562353033393532643139366235613861663031316430
6537
[/code]
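The sed/awk one-liner above only works when the file holds a single variable. The following is an added example, not part of the original post, that generalizes it to pick one inline-vault variable by name out of a vars file with several entries and hand it to `ansible-vault view` through a temporary file that is removed afterwards. The function names, the temp-file name and the sample file are assumptions made for illustration, and it assumes the variable is a top-level `name: !vault |` entry.

```shell
#!/bin/sh
# Added example: the function names and the sample file are hypothetical.

extract_vault_var() {   # usage: extract_vault_var VARS_FILE VAR_NAME
    awk -v name="$2" '
        # The line that opens the block scalar for the requested variable.
        $1 == (name ":") && $2 == "!vault" { found = 1; capture = 1; next }
        # Indented lines are the vault envelope; $1 drops the indentation.
        capture && /^[ \t]+[^ \t]/ { print $1; next }
        # Anything else (next key, blank line) ends the block.
        { capture = 0 }
        END { exit !found }
    ' "$1"
}

view_vault_var() {      # usage: view_vault_var VARS_FILE VAR_NAME
    tmp=$(mktemp "${TMPDIR:-/tmp}/vaultvar.XXXXXX") || return 1
    if extract_vault_var "$1" "$2" > "$tmp"; then
        ansible-vault view "$tmp"      # prompts for the vault password
        rc=$?
    else
        echo "no inline vault value named $2 in $1" >&2
        rc=1
    fi
    rm -f "$tmp"                       # do not leave the copy behind
    return "$rc"
}

# Constructed sample file; the hex lines are placeholders, not a real payload.
write_sample_vars() {   # usage: write_sample_vars PATH
    cat > "$1" <<'EOF'
db_user: root
db_root_user_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313233
          3435
db_port: 3306
EOF
}

# Demo on the constructed sample: prints the three un-indented envelope lines.
sample=$(mktemp "${TMPDIR:-/tmp}/vaultvar.XXXXXX") && write_sample_vars "$sample"
extract_vault_var "$sample" db_root_user_password
rm -f "$sample"
```

Against a real file, for example `view_vault_var group_vars/gcp.yml db_root_user_password`, the decrypted value is printed to the terminal, so run it where the scrollback is not being recorded.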