Ansible-Vault filter, module extensions

j1f0x · May 4, 2020, 11:48am

I’d like to have a possibilty to generate vault file from within ansible playbooks.

The particular problem is to fetch sensitive data for remote host and store this data encrypted on the local host.

on pypy ansible-vault is available, so there is no need to duplicatie the functionality of encryption and decryption.

What do you think about

Implementing a filter plugin

set_fact:
encrypted_data: “{{ my_data | to_vault(‘~/.vault/ansible-vault’) }}”

Extend Modules ‘copy’, ‘fetch’ to allow encryption during copy
encrypt: [ src | dest ]

What are your thougths about that?

KR
Josef

afeller · May 4, 2020, 11:57am

Interesting idea but I’d imagine going with a custom module instead of a filter plugin as you’d potentially want to store / update multiple variables within the vault.

Some logistical questions to ask yourself in your implementation:

Does this module support vault ids?
Can the password of the vault be the same or different from one used with running ansible itself?
Does this overwrite the vault with subsequent calls or should it merge new variables with existing content? Does it provide an option to overwrite?
Lastly, I recommend looking at the Ansible code the interacts with vaults to see which modules you can import to make this happen without boiling the ocean.

HTH,
Andy

j1f0x · May 5, 2020, 2:21am

Hi Andy

Thanks for feedback. I’m going to analyse all the stuff.

Josef

Topic		Replies	Views
Is there a module that can encrypt a file with vault in tasks? Ansible Project	2	0	October 19, 2022
edit/create encrypted vars in python script (vault encrypt_string) Ansible Developer	6	1	September 6, 2022
References for using Ansible-Vault's APIs in a Python script Get Help ansible-vault	4	187	May 8, 2024
Ansible Vault is now merged into devel (1.5) Ansible Project	9	0	February 20, 2014
Is there a task/module to create a vaulted file? Ansible Project	4	0	May 28, 2024

Ansible-Vault filter, module extensions

Related topics