Dynamically include vaulted vars within playbook only for certain hosts

Pete_Albrecht · February 21, 2017, 5:47pm

Greetings!

I’m trying to figure out the best way to dynamically include vaulted vars files in a playbook only for certain hosts. The situation is I’m building out production and pre-prod environments from a common playbook, including development (via vagrant) where the vault password will not be available. The vault password wont be distributed anywhere except for the build box. I tried using group_vars, but the problem I run into is ansible tries to decrypt vars files for other hosts when running the playbook in dev where the vault password is not available. The only work-around I could find is to make a task or role that sets those variables using set_fact, and only including that task in the hosts that need it. I’m wondering if there is a better way or if I’m doing it wrong.

`

Brian_Coca · February 28, 2017, 4:25pm

To include variables, use include_vars, not include (this only works
for plays or tasks).

Include_vars is always dynamic, so you just need a when:

- include_vars: vault_vars/ci_prod/vault.yml
when: myenv != 'dev'

# example when condition

Topic		Replies	Views
Can I specify ansible-password-vault-file in a playbook before running an include_vars ? Ansible Project	1	0	May 15, 2020
Feature idea: Adding a vault/ subdir to group_vars and host_vars Ansible Project	14	0	December 9, 2014
include_vars and include before hosts play i need to implement Ansible Project	1	0	October 3, 2016
How to include a variable vault in inventory.ini or ansible.cfg Get Help rhel9 , ansible-vault	6	46	December 9, 2024
Encrypted Password in Playbook Ansible Project	8	2	January 24, 2020

Dynamically include vaulted vars within playbook only for certain hosts

Related topics