My team is managing some of our secure settings using a set of variables stored in a file, and encrypted using git-crypt. This has been working great under the push model, because we all have the key, and have the secret yaml files decrypted.
I’ve rolled out ansible-pull, and obviously, the secret yaml files are unreadable in the pull model. In my playbook, I have:
    vars_files:
      - secured_settings/vars/mysql_accounts.yml.secret
and when ansible-pull triggers, I get an error:
ERROR: Could not parse YAML. Check over /opt/ansible/secured_settings/vars/mysql_accounts.yml.secret again.
Obviously this error is true, and valid; the file is encrypted. What I’d like to figure out is how I can continue the playbook, ignoring this error. Any tasks depending on these variables have conditionals checking to see that the variable is defined, so it’s not a big deal to do a run without these variables in place.
I could move these tasks and secured settings out into a totally separate playbook, but I figured I’d ask here to see if there was an option to skip an include if there is a problem.
With regard to your wanting to continue gracefully after trying to import an encrypted file… This is kind of a gross hack, but it might be a starting point. Specifically, you might consider putting a comment in the top of the unencrypted form of the secured vars file:
    #secret
    password: cool
Then use a call to get that comment line and register it as an Ansible variable, and use that variable to complete the import filename.
    # untested: sed on line 1 only, where the marker comment lives; -n with /p prints just the matching line
    - shell: chdir={{ secret_stuff_folder }} sed -n '1s/^#secret$/secret/p' mysql_accounts.yml
      register: comment
If the file was unencrypted, the var will finish the file’s real name and it will be imported. If the file is encrypted, sed won’t match and either the filename will be incomplete or it’ll try to import some gibberish file like mysql_accounts.yml.lkj37&6DS^@##*&#@EJHhddfjjh337kldfs3r8y&YFYFAsdjfkeljdhd (and then in either case will import dummy.yml instead, which would be unencrypted, but blank).
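A cleaner way to get the same effect as the marker-comment hack, as an added example that is not code from the question or the answer above: instead of letting `vars_files` abort the run, check whether the file is still git-crypt ciphertext and only `include_vars` it when it is readable. It assumes the file path from the question (`secured_settings/vars/mysql_accounts.yml.secret`, relative to the playbook) and that the file defines a `mysql_accounts` list; it also assumes git-crypt ciphertext starts with the 10 magic bytes `\0GITCRYPT\0`, so a decrypted YAML file (which cannot begin with a NUL byte) never matches that header.

```yaml
---
# Added example, not from the original post: make the git-crypt-managed vars
# file optional by testing for the ciphertext header before loading it.
#
# Assumptions (not stated on the page):
#   * the file lives at secured_settings/vars/mysql_accounts.yml.secret next to
#     this playbook, as in the question, and defines a list named mysql_accounts;
#   * git-crypt ciphertext begins with the 10 bytes "\0GITCRYPT\0".
- hosts: localhost
  connection: local
  vars:
    secret_vars_file: "{{ playbook_dir }}/secured_settings/vars/mysql_accounts.yml.secret"
    # hex encoding of "\0GITCRYPT\0"
    git_crypt_magic: "00474954435259505400"

  pre_tasks:
    - name: Check that the secret vars file is present in this checkout
      stat:
        path: "{{ secret_vars_file }}"
      register: secret_file

    - name: Read its first 10 bytes as hex (the git-crypt magic header is 10 bytes)
      # od -An -tx1 prints each byte as hex; tr strips the spacing so the result
      # is a single string that can be compared with git_crypt_magic.
      shell: |
        LC_ALL=C head -c 10 '{{ secret_vars_file }}' | od -An -tx1 | tr -d ' \n'
      register: secret_header
      changed_when: false
      when: secret_file.stat.exists

    - name: Decide whether the file is usable plaintext
      # 'and' short-circuits, so secret_header.stdout is only read when the file exists
      set_fact:
        secret_vars_decrypted: "{{ secret_file.stat.exists and secret_header.stdout != git_crypt_magic }}"

    - name: Load the secured settings only when the checkout is decrypted
      include_vars:
        file: "{{ secret_vars_file }}"
      when: secret_vars_decrypted | bool

    - name: Say so when a pull run proceeds without the secrets
      debug:
        msg: "secured settings skipped: {{ secret_vars_file }} is missing or still encrypted"
      when: not (secret_vars_decrypted | bool)

  tasks:
    - name: Create MySQL accounts (no-op on hosts that could not load the vars)
      # default([]) keeps the loop itself from failing on an undefined variable
      debug:
        msg: "would create MySQL account {{ item.name }}"
      loop: "{{ mysql_accounts | default([]) }}"
```

Run it with the same `ansible-pull` invocation as the existing playbook; on a checkout without the git-crypt key the include is skipped with a visible message, and every task that consumes `mysql_accounts` simply does nothing. If you would rather not inspect the header at all, an `include_vars` task with `ignore_errors: yes` also lets the run continue past an unparseable file, at the cost of a red "failed" line in every pull run on an undecrypted checkout.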