Includes from a secured file - can we continue if the file is unreadable?

So here’s the story:

My team is managing some of our secure settings using a set of variables stored in a file, and encrypted using git-crypt. This has been working great under the push model, because we all have the key, and have the secret yaml files decrypted.

I’ve rolled out ansible-pull, and obviously, the secret yaml files are unreadable in the pull model. In my playbook, I have:

vars_files:
  - secured_settings/vars/mysql_accounts.yml.secret

and when ansible-pull triggers, I get an error:

ERROR: Could not parse YAML. Check over /opt/ansible/secured_settings/vars/mysql_accounts.yml.secret again.

Obviously this error is true, and valid; the file is encrypted. What I’d like to figure out is how I can continue the playbook, ignoring this error. Any tasks depending on these variables have conditionals checking to see that the variable is defined, so it’s not a big deal to do a run without these variables in place.

I could move these tasks and secured settings out into a totally separate playbook, but I figured I’d ask here to see if there was an option to skip an include if there is a problem.

Thanks
Brent

Not really going to be a way to do this with ansible-pull.

When we do the vault feature for 1.5 we can think about how ansible-pull might pass in a vault password, but it’s got to come from somewhere.

With regard to your wanting to continue gracefully after trying to import an encrypted file… This is kind of a gross hack, but it might be a starting point. Specifically, you might consider putting a comment in the top of the unencrypted form of the secured vars file:

#secret
password: cool

Then use a call to get that comment line and register it as an Ansible variable, and use that variable to complete the import filename.

Untested; the sed acts on line 2 only:

  - shell: chdir={{ secret_stuff_folder }} sed -n -e '2s/#secret/secret/p' mysql_accounts.yml
    # -n plus the p flag so stdout holds only the rewritten line, not the whole file
    register: comment

  - vars_files: "{{ item }}"
    with_first_found:
      - secured_settings/vars/mysql_accounts.yml.{{ comment.stdout }}
      - secured_settings/vars/dummy.yml

If the file was unencrypted, the var will finish the file’s real name and it will be imported. If the file is encrypted, sed won’t match and either the filename will be incomplete or it’ll try to import some gibberish file like mysql_accounts.yml.lkj37&6DS^@##*&#@EJHhddfjjh337kldfs3r8y&YFYFAsdjfkeljdhd (and then in either case will import dummy.yml instead, which would be unencrypted, but blank).

HTH,
Mark

oops…typo…that’d be:

  - shell: chdir={{ secret_stuff_folder }} sed -n -e '2s/#secret/secret/p' mysql_accounts.yml.secret
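A different way to get the same "skip if still encrypted" behaviour, as an added example that is not code from the thread, from Ansible, or from git-crypt: instead of grepping for a marker comment, test for the fixed 10-byte header git-crypt writes at the start of every encrypted blob, and hand the playbook either the real file or a blank fallback. The file names, the dummy.yml fallback and the include_vars wiring in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: detect a still-encrypted git-crypt vars
# file before a playbook tries to parse it as YAML, and fall back to a blank
# vars file instead of failing the run.
#
# git-crypt prefixes every encrypted blob with the 10-byte header
# "\0GITCRYPT\0"; in hex that is 00 47 49 54 43 52 59 50 54 00.
GITCRYPT_HEADER_HEX=00474954435259505400

# is_git_crypt_encrypted FILE
#   exit 0 when FILE starts with the git-crypt header, 1 otherwise
#   (a missing or unreadable file also yields 1).
is_git_crypt_encrypted() {
    header=$(head -c 10 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$header" = "$GITCRYPT_HEADER_HEX" ]
}

# pick_vars_file FILE FALLBACK
#   print FILE when it is readable plaintext, otherwise print FALLBACK.
#   Assumed playbook wiring (not from the thread):
#     - shell: pick_vars_file secured_settings/vars/mysql_accounts.yml.secret secured_settings/vars/dummy.yml
#       register: vars_path
#     - include_vars: "{{ vars_path.stdout }}"
pick_vars_file() {
    if [ -r "$1" ] && ! is_git_crypt_encrypted "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2"
    fi
}
```

Checking the header rather than attempting a parse keeps the decision explicit: ciphertext is never fed to the YAML loader, and a file that is missing, unreadable or encrypted all resolve to the same blank fallback, so the tasks guarded by "is the variable defined" skip exactly as the question intends.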