Is there any Ansible module to encrypt a log file during playbook execution?

Hi All,

I need a recommendation for encrypting and decrypting generated log files during playbook execution. I was going through the Ansible documentation and I don’t see any module except the use of ansible-vault. I appreciate your advice.

There is a module to decrypt the log file:

  - ansible.builtin.debug: msg="the value of foo.log is {{ lookup('ansible.builtin.unvault', '/etc/foo.log') | string | trim }}"

Thanks
Deepak

Hi Deepak,
You’re going to need a different opener for this can of worms, as Ansible Vault is meant for protecting confidential information that needs to be pushed out to the endpoint being configured and not for pulling information back to the controller for encryption nor is it meant for encryption in-place on the endpoint node.
So that the community can better help you, are you looking to encrypt log files in place on the configured endpoint node (host, VM, container, etc.) or are you looking to have the log files encrypted on the controller at the end of the playbook run? (Or, perhaps, are they the same host?)

Hi Drew,

I appreciate your reply. The customer requirement is that the secret key should be on the Ansible controller, the VM/endpoint logs are copied to the controller, and encryption is done on the controller. I explored the copy module; it has an encrypt option which can help out in the process. But for the decryption I will need to use ansible-vault.

Hi Deepak,
I would suggest using the vault mechanism to securely store the encryption secret if possible, so the process can be fully automated. That will also allow safe storage of any other confidential information needed by the playbook. As for handling of the log files, copy normally only pushes from the controller to the remote and therefore you likely want to use something else. If those logs are small then using “ansible.builtin.slurp” to get the content, filtering that with the “vault” filter, and then saving that locally using a local_action delegated copy task may be an option. A more flexible method would use “ansible.builtin.fetch” to copy to a local ramdisk, encrypt locally via a “local_action” task using native cli tools (such as gpg or the command-line version of Ansible vault), and then save someplace appropriate via a “local_action” task using “ansible.builtin.copy”.
I hope you find this helpful.
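
The fetch, encrypt locally, then copy workflow suggested in the reply above, written out as a playbook. This is an added example, not part of the original thread; the host group, every path, and the vault password file are assumptions.

```yaml
---
# Added example. Host group, paths and password file are hypothetical.
- name: Pull a log from each endpoint and encrypt it on the controller
  hosts: app_servers                       # hypothetical inventory group
  gather_facts: false
  vars:
    remote_log: /var/log/foo.log           # hypothetical log on the endpoint
    staging_dir: /dev/shm/ansible-logs     # ramdisk (tmpfs) on the controller
    archive_dir: /srv/log-archive          # hypothetical final location
    vault_pass_file: /etc/ansible/log.pass # secret stays on the controller
    staged: "{{ staging_dir }}/{{ inventory_hostname }}.log"
  tasks:
    - name: Create private staging and archive directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        mode: "0700"
      loop: ["{{ staging_dir }}", "{{ archive_dir }}"]
      delegate_to: localhost
      run_once: true

    - name: Fetch, encrypt and archive; always remove the staged copy
      block:
        - name: Fetch the log into the ramdisk
          ansible.builtin.fetch:
            src: "{{ remote_log }}"
            dest: "{{ staged }}"
            flat: true

        - name: Encrypt the staged file in place with ansible-vault
          ansible.builtin.command:
            argv: [ansible-vault, encrypt, --vault-password-file,
                   "{{ vault_pass_file }}", "{{ staged }}"]
          delegate_to: localhost
          changed_when: true

        - name: Save the ciphertext to the archive
          ansible.builtin.copy:
            src: "{{ staged }}"
            dest: "{{ archive_dir }}/{{ inventory_hostname }}.log.vault"
            mode: "0600"
          delegate_to: localhost
      always:
        - name: Remove the staged file even if a step above failed
          ansible.builtin.file:
            path: "{{ staged }}"
            state: absent
          delegate_to: localhost
```

The archived file can be read back on the controller with `ansible-vault view --vault-password-file` and the same password file, or with the `ansible.builtin.unvault` lookup shown in the first post.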

Hi Drew,

I appreciate the suggestion to use the ansible.builtin.fetch module instead of the copy module, and I am trying to use ansible-vault with the command module to encrypt and decrypt the data. As you rightly said, managing the password secret will be a challenge.
Ansible-vault has a vault feature which can handle the vault secret properly on the network.

Once again, thank you very much for the valuable suggestion; it really helps me to decide what is the best module to be used.

Thanks
Deepak B Kumar