Setting Environment Variables for inventory scripts from vault.

I’m working with digital ocean and I would really like to wrap our DO keys we use for deployment in a vault. I also want to use digital ocean for my inventory. Unfortunately the inventory is instantiated before any playbook processing…

https://github.com/ansible/ansible/blob/devel/bin/ansible-playbook#L150

The only workaround I can think of offhand is to write a module to load the inventory at runtime and run it from a bastion host, like when provisioning cloud servers, or modify ansible-playbook to parse the playbooks first, looking for attempts to set environment, then instantiate the inventory.

I can easily get the digital ocean hosts at runtime, I’ve already modified the digital_ocean module to do that. It looks like it should be pretty easy, not sure if library modules can BYPASS_HOST_LOOP.

Any suggestions or ideas?

Hmmmmm.

So currently vault processes any data files that go through Ansible’s generic loader, but the INI files the various inventory scripts read don’t do that and are generic.

Currently in Ansible Tower (no Digital Ocean support yet) we have some other magic to keep cloud credentials secure but shareable via small groups, but that won’t help you here right now.

I’m guessing this one will be hard-ish. It would require making vault-lib work with INI files and then making all the INI file reading in all the inventory plugins be able to use that common function.

The idea that you could modify the inventory script is a good one, taking a parameter like DO_CONFIG_FILE and then requiring that to be set, and reading from there, could allow everybody to use something with permissions associated on it.
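A sketch of what that suggestion looks like in a dynamic inventory script, added here as an example (it is not code from the thread or from Ansible's own digital_ocean inventory script): the token comes only from the file named by DO_CONFIG_FILE, the script refuses files readable by group or others, and the droplet list is constructed sample data standing in for an API response. The INI section and key names (`[digital_ocean]`, `api_token`) and the group layout are assumptions.

```python
#!/usr/bin/env python3
"""Dynamic-inventory skeleton: API token read from the file named by DO_CONFIG_FILE."""
import configparser
import json
import os
import stat
import sys

ENV_VAR = "DO_CONFIG_FILE"  # parameter name suggested in the reply above


def load_token(path):
    """Read [digital_ocean] api_token from an INI file, refusing loose permissions."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond owner bits is too open
        raise PermissionError(f"{path} must not be group/world accessible (mode {mode:o})")
    cfg = configparser.ConfigParser()
    cfg.read(path)
    token = cfg.get("digital_ocean", "api_token", fallback="").strip()
    if not token:
        raise ValueError(f"no api_token found in {path}")
    return token


def build_inventory(droplets):
    """Turn droplet dicts (shaped like an API listing) into Ansible's inventory JSON."""
    inv = {"_meta": {"hostvars": {}}}
    for d in droplets:
        name, ip = d["name"], d["ip_address"]
        inv["_meta"]["hostvars"][name] = {"ansible_host": ip, "do_id": d["id"]}
        for group in ("region_" + d["region"], "all_droplets"):
            inv.setdefault(group, {"hosts": []})["hosts"].append(name)
    return inv


SAMPLE_DROPLETS = [  # constructed sample data; a real script would call the API here
    {"id": 1, "name": "web-1", "ip_address": "203.0.113.10", "region": "nyc3"},
    {"id": 2, "name": "db-1", "ip_address": "203.0.113.20", "region": "nyc3"},
]


def main():
    path = os.environ.get(ENV_VAR)
    if not path:
        sys.exit(f"{ENV_VAR} is not set; refusing to fall back to a hard-coded key")
    token = load_token(path)  # would be handed to the DigitalOcean API client
    print(json.dumps(build_inventory(SAMPLE_DROPLETS), indent=2))


if __name__ == "__main__":
    main()
```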