I’m having a problem running ansible-lint, which in turn calls ansible-playbook --syntax-check, which then fails as it doesn’t have the Ansible vault password so any decryption fails.
The reason there’s no vault password is because this password decrypts some important secrets and this syntax check is running in CI as part of the build and I don’t want the CI to have this password.
Can I somehow get around this? There have been some open issues around this (like this one where bcoca says it’s fixed), but I can’t find a solution.
As a last resort, I’ll use a hotfix to Ansible like this one, but would rather not.
I’m guessing this would generate an unskippable load-failure error. ansible-lint -L -f full has this to say about that:
This violation is not skippable, so it cannot be added to the warn_list or the skip_list. If a vault decryption issue cannot be avoided, the offending file can be added to exclude_paths configuration.
Asking ansible-lint to blindly proceed in the face of missing vault passwords might cause “interesting” issues, but the suggestion — to explicitly exclude vaulted files from linting — may be the best option.
That doesn’t help if you have vaulted variable values (strings) in otherwise unvaulted vars files, which is the way I prefer my vaulted bits. But that may not be your problem. (?)
That doesn’t help if you have vaulted variable values
I have both, due to legacy reasons. At the moment, I prefer vaulted variable strings inside yaml files.
Would it be possible to have your CI pipeline stub in dummy values before running ansible-lint?
Yes. But first, I’m talking about ansible-lint only because I’m using it, but the error comes from ansible-playbook running the syntax check as explained above, so the linting problem is a second-order problem.
Right now, I do a super-dirty hot-patch to make ansible-lint work:
sed -i '751s/.*/ return (b"", vault_id_used, vault_secret_used)/' /usr/local/lib/python3.12/site-packages/ansible/parsing/vault/__init__.py
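A cleaner version of the "stub in dummy values before running ansible-lint" idea from earlier in the thread, as an added example (not code from this thread, from Ansible or from ansible-lint): a stdlib-only Python helper that CI runs on a scratch copy of the repository, replacing inline `!vault |` scalars with a placeholder string and whole-file vaults with an empty mapping, so neither ansible-lint nor the ansible-playbook --syntax-check it invokes ever needs the real vault password. The placeholder `CI_VAULT_STUB`, the `SAMPLE_VARS` vars file and the assumptions that vaulted values sit under simple unquoted keys and that whole-file vaults are vars files are all mine.

```python
"""Stub Ansible Vault material so ansible-lint (and the ansible-playbook --syntax-check it
runs) can lint a scratch checkout in CI without the real vault password. Added example."""
import re
import sys
from pathlib import Path

# Matches "key: !vault |" (also "|-" / "|+") for simple unquoted keys; group 1 keeps "key: ".
INLINE_VAULT = re.compile(r"^(\s*[A-Za-z_][\w.-]*:\s+)!vault\s*\|?[-+]?\s*$")
VAULT_HEADER = "$ANSIBLE_VAULT;"
STUB = '"CI_VAULT_STUB"'  # constructed placeholder; any plain string satisfies a syntax check

def stub_vault_text(text: str) -> str:
    """Return text with every vault-encrypted value replaced by STUB."""
    if text.lstrip().startswith(VAULT_HEADER):
        # Whole-file vault: assumed to be a vars file, so an empty mapping keeps it loadable.
        return "---\n{}\n"
    if "!vault" not in text:
        return text  # nothing to stub: leave the file byte-for-byte unchanged
    out, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = INLINE_VAULT.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        key_indent = len(lines[i]) - len(lines[i].lstrip())
        out.append(m.group(1) + STUB)
        i += 1
        # Drop the ciphertext block: every following non-blank line indented deeper than the key.
        while i < len(lines) and lines[i].strip() and len(lines[i]) - len(lines[i].lstrip()) > key_indent:
            i += 1
    return "\n".join(out) + "\n"

def stub_vault_dir(root: Path) -> int:
    """Rewrite every *.yml / *.yaml under root in place; return how many files changed."""
    changed = 0
    for path in sorted(list(root.rglob("*.yml")) + list(root.rglob("*.yaml"))):
        text = path.read_text(encoding="utf-8")
        new = stub_vault_text(text)
        if new != text:
            path.write_text(new, encoding="utf-8")
            changed += 1
    return changed

SAMPLE_VARS = ("---\ndb_user: app\ndb_password: !vault |\n"  # constructed sample vars file
               "          $ANSIBLE_VAULT;1.1;AES256\n          CONSTRUCTEDCIPHERTEXT\n"
               "db_port: 5432\n")

if __name__ == "__main__":  # CI: cp -r repo scratch && python stub_vault.py scratch && ansible-lint scratch
    print(f"stubbed {stub_vault_dir(Path(sys.argv[1]))} file(s)")
```

Because the stubbed values are plain strings, the syntax check still sees every variable defined, while the real checkout and the vault password never reach the CI runner.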