We use Ansible to orchestrate our software deployments across multiple tiers of servers, and as with all automated tools we need to pass passwords and other sensitive information to these plays.
Ansible uses “Vault” for this, so you can store your passwords and other security-relevant parameters in encrypted form – however, a major drawback of this solution is that the entire file is encrypted, so version control shows a 100% change when a single value is updated.
As we use Puppet for configuration management, we use the Ruby gem “hiera-eyaml” to do exactly this for our parameters there: store encrypted values inside an otherwise unencrypted file.
Intrigued by this, we went looking for a way to couple hiera-eyaml with Ansible and use the same great feature there.
During this search we stumbled upon this repository on GitHub – https://github.com/cmstokoe/ansible-filter-eyaml – which implements pretty much what we want: hiera-eyaml for Ansible using Ansible’s “filter” feature, which lets you derive a value from a variable and a defined transformation (the filter).
Its only flaw was that it did not allow us to specify the path to the keys used for encryption and decryption.
Therefore we modified the script to suit our wishes:
- it now expects an “eyaml.yml” next to itself containing two parameters: the path to the public key and the path to the private key to be used
And thanks to open source we could give back our upgrade by creating a Pull Request.
- According to this piece of documentation – http://docs.ansible.com/ansible/playbooks_vault.html#single-encrypted-variable – Ansible will have a similar feature in version 2.3 whose release is planned for March/April 2017
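To make the key-path mechanism described above concrete, here is an added example of such a filter plugin. It is not the code from the cmstokoe repository or from our pull request; the parameter names `public_key` and `private_key` inside `eyaml.yml`, the filter name `eyaml`, and the tiny config parser are assumptions made for this example (a real plugin would use PyYAML, which Ansible already depends on). Decryption is delegated to the `eyaml` command line tool from hiera-eyaml, and the `runner` argument exists only so the plugin can be exercised without the tool installed. Values that are not of the form `ENC[PKCS7,...]` are passed through unchanged, which is what lets a mixed file of plain and encrypted values keep working.

```python
"""Ansible filter plugin (added example) that decrypts hiera-eyaml values.

Drop this file into a ``filter_plugins/`` directory next to an ``eyaml.yml``
that holds the key paths (key names assumed for this example):

    public_key: /etc/eyaml/public_key.pkcs7.pem
    private_key: /etc/eyaml/private_key.pkcs7.pem

Then in a play: ``db_password: "{{ vars_db_password | eyaml }}"``.
"""
import os
import re
import subprocess

CONFIG_NAME = "eyaml.yml"                     # assumed sidecar file name
CONFIG_KEYS = ("public_key", "private_key")   # assumed parameter names
# hiera-eyaml wraps ciphertext as ENC[PKCS7,<base64>]; whitespace may appear
# inside when the value was written as a folded YAML block.
ENC_RE = re.compile(r"^ENC\[PKCS7,([A-Za-z0-9+/=\s]+)\]$")


def parse_config(text):
    """Minimal reader for the two ``key: value`` lines of eyaml.yml.

    Comments (``# ...``) and blank lines are ignored; surrounding quotes are
    stripped.  Raises ValueError when either key path is missing so that a
    misconfigured control node fails loudly instead of silently returning
    ciphertext to the play.
    """
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        config[key.strip()] = value.strip().strip("'\"")
    missing = [k for k in CONFIG_KEYS if k not in config]
    if missing:
        raise ValueError("eyaml.yml is missing: %s" % ", ".join(missing))
    return config


def load_config(directory=None):
    """Read eyaml.yml from ``directory`` (default: next to this plugin file)."""
    directory = directory or os.path.dirname(os.path.abspath(__file__))
    with open(os.path.join(directory, CONFIG_NAME)) as fh:
        return parse_config(fh.read())


def is_encrypted(value):
    """True only for strings that look like a hiera-eyaml PKCS7 blob."""
    return isinstance(value, str) and ENC_RE.match(value) is not None


def build_decrypt_command(config, value):
    """Argument vector for the hiera-eyaml CLI; the key paths come from config."""
    return [
        "eyaml", "decrypt",
        "--pkcs7-public-key", config["public_key"],
        "--pkcs7-private-key", config["private_key"],
        "--string", value,
    ]


def run_eyaml(cmd):
    """Execute the eyaml CLI; only ciphertext goes on the command line,
    the plaintext comes back on stdout and is never written anywhere."""
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def eyaml_decrypt(value, config=None, runner=run_eyaml):
    """Filter body: decrypt ENC[PKCS7,...] values, pass everything else through."""
    if not is_encrypted(value):
        return value
    config = config or load_config()
    return runner(build_decrypt_command(config, value))


class FilterModule(object):
    """Entry point Ansible looks for in every file under filter_plugins/."""

    def filters(self):
        return {"eyaml": eyaml_decrypt}
```

Two practical points when running this for real: the private key referenced in `eyaml.yml` should be readable only by the user running the play on the control node, and because the filter returns plaintext into a normal variable, a run with `-vvv` or a careless `debug` task will print it, so treat such output as sensitive.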