Hi Drew, 

I appreciate the suggestion to use the ansible.builtin.fetch module instead of 
the copy module, and I am trying to use ansible-vault with the command module 
to encrypt and decrypt the data. As you rightly said, managing the 
password secret will be a challenge.
Ansible-vault has a vault feature which can handle the vault secret 
properly on the network.

Once again, thank you very much for the valuable suggestion; it really helps 
me to decide what is the best module to be used.

Thanks 
Deepak B Kumar



On Wednesday, March 13, 2024 at 9:01:43 PM UTC+5:30 Drew Northup wrote:

> Hi Deepak,
> I would suggest using the vault mechanism to securely store the encryption 
> secret if possible, so the process can be fully automated. That will also 
> allow safe storage of any other confidential information needed by the 
> playbook. As for handling of the log files, copy normally only pushes from 
> the controller to the remote and therefore you likely want to use something 
> else. If those logs are small then using "ansible.builtin.slurp" to get the 
> content, filtering that with the "vault" filter, and then saving that 
> locally using a local_action delegated copy task may be an option. A more 
> flexible method would use "ansible.builtin.fetch" to copy to a local 
> ramdisk, encrypt locally via a "local_action" task using native cli tools 
> (such as gpg or the command-line version of Ansible vault), and then save 
> someplace appropriate via a "local_action" task using 
> "ansible.builtin.copy".
> I hope you find this helpful.
>
> On Tue, Mar 12, 2024 at 6:33 AM Deepak B K <deep...@gmail.com> wrote:
>
>> Hi Drew,
>>
>> I appreciate your reply. The customer requirement is that the secret key 
>> should be on the Ansible controller, the VM/endpoint logs are copied to 
>> the controller, and encryption is done on the controller. I explored the copy 
>> module, which has an encrypt option that can help out in the process. But for 
>> the decryption I will need to use ansible-vault.
>>
>> ---
>> - hosts: localhost
>>   gather_facts: false
>>
>>   vars_prompt:
>>     - name: vault_secret
>>       prompt: Please enter the password to encrypt the file
>>       default: v3rys3cr3t
>>       private: true
>>
>>   vars:
>>     vault_file: secret.log
>>
>>   tasks:
>>     - name: In-place (re)encrypt file {{ vault_file }}
>>       ansible.builtin.copy:
>>         content: "{{ lookup('ansible.builtin.file', vault_file) | ansible.builtin.vault(vault_secret) }}"
>>         dest: "{{ vault_file }}"
>>         decrypt: false
>>
>> Thanks
>> Deepak B Kumar  
>>
>> On Monday, March 11, 2024 at 10:43:15 PM UTC+5:30 Drew Northup wrote:
>>
>>> Hi Deepak,
>>> You're going to need a different opener for this can of worms, as 
>>> Ansible Vault is meant for protecting confidential information that needs 
>>> to be pushed out to the endpoint being configured and not for pulling 
>>> information back to the controller for encryption nor is it meant for 
>>> encryption in-place on the endpoint node.
>>> So that the community can better help you, are you looking to encrypt log 
>>> files in place on the configured endpoint node (host, VM, container, etc.) 
>>> or are you looking to have the log files encrypted on the controller at the 
>>> end of the playbook run? (Or, perhaps, are they the same host?)
>>>
>>>
>>> On Monday, March 11, 2024 at 5:06:21 AM UTC-4 Deepak B K wrote:
>>>
>>> Hi All, 
>>>
>>> I need a recommendation on encryption and decryption of generated log 
>>> files during playbook execution. I was going through the Ansible 
>>> documentation and I don't see any module except the use of ansible-vault. I 
>>> appreciate your advice.
>>>
>>>
>>> There is a module to decrypt the log file:
>>> - ansible.builtin.debug: msg="the value of foo.log is {{ lookup('ansible.builtin.unvault', '/etc/foo.log') | string | trim }}"
>>>
>>> Thanks 
>>> Deepak
>>>
>>> -- 
>> You received this message because you are subscribed to a topic in the 
>> Google Groups "Ansible Project" group.
>> To unsubscribe from this topic, visit 
>> https://groups.google.com/d/topic/ansible-project/dCaCdMq9TAE/unsubscribe
>> .
>> To unsubscribe from this group and all its topics, send an email to 
>> ansible-proje...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/e0e93ea5-4a4f-4d44-8e50-97edad1ef5a5n%40googlegroups.com.
>>
>
>
> -- 
> ---------------------------------+--------------------------------------
> Drew Northup                     |          Technical Support Specialist
> University of Maine System       |                drew.n...@maine.edu
> Computing Center                 |             old phone: (207) 561-3513
> Orono, ME 04469                  |             new phone: (207) 581-3513
>
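
Added example, not part of the thread and not code from any participant: a playbook sketch of the slurp, "vault" filter and delegated copy approach described in the quoted reply, with the encryption secret kept in a vault-encrypted vars file so the run needs no prompt. The inventory group `endpoints`, the file `vars/log_secret.yml`, the variable `log_encryption_secret` and all paths are assumptions.

```yaml
---
# Added example; group name, variable names and paths are hypothetical.
- name: Pull small logs and store them vault-encrypted on the controller
  hosts: endpoints              # hypothetical inventory group
  gather_facts: false

  vars_files:
    # Hypothetical file, itself encrypted with `ansible-vault encrypt`.
    # It defines log_encryption_secret, so nothing is prompted or hardcoded.
    - vars/log_secret.yml

  vars:
    remote_log: /var/log/app/run.log                      # hypothetical remote path
    local_archive: "{{ playbook_dir }}/encrypted_logs"    # hypothetical local directory

  tasks:
    - name: Create a per-host archive directory on the controller
      ansible.builtin.file:
        path: "{{ local_archive }}/{{ inventory_hostname }}"
        state: directory
        mode: "0700"
      delegate_to: localhost

    - name: Read the log into memory (slurp returns base64-encoded content)
      ansible.builtin.slurp:
        src: "{{ remote_log }}"
      register: slurped_log
      no_log: true              # keep log content out of task output

    - name: Encrypt on the controller and write only ciphertext to disk
      ansible.builtin.copy:
        # Templating runs on the controller, so the secret never reaches the endpoint.
        content: "{{ slurped_log.content | b64decode | ansible.builtin.vault(log_encryption_secret) }}"
        dest: "{{ local_archive }}/{{ inventory_hostname }}/{{ remote_log | basename }}.vault"
        mode: "0600"
        decrypt: false          # write the vault envelope as-is instead of decrypting it
      delegate_to: localhost
      no_log: true              # the rendered arguments include the secret
```

The plaintext log exists only in task memory on the controller; the stored file can be read back with `ansible-vault view` given the same secret.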
