With regard to your wanting to continue gracefully after trying to import 
an encrypted file... This is kind of a gross hack, but it might be a 
starting point. Specifically, you might consider putting a comment in the 
top of the unencrypted form of the secured vars file:

---
#secret

password: cool

Then use a call to get that comment line and register it as an Ansible 
variable, and use that variable to complete the import filename.

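# untested sed on line 2 only
# -n with the p flag prints line 2 only when the substitution matched,
# so stdout is either "secret" or empty (never the whole file)
- shell: chdir={{ secret_stuff_folder }} sed -n -e '2s/#secret/secret/p' mysql_accounts.yml
  register: comment

# include_vars is the task-level module for loading a vars file
- include_vars: "{{ item }}"
  with_first_found:
    - secured_settings/vars/mysql_accounts.yml.{{ comment.stdout }}
    - secured_settings/vars/dummy.yml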

If the file was unencrypted, the var will finish the file's real name and 
it will be imported. If the file is encrypted, sed won't match and either 
the filename will be incomplete or it'll try to import some gibberish file 
like 
mysql_accounts.yml.lkj37&6DS^@##*&#@EJHhddfjjh337kldfs3r8y&YFYFAsdjfkeljdhd 
(and then in either case will import dummy.yml instead, which would be 
unencrypted, but blank).

HTH,
Mark


On Saturday, January 25, 2014 2:08:14 PM UTC-6, Brent Langston wrote:
>
> So here's the story:
>
> My team is managing some of our secure settings using a set of variables 
> stored in a file, and encrypted using git-crypt.  This has been working 
> great under the push model, because we all have the key, and have the 
> secret yaml files decrypted.
>
> I've rolled out ansible-pull, and obviously, the secret yaml files are 
> unreadable in the pull model.  In my playbook, I have:
>
>   vars_files:
>     - secured_settings/vars/mysql_accounts.yml.secret
>
> and when ansible-pull triggers, I get an error:
>
> ERROR: Could not parse YAML. Check over 
> /opt/ansible/secured_settings/vars/mysql_accounts.yml.secret again.
>
> Obviously this error is true, and valid; the file is encrypted.  What I'd 
> like to figure out is how I can continue the playbook, ignoring this error. 
>  Any tasks depending on these variables have conditionals checking to see 
> that the variable is defined, so it's not a big deal to do a run without 
> these variables in place.
>
> I could move these tasks and secured settings out into a totally separate 
> playbook, but I figured I'd ask here to see if there was an option to skip 
> an include if there is a problem.
>
> Thanks
> Brent
>
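
Added example, not part of the original thread: the marker check from the reply above, written as a shell helper that picks which vars file a pull run should import. It goes beyond the line-2 marker by first checking for the header git-crypt puts on encrypted files (the 10 bytes \0GITCRYPT\0), so ciphertext is never fed to text tools. The function names and sample files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: pick_vars_file,
# make_samples, and the sample file names below.

# Print the vars file that is safe to import.
# $1 = secret vars file, $2 = plaintext fallback (dummy.yml in the thread)
pick_vars_file() {
    secret=$1
    fallback=$2
    chosen=$fallback
    if [ -r "$secret" ]; then
        # git-crypt ciphertext begins with the 10 bytes \0GITCRYPT\0.
        # Drop the NULs so the shell can compare what is left.
        magic=$(dd if="$secret" bs=10 count=1 2>/dev/null | tr -d '\000')
        if [ "$magic" != "GITCRYPT" ]; then
            # Thread's marker: line 2 of the decrypted file is "#secret".
            # Exact match on the whole line, not a substring.
            if [ "$(sed -n '2p' "$secret")" = "#secret" ]; then
                chosen=$secret
            fi
        fi
    fi
    printf '%s\n' "$chosen"
}

# Build constructed sample files in directory $1.
make_samples() {
    printf '%s\n' '---' '#secret' '' 'password: cool' > "$1/decrypted.yml.secret"
    # Constructed stand-in for ciphertext: header plus arbitrary bytes.
    printf '\000GITCRYPT\000\001\002\003\n#secret\n' > "$1/locked.yml.secret"
    # Plaintext without the marker on line 2.
    printf '%s\n' '---' 'password: cool' > "$1/unmarked.yml.secret"
    printf '%s\n' '---' > "$1/dummy.yml"
}

# Demo: one chosen path per case (the "missing" file does not exist).
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in decrypted locked unmarked missing; do
    pick_vars_file "$demo_dir/$f.yml.secret" "$demo_dir/dummy.yml"
done
rm -rf "$demo_dir"
```

Only the decrypted, marked file is selected; the encrypted, unmarked and missing cases all resolve to the blank dummy file.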
