On 03/21/14 17:57, ralov...@gmail.com wrote: > > Well, it will work, but this is still a workaround. You still have > to maintain two files and edit them both for a single addition. > Also, it becomes more complicated if you have repeated variable > names and values. > > It is a trick, no doubt > But it's simple, pretty straightforward and self documented. > We use it everyday and don't feel any overhead because of it. Maybe the fact that you try flattening/namespacing your vars as much as possible, as you are suggesting in your article, helps you in keeping the complexity of your vault files in sane levels. This is not going to be the case with people that prefer to have a more hierarchical representation of their data (dicts nesting other dicts and lists, with possible repeating identifiers).
> Passwords are not edited so often, and in the end not that many. > > > For example, how much complexity you have to introduce in your > separate vault file in order to handle a simple variable file like > the following ? > > Of course, you end up duplicating your password entries. > But with a consistent convention it's painless. Besides duplication of data entry and the increased difficulty coming with writing vault-files for data with varying hierarchal representation, there is also another important feature missing from ansible-vault that your workaround cannot handle too: Auditing capabilities. You still cannot tell whether a specific secret has changed and by whom. A structure that allows the provability of the source of a security breach is quite important, especially in environments that need to conform to security standards. > > > Unfortunately, the Ansible team has not (yet) given an answer on > whether a command-line option to enable a simple syntax for > leaf-node encryption mode would be considered for ansible-vault > (keeping the current whole-file encryption mode as the default > mode). There was a feature request for this mode and discussion by > many people _before_ vault's release and it seems it is still > desired by people _after_ vault's release. > > > I read the thread at the time, and agreed that leaf encryption was a > better way, > but since we use this, I really don't feel it's that necessary, on a > day to day usage. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/532C8A3D.6030702%40yahoo.gr. For more options, visit https://groups.google.com/d/optout.
