Every item in group_vars/ is named to match a group name. These items can 
be either files (my_group, my_group.yml) or directories (my_group/). If it 
is a directory, then it works similarly to a .d/ directory where all of the 
files in that dir are imported.

These are equivalent structures:

1. One file:
group_vars/group1.yml
---
var1: val1
var2: val2




2. One Directory:
group_vars/group1/arbitrary_file1.yml
---
var1: val1

group_vars/group1/arbitrary_file2.yml
---
var2: val2


In my playbooks, I tend to make the all group a dir so that I can better 
organize those vars and use the filenames as a sort of documentation or 
comment.
group_vars/
├── all
│   ├── defaults.yml
│   ├── definitions.yml
│   ├── lookups.yml
│   ├── servers.yml
│   └── users.yml
├── arista.yml



I have also found it best to keep sensitive vars in separate files (whether 
or not I encrypt them in a vault) using the group_vars dir structure.

My problem with vault is that you need the password to unlock it and if you 
are checking things into git, then everyone has to use the same password to 
unlock the vault, so now you have to deal with how to tell people what that 
password is and what to do when it changes, etc.

So, in my playbooks, I store sensitive vars in a secure datastore where I 
can control who has access to read and write. Then, instead of locking the 
vars in a vault, I use a lookup which is able to use the local user's 
personal creds for auth.

e.g.
group_vars/all/lookups.yml
---
## Vars I don't want to store in git
enpass: "{{ lookup('hss', 'enpass', objid='ans_vars.json') }}"
snmpro: "{{ lookup('hss', 'snmpro', objid='ans_vars.json') }}"




On Thursday, March 31, 2016 at 7:18:12 AM UTC-4, Mark Matthews wrote:
>
> Hi guys
>
> Thank you so much for all your feedback. Getting a little confused as to 
> what to do now though.
>
> Do I create the following folder /etc/ansible/group_vars/all and just copy 
> all the files into that folder? Will that solve the problem?
>
> Jon - I'm not exactly sure what you mean by, "into a separate file and 
> vault that, then use the child groups mechanism to include the var in 
> whatever groups you need."
>
>
> Can you not just have one vault file with all variables that you want 
> secure, and then just refer to those variables in all your playbooks?
>
> Cheers
>
>
>
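
Added example, not part of the original message or of Ansible itself: a check that walks both group_vars layouts described above (one file per group, or one directory per group) and reports secret-looking variables stored as plain literals instead of behind a lookup or a vault. The name pattern, the function names and the sample files are assumptions constructed for illustration; the lookup line is only scanned as text, never evaluated.

```python
import os
import re
import tempfile

# Assumption: name fragments that hint at a secret; tune for your inventory.
SECRET_NAME = re.compile(r"pass|secret|token|key|snmp", re.I)
TOP_LEVEL_VAR = re.compile(r"^([A-Za-z_]\w*):\s*(.*)$")

def audit_group_vars(root):
    """Return sorted (relative_path, var) for secret-looking vars stored as literals."""
    findings = []
    # os.walk covers both layouts: <group>.yml and <group>/*.yml
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                lines = fh.read().splitlines()
            if lines and lines[0].startswith("$ANSIBLE_VAULT;"):
                continue  # whole file is vault-encrypted
            for line in lines:
                m = TOP_LEVEL_VAR.match(line)
                if not m or not SECRET_NAME.search(m.group(1)):
                    continue
                value = m.group(2).split(" #")[0].strip().strip("'\"").strip()
                # Empty (nested value), Jinja2 expression (lookup) or inline !vault: skip.
                if not value or value.startswith(("{{", "!vault")):
                    continue
                findings.append((os.path.relpath(path, root), m.group(1)))
    return sorted(findings)

def build_sample(root):
    """Write constructed sample files (not taken from the original post)."""
    files = {
        "all/lookups.yml": "---\nenpass: \"{{ lookup('hss', 'enpass', objid='ans_vars.json') }}\"\n",
        "all/defaults.yml": "---\nntp_server: 192.0.2.10\nsnmpro: constructed-community\n",
        "arista.yml": "---\nenpass: constructed-plaintext\n",
        "vaulted.yml": "$ANSIBLE_VAULT;1.1;AES256\n6162636465\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, var in audit_group_vars(tmp):
            print(f"{path}: {var} is stored as a literal")
```

The scan is line-based and only inspects top-level keys, so secrets nested inside mappings or block scalars need a real YAML parser to catch.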
