Is there a way to have both encrypted and nonencrypted host vars?

佛祖请我去吃肉 2021-02-15 01:46

If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inven

4 answers
  •  一向 (original poster)
    2021-02-15 02:36

    As it turns out, host_vars- and group_vars-files might be directories in actuality. That is, instead of creating host_vars/example.com one might create host_vars/example.com/vault and host_vars/example.com/vars. All the files residing in the directory are read. Which settles it.

    Additionally, the best practice is to store sensitive variables prefixed with vault_ in the vault file, and reassign them to non-prefixed variables in the vars file. Like so:

    vault:

    vault_mysql_password: '...'
    

    vars:

    mysql_password: '{{ vault_mysql_password }}'
    

    That way, you'll be able to find encrypted variables with grep, or any similar tool.
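
The layout and `vault_` naming convention from the answer above can be checked mechanically before a commit. The following is an added example, not part of the original answer: it assumes a `host_vars/<host>/` directory per host with the encrypted file named `vault`, and the host names, sample values and function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this
VAULT_DEF = re.compile(r"^(vault_\w+)\s*:", re.M)      # top-level "vault_x:" definition
VAULT_REF = re.compile(r"\{\{\s*(vault_\w+)\s*\}\}")   # "{{ vault_x }}" reference

def audit_host_vars(root):
    """Return (host, file, problem) tuples for a host_vars/ tree of per-host directories."""
    findings = []
    for host_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        has_encrypted, refs = False, set()
        for f in sorted(p for p in host_dir.iterdir() if p.is_file()):
            text = f.read_text(encoding="utf-8", errors="replace")
            if text.startswith(VAULT_HEADER):
                has_encrypted = True  # ciphertext, nothing more to inspect
                continue
            if f.stem == "vault":  # assumed file name, as in the answer
                findings.append((host_dir.name, f.name, "vault file is not encrypted"))
            for name in VAULT_DEF.findall(text):
                findings.append((host_dir.name, f.name, f"{name} defined in plaintext"))
            refs.update(VAULT_REF.findall(text))
        if refs and not has_encrypted:
            findings.append((host_dir.name, "-", "vault_ variables referenced but no encrypted file"))
    return findings

def build_sample_tree(root):
    """Constructed sample: one correct host, one whose vault file was left in plaintext."""
    files = {
        "good.example.com/vault": "$ANSIBLE_VAULT;1.1;AES256\n<constructed placeholder, not real ciphertext>\n",
        "good.example.com/vars": "mysql_password: '{{ vault_mysql_password }}'\n",
        "bad.example.com/vault": "vault_mysql_password: 'constructed-secret'\n",
        "bad.example.com/vars": "mysql_password: '{{ vault_mysql_password }}'\n",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_host_vars(tmp):
            print(*finding, sep=": ")
```

Because encrypted files cannot be read without the vault password, the check only confirms that a host referencing `vault_` variables has at least one encrypted file; it does not verify that each referenced name is defined inside it.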
