If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inven
As it turns out, host_vars- and group_vars-files might be directories in actuality. That is, instead of creating host_vars/example.com one might create host_vars/example.com/vault and host_vars/example.com/vars. All the files residing in the directory are read. Which settles it.
Additionally, the best practice is to store sensitive variables prefixed with vault_ in the vault file, and reassign them to non-prefixed variables in the vars file. Like so:
vault:

```yaml
vault_mysql_password: '...'
```

vars:

```yaml
mysql_password: '{{ vault_mysql_password }}'
```
That way, you'll be able to find encrypted variables with grep, or any similar tool.
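A check built on this layout, as an added example that is not part of the original answer: it flags any file named `vault` that lacks the `$ANSIBLE_VAULT;` header (a secrets file left in plaintext) and lists the `vault_` variables referenced from the readable `vars` files. The file names `vault` and `vars` follow the answer's layout; the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the host_vars/<host>/{vault,vars} layout described above.

# Print each file named "vault" whose first line is not an ansible-vault
# header, i.e. a secrets file that was committed in plaintext.
unencrypted_vaults() {
    find "$@" -type f -name vault | sort | while IFS= read -r f; do
        head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;' || printf '%s\n' "$f"
    done
}

# List the vault_ variables that the plaintext vars files reference.
# The vault files are never read here, so no vault password is needed.
vault_refs() {
    find "$@" -type f -name vars -exec grep -ohE 'vault_[A-Za-z0-9_]+' {} + | sort -u
}

# Build a constructed sample tree (not real data) and print its path.
make_sample_tree() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/host_vars/example.com" "$sample_dir/host_vars/db.example.com"
    printf '%s\n' '$ANSIBLE_VAULT;1.1;AES256' '00000000' \
        > "$sample_dir/host_vars/example.com/vault"      # placeholder body, not real ciphertext
    printf '%s\n' "mysql_password: '{{ vault_mysql_password }}'" \
        > "$sample_dir/host_vars/example.com/vars"
    printf '%s\n' "vault_mysql_password: 'constructed-plaintext'" \
        > "$sample_dir/host_vars/db.example.com/vault"   # deliberately left unencrypted
    printf '%s\n' "$sample_dir"
}

# Usage: ./audit.sh host_vars group_vars   (exits 1 if a plaintext vault is found)
if [ "$#" -gt 0 ]; then
    bad=$(unencrypted_vaults "$@")
    echo "vault_ variables referenced from vars files:"; vault_refs "$@"
    if [ -n "$bad" ]; then
        echo "NOT ENCRYPTED:"; echo "$bad"; exit 1
    fi
fi
```

Run as a pre-commit or CI step, the non-zero exit stops a plaintext `vault` file from reaching the repository.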