Is there a way to have both encrypted and nonencrypted host vars?

后端 未结 4 554
佛祖请我去吃肉
佛祖请我去吃肉 2021-02-15 01:46

If I encrypt host_vars/* files with ansible-vault, I don\'t seem to have a chance to have nonencrypted host vars other than those residing in the inven

4条回答
  •  你的背包
    2021-02-15 02:37

    Simply don't encrypt host_vars/*, but instead encrypt only variable files that you want encrypted. This article describes a really nice approach: https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

    Essentially what you have are nested/chained variables.

    This is your plain text variable file:

    # var_file
    db_password: {{ vaulted_db_passord }}
    

    And this is your variable file that you are going to encrypt:

    # vault_file
    vaulted_db_passord: a_super_secret
    

    In your playbook you refer to db_password and it'll resolve into the encrypted password. Using this approach your variable names are still readable plain text, however variable values are securely encrypted.

提交回复
热议问题