Is there a way to have both encrypted and nonencrypted host vars?

鱼传尺愫 2021-02-15 02:07

If I encrypt host_vars/* files with ansible-vault, I don't seem to have a chance to have nonencrypted host vars other than those residing in the inven

4 answers
  •  傲寒 (original poster)
    2021-02-15 02:41

    Simply don't encrypt host_vars/*, but instead encrypt only variable files that you want encrypted. This article describes a really nice approach: https://www.reinteractive.net/posts/167-ansible-real-life-good-practices

    Essentially what you have are nested/chained variables.

    This is your plain text variable file:

    # var_file
    db_password: "{{ vaulted_db_passord }}"
    

    And this is your variable file that you are going to encrypt:

    # vault_file
    vaulted_db_passord: a_super_secret
    

    In your playbook you refer to db_password and it'll resolve into the encrypted password. Using this approach your variable names are still readable plain text, however variable values are securely encrypted.
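An added example, not part of the answer above: a pre-commit style check in Python for the split the answer describes. It assumes a hypothetical layout of `host_vars/<host>/vars.yml` (plain text) beside `host_vars/<host>/vault.yml` (encrypted), and flags a vault file that lacks the `$ANSIBLE_VAULT;` header that ansible-vault writes, as well as `vaulted_*` references with no vault file next to them. The sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # every ansible-vault encrypted file starts with this
VAULT_REF = re.compile(r"\{\{\s*(vaulted_\w+)")  # prefix follows the answer's naming


def audit_host_vars(root):
    """Findings for the assumed layout host_vars/<host>/vars.yml + vault.yml."""
    findings = []
    for host_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        plain, vault = host_dir / "vars.yml", host_dir / "vault.yml"
        if vault.exists() and not vault.read_text(encoding="utf-8").startswith(VAULT_HEADER):
            findings.append(f"{host_dir.name}: vault.yml is stored in plain text")
        if not plain.exists():
            continue
        text = plain.read_text(encoding="utf-8")
        if text.startswith(VAULT_HEADER):
            findings.append(f"{host_dir.name}: vars.yml is encrypted, names not readable")
            continue
        refs = sorted(set(VAULT_REF.findall(text)))
        if refs and not vault.exists():
            findings.append(f"{host_dir.name}: {', '.join(refs)} referenced, no vault.yml")
    return findings


def demo():
    """Build a constructed host_vars tree in a temp dir and audit it."""
    ref = 'db_password: "{{ vaulted_db_passord }}"\n'
    sealed = "$ANSIBLE_VAULT;1.1;AES256\n3031...constructed, not real ciphertext\n"
    tree = {
        "web1/vars.yml": ref, "web1/vault.yml": sealed,                    # correct split
        "web2/vars.yml": ref, "web2/vault.yml": "vaulted_db_passord: x\n",  # never encrypted
        "web3/vars.yml": ref,                                              # vault file missing
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in tree.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return audit_host_vars(tmp)


if __name__ == "__main__":
    print("\n".join(demo()))
```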
