Lookup vault file

[bcoca]

now the file lookup plugin will automatically decrypt vault files, it should also be easy to add vault support to other lookups using this.

example:

- hosts: localhost
  connection: local
  tasks:
    - name: "Show secret stuff"
      debug: msg="{{ lookup('file', 'files/secret_stuff') }}"

    - name: "non secret stuff"
      debug: msg="{{ lookup('file', 'files/not_secret') }}"

output of : ansible-playbook -i 'localhost,' test.yml

PLAY [localhost] ************************************************************** 

GATHERING FACTS *************************************************************** 
ok: [localhost]

TASK: [Show secret stuff] ***************************************************** 
ok: [localhost] => {
    "msg": "$ANSIBLE_VAULT;1.1;AES256\n39623566663433343066313837336334663830616434343631383366353461353666303336316165\n3563656235663731363464643137316662376631373430380a623736323765663637363734306133\n62313933636265643263333564653533626135653162613235623232623334663638373238626462\n3933366466336162610a363934316333373034326665656663306333373736333163373763316666\n65666432663037663432663031356636343063356339343232623435386632636430"
}

TASK: [non secret stuff] ****************************************************** 
ok: [localhost] => {
    "msg": "notsecret1\nnotsecret\n"
PLAY RECAP ******************************************************************** 
localhost                  : ok=3    changed=0    unreachable=0    failed=0   
}

output of : ansible-playbook -i 'localhost,' test.yml --ask-vault-pass

PLAY [localhost] ************************************************************** 

GATHERING FACTS *************************************************************** 
ok: [localhost]

TASK: [Show secret stuff] ***************************************************** 
ok: [localhost] => {
    "msg": "secret1\nsecret2\n"
}

TASK: [non secret stuff] ****************************************************** 
ok: [localhost] => {
    "msg": "notsecret1\notsecret2\n"
}
PLAY RECAP ******************************************************************** 
localhost                  : ok=3    changed=0    unreachable=0    failed=0  

[raboof]

Looks very useful!!

Fixed the merge conflict and opened #8472

[bcoca]

rebased and pushed branch

[bcoca]

moved this to clean PR at #8533

[soichih]

Which version of Ansible was this feature released in? I am using 1.8.2 (RHEL6 latest) but it's not working.

[raboof]

It wasn't - this PR was closed without merging, #8533 is the new one but it's outdated and still open :(

[vperron]

Please :) could you merge that ?

[rvdbogerd]

+1 would be awesome to have this

[flmmartins]

This is not working with 1.7.2. I am using the exact lines with roles.

[raboof]

@flmmartins The PR proposes a feature that has not made it into Ansible yet, so indeed it is not available in 1.7.2.

[abourget]

knock knock knock ! +1 +1 !

[adeck]

This was opened over a year ago.
And then moved to a new ticket.

Which was squashed; utterly and completely.
Vaults aren't all that useful for a project of any kind of size without the ability to vault files.

😞

[therealmarv]

this helped me. I do not understand WHY Ansible Vault is designed this way. It makes handling of files worse.

https://dantehranian.wordpress.com/2015/07/24/managing-secrets-with-ansible-vault-the-missing-guide-part-1-of-2/
https://dantehranian.wordpress.com/2015/07/24/managing-secrets-with-ansible-vault-the-missing-guide-part-2-of-2/