Syntax Check Fails Because Vault Password Not Specified #31

Closed
wbh1 opened this issue Apr 8, 2020 · 3 comments · Fixed by #32


wbh1 commented Apr 8, 2020

When constructing the Ansible command(s) to run, this plugin returns prematurely if a syntax check is being run, which leads to the vault password not being specified. This causes the syntax check to fail if one or more vars files are Ansible Vault-encrypted.

Line of code in question: https://github.com/drone-plugins/drone-ansible/blob/master/plugin.go#L252

I'll submit a PR to remedy, but still wanted to create an issue for tracking.

Our error:

```
$ ansible --version
ansible 2.8.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, May  6 2019, 19:28:45) [GCC 8.3.0]
$ ansible-playbook --inventory drone/inventory --syntax-check drone/run.yml
ERROR! Attempting to decrypt but no vault secrets found
exit status 1
```

Relevant portion of our .drone.yml:

```yaml
---
kind: pipeline
name: syntax-check

steps:
  - name: check ansible syntax
    image: plugins/ansible:1
    settings:
      playbook: drone/run.yml
      syntax_check: true
      inventory: drone/inventory
      vault_password:
        from_secret: ansible_vault_key
```

tboerger commented Apr 8, 2020

Maybe you are defining your encrypted values in a bad way? Even this example works without any issue without providing the vault secret:

```yaml
- hosts: all
  vars:
    foobar: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      61326565656435373038396462323238313637396666343834316634393739326438613734656238
      3762306638643539636666656362373663326663363635320a363531306664353162343338396566
      31303035306130666333613337613538376563613036393436393631663466653363646539323332
      3437656166316164370a326462373861626234663237396333303663636338633739346637623061
      3936

  roles: []
```


wbh1 commented Apr 8, 2020

Yes - that works fine. The issue arises when the entirety of a file is vault encrypted rather than just individually encrypting strings (i.e. file-level encryption rather than variable-level encryption).
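
The distinction drawn in the comment above, as an added example that is not part of the thread or of the plugin's code: a Go helper that classifies a vars file as file-level encrypted (the whole file begins with the `$ANSIBLE_VAULT;` header), variable-level encrypted (plaintext YAML with `!vault`-tagged values), or unencrypted. The name `classifyVault` and the sample contents are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strings"
)

// vaultHeader is the marker Ansible Vault writes at the start of encrypted data.
const vaultHeader = "$ANSIBLE_VAULT;"

// classifyVault (hypothetical helper) reports how a YAML file uses Ansible Vault:
// "file"   - the whole file is one vault envelope, so it cannot be read without the secret,
// "inline" - plaintext YAML that carries !vault-tagged values,
// "none"   - no vault content found.
func classifyVault(content []byte) string {
	if bytes.HasPrefix(content, []byte(vaultHeader)) {
		return "file"
	}
	sc := bufio.NewScanner(bytes.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "#") {
			continue // a comment mentioning !vault is not a vault value
		}
		for _, f := range strings.Fields(line) {
			if f == "!vault" {
				return "inline"
			}
		}
	}
	return "none"
}

// Constructed samples; the hex payloads are placeholders, not real ciphertext.
var (
	sampleFile   = []byte("$ANSIBLE_VAULT;1.1;AES256\n6132656565\n")
	sampleInline = []byte("foobar: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  6132656565\n")
	samplePlain  = []byte("# !vault is only mentioned here\nfoobar: baz\n")
)

func main() {
	for name, c := range map[string][]byte{"file": sampleFile, "inline": sampleInline, "plain": samplePlain} {
		fmt.Printf("%-6s -> %s\n", name, classifyVault(c))
	}
}
```

Files classified as `file` are the case reported in this issue, where the syntax check fails unless the vault password is supplied.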

@ispringle

I too am having this issue.
