Ansible ask for vault password for a host that don't need any variable

[alessandro mazzoli]

Hi,

i'm a pretty satisfied Ansible user but

i got an issue maybe caused by a bad practice or a bad definition on my Inventory.

I have two inventories( production/ development) in /etc/ansible/invenories with several hosts defined like these:

example1 ansible_ssh_host=10.0.8.142

example2 ansible_ssh_host=10.0.8.143

example3 ansible_ssh_host=10.0.8.144

[group1]

example1

example2

example3

and  some variables for each hosts encrypted  by Ansible-vault:  

(i.e) host_vars/example1.yml , host_vars/example2.yml and i don't have any vars on example3

---

- hosts: example3

  tasks:

  - name: update packages in CentOS

    yum: name=* state=latest

  become: yes

  check: true

  diff: true

when i launch ansible-playbook -i inventories/production/prod myplaybook.yml against example3

Ansible ask me to provide the ansible-vault password to decrypt for a host that don't need any variables!

Is it a strange behavior to fix or i have to change my setup?

Thanks

[Brian Coca]

If ansible is asked to open a vault file it will always try, if it
does not have a password it will fail. There is no way to know if a
variable inside the file is used unless you open it and examine it, so
we enter the paradox of needing to open the file to find out if we
need to open it.

If you know your play won't need those vault files, you should avoid
referencing them directly or indirectly to avoid needing a password.
-------------
Brian Coca