Is there any Ansible module to Encrypt a log file during the play book execution

[Deepak B K]

Hi All, 

I need recommendation to use encryption and decryption  of generated log files during the playbook execution . I was going through ansible documentation and I don't see any module  except use of ansible-vault . I appreciate your  advise .

there is a module to decrypt the log file 

- ansible.builtin.debug: msg="the value of foo.log is {{ lookup('ansible.builtin.unvault', '/etc/foo.log') | string | trim }}"

Thanks 

Deepak

[Drew Northup]

Hi Deepak,

You're going to need a different opener for this can of worms, as Ansible Vault is meant for protecting confidential information that needs to be pushed out to the endpoint being configured and not for pulling information back to the controller for encryption nor is it meant for encryption in-place on the endpoint node.

So that the community can better help you, are to looking to encrypt log files in place on the configured endpoint node (host, VM, container, etc.) or are you looking to have the log files encrypted on the controller at the end of the playbook run? (Or, perhaps, are they the same host?)

[Deepak B K]

Hi  Drew, 

I appreciate your reply . The customer requirement is the secret key should be on ansible controller  and the vms /endpoints  logs are copied to the controller  and encryption is done on the controller I explored  copy module has a encrypt  option which can help out in the process . But for the decryption i will need to use ansible-vault .

---

- hosts: localhost

  gather_facts: false

  vars_prompt:

    name: vault_secret

    prompt: Please enter the password to encrypt the file

    default: v3rys3cr3t

    private: true

  vars:

    vault_file: secret.log

  tasks:

    - name: In-place (re)encrypt file {{ vault_file }}

      ansible.builtin.copy:

        content: "{{ lookup('ansible.builtin.file', vault_file) | ansible.builtin.vault(vault_secret) }}"

        dest: "{{ vault_file }}"

        decrypt: false

Thanks

Deepak B Kumar  

[Drew Northup]

Hi Deepak,

I would suggest using the vault mechanism to securely store the encryption secret if possible, so the process can be fully automated. That will also allow safe storage of any other confidential information needed by the playbook. As for handing of the log files, copy normally only pushes from the controller to the remote and therefore you likely want to use something else. If those logs are small then using "ansible.builtin.slurp" to get the content, filtering that with the "vault" filter, and then saving that locally using a local_action delegated copy task may be an option. A more flexible method would use "ansible.builtin.fetch" to copy to a local ramdisk, encrypt locally via a "local_action" task using native cli tools (such as gpg or the command-line version of Ansible vault), and then save someplace appropriate via a "local_action" task using "ansible.builtin.copy".

I hope you find this helpful.

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/dCaCdMq9TAE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e0e93ea5-4a4f-4d44-8e50-97edad1ef5a5n%40googlegroups.com.

--

---------------------------------+--------------------------------------
Drew Northup                     |          Technical Support Specialist
University of Maine System       |                Drew.N...@Maine.edu
Computing Center                 |             old phone: (207) 561-3513
Orono, ME 04469                  |             new phone: (207) 581-3513

[Deepak B K]

Hi Drew, 

I appreciate the suggestion use of  ansible.builtin.fetch module instead of copy module  and I am  trying to  use  ansible-vault on the command module to  encrypt and decrypt the data as you  rightly said  managing the password secret will be  challenge .

Ansible-vault  has  vault feature which can handle the vault secret properly on the network.

Once Again Thank you very much  for the valuable  suggestion it really help me to decide what is the best  module to be used.

Thanks 

Deepak B Kumar