On Wed, 20 Nov 2019 05:54:21 -0800 (PST)
Quentin Aveno <
aori...@gmail.com> wrote:
> Yes It is.
> I mean if I don't use it as a variable but directly in a task as a
> parameter.
> As example:
> Is there a difference between
> - shell: check.sh {{ lookup('hashi_vault', 'secret=secret1') }}
> And
> - shell: check.sh {{ password 1}}
> Where password1 is defined in an inventory
>
> It seems logical to me than the first one is safer and evaluate later
I can only assume that "password1 is defined in an inventory" means a
similar line can be found in an inventory
password1: "{{ lookup('hashi_vault', 'secret=secret1') }}"
(Otherwise the comparison does not make much sense).
I can only repeat that both arguments below will be decrypted at the same
time because of the "Lazy Evaluation" ("Ansible evaluates any variables in
playbook content at the last possible second.")
- shell: "check.sh {{ lookup('hashi_vault', 'secret=secret1') }}"
- shell: "check.sh {{ password1 }}"
Cheers,
-vlado