Feature idea: Adding a vault/ subdir to group_vars and host_vars

[Hagai Kariti]

Hi all

Using Vault in group_vars has the downside of losing version control on the vaulted file, so the logical thing is to separate sensitive variables from "normal" ones.

What we do is create a vault/ subdirectory under group_vars and include that in vars_file.

The dir structure looks like this:

hosts

group_vars/

  vault/

     some_group

  some_group

And the playbook starts like this:

- hosts: some_group

  vars:

    - "{{ inventory_dir }}/group_vars/vault/some_group

It seems like a good convention, any thoughts about making it a feature?

[Serge van Ginderachter]

If it's meant to be included by vars_file, that doesn't seem like a good place to me.

Also, this would conflict if one has a 'vault' group, as dirs are also allowed in host/group_vars, instead of plain files.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/433a9c7a-c091-4a81-a586-d44c25ae3973%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Hagai Kariti]

I currenty use vars_files because Ansible doesn't include these files automatically. I was suggesting making a standard place to put vaulted group_vars (or host_vars) and gave mine as an example.

Do you object to the idea or just my convention?

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/VgGIyBhFtZM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEhzMJDshtwczt04PK%3D7S9XWuAcDmdERZvP8RbwCq8j7cqttFA%40mail.gmail.com.

[Serge van Ginderachter]

On 21 May 2014 16:39, Hagai Kariti <hka...@gmail.com> wrote:

I currenty use vars_files because Ansible doesn't include these files automatically. I was suggesting making a standard place to put vaulted group_vars (or host_vars) and gave mine as an example.

Do you object to the idea or just my convention?

​At least the convention, beneath group_vars is definetely not the right place​.

The idea, I'm not sure what exactly having this standard place would exactly mean?

Vault files are just encrypted files, users might want to 'vault' a file at any location they want.

Say you have a default vault dir somewhere, what would happen then?

[Hagai Kariti]

On Wednesday, May 21, 2014 5:44:32 PM UTC+3, Serge van Ginderachter wrote:

On 21 May 2014 16:39, Hagai Kariti <hka...@gmail.com> wrote:

I currenty use vars_files because Ansible doesn't include these files automatically. I was suggesting making a standard place to put vaulted group_vars (or host_vars) and gave mine as an example.

Do you object to the idea or just my convention?

​At least the convention, beneath group_vars is definetely not the right place​.

The idea, I'm not sure what exactly having this standard place would exactly mean?

It's really the same idea as group_vars. For each group a host is a member of, two files are included:

- The file under group_vars/, as usual

- The vaulted file under the vaulted group_vars dir

This allows you to separate the sensitive and normal parts of your group_vars, so that you won't lose version control on the normal parts. 

Vault files are just encrypted files, users might want to 'vault' a file at any location they want.

Same thing can be said about group_vars. You can include any variable file you want, but having a convention that uses your hostgroup structure is a good thing.

[Serge van Ginderachter]

On 21 May 2014 16:53, Hagai Kariti <hka...@gmail.com> wrote:

It's really the same idea as group_vars. For each group a host is a member of, two files are included:

- The file under group_vars/, as usual

- The vaulted file under the vaulted group_vars dir

This allows you to separate the sensitive and normal parts of your group_vars, so that you won't lose version control on the normal parts. 

​OK, actually, you already can do something similar, what I do:

for each group X I have a directory group_vars/X/

every file in that dir will be loaded for group X

then you van have a group_vars/X/secret.yml e.g. which is vaulted.​

Would that work for you?

[Hagai Kariti]

Whoa, dude. Didn't know that trick. Yeah that actually solves my case pretty nicely. Thanks a bunch.

[Michael DeHaan]

"Using Vault in group_vars has the downside of losing version control on the vaulted file"

This is not neccessarily the case.

group_vars/ folders are also loaded if they live alongside the playbook, so that can be a good option.

You could also keep the variables in a role vars/ directory and pull them in to hosts that need them.

In fact, a role can contain nothing but vars, and that works too!

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cc0d252e-fb8b-407e-abf1-3bad7c19eae0%40googlegroups.com.

[Hagai Kariti]

On Thu, May 22, 2014 at 1:16 AM, Michael DeHaan <mic...@ansible.com> wrote:

"Using Vault in group_vars has the downside of losing version control on the vaulted file"

This is not neccessarily the case.

group_vars/ folders are also loaded if they live alongside the playbook, so that can be a good option.

You could also keep the variables in a role vars/ directory and pull them in to hosts that need them.

In fact, a role can contain nothing but vars, and that works too!

Yeah I know, but that's not helping my specific use case, as I need different sensitive variables based on inventory, not role or playbook. 

Serge's suggestion was what solved it for me - too bad this feature isn't documented!

 

On Wed, May 21, 2014 at 11:21 AM, Hagai Kariti <hka...@gmail.com> wrote:

Whoa, dude. Didn't know that trick. Yeah that actually solves my case pretty nicely. Thanks a bunch.

On Wednesday, May 21, 2014 6:16:19 PM UTC+3, Serge van Ginderachter wrote:

On 21 May 2014 16:53, Hagai Kariti <hka...@gmail.com> wrote:

It's really the same idea as group_vars. For each group a host is a member of, two files are included:

- The file under group_vars/, as usual

- The vaulted file under the vaulted group_vars dir

This allows you to separate the sensitive and normal parts of your group_vars, so that you won't lose version control on the normal parts. 

​OK, actually, you already can do something similar, what I do:

for each group X I have a directory group_vars/X/

every file in that dir will be loaded for group X

then you van have a group_vars/X/secret.yml e.g. which is vaulted.​

Would that work for you?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/cc0d252e-fb8b-407e-abf1-3bad7c19eae0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/VgGIyBhFtZM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgx4yAt_LJsc3nn%2BQWxhXDGd8_aj2zk7pyGTEi1yKPBCvw%40mail.gmail.com.

[Michael DeHaan]

Docs are open source and there's already an open pull request for that in the docs.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAO0%3DbmHB44%3DyFj-oW7%2B25MCdzFytXjpCoCY82GoBqZGO%2BLiW0A%40mail.gmail.com.

[Hagai Kariti]

Yeah that's me :-)

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzLKR6MGbdOs3nVEDJJySvh8N6GyZwC4%3DvYORoX4gYuOw%40mail.gmail.com.

[Chris Adams]

Hi all,

I just came across this after puzzling over how best to use ansible-vault to manage sensitive credentials in group vars, without encrypting everything, and I couldn't find the pull request for this when looking through the github issues for

Would someone share a link to it?

Thanks

Chris

[Hagai Kariti]

The pull request for the docs has been merged already. The relevant doc page is here: http://docs.ansible.com/intro_inventory.html

Just search for 'vault' in that page. It doesn't have info this thread doesn't though...

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d98d99e1-b6ca-4899-93b7-904dab97aa3a%40googlegroups.com.

[Michael DeHaan]

You can have subdirectories under group_vars/groupname/*.yml if you want, and some of those can be vault encrypted.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAO0%3DbmHKqR4WPSD0hb_U3B8KyXa_ptb4okN3Fp--Y389qrheXA%40mail.gmail.com.

[Igor Homyakov]

Hi,

I'm using a following naming scheme in my projects
[inventory_group]/secret/self-documented-name.yml

for example :
group_vars
├── all
│ └── secret
│ ├── deployment_keys.yml
│ ├── api_keys.yml
│ └── hipchat_token.yml
├── redis
│ └── secret
│ └── aws.yml
└── webapp
└── secret
└── ssl.yml

I hope it would be useful.

-- Best, Igor

> https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgxxCHr7%2BJODHpUfaHkrX6tsbyyU4m5GA0%3DPG23DMR91wg%40mail.gmail.com.