Secret hostvars... how to deal with them?


Adam Flinton

Jul 14, 2015, 7:12:50 AM7/14/15
to ansible...@googlegroups.com
Dear All,

At the moment we are encrypting all of our host vars with git-crypt as a few contain secret information.

This is a pain as only a few people need the encrypted parts of the few encrypted files, but it means everyone who uses Ansible etc. has to have git-crypt set up and working, etc., etc.

So I would like to find out some way in which just the values which need to be encrypted can be pulled out into separate files & encrypted.

I see from:


That a host/group var file can be replaced with a folder and then

"As an advanced use-case, you can create directories named after your groups or hosts, and Ansible will read all the files in these directories"

Such that I could have a file called notsecret & another called secret.key & tell git-crypt just to encrypt "*.key" files.

That way people using instances/roles etc. with no secret info could still use host/group vars w/o git-crypt.

At the moment this seems like the best plan.....but any other suggestions would be welcome.

For example can a hostvar file perform an inclusion along the lines of including something akin to

    vars_files:
      # list-of-lists form: the first file in the inner list that exists is loaded
      - [ 'files/vars/{{ inventory_hostname }}.yml', 'files/vars/default.yml' ]

?

TIA

Adam
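The layout Adam sketches (a host_vars/<host>/ directory whose notsecret file stays plaintext and whose *.key file is git-crypt encrypted) has one failure mode worth guarding against: a contributor who does not have git-crypt configured still gets a clean checkout, and if they add or edit a *.key file, git stores it as plaintext because the git-crypt filter driver is not installed in their git config. The script below is an added example, not code from the thread or from git-crypt; it builds the directory split, writes the .gitattributes rule for the "*.key" pattern from the post, and checks every *.key under host_vars/ and group_vars/ for git-crypt's encrypted-file header (the 10 bytes "\0GITCRYPT\0"), which is what an encrypted blob looks like on a locked clone. The hostnames (web1, db1), the variable values, and the stand-in ciphertext are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): split host_vars into a plaintext
# part and a git-crypt-encrypted "*.key" part, and verify on a locked clone that
# no *.key file is sitting in the tree as plaintext.
# Assumptions (not in the post): hostnames web1/db1 and all file contents below
# are constructed sample data.

# git-crypt stores encrypted files with a 10-byte magic header "\0GITCRYPT\0".
GITCRYPT_MAGIC_HEX="00474954435259505400"

# The .gitattributes rule from the post: only *.key files go through git-crypt,
# so notsecret.yml stays readable for people who never run git-crypt unlock.
write_gitattributes() {
    repo="$1"
    printf '%s\n' '*.key filter=git-crypt diff=git-crypt' > "$repo/.gitattributes"
}

# Return 0 when the file begins with the git-crypt header, 1 otherwise.
# Comparing hex avoids putting NUL bytes into a shell variable.
is_git_crypt_encrypted() {
    hdr=$(head -c 10 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$hdr" = "$GITCRYPT_MAGIC_HEX" ]
}

# Print the repo-relative path of every *.key under host_vars/ or group_vars/
# that is NOT encrypted. Empty output means the tree is clean; run it in a
# pre-commit hook or a CI job on a fresh (locked) clone.
find_plaintext_keys() {
    repo="$1"
    find "$repo/host_vars" "$repo/group_vars" -type f -name '*.key' 2>/dev/null |
    while IFS= read -r f; do
        is_git_crypt_encrypted "$f" || printf '%s\n' "${f#"$repo"/}"
    done
}

# Build the sample layout described in the post (constructed data).
make_sample_repo() {
    repo="$1"
    mkdir -p "$repo/host_vars/web1" "$repo/host_vars/db1" "$repo/group_vars/all"
    write_gitattributes "$repo"
    # Plaintext vars that everyone may read.
    printf 'ntp_server: 10.0.0.1\n' > "$repo/host_vars/web1/notsecret.yml"
    printf 'ansible_user: deploy\n' > "$repo/group_vars/all/notsecret.yml"
    # web1's secret file as it appears on a locked clone: git-crypt header
    # followed by opaque bytes (the bytes after the header are a stand-in).
    printf '\000GITCRYPT\000' > "$repo/host_vars/web1/secret.key"
    printf 'opaque-nonce-and-ciphertext' >> "$repo/host_vars/web1/secret.key"
    # db1's secret file was committed by someone without git-crypt configured,
    # so git stored it verbatim: the case the check exists to catch.
    printf 'db_password: hunter2\n' > "$repo/host_vars/db1/secret.key"
}

# Exit non-zero if any plaintext *.key is found, listing the offenders.
check_tree() {
    offenders=$(find_plaintext_keys "$1")
    if [ -n "$offenders" ]; then
        printf 'PLAINTEXT SECRET FILE(S):\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

demo() {
    tmp=$(mktemp -d)
    make_sample_repo "$tmp"
    check_tree "$tmp" && echo "clean" || echo "not clean"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Running the script with --demo prints the db1 offender and "not clean". In a real repository the same check belongs in CI on a clone that has not run git-crypt unlock, because that is the only state in which an accidentally plaintext secret is distinguishable from a correctly decrypted one by its header.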

Jaime Bermudez

Jul 14, 2015, 1:00:34 PM7/14/15
to ansible...@googlegroups.com
We've had success storing secret variables in s3 YAML files and using include_vars to process them where needed.

- Jaime