You can run a play that relies on vault-encrypted templates by using the local_action module to decrypt the template on the control machine before deploying it.
---
- name: Decrypt template
  local_action: "shell {{ view_encrypted_file_cmd }} {{ role_path }}/templates/template.enc > {{ role_path }}/templates/template"
  changed_when: False

- name: Deploy template
  template:
    src: templates/template
    dest: /home/user/file

- name: Remove decrypted template
  local_action: "file path={{ role_path }}/templates/template state=absent"
  changed_when: False
Please note the changed_when: False on the decrypt and remove tasks. This is important if you run idempotence tests against your Ansible roles; otherwise a change is signaled each time you run the playbook.
In group_vars/all.yml you could set a global decrypt command for reuse, e.g., as view_encrypted_file_cmd.
group_vars/all.yml
---
view_encrypted_file_cmd: "ansible-vault --vault-password-file {{ lookup('env', 'ANSIBLE_VAULT_PASSWORD_FILE') }} view"
Now, when running a play, you need to set the ANSIBLE_VAULT_PASSWORD_FILE environment variable to point to your vault password file (ideally with an absolute path).
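
With the three tasks above, the decrypted template stays in the role directory if the deploy task fails, because the remove task is never reached. The following is an added example, not part of the original page: the same sequence wrapped in block/always and decrypted into a private temporary file. It assumes view_encrypted_file_cmd is defined as shown above; the register name decrypted_template and the 0600 mode on the deployed file are choices made for this example.

```yaml
---
# Added example: decrypt, deploy and always clean up.
# Assumes view_encrypted_file_cmd is set in group_vars/all.yml as shown above.
- name: Deploy vault-encrypted template without leaving plaintext behind
  block:
    # tempfile creates the file readable by the current user only,
    # outside the role directory (and outside version control).
    - name: Create a private temporary file on the control machine
      tempfile:
        state: file
        suffix: .template
      delegate_to: localhost
      register: decrypted_template   # name chosen for this example
      changed_when: False

    - name: Decrypt template into the temporary file
      shell: >
        {{ view_encrypted_file_cmd }}
        {{ role_path }}/templates/template.enc
        > {{ decrypted_template.path }}
      delegate_to: localhost
      changed_when: False

    - name: Deploy template
      template:
        src: "{{ decrypted_template.path }}"
        dest: /home/user/file
        mode: "0600"   # assumption: the rendered file holds secrets

  always:
    # Runs whether or not the tasks in the block succeeded.
    - name: Remove decrypted template
      file:
        path: "{{ decrypted_template.path }}"
        state: absent
      delegate_to: localhost
      changed_when: False
      when: decrypted_template.path is defined
```

The changed_when: False settings are kept on the local helper tasks so that idempotence tests still report no change.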