Ansible galaxy and Ansible vault Flashcards
Encrypt/decrypt existing file with ansible-vault
ansible-vault encrypt myfile
ansible-vault decrypt myfile
Create encrypted playbook
1. Prompt for password and open vi for editing playbook
2. Use the existing password from another file and open vi for editing playbook
1. ansible-vault create myplaybook.yml
2. ansible-vault create --vault-password-file=psfile myplaybook.yml
View encrypted file
Edit encrypted file
ansible-vault view myplaybook.yml
ansible-vault edit myplaybook.yml
Change password for encrypted file
ansible-vault rekey myfile
You should provide the old password for myfile first, then set the new password
Run a playbook that accesses vault encrypted file
ansible-playbook --vault-id @prompt myplaybook.yml
Access password file while running playbook
ansible-playbook --vault-password-file=psfile myplaybook.yml
Create playbook create-user.yml to create user
Module user should use the username and password for the new user that are set in the encrypted file secret
- vim create-user.yml
  - name: create user
    hosts: localhost
    become: yes
    vars_files:
      - secret
    tasks:
      - name: creating user
        user:
          name: "{{ username }}"
          password: "{{ psw }}"   # the user module expects an already hashed password here
- ansible-vault create secret
  (enter password for secret file)
  username: lisa
  psw: password
- ansible-playbook --ask-vault-pass create-user.yml
  when running playbook enter password for secret file
  or even better:
  ansible-playbook -i inventory create-user.yml --vault-id @prompt
Create playbook create-user.yml to create user
Use password stored in secret non-encrypted plain file while running playbook
- echo password > secret
- vim create-user.yml
  - name: create user
    hosts: localhost
    become: yes
    vars_files:
      - secret
    tasks:
      - name: creating user
        user:
          name: "{{ username }}"
          password: "{{ psw }}"
- ansible-playbook --vault-password-file=secret create-user.yml
- Create password file pswd (keep this with permissions 600)
- Create file secure_file to be encrypted with a passphrase whose content is kept in the pswd file
- Create playbook test.yml, so that the content of secure_file will be added to new_file. Be sure that when running the playbook with the -v flag the content of secure_file is not output to the screen
1. vim pswd
   123
   :wq
   chmod 600 pswd
2. vim secure_file
   message: "Hello world"
   :wq
   ansible-vault encrypt --vault-id content@prompt secure_file
   ansible-vault edit --vault-id prod@pswd secure_file
3. vim test.yml
   - hosts: localhost
     vars_files:
       - secure_file
     tasks:
       - name: adding content to new_file
         shell: "echo {{ message }} >new_file"
         no_log: true
   :wq
   ansible-playbook test.yml --vault-id prod@pswd
Encrypt string and paste this value as var value in playbook
- hosts: labservers
  become: yes
  vars:
    - http_port: 8080
    - http_dir: /var/webcontent
  tasks:
    …
1. ansible-vault encrypt_string --ask-vault-pass '8080' --name 'http_port'
2. set pass
3. paste output for encrypted value into playbook as a value for http_port variable instead of 8080
Default locations of Ansible Roles
./roles in current project dir
~/.ansible/roles
/etc/ansible/roles
Install several roles from ansible galaxy
- create requirements.yml file in ~/.ansible/roles
  - src: file:///my/path/tar.gz
  - src: geerlingguy.nginx
    version: "2.3"
    name: nginx
  - src: geerlingguy.docker
- Install roles
  ansible-galaxy install -r ~/.ansible/roles/requirements.yml
Creating custom roles
ansible-galaxy init role_name
Keep in mind location of role_name dir