Ansible vault: a framework for encrypting any playbook or var file.

2025-07-01 12:40:22 -07:00 · 2014-02-11 12:03:11 -05:00 · 2014-02-11 12:03:11 -05:00 · 427b8dc78d
commit 427b8dc78d
parent 30611eaac5
10 changed files with 724 additions and 34 deletions
--- a/lib/ansible/playbook/play.py
+++ b/lib/ansible/playbook/play.py
@ -34,7 +34,7 @@ class Play(object):
       'handlers', 'remote_user', 'remote_port', 'included_roles', 'accelerate',
       'accelerate_port', 'accelerate_ipv6', 'sudo', 'sudo_user', 'transport', 'playbook',
       'tags', 'gather_facts', 'serial', '_ds', '_handlers', '_tasks',
-       'basedir', 'any_errors_fatal', 'roles', 'max_fail_pct', '_play_hosts', 'su', 'su_user'
+       'basedir', 'any_errors_fatal', 'roles', 'max_fail_pct', '_play_hosts', 'su', 'su_user', 'vault_password'
    ]

    # to catch typos and so forth -- these are userland names
@ -44,12 +44,12 @@ class Play(object):
       'tasks', 'handlers', 'remote_user', 'user', 'port', 'include', 'accelerate', 'accelerate_port', 'accelerate_ipv6',
       'sudo', 'sudo_user', 'connection', 'tags', 'gather_facts', 'serial',
       'any_errors_fatal', 'roles', 'pre_tasks', 'post_tasks', 'max_fail_percentage',
-       'su', 'su_user'
+       'su', 'su_user', 'vault_password'
    ]

    # *************************************************

-    def __init__(self, playbook, ds, basedir):
+    def __init__(self, playbook, ds, basedir, vault_password=None):
        ''' constructor loads from a play datastructure '''

        for x in ds.keys():
@ -64,6 +64,7 @@ class Play(object):
        self.basedir          = basedir
        self.roles            = ds.get('roles', None)
        self.tags             = ds.get('tags', None)
+        self.vault_password   = vault_password

        if self.tags is None:
            self.tags = []
@ -88,6 +89,7 @@ class Play(object):
        self.vars_files = ds.get('vars_files', [])
        if not isinstance(self.vars_files, list):
            raise errors.AnsibleError('vars_files must be a list')
+
        self._update_vars_files_for_host(None)

        # template everything to be efficient, but do not pre-mature template
@ -124,6 +126,7 @@ class Play(object):
        self.max_fail_pct     = int(ds.get('max_fail_percentage', 100))
        self.su               = ds.get('su', self.playbook.su)
        self.su_user          = ds.get('su_user', self.playbook.su_user)
+        #self.vault_password   = vault_password

        # Fail out if user specifies a sudo param with a su param in a given play
        if (ds.get('sudo') or ds.get('sudo_user')) and (ds.get('su') or ds.get('su_user')):
@ -540,7 +543,7 @@ class Play(object):
                        dirname = os.path.dirname(original_file)
                    include_file = template(dirname, tokens[0], mv)
                    include_filename = utils.path_dwim(dirname, include_file)
-                    data = utils.parse_yaml_from_file(include_filename)
+                    data = utils.parse_yaml_from_file(include_filename, vault_password=self.vault_password)
                    if 'role_name' in x and data is not None:
                        for x in data:
                            if 'include' in x:
@ -652,12 +655,12 @@ class Play(object):

    # *************************************************

-    def update_vars_files(self, hosts):
+    def update_vars_files(self, hosts, vault_password=None):
        ''' calculate vars_files, which requires that setup runs first so ansible facts can be mixed in '''

        # now loop through all the hosts...
        for h in hosts:
-            self._update_vars_files_for_host(h)
+            self._update_vars_files_for_host(h, vault_password=vault_password)

    # *************************************************

@ -689,14 +692,14 @@ class Play(object):

    # *************************************************

-    def _update_vars_files_for_host(self, host):
+    def _update_vars_files_for_host(self, host, vault_password=None):

        if type(self.vars_files) != list:
            self.vars_files = [ self.vars_files ]

        if host is not None:
            inject = {}
-            inject.update(self.playbook.inventory.get_variables(host))
+            inject.update(self.playbook.inventory.get_variables(host, vault_password=vault_password))
            inject.update(self.playbook.SETUP_CACHE[host])

        for filename in self.vars_files:
@ -747,7 +750,7 @@ class Play(object):
                filename4 = utils.path_dwim(self.basedir, filename3)
                if self._has_vars_in(filename4):
                    continue
-                new_vars = utils.parse_yaml_from_file(filename4)
+                new_vars = utils.parse_yaml_from_file(filename4, vault_password=self.vault_password)
                if new_vars:
                    if type(new_vars) != dict:
                        raise errors.AnsibleError("%s must be stored as dictionary/hash: %s" % (filename4, type(new_vars)))