Allow template files to be vaulted (#22951)

* Allow template files to be vaulted * Make sure to import exceptions we need * get_real_file can't take bytes, since it looks specifically for string_types * Now that we aren't using open() we don't need b_source * Expand playbooks_vault docs to include modules that support vaulted src files * Add vaulted template test
2017-06-07 13:16:03 -05:00 · 2017-06-07 13:16:03 -05:00 · 004e99316c
commit 004e99316c
parent 24f2a616dd
6 changed files with 47 additions and 6 deletions
--- a/docs/docsite/rst/playbooks_vault.rst
+++ b/docs/docsite/rst/playbooks_vault.rst
@ -18,7 +18,7 @@ The vault feature can encrypt any structured data file used by Ansible.  This ca

 Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you're using, you can encrypt the task files in their entirety. However, that might be a little too much and could annoy your coworkers :)

-The vault feature can also encrypt arbitrary files, even binary files.  If a vault-encrypted file is given as the `src` argument to the `copy` module, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).
+The vault feature can also encrypt arbitrary files, even binary files.  If a vault-encrypted file is given as the `src` argument to the `copy`, `template`, `unarchive`, `script` or `assemble` modules, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).

 As of version 2.3, Ansible also supports encrypting single values inside a YAML file, using the `!vault` tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below.

--- a/lib/ansible/plugins/action/template.py
+++ b/lib/ansible/plugins/action/template.py
@ -20,7 +20,7 @@ __metaclass__ = type
 import os

 from ansible import constants as C
-from ansible.errors import AnsibleError
+from ansible.errors import AnsibleError, AnsibleFileNotFound
 from ansible.module_utils._text import to_bytes, to_native, to_text
 from ansible.plugins.action import ActionBase
 from ansible.template import generate_ansible_template_vars
@ -107,10 +107,18 @@ class ActionModule(ActionBase):
            if dest_stat['exists'] and dest_stat['isdir']:
                dest = self._connection._shell.join_path(dest, os.path.basename(source))

-        # template the source data locally & get ready to transfer
-        b_source = to_bytes(source)
+        # Get vault decrypted tmp file
        try:
-            with open(b_source, 'r') as f:
+            tmp_source = self._loader.get_real_file(source)
+        except AnsibleFileNotFound as e:
+            result['failed'] = True
+            result['msg'] = "could not find src=%s, %s" % (source, e)
+            self._remove_tmp_path(tmp)
+            return result
+
+        # template the source data locally & get ready to transfer
+        try:
+            with open(tmp_source, 'r') as f:
                template_data = to_text(f.read())

            # set jinja2 internal search path for includes
@ -150,6 +158,8 @@ class ActionModule(ActionBase):
            result['failed'] = True
            result['msg'] = type(e).__name__ + ": " + str(e)
            return result
+        finally:
+            self._loader.cleanup_tmp_file(tmp_source)

        if not tmp:
            tmp = self._make_tmp_path()
--- a/test/integration/targets/vault/roles/test_vaulted_template/tasks/main.yml
+++ b/test/integration/targets/vault/roles/test_vaulted_template/tasks/main.yml
@ -0,0 +1,19 @@
+---
+- name: Template from a vaulted template file
+  template:
+    src: vaulted_template.j2
+    dest: "{{ output_dir }}/vaulted_template.out"
+  vars:
+    vaulted_template_var: "here_i_am"
+
+- name: Get output template contents
+  slurp:
+    path: "{{ output_dir }}/vaulted_template.out"
+  register: vaulted_tempalte_out
+
+- debug:
+    msg: "{{ vaulted_tempalte_out.content|b64decode }}"
+
+- assert:
+    that:
+      - vaulted_tempalte_out.content|b64decode == 'here_i_am\n'
--- a/test/integration/targets/vault/roles/test_vaulted_template/templates/vaulted_template.j2
+++ b/test/integration/targets/vault/roles/test_vaulted_template/templates/vaulted_template.j2
@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+65626437623461633630303033303939616334373263633438623938396564376435366534303865
+6363663439346464336437346263343235626463663130640a373233623733653830306262376430
+31666538323132343039613537323761343234613531353035373434666632333932623064316564
+3532363462643736380a303136353830636635313662663065343066323631633562356663633536
+31343265376433633234656432393066393865613235303165666338663930303035
--- a/test/integration/targets/vault/runme.sh
+++ b/test/integration/targets/vault/runme.sh
@ -57,4 +57,4 @@ ansible-playbook test_vault.yml          -i ../../inventory -v "$@" --vault-pass
 ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check
 ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password
 ansible-playbook test_vaulted_inventory.yml -i vaulted.inventory -v "$@" --vault-password-file vault-password
-
+ansible-playbook test_vaulted_template.yml -i ../../inventory -v "$@" --vault-password-file vault-password
--- a/test/integration/targets/vault/test_vaulted_template.yml
+++ b/test/integration/targets/vault/test_vaulted_template.yml
@ -0,0 +1,6 @@
+- hosts: testhost
+  gather_facts: False
+  vars:
+    - output_dir: .
+  roles:
+    - { role: test_vaulted_template, tags: test_vaulted_template}