Allow template files to be vaulted (#22951)
* Allow template files to be vaulted * Make sure to import exceptions we need * get_real_file can't take bytes, since it looks specifically for string_types * Now that we aren't using open() we don't need b_source * Expand playbooks_vault docs to include modules that support vaulted src files * Add vaulted template test
parent
24f2a616dd
commit
004e99316c
6 changed files with 47 additions and 6 deletions
|
@ -18,7 +18,7 @@ The vault feature can encrypt any structured data file used by Ansible. This ca
|
||||||
|
|
||||||
Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you're using, you can encrypt the task files in their entirety. However, that might be a little too much and could annoy your coworkers :)
|
Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you're using, you can encrypt the task files in their entirety. However, that might be a little too much and could annoy your coworkers :)
|
||||||
|
|
||||||
The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the `src` argument to the `copy` module, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).
|
+The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the `src` argument to the `copy`, `template`, `unarchive`, `script` or `assemble` modules, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).
|
||||||
|
|
||||||
As of version 2.3, Ansible also supports encrypting single values inside a YAML file, using the `!vault` tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below.
|
As of version 2.3, Ansible also supports encrypting single values inside a YAML file, using the `!vault` tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below.
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ __metaclass__ = type
|
||||||
import os
|
import os
|
||||||
|
|
||||||
from ansible import constants as C
|
from ansible import constants as C
|
||||||
from ansible.errors import AnsibleError
|
from ansible.errors import AnsibleError, AnsibleFileNotFound
|
||||||
from ansible.module_utils._text import to_bytes, to_native, to_text
|
from ansible.module_utils._text import to_bytes, to_native, to_text
|
||||||
from ansible.plugins.action import ActionBase
|
from ansible.plugins.action import ActionBase
|
||||||
from ansible.template import generate_ansible_template_vars
|
from ansible.template import generate_ansible_template_vars
|
||||||
|
@ -107,10 +107,18 @@ class ActionModule(ActionBase):
|
||||||
if dest_stat['exists'] and dest_stat['isdir']:
|
if dest_stat['exists'] and dest_stat['isdir']:
|
||||||
dest = self._connection._shell.join_path(dest, os.path.basename(source))
|
dest = self._connection._shell.join_path(dest, os.path.basename(source))
|
||||||
|
|
||||||
# template the source data locally & get ready to transfer
|
# Get vault decrypted tmp file
|
||||||
b_source = to_bytes(source)
|
|
||||||
try:
|
try:
|
||||||
with open(b_source, 'r') as f:
|
tmp_source = self._loader.get_real_file(source)
|
||||||
|
except AnsibleFileNotFound as e:
|
||||||
|
result['failed'] = True
|
||||||
|
result['msg'] = "could not find src=%s, %s" % (source, e)
|
||||||
|
self._remove_tmp_path(tmp)
|
||||||
|
return result
|
||||||
|
|
||||||
|
# template the source data locally & get ready to transfer
|
||||||
|
try:
|
||||||
|
with open(tmp_source, 'r') as f:
|
||||||
template_data = to_text(f.read())
|
template_data = to_text(f.read())
|
||||||
|
|
||||||
# set jinja2 internal search path for includes
|
# set jinja2 internal search path for includes
|
||||||
|
@ -150,6 +158,8 @@ class ActionModule(ActionBase):
|
||||||
result['failed'] = True
|
result['failed'] = True
|
||||||
result['msg'] = type(e).__name__ + ": " + str(e)
|
result['msg'] = type(e).__name__ + ": " + str(e)
|
||||||
return result
|
return result
|
||||||
|
finally:
|
||||||
|
self._loader.cleanup_tmp_file(tmp_source)
|
||||||
|
|
||||||
if not tmp:
|
if not tmp:
|
||||||
tmp = self._make_tmp_path()
|
tmp = self._make_tmp_path()
|
||||||
|
|
|
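Review bot: The new handler `except AnsibleFileNotFound as e:` covers only a missing file; if `get_real_file` raises a different `AnsibleError` when the vaulted source cannot be decrypted (no matching vault secret, corrupt ciphertext), that exception escapes instead of becoming a failed result, and the `tmp` path is not removed on that path the way it is for the not-found case. Catching `except AnsibleError as e:` here (the name is already imported) with the same `result['msg'] = "could not find src=%s, %s" % (source, e)` style would keep failure reporting consistent with the `except Exception` branch further down; whether `tmp` can still be unset at that point depends on code outside the hunk, so confirm `_remove_tmp_path` tolerates it. The `finally: self._loader.cleanup_tmp_file(tmp_source)` also runs for unencrypted sources, where `tmp_source` is presumably the original file path, so this relies on `cleanup_tmp_file` deleting only files the loader itself created; a one-line comment such as `# no-op for non-vaulted sources: the loader only removes temp files it created` would make that dependency visible. The enclosing `run()` starts and ends outside these hunks.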
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
- name: Template from a vaulted template file
|
||||||
|
template:
|
||||||
|
src: vaulted_template.j2
|
||||||
|
dest: "{{ output_dir }}/vaulted_template.out"
|
||||||
|
vars:
|
||||||
|
vaulted_template_var: "here_i_am"
|
||||||
|
|
||||||
|
- name: Get output template contents
|
||||||
|
slurp:
|
||||||
|
path: "{{ output_dir }}/vaulted_template.out"
|
||||||
|
register: vaulted_tempalte_out
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
msg: "{{ vaulted_tempalte_out.content|b64decode }}"
|
||||||
|
|
||||||
|
- assert:
|
||||||
|
that:
|
||||||
|
- vaulted_tempalte_out.content|b64decode == 'here_i_am\n'
|
|
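Review bot: The `debug` task with `msg: "{{ vaulted_tempalte_out.content|b64decode }}"` echoes the rendered output of a vault-encrypted template into the play output and any log; the value is a harmless test string here, but the pattern tends to get copied, so I would either drop the task (the `assert` already checks the content) or add `no_log: true` to it. The registered name `vaulted_tempalte_out` is misspelled on all three uses (register, debug, assert); `vaulted_template_out` would read better and match the template name.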
@ -0,0 +1,6 @@
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
65626437623461633630303033303939616334373263633438623938396564376435366534303865
|
||||||
|
6363663439346464336437346263343235626463663130640a373233623733653830306262376430
|
||||||
|
31666538323132343039613537323761343234613531353035373434666632333932623064316564
|
||||||
|
3532363462643736380a303136353830636635313662663065343066323631633562356663633536
|
||||||
|
31343265376433633234656432393066393865613235303165666338663930303035
|
|
@ -57,4 +57,4 @@ ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-pass
|
||||||
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check
|
||||||
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password
|
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password
|
||||||
ansible-playbook test_vaulted_inventory.yml -i vaulted.inventory -v "$@" --vault-password-file vault-password
|
ansible-playbook test_vaulted_inventory.yml -i vaulted.inventory -v "$@" --vault-password-file vault-password
|
||||||
|
ansible-playbook test_vaulted_template.yml -i ../../inventory -v "$@" --vault-password-file vault-password
|
||||||
|
|
6
test/integration/targets/vault/test_vaulted_template.yml
|
@ -0,0 +1,6 @@
|
||||||
|
- hosts: testhost
|
||||||
|
gather_facts: False
|
||||||
|
vars:
|
||||||
|
- output_dir: .
|
||||||
|
roles:
|
||||||
|
- { role: test_vaulted_template, tags: test_vaulted_template}
|
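Review bot: `vars:` is written as a list of single-key mappings (`- output_dir: .`) rather than a mapping; `vars:` followed by an indented `output_dir: .` is the usual play-level form and does not depend on list-of-dicts handling. `output_dir: .` also leaves `vaulted_template.out` in whatever directory the runner executes from, and no task removes it afterwards; pointing it at a temporary directory or adding a cleanup task would keep repeated runs independent.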