Allow template files to be vaulted (#22951)

* Allow template files to be vaulted

* Make sure to import exceptions we need

* get_real_file can't take bytes, since it looks specifically for string_types

* Now that we aren't using open() we don't need b_source

* Expand playbooks_vault docs to include modules that support vaulted src files

* Add vaulted template test
Matt Martz 2017-06-07 13:16:03 -05:00 committed by Brian Coca
parent 24f2a616dd
commit 004e99316c
6 changed files with 47 additions and 6 deletions


@ -18,7 +18,7 @@ The vault feature can encrypt any structured data file used by Ansible. This ca
Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you're using, you can encrypt the task files in their entirety. However, that might be a little too much and could annoy your coworkers :) Ansible tasks, handlers, and so on are also data so these can be encrypted with vault as well. To hide the names of variables that you're using, you can encrypt the task files in their entirety. However, that might be a little too much and could annoy your coworkers :)
The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the `src` argument to the `copy` module, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play). +The vault feature can also encrypt arbitrary files, even binary files. If a vault-encrypted file is given as the `src` argument to the `copy`, `template`, `unarchive`, `script` or `assemble` modules, the file will be placed at the destination on the target host decrypted (assuming a valid vault password is supplied when running the play).
As of version 2.3, Ansible also supports encrypting single values inside a YAML file, using the `!vault` tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below. As of version 2.3, Ansible also supports encrypting single values inside a YAML file, using the `!vault` tag to let YAML and Ansible know it uses special processing. This feature is covered in more details below.


@ -20,7 +20,7 @@ __metaclass__ = type
import os import os
from ansible import constants as C from ansible import constants as C
from ansible.errors import AnsibleError from ansible.errors import AnsibleError, AnsibleFileNotFound
from ansible.module_utils._text import to_bytes, to_native, to_text from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.plugins.action import ActionBase from ansible.plugins.action import ActionBase
from ansible.template import generate_ansible_template_vars from ansible.template import generate_ansible_template_vars
@ -107,10 +107,18 @@ class ActionModule(ActionBase):
if dest_stat['exists'] and dest_stat['isdir']: if dest_stat['exists'] and dest_stat['isdir']:
dest = self._connection._shell.join_path(dest, os.path.basename(source)) dest = self._connection._shell.join_path(dest, os.path.basename(source))
# template the source data locally & get ready to transfer # Get vault decrypted tmp file
b_source = to_bytes(source)
try: try:
with open(b_source, 'r') as f: tmp_source = self._loader.get_real_file(source)
except AnsibleFileNotFound as e:
result['failed'] = True
result['msg'] = "could not find src=%s, %s" % (source, e)
self._remove_tmp_path(tmp)
return result
# template the source data locally & get ready to transfer
try:
with open(tmp_source, 'r') as f:
template_data = to_text(f.read()) template_data = to_text(f.read())
# set jinja2 internal search path for includes # set jinja2 internal search path for includes
@ -150,6 +158,8 @@ class ActionModule(ActionBase):
result['failed'] = True result['failed'] = True
result['msg'] = type(e).__name__ + ": " + str(e) result['msg'] = type(e).__name__ + ": " + str(e)
return result return result
finally:
self._loader.cleanup_tmp_file(tmp_source)
if not tmp: if not tmp:
tmp = self._make_tmp_path() tmp = self._make_tmp_path()
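Review bot: The new handler around `tmp_source = self._loader.get_real_file(source)` catches only `AnsibleFileNotFound`, so any other failure from that call would leave this method without the `self._remove_tmp_path(tmp)` cleanup and without the structured `result['failed']` response that the handled branch builds. The loader is not visible here, so whether it can raise on a wrong or missing vault password should be confirmed. If it can, add a second branch `except AnsibleError as e:` that sets `result['failed'] = True`, reports the error text, removes the tmp path and returns. It would also help to put a comment above the second `try`, such as `# tmp_source may be a decrypted plaintext copy of a vaulted template; the finally below must remove it on every exit path`, so that a later refactor does not move the `open()` outside the block guarded by `cleanup_tmp_file`. The enclosing method starts before and continues after these hunks.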


@ -0,0 +1,19 @@
---
- name: Template from a vaulted template file
template:
src: vaulted_template.j2
dest: "{{ output_dir }}/vaulted_template.out"
vars:
vaulted_template_var: "here_i_am"
- name: Get output template contents
slurp:
path: "{{ output_dir }}/vaulted_template.out"
register: vaulted_tempalte_out
- debug:
msg: "{{ vaulted_tempalte_out.content|b64decode }}"
- assert:
that:
- vaulted_tempalte_out.content|b64decode == 'here_i_am\n'
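Review bot: The registered variable is misspelled as `vaulted_tempalte_out` in the `register:` line, in the `debug` message and in the `assert`. The test still passes because the spelling is consistent, but `vaulted_template_out` would be easier to read and to grep. The role also covers only the success path. A second case that expects failure (a missing `src`, or a run without the vault password) would exercise the error handling this commit adds to the template action.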


@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
65626437623461633630303033303939616334373263633438623938396564376435366534303865
6363663439346464336437346263343235626463663130640a373233623733653830306262376430
31666538323132343039613537323761343234613531353035373434666632333932623064316564
3532363462643736380a303136353830636635313662663065343066323631633562356663633536
31343265376433633234656432393066393865613235303165666338663930303035


@ -57,4 +57,4 @@ ansible-playbook test_vault.yml -i ../../inventory -v "$@" --vault-pass
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password --syntax-check
ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password ansible-playbook test_vault_embedded.yml -i ../../inventory -v "$@" --vault-password-file vault-password
ansible-playbook test_vaulted_inventory.yml -i vaulted.inventory -v "$@" --vault-password-file vault-password ansible-playbook test_vaulted_inventory.yml -i vaulted.inventory -v "$@" --vault-password-file vault-password
ansible-playbook test_vaulted_template.yml -i ../../inventory -v "$@" --vault-password-file vault-password


@ -0,0 +1,6 @@
- hosts: testhost
gather_facts: False
vars:
- output_dir: .
roles:
- { role: test_vaulted_template, tags: test_vaulted_template}