Considering the following Ansible hosts file:
[webservers]
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass=2345678
server3.example.com ansible_ssh_pass=3456789
I would like to include these password values from a vault file and have a hosts file like (my intention is to have an ini inventory format):
[webservers]
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass={{ ssh_pass }}
where the ssh_pass variable comes from vaulted files defined in the host_vars folder.
The relevant ansible folder structure looks like this:
playbook.yml
inventories/
    atlanta/
        group_vars/
        hosts
        host_vars/
            server1.example.com
            server2.example.com
            server3.example.com
But ansible is complaining:
[WARNING]: * Failed to parse /root/hsm-ansible-deploy/inventories/atlanta/hosts with ini plugin: /root/hsm-ansible-deploy/inventories/atlanta/hosts:18: Expected key=value host variable assignment, got: ssh_pass
hosts file?

As indicated by @techraf this is only a syntax issue. The correct way of writing the ini hosts file is:
[webservers]
server1.example.com ansible_ssh_pass="{{ ssh_pass }}"
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"
But I also found a more elegant solution where the hosts file is even more elegant, by not providing the ansible_ssh_pass variable at all in hosts:
[webservers]
server1.example.com
server2.example.com
server3.example.com
and using group_vars/all to define this variable there:
---
ansible_ssh_pass: "{{ vault_ansible_ssh_pass }}"
where vault_ansible_ssh_pass is defined in each host's vaulted secrets file, like host_vars/server1.example.com:
---
vault_ansible_ssh_pass: "my secret password"
and then these files are encrypted using ansible-vault:
ansible-vault encrypt inventories/atlanta/host_vars/server*/vault --vault-password-file ~/.vault_pass.txt
where ~/.vault_pass.txt contains the ansible vault password in clear text.
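The two problems in this thread, the ini plugin rejecting an unquoted `{{ ssh_pass }}` and credentials sitting in clear text in the inventory, are both easy to catch before a run. The following is an added example (not code from the question, the answer or Ansible itself) of a small pre-commit style check: it tokenises ini host lines with `shlex.split`, which is also how Ansible's ini plugin splits them, so an unquoted template reproduces the exact "Expected key=value host variable assignment, got: ssh_pass" failure; it flags plaintext values for credential variables such as `ansible_ssh_pass`; and it verifies that a vars file really carries the `$ANSIBLE_VAULT;` header that `ansible-vault encrypt` writes. The inventory samples are the three variants from this page; the encrypted-file body is a constructed stand-in (only its header line matters), and the set of credential variable names is an assumption of the example.

```python
import shlex

# Inventory variables that carry credentials; a clear-text value for any of
# these belongs in a vaulted vars file, not in the inventory. This set is an
# assumption of the example (ansible_ssh_pass is the legacy name used above,
# ansible_password / ansible_become_password are the current ones).
CREDENTIAL_KEYS = {
    "ansible_ssh_pass",
    "ansible_password",
    "ansible_become_pass",
    "ansible_become_password",
    "ansible_sudo_pass",
}

# Every file written by `ansible-vault encrypt` starts with this envelope marker.
VAULT_HEADER = "$ANSIBLE_VAULT;"


def lint_ini_inventory(text):
    """Return a list of (line_no, message) findings for an ini-format inventory.

    Host lines are split with shlex, as Ansible's ini plugin does, so an
    unquoted `{{ var }}` fragments into tokens that lack an '=' and is reported
    the same way Ansible reports it.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # blank line, comment or section header: nothing to check
        tokens = shlex.split(line, comments=True)
        # First token is the host (or host pattern); everything after it must
        # be a key=value host variable assignment.
        for token in tokens[1:]:
            if "=" not in token:
                findings.append((line_no, "expected key=value host variable assignment, got: " + token))
                break  # Ansible stops at the first bad token on a line
            key, value = token.split("=", 1)
            if key in CREDENTIAL_KEYS and "{{" not in value:
                findings.append((line_no, "plaintext credential in inventory variable " + key))
    return findings


def is_vault_encrypted(content):
    """True if a vars file carries the ansible-vault envelope header."""
    return content.startswith(VAULT_HEADER)


# --- samples from the page -------------------------------------------------

# The original inventory from the question: passwords in clear text.
PLAINTEXT_INVENTORY = """\
[webservers]
server1.example.com ansible_ssh_pass=1234567
server2.example.com ansible_ssh_pass=2345678
server3.example.com ansible_ssh_pass=3456789
"""

# The first attempt: templated, but unquoted, so the ini plugin rejects it.
UNQUOTED_INVENTORY = """\
[webservers]
server1.example.com ansible_ssh_pass={{ ssh_pass }}
server2.example.com ansible_ssh_pass={{ ssh_pass }}
server3.example.com ansible_ssh_pass={{ ssh_pass }}
"""

# The corrected form from the answer: the template is quoted.
QUOTED_INVENTORY = """\
[webservers]
server1.example.com ansible_ssh_pass="{{ ssh_pass }}"
server2.example.com ansible_ssh_pass="{{ ssh_pass }}"
server3.example.com ansible_ssh_pass="{{ ssh_pass }}"
"""

# Constructed stand-in for a vaulted host_vars file: real output has a long
# hex body after the header, only the header is checked here.
ENCRYPTED_VARS = "$ANSIBLE_VAULT;1.1;AES256\n3634316235633961\n"

# The same file before `ansible-vault encrypt`, as shown in the answer.
PLAINTEXT_VARS = "---\nvault_ansible_ssh_pass: \"my secret password\"\n"


if __name__ == "__main__":
    for name, inv in [("plaintext", PLAINTEXT_INVENTORY),
                      ("unquoted", UNQUOTED_INVENTORY),
                      ("quoted", QUOTED_INVENTORY)]:
        print(name, lint_ini_inventory(inv))
    print("host_vars encrypted:", is_vault_encrypted(ENCRYPTED_VARS),
          is_vault_encrypted(PLAINTEXT_VARS))
```

Run it over `inventories/atlanta/hosts` and every file under `host_vars/` before committing: the quoted inventory and the bare one from the second solution produce no findings, while a forgotten `ansible-vault encrypt` shows up as a vars file without the header.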