How to diff ansible vault changes?

Ikar Pohorský · Apr 29, 2015 · Viewed 9.5k times

I'd like to see the actual git commit changes in the ansible vault file.

Is there an easy way how to achieve this?

Answer

Mark Longair · Sep 15, 2016

You can do this very neatly, so that the normal git tools like git log and git diff can see inside the vaulted files, using a custom git diff driver and .gitattributes.

  • Make sure that your vault password is in .vault_password and that that file is not committed - you should also add it to .gitignore.
  • Add a .gitattributes file that matches any files in your repository that are encrypted with ansible-vault and give them the attribute diff=ansible-vault. For example, I have:

    env_vars/production.yml diff=ansible-vault merge=binary
    env_vars/staging.yml diff=ansible-vault merge=binary

    You can also use wildcarded patterns - the first element of each line, the pattern, follows the same rules as .gitignore files. The merge=binary option tells git not to attempt to do a three-way merge of these files.

  • Then you have to set the diff driver for files with attribute diff=ansible-vault to ansible-vault view:

    git config --global diff.ansible-vault.textconv "ansible-vault view"

And that should be it - when git is calculating diffs of the files your pattern matches, it'll decrypt them first.
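As an added example (not part of the answer above), the script below wires the three steps together in a throw-away repository, using a repo-local driver that passes the vault password file explicitly instead of relying on ansible.cfg, and then verifies the result with git's own attribute and ignore queries. It assumes git is on PATH and that ansible-vault is only invoked when a diff is actually shown, so the setup itself runs without Ansible.

```shell
#!/bin/sh
# Example setup for the ansible-vault diff driver (added example, not the
# answer's own code). Assumes git is installed; the password value is constructed.

setup_vault_diff() {
  repo="$1"
  mkdir -p "$repo/env_vars" || return 1
  git -C "$repo" init -q || return 1
  # Keep the password out of the repository: ignore it before it exists.
  printf '.vault_password\n' > "$repo/.gitignore"
  printf 'constructed-example-password\n' > "$repo/.vault_password"
  chmod 600 "$repo/.vault_password"
  # Wildcard form of the .gitattributes lines from the answer.
  printf 'env_vars/*.yml diff=ansible-vault merge=binary\n' > "$repo/.gitattributes"
  # Repo-local driver (no --global). The password file is named explicitly;
  # git runs textconv from the repository top level, so the relative path works.
  git -C "$repo" config diff.ansible-vault.textconv \
    'ansible-vault view --vault-password-file .vault_password'
}

# Print the diff driver git will apply to a path ("unspecified" if none).
diff_driver_for() {
  git -C "$1" check-attr diff -- "$2" | awk '{print $NF}'
}

# Exit 0 only if .vault_password is ignored, i.e. cannot be added by accident.
password_is_ignored() {
  git -C "$1" check-ignore -q .vault_password
}
```

Run `git diff --no-textconv` in such a repository when you need to see the stored ciphertext rather than the decrypted view.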