We've had success storing secret variables in S3 YAML files and using include_vars to process them where needed.

- Jaime

On Tuesday, July 14, 2015 at 7:12:50 AM UTC-4, Adam Flinton wrote:
> Dear All,
>
> At the moment we are encrypting all of our host vars with git-crypt as a
> few contain secret information.
>
> This is a pain as only a few people need the encrypted parts of the few
> encrypted files but it means all people who use ansible etc have to have
> git-crypt set up & working etc.etc.
>
> So I would like to find out some way in which just the values which need
> to be encrypted can be pulled out into separate files & encrypted.
>
> I see from:
>
> http://docs.ansible.com/intro_inventory.html
>
> That a host/group var file can be replaced with a folder & then
>
> "As an advanced use-case, you can create directories named after your
> groups or hosts, and Ansible will read all the files in these directories"
>
> Such that I could have a file called notsecret & another called secret.key
> & tell git-crypt just to encrypt "*.key" files.
>
> That way people using instances/roles etc with no secret info could still
> use host/group vars w/o gitcrypt
>
> At the moment this seems like the best plan.....but any other suggestions
> would be welcome.
>
> For example can a hostvar file perform an inclusion along the lines of
> including something akin to
>
> vars_files:
>   - [ 'files/vars/{{ inventory_host }}.yml','files/vars/default.yml' ]
>
> ?
>
> TIA
>
> Adam
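
The S3 approach described in the reply above, as an added example that is not from the original thread: a play that downloads a per-host secrets file from S3 to the control node, loads it with include_vars, and always deletes the local plaintext copy. The bucket name and object key layout are assumptions, and `amazon.aws.s3_object` is the current collection module for S3 downloads (it needs boto3 and AWS credentials on the control node).

```yaml
# Added example (not from the thread). The bucket name and key layout
# are assumptions; adjust them to your environment.
- name: Load secret vars from S3
  hosts: all
  gather_facts: false
  vars:
    secrets_bucket: example-ansible-secrets   # assumed bucket name
  tasks:
    - name: Create a temp file on the control node (created mode 0600)
      ansible.builtin.tempfile:
        state: file
        suffix: .yml
      register: secret_tmp
      delegate_to: localhost

    - block:
        - name: Download this host's secrets file
          amazon.aws.s3_object:
            bucket: "{{ secrets_bucket }}"
            object: "host_vars/{{ inventory_hostname }}.yml"   # assumed layout
            dest: "{{ secret_tmp.path }}"
            mode: get
          delegate_to: localhost
          no_log: true   # keep object details out of task output

        - name: Load the secrets as variables for this host
          ansible.builtin.include_vars:
            file: "{{ secret_tmp.path }}"
          no_log: true   # keep secret values out of logs and callbacks

      always:
        - name: Remove the plaintext copy, even if a task above failed
          ansible.builtin.file:
            path: "{{ secret_tmp.path }}"
            state: absent
          delegate_to: localhost
```

With this layout, read access to the secrets is decided by the IAM policy on the bucket, so the repository itself holds no encrypted files and users without bucket access can still work with the ordinary host and group vars.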
