Hi!
I just don't know where to post feature requests/suggestions, so I've decided
to post it here.
How about an additional key for the ansible-playbook binary which will tell
Ansible to delete the vault password file right after starting the playbook?
Here is the case (not sure if I'm the only one with such a case):
I'm starting my playbook in Jenkins pipeline Groovy code, so I'm using a
Jenkins credentials secret file to pass the vault string to the Ansible
playbook, but that leads to this file being created in the workdir in
plaintext for the whole Ansible playbook runtime. So anyone who has read
access to my job can just go to the Jenkins Workspaces tab right in the UI
and get my vault id. I've made an ugly solution that runs parallel tasks and
removes the file after some timeout (dirty and ugly), so the code looks like
this:
    parallel "Running ansible script": {
        ansiblePlaybook playbook: "${playbook}",
            vaultCredentialsId: "${creds}",  // takes the Jenkins credentials secret file and puts it into the workspace
            installation: "${tool}",
            inventory: "${inventory}",
            extras: "${extras}"
    }, "Cleanup": {
        sh "sleep 5 && rm -f vault*.password"
    }
Of course I can also try to delete it with the first task of my playbook,
but I came up with the idea that maybe some additional key to the ansible
binary itself would be the most elegant solution for this, since in most
cases you don't need the vault password file right after starting the
playbook.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/4c9390f7-fa08-464f-bc47-afcaa279e3d5%40googlegroups.com.
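
An alternative to deleting the file on a timer, as an added example that is not part of the original message or of Ansible itself: ansible-playbook runs a --vault-password-file that is executable and uses its stdout as the password, so the secret can come from an environment variable and never be written to the workspace. The variable name VAULT_PASS and the function names are assumptions; in Jenkins the variable would be bound from a secret-text credential around the sh step.

```shell
#!/bin/sh
# Added example: keep the vault password out of the Jenkins workspace.
# VAULT_PASS is a hypothetical variable name, bound by the CI system for
# the duration of one step only.

# Create a private directory outside the workspace holding a small client
# script. The script contains no secret; it only echoes the variable.
make_vault_client() {
    old_umask=$(umask)
    umask 077                       # directory and script readable by owner only
    dir=$(mktemp -d "${TMPDIR:-/tmp}/vaultclient.XXXXXX") || return 1
    cat > "$dir/vault-client.sh" <<'EOF'
#!/bin/sh
# Fail closed when the variable is unset or empty.
[ -n "${VAULT_PASS:-}" ] || { echo "VAULT_PASS is not set" >&2; exit 1; }
printf '%s\n' "$VAULT_PASS"
EOF
    chmod 700 "$dir/vault-client.sh"
    umask "$old_umask"
    printf '%s\n' "$dir/vault-client.sh"
}

# Run a playbook with the client script and remove the script afterwards,
# whether the play succeeds or fails. Extra arguments go to ansible-playbook.
run_playbook() {
    client=$(make_vault_client) || return 1
    ansible-playbook --vault-password-file "$client" "$@"
    rc=$?
    rm -rf "$(dirname "$client")"
    return "$rc"
}

# Usage inside the job step: run_playbook -i inventory site.yml
```

Unlike the sleep-and-remove workaround, this has no window in which the file may be deleted before ansible-playbook has read it, and nothing secret is left behind if the job is aborted.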