Inject Ansible Vault variable in external file

You want to inject an Ansible Vault variable into an external file (a configuration file or anything else)? Here's how to do it.

This works with any type of variable, but in my case the need was to copy an encrypted password into a configuration file.

In this example we will inject the database password into the Ghost configuration file config.production.json (the variable {{ mysql_user_password }} is stored in a vault.yml file).

For this we'll use the lineinfile module.

Context

We have an Ansible playbook that deploys a Ghost blog. We will focus on injecting the variable into the configuration file.

We have one folder that contains the playbook and all of the base files (for example ~/ghost-ansible, with the Ansible files, the nginx configuration and the Ghost configuration) and a second folder with a copy of the configuration file (for example ~/ghost).

Why we create a copy of the configuration file: the Ansible directory stays clean of any password, so you can keep pushing this playbook to your version control system without any problem.

Create your vault

Create the vault and set its password:

$ ansible-vault create vault.yml
Vault password:

Add your variables:

mysql_root_password: "secret_root"
mysql_user_password: "secret_user"

Injection

The file config.production.json (the "password" value is left empty on purpose; the comma after it is required for the JSON to stay valid):

[...]
  "database": {
    "client": "mysql",
    "connection": {
        "host": "db",
        "user": "ghost-user",
        "password": "",
        "database": "ghost",
        "charset": "utf8"
    }
[...]

Create the folder and copy the files with Ansible:

  - name: Creates stack directory
    file:
      path: ~/ghost
      state: directory

  - name: Copying configuration files
    copy:
      src: ./configuration
      dest: ~/ghost/

Inject the password into the configuration file:

  - name: Set Ghost secret in config.production.json
    lineinfile:
      path: ~/ghost/configuration/config.production.json
      # matches any line containing "password" and replaces the whole line
      regexp: '^(.*)password(.*)$'
      # the trailing comma keeps the JSON valid
      line: '        "password": "{{ mysql_user_password }}",'

And the result:

$ grep password ~/ghost/configuration/config.production.json
        "password": "secret_user",

Deploy

$ ansible-playbook pre-config.yml --ask-vault-pass
Vault password:
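The whole procedure above assembled into one playbook, as an added example (this is not the original post's pre-config.yml). It assumes an inventory group named ghost, vault.yml next to the playbook, and python3 on the target. Compared with the snippets above it anchors the regexp on the JSON key, refuses to write a file that is no longer valid JSON, keeps the secret out of the run output with no_log, and checks that the placeholder was replaced without printing the value.

```yaml
# pre-config.yml (added example, not the post's own playbook)
# Assumptions: inventory group "ghost", vault.yml next to this playbook,
# ./configuration/config.production.json containing "password": "",
# and python3 available where the file is written.
- name: Pre-configure Ghost with the database password from the vault
  hosts: ghost
  vars_files:
    - vault.yml                 # decrypted at run time with --ask-vault-pass

  tasks:
    - name: Create stack directory
      file:
        path: ~/ghost
        state: directory
        mode: '0700'

    - name: Copy configuration files
      copy:
        src: ./configuration
        dest: ~/ghost/

    - name: Set Ghost secret in config.production.json
      lineinfile:
        path: ~/ghost/configuration/config.production.json
        # Anchor on the JSON key itself, not on any line containing "password",
        # so an unrelated key such as "mail_password" is never rewritten.
        regexp: '^(\s*)"password":.*$'
        # \1 keeps the original indentation; the trailing comma keeps the JSON valid.
        line: '\1"password": "{{ mysql_user_password }}",'
        backrefs: true            # no match -> file left unchanged, nothing appended at EOF
        mode: '0600'              # the file now holds a secret
        # Refuse to write the file if the result is not parseable JSON.
        validate: python3 -m json.tool %s
      no_log: true                # keep the secret out of the run output and logs

    - name: Check that the placeholder was replaced (without printing the value)
      command: grep -Eq '"password": "[^"]+"' ~/ghost/configuration/config.production.json
      changed_when: false         # read-only check; fails when no non-empty password is found
```

Run it exactly as above with `ansible-playbook pre-config.yml --ask-vault-pass`; because of no_log, a failure in the lineinfile task is reported without echoing the secret.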

Resources

https://docs.ansible.com/ansible/latest/modules/lineinfile_module.html

Feel free to correct me if you see any typo or if something seems wrong to you.
You can send me an email or comment below.

Picture: Silas Köhler