When you’re working through an Ansible playbook, it’s entirely likely that
you’re going to spend a lot of time searching through the repository to see
where the variables have been set. Normally, this is pretty easy. Fire up
and you find exactly what you’re looking for.
However, what if the variable is something sensitive, like a password or an API key? If secrets are in your repository, then they should have been encrypted properly. If you can easily grep for passwords in your repository, then you have another, much bigger, problem.
If you’re diligent, then you can make sure that you’ve placed your secrets in a known location. That will reduce your searching considerably. Variables are set up in a group_vars file and the sensitive values are placed into vault_staging.yml or the like. Just like they tell you to do in
Human nature being what it is, people forget to do things the right way. Hey - at least the file has been encrypted.
I’m not sure where I originally found this snippet, but it’s come in handy more than once. This should get you the info you need:
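#!/bin/bash
# Search recursively through group_vars/ for encrypted values
# - assumes your vault password is in a file vpass
# - usage: pass the variable name (or any grep pattern) as the first argument
# - matching lines are printed decrypted, so mind your terminal and logs
grep -ril ANSIBLE_VAULT group_vars/ | while read -r N
do
    echo -n "$N:"
    ansible-vault view --vault-password-file vpass "$N" | grep -- "$1"
done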
Now, go and refactor your vars so you don’t need to do this again.
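To check for the "much bigger problem" mentioned earlier, secrets that can be found with a plain grep, here is an added example (not part of the original post or of Ansible itself). The function name `find_plaintext_secrets` and the name pattern in `SENSITIVE_RE` are assumptions; it treats whole-file vaults, inline `!vault` values and `{{ ... }}` references as safe and reports everything else by file, line and variable name only.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic audit: report
# sensitive-looking variable names whose values sit in plaintext.
# SENSITIVE_RE is an assumed naming pattern; adjust it to your conventions.
SENSITIVE_RE='^[[:space:]]*[A-Za-z0-9_]*(pass(word|wd)?|secret|token|api_?key)[A-Za-z0-9_]*[[:space:]]*:'

# find_plaintext_secrets DIR
# Prints "file:line:variable" per finding. Values are never printed.
find_plaintext_secrets() {
    find "$1" -type f | sort | while IFS= read -r f
    do
        # Files encrypted as a whole start with the vault header: skip them.
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            continue
        fi
        { grep -niE "$SENSITIVE_RE" "$f" || true; } | while IFS= read -r hit
        do
            lineno=${hit%%:*}      # the "N:" prefix added by grep -n
            rest=${hit#*:}         # the YAML line itself
            key=$(printf '%s' "${rest%%:*}" | tr -d '[:space:]')
            val=${rest#*:}
            case $val in
                # Inline vaulted value, or a Jinja reference such as
                # "{{ vault_db_password }}" pointing into a vault file.
                *'!vault'*|*'{{'*) continue ;;
            esac
            # A key with nothing after the colon holds no value on this line.
            [ -n "$(printf '%s' "$val" | tr -d '[:space:]')" ] || continue
            printf '%s:%s:%s\n' "$f" "$lineno" "$key"
        done
    done
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    find_plaintext_secrets "$1"
fi
```

Run it as `sh script.sh group_vars/`; names that merely contain a matching substring will also be reported, so review the findings before refactoring.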