3

I am trying to figure out the best practice folder structure to organize my vault variables.

Currently it looks like this:

.
├── group_vars/
│   ├── group1.yml
│   └── group2.yml
├── host_vars/
│   ├── host1.yml
│   └── host2.yml
├── roles/
│   └── .../
└── vault/
    ├── enc-file1.yml
    └── enc-file2.yml

However, this way I always have to use include_vars inside my role to source a specific encrypted file.

Is there any naming convention and folder structure I can apply so that Ansible will automatically source the correct vaulted variables, just as it does with host_vars and group_vars?

I had something like this in mind:

.
└── group_vars/
    ├── group1/
    │   ├── main.yml
    │   └── vault.yml
    └── group2/
        ├── main.yml
        └── vault.yml

Is there anything I can do, so I do not have to explicitly include vault variables?

Bitswazsky
cytopia

2 Answers

3

Is there anything I can do, so I do not have to explicitly include vault variables?

In recent Ansible versions (since 2.3) you don't need to include separate files for vault-protected variables. Instead, you can encrypt individual variables in regular vars-files - see Single Encrypted Variable.

Is there any naming convention and folder structure [] that Ansible will automatically source the correct vaulted variable []?

No, there is no convention nor automatic mechanism.

techraf
  • Thanks, didn't know about this. Btw, how would I work on these files? How can I encrypt/decrypt a single variable within this file? – cytopia Mar 28 '17 at 08:39
  • Click on the link I included in the answer and read. The question is about best practices/general mechanism, not about command details, so I see no reason to copy-paste from the docs. – techraf Mar 28 '17 at 08:41
1

@cytopia, what you have in mind works.

You can split encrypted/clear inventory variables in separate files. Ansible will sort out what is encrypted and what is not.

I use the following layout and had no problems with it so far (1.9.x - 2.2.1.0):

group_vars/
    all/
        clear
        secret
    group1/
        clear
        secret
    group2/
        clear
        secret
leucos
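Both answers rely on a convention that nothing enforces: the "secret"/"vault.yml" file in each group directory must actually be vault-encrypted, and the clear file must only refer to secrets through a `{{ vault_* }}` indirection (the pattern Ansible's own docs recommend) or an inline `!vault` value as described in the first answer. The script below is an added example, not code from the thread or from the Ansible project: a pre-commit style check that walks an assumed repository layout (here a constructed in-memory dict of paths to contents, with placeholder ciphertext) and reports secret files that were committed unencrypted and credential-looking keys that hold plaintext in a clear file. File names treated as "secret" and the key-name heuristic are assumptions, not Ansible behaviour.

```python
"""Layout check for vaulted group_vars/host_vars.

Added example (not from the thread or the Ansible project). Assumed conventions:
each group/host directory holds a clear file (clear / main.yml) and a secret file
(secret / vault.yml); the secret file is fully encrypted with ansible-vault, and
clear files reference secrets only via `{{ vault_* }}` indirection or `!vault`.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath

# A file encrypted with `ansible-vault encrypt` starts with this header.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# Assumed file names that must always be fully encrypted.
SECRET_NAMES = {"secret", "vault", "secret.yml", "vault.yml"}
# Heuristic: keys that usually carry credentials (assumption, not an Ansible rule).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_]*(password|passwd|secret|token|api_key|private_key)"
    r"[A-Za-z0-9_]*)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)
# Indirection to a variable defined in the vault file, e.g. "{{ vault_db_password }}".
VAULT_REF_RE = re.compile(r"\{\{\s*vault_[A-Za-z0-9_]+\s*\}\}")


def is_vault_encrypted(content: str) -> bool:
    """True when the whole file is an ansible-vault ciphertext blob."""
    return content.lstrip().startswith(VAULT_HEADER)


def check_clear_file(path: str, content: str) -> list[str]:
    """Report credential-looking keys whose value is neither `!vault` nor a vault_ reference."""
    findings: list[str] = []
    for lineno, line in enumerate(content.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if value.startswith("!vault") or VAULT_REF_RE.search(value):
            continue  # encrypted inline (single encrypted variable) or indirected: fine
        findings.append(f"{path}:{lineno}: '{m.group('key')}' holds a plaintext value in a clear file")
    return findings


def check_layout(files: dict[str, str]) -> list[str]:
    """files maps repo-relative POSIX paths to file contents; returns findings in path order."""
    findings: list[str] = []
    for path, content in sorted(files.items()):
        parts = PurePosixPath(path).parts
        if parts[0] not in ("group_vars", "host_vars"):
            continue  # only inventory variable trees are in scope
        if parts[-1] in SECRET_NAMES:
            if not is_vault_encrypted(content):
                findings.append(f"{path}: secret file is not vault-encrypted")
        elif not is_vault_encrypted(content):
            findings.extend(check_clear_file(path, content))
    return findings


# Constructed sample repository (not from the thread); ciphertext bodies are placeholders.
SAMPLE_REPO = {
    "group_vars/all/clear": "---\nntp_server: ntp.example.org\n",
    "group_vars/all/secret": "$ANSIBLE_VAULT;1.1;AES256\n30303030 (placeholder ciphertext)\n",
    "group_vars/group1/main.yml": (
        "---\n"
        "db_user: app\n"
        'db_password: "{{ vault_db_password }}"\n'  # indirection into vault.yml: OK
        "api_token: !vault |\n"                     # single encrypted variable: OK
        "  $ANSIBLE_VAULT;1.1;AES256\n"
        "  30303030 (placeholder ciphertext)\n"
    ),
    "group_vars/group1/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n30303030 (placeholder ciphertext)\n",
    "group_vars/group2/main.yml": "---\nsmtp_password: hunter2\n",        # plaintext: finding
    "group_vars/group2/vault.yml": "---\nvault_smtp_password: hunter2\n",  # never encrypted: finding
    "roles/web/tasks/main.yml": "- debug: msg=hello\n",                   # out of scope
}

if __name__ == "__main__":
    for finding in check_layout(SAMPLE_REPO):
        print(finding)
```

Running it on the sample reports exactly the two group2 mistakes (a plaintext `smtp_password` in the clear file and an unencrypted `vault.yml`), while group1's `{{ vault_db_password }}` indirection and inline `!vault` token pass. On a real checkout, feed `check_layout` a dict built from `pathlib.Path("group_vars").rglob("*")` and run it as a pre-commit hook so an unencrypted secret file never reaches the remote.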