
I want to encrypt my Ansible inventory file using Ansible Vault, as it contains IPs, passwords, key file paths etc., which I do not want to keep in readable format.

This is what I have tried.

My folder structure looks like this:

env/
   hosts
   hosts_details
plays/
   test.yml
files/
   vault_pass.txt

env/hosts

[server-a]
server-a-name

[server-b]
server-b-name

[webserver:children]
server-a
server-b

env/hosts_details (file which I want to encrypt)

[server-a:vars]
env_name=server-a
ansible_ssh_user=root
ansible_ssh_host=10.0.0.1
ansible_ssh_private_key_file=~/.ssh/xyz-key.pem

[server-b:vars]
env_name=server-b
ansible_ssh_user=root
ansible_ssh_host=10.0.0.2
ansible_ssh_private_key_file=~/.ssh/xyz-key.pem

test.yml

---
  - hosts: webserver
    tasks:
      - name: Print Hello world
        debug:
          msg: "Hello World"

Execution without encryption runs successfully without any errors

ansible-playbook -i env/ test.yml 

When I encrypt my env/hosts_details file with the vault password file files/vault_pass.txt and then execute the playbook, I get the error below:

ansible-playbook -i env/ test.yml --vault-password-file files/vault_pass.txt


PLAY [webserver] 
******************************************************************

TASK [setup] 
*******************************************************************
Thursday 10 August 2017  11:21:01 +0100 (0:00:00.053)       0:00:00.053 *******
fatal: [server-a-name]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname server-a-name: Name or service not known\r\n", "unreachable": true}
fatal: [server-b-name]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname server-b-name: Name or service not known\r\n", "unreachable": true}

PLAY RECAP 
*********************************************************************
server-a-name            : ok=0    changed=0    unreachable=1    failed=0
server-b-name            : ok=0    changed=0    unreachable=1    failed=0

I want to know if I am missing anything, or whether it is possible to have the inventory file encrypted at all.

Is there any other alternative?

shwetha

1 Answer


As far as I know, you can't encrypt inventory files.
You should use group vars files instead.

Place your variables into ./env/group_vars/server-a.yml and server-b.yml in YAML format:

env_name: server-a
ansible_ssh_user: root
ansible_ssh_host: 10.0.0.1
ansible_ssh_private_key_file: ~/.ssh/xyz-key.pem

And encrypt server-a.yml and server-b.yml.

This way your inventory (hosts file) will be in plain text, but all inventory (host and group) variables will be encrypted.

Konstantin Suvorov
  • Hey! Thank you for your reply. I tried this and I am running into this `error.ERROR! Unexpected Exception: dictionary update sequence element #0 has length 1; 2 is required` – shwetha Aug 10 '17 at 13:45
  • My bad! it was a yaml syntax error. This is working, thank you for your help. – shwetha Aug 11 '17 at 04:52
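The layout the answer recommends keeps the host list readable while every connection variable lives in a vaulted group_vars file. The thing a practitioner then wants is a check that nothing sensitive was left behind in plain text, since Ansible will happily read an unencrypted group_vars file and nothing warns you. The script below is an added example, not from the post or from Ansible itself; it rebuilds the three layouts discussed above (the question's hosts_details, unencrypted group_vars, and vault-encrypted group_vars) in a temporary directory using constructed content, and reports files that define sensitive variables without the $ANSIBLE_VAULT header. The vaulted sample carries a real header but a made-up body, which is enough for the header check; the variable list and the "password/secret/token" heuristic are this example's own choices.

```python
"""Audit an Ansible inventory directory for secrets that are not vault-encrypted."""
import os
import re
import tempfile

# Every file written by `ansible-vault encrypt` starts with this header.
VAULT_HEADER = b"$ANSIBLE_VAULT;"

# Inventory variables this example treats as sensitive. The asker also wants
# IPs out of plain text, so ansible_host/ansible_ssh_host are included.
SENSITIVE_VARS = (
    "ansible_password", "ansible_ssh_pass",
    "ansible_become_pass", "ansible_become_password",
    "ansible_private_key_file", "ansible_ssh_private_key_file",
    "ansible_host", "ansible_ssh_host",
)
# Matches `name=value` (INI) or `name: value` (YAML) at the start of a line.
SENSITIVE_RE = re.compile(
    r"^\s*(?:" + "|".join(map(re.escape, SENSITIVE_VARS))
    + r"|\w*(?:password|secret|token))\s*[:=]",
    re.MULTILINE | re.IGNORECASE,
)

# Constructed sample content mirroring the question and the answer.
HOSTS_INI = "[server-a]\nserver-a-name\n\n[server-b]\nserver-b-name\n\n[webserver:children]\nserver-a\nserver-b\n"
HOSTS_DETAILS_INI = (
    "[server-a:vars]\nenv_name=server-a\nansible_ssh_user=root\n"
    "ansible_ssh_host=10.0.0.1\nansible_ssh_private_key_file=~/.ssh/xyz-key.pem\n"
)
GROUP_VARS_YAML = (
    "env_name: server-a\nansible_ssh_user: root\n"
    "ansible_ssh_host: 10.0.0.1\nansible_ssh_private_key_file: ~/.ssh/xyz-key.pem\n"
)
# Stand-in for `ansible-vault encrypt` output: real header, made-up hex body.
VAULTED_YAML = "$ANSIBLE_VAULT;1.1;AES256\n" + "3031323334353637" * 4 + "\n"


def _files(inventory_dir):
    """Yield (relative path, absolute path) for every file under inventory_dir."""
    for root, _, names in os.walk(inventory_dir):
        for name in names:
            full = os.path.join(root, name)
            yield os.path.relpath(full, inventory_dir), full


def is_vault_encrypted(path):
    """True if the file carries the Ansible Vault header."""
    with open(path, "rb") as fh:
        return fh.read(len(VAULT_HEADER)) == VAULT_HEADER


def vaulted_files(inventory_dir):
    """Sorted relative paths of all vault-encrypted files under inventory_dir."""
    return sorted(rel for rel, full in _files(inventory_dir) if is_vault_encrypted(full))


def find_plaintext_secrets(inventory_dir):
    """Sorted relative paths of files that define sensitive vars but are not vaulted."""
    offenders = []
    for rel, full in _files(inventory_dir):
        if is_vault_encrypted(full):
            continue
        with open(full, "rb") as fh:
            raw = fh.read()
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary file, not an inventory source
        if SENSITIVE_RE.search(text):
            offenders.append(rel)
    return sorted(offenders)


def build_sample_tree(layout):
    """Create a constructed env/ directory in a temp dir and return its path.

    layout: "question"       -> hosts + plaintext hosts_details (the failing setup)
            "answer-plain"   -> hosts + unencrypted group_vars
            "answer-vaulted" -> hosts + vault-encrypted group_vars (the fix)
    """
    env = os.path.join(tempfile.mkdtemp(), "env")
    os.makedirs(os.path.join(env, "group_vars"))
    with open(os.path.join(env, "hosts"), "w") as fh:
        fh.write(HOSTS_INI)
    if layout == "question":
        with open(os.path.join(env, "hosts_details"), "w") as fh:
            fh.write(HOSTS_DETAILS_INI)
    else:
        body = VAULTED_YAML if layout == "answer-vaulted" else GROUP_VARS_YAML
        for group in ("server-a", "server-b"):
            with open(os.path.join(env, "group_vars", group + ".yml"), "w") as fh:
                fh.write(body)
    return env


if __name__ == "__main__":
    for layout in ("question", "answer-plain", "answer-vaulted"):
        print(layout, "->", find_plaintext_secrets(build_sample_tree(layout)) or "clean")
```

Run it against your real inventory with `find_plaintext_secrets("env")` from a pre-commit hook and fail the commit when the list is non-empty; the header check is what distinguishes a file you remembered to run `ansible-vault encrypt` on from one you did not.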