
I have a problem with Ansible. I have a couple of group_vars folders, and in these folders there are files encrypted by ansible-vault with different passwords between prod and test:

├── group_vars
│   ├── app1_prod
│   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   └── service.yml
│   ├── app1_test
│   │   ├── application.yml <- Encrypted by Ansible Vault test pass
│   │   └── service.yml
│   ├── app2_prod
│   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   └── service.yml
│   └── app2_test
│       ├── application.yml <- Encrypted by Ansible Vault test pass
│       └── service.yml

And my inventory file looks like:

[test_hosts]
test_host1
test_host2

[prod_hosts]
prod_host1
prod_host2

[app1_test:children]
test_hosts

[app2_test:children]
test_hosts

[app1_prod:children]
prod_hosts

[app2_prod:children]
prod_hosts

When I run the playbook command:

ansible-playbook app1_playbook.yml -i ./inventory/hosts -l app1_test -u ssh_user -k --vault-password-file path_to_vault_key 

I get an error saying the vault password is wrong for a file, and it points to a file in prod and from another group:

Decryption failed on ansible/group_vars/app1_prod/application.yml

I don't know how to fix this.

Angel666
  • I assume you have different files for the different keys. Try putting both files on the command line. – Jack Feb 20 '19 at 15:07

1 Answer


Personally, I think your inventory structure is a Bad Idea. I do not condone having PROD and TEST servers in the same inventory, and I see no good reason for it.

I would restructure your system like this:

├── prod
│   ├── ansible.cfg
│   ├── group_vars
│   │   ├── app1
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml
│   │   ├── app2
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml
├── test
│   ├── ansible.cfg
│   ├── group_vars
│   │   ├── app1
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml
│   │   ├── app2
│   │   │   ├── application.yml <- Encrypted by Ansible Vault prod pass
│   │   │   └── service.yml

And, of course, there would be two host files:

PROD:

[hosts]
prod_host1
prod_host2

[app1:children]
hosts

[app2:children]
hosts

TEST:

[hosts]
test_host1
test_host2

[app1:children]
hosts

[app2:children]
hosts

Have an ansible.cfg file in each inventory directory with the lines:

[defaults]
inventory = .
vault_password_file = /path/to/vault_password_file
remote_user = ssh_user
ask_pass = True

(Best if you just copy /etc/ansible/ansible.cfg to the inventory directory and change what you need to change.)

Once you have that set up, you go into the prod or test directory and execute the playbook from there. Of course, you will need to specify the path to the playbooks:

cd prod
ansible-playbook /path/to/playbooks/app_playbook.yml

cd test
ansible-playbook /path/to/playbooks/app_playbook.yml

Trust me, life is much easier with inventory separation.

Good luck!

Jack
  • Thx for the tip. I'm implementing this idea in my env. I'm simply still lacking good practices. – Angel666 Feb 20 '19 at 19:55
  • After I split my inventory there is a problem that Ansible doesn't see my group_vars. I start the playbook from the test folder like you say. Do you know how it's possible? – Angel666 Feb 21 '19 at 09:06
  • The `group_vars` directory is under `test`? Did you make sure the group names match the files in `group_vars`? – Jack Feb 22 '19 at 13:26
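
The prod/test separation discussed in this thread can be checked mechanically. The following is an added example, not code from the question or the answer: it reads the vault header of every vars file and flags files whose vault ID label does not match the environment directory they sit in. It assumes the files were encrypted with `ansible-vault encrypt --vault-id prod@<source>` or `test@<source>`, which writes a `$ANSIBLE_VAULT;1.2;AES256;<label>` header (a file encrypted with only a password file has a 1.1 header and no label); the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

VAULT_MAGIC = "$ANSIBLE_VAULT;"

def vault_label(path):
    """Return None for plaintext, "" for an unlabelled 1.1 vault file,
    or the vault ID label from a 1.2 header ($ANSIBLE_VAULT;1.2;AES256;label)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        header = fh.readline().strip()
    if not header.startswith(VAULT_MAGIC):
        return None
    fields = header.split(";")
    return fields[3] if len(fields) >= 4 else ""

def audit(root, environments=("prod", "test")):
    """Check every vaulted file under <root>/<env>/group_vars against <env>.
    Returns (relative_path, problem) tuples, ordered by environment, then path."""
    findings = []
    root = Path(root)
    for env in environments:
        for path in sorted((root / env / "group_vars").rglob("*.yml")):
            label = vault_label(path)
            if label is None:
                continue  # plaintext vars file such as service.yml
            rel = path.relative_to(root).as_posix()
            if label == "":
                findings.append((rel, "vaulted without a vault ID label"))
            elif label != env:
                findings.append((rel, f"labelled '{label}', expected '{env}'"))
    return findings

def build_sample_tree(root):
    """Constructed sample data: the answer's layout with dummy vault bodies."""
    samples = {
        "prod/group_vars/app1/application.yml": "$ANSIBLE_VAULT;1.2;AES256;prod\n3132\n",
        "prod/group_vars/app1/service.yml": "port: 8080\n",
        "prod/group_vars/app2/application.yml": "$ANSIBLE_VAULT;1.2;AES256;test\n3132\n",
        "test/group_vars/app1/application.yml": "$ANSIBLE_VAULT;1.2;AES256;test\n3132\n",
        "test/group_vars/app2/application.yml": "$ANSIBLE_VAULT;1.1;AES256\n3132\n",
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, problem in audit(tmp):
            print(f"{rel}: {problem}")
```

Only the first line of each file is read, so the check needs no vault password and can run in CI before any playbook does.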