I have an Ansible playbook which deploys various applications to a server. It contains cert files. These files have been encrypted with Ansible Vault. As I have multiple environments (dev, uat and prd), each environment uses a different password. I created an Ansible Vault encrypted cert file for each environment and placed them in this folder structure:

    files
    |_ dev
    |  |_ mycert.cer.enc
    |_ uat
    |  |_ mycert.cer.enc
    |_ prd
       |_ mycert.cer.enc
The files are copied down with the following:
    - name: Copy the Cert for {{ hostname }}
      copy:
        src: "{{ encrypted_cert_location }}"
        dest: "{{ cert_destination }}"
        owner: "{{ user }}"
        group: "{{ group }}"
        mode: '440'
        decrypt: yes
        backup: yes
      when: "over_ssl | bool"

I have the default for encrypted_cert_location set in main.yml:

    encrypted_cert_location: "{{role_path}}/files/{{env}}/mycert.cer.enc"
This works fine in dev and uat, where the same password is used by all applications in the environment, but in prd each application has a different password. I don't want to go down the route of having an Ansible Vault encrypted cert file for each application. Is there any way I can use one cert file for prd applications but have it somehow accept any of the passwords used, or is there any generally accepted way of dealing with this?
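Added illustration, not part of the question above. A single Ansible Vault file is encrypted under exactly one password; the file header records at most one vault-id label (format version 1.2 carries the label, version 1.1 has none), so one file cannot be made to decrypt under several different passwords. The usual way to juggle several passwords is to give each one a vault-id label when encrypting (`ansible-vault encrypt --vault-id prd@prompt ...`) and pass every relevant `--vault-id` at run time. The script below is my own example (assumes Python 3, no Ansible install needed): it parses the header of each encrypted file and reports which vault-id label the file needs, which is handy for checking a `files/<env>/` tree before a deploy. The vault payloads are constructed dummies and are not decryptable.

```python
"""Inspect Ansible Vault file headers to see which vault-id label each file needs.

Header format (first line of the file):
    $ANSIBLE_VAULT;<version>;<cipher>            (1.1: no label)
    $ANSIBLE_VAULT;<version>;<cipher>;<label>    (1.2: label from --vault-id)
Only the header is read; the hex payload that follows is never decrypted.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional, Set

VAULT_MAGIC = "$ANSIBLE_VAULT"


@dataclass(frozen=True)
class VaultHeader:
    version: str              # "1.1" or "1.2"
    cipher: str               # "AES256" for all current Ansible versions
    vault_id: Optional[str]   # label stored in a 1.2 header, None for 1.1


def parse_vault_header(text: str) -> VaultHeader:
    """Parse and validate the first line of an Ansible Vault encrypted file."""
    first_line = text.lstrip().split("\n", 1)[0].strip()
    parts = first_line.split(";")
    if len(parts) not in (3, 4) or parts[0] != VAULT_MAGIC:
        raise ValueError(f"not an Ansible Vault file: {first_line[:40]!r}")
    version, cipher = parts[1], parts[2]
    if version not in ("1.1", "1.2"):
        raise ValueError(f"unsupported vault format version {version!r}")
    vault_id = parts[3] if len(parts) == 4 else None
    if version == "1.2" and not vault_id:
        raise ValueError("1.2 header must carry a vault-id label")
    if version == "1.1" and vault_id is not None:
        raise ValueError("1.1 header must not carry a vault-id label")
    return VaultHeader(version=version, cipher=cipher, vault_id=vault_id)


def labels_needed(files: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each file path to the vault-id label its header names (None if unlabeled)."""
    return {path: parse_vault_header(body).vault_id for path, body in files.items()}


def missing_labels(files: Dict[str, str], available_ids: Set[str]) -> Set[str]:
    """Labels referenced by the files but not among the --vault-id labels you plan to pass.

    Mirrors strict matching (vault_id_match = True in ansible.cfg). With the default
    settings Ansible also falls back to trying every supplied password, so a label
    mismatch only becomes fatal in strict mode.
    """
    needed = {label for label in labels_needed(files).values() if label is not None}
    return needed - available_ids


# Constructed sample tree mirroring files/<env>/mycert.cer.enc; payloads are dummy hex.
SAMPLE_FILES = {
    "files/dev/mycert.cer.enc": "$ANSIBLE_VAULT;1.2;AES256;dev\n3030303030303030\n",
    "files/uat/mycert.cer.enc": "$ANSIBLE_VAULT;1.2;AES256;uat\n3131313131313131\n",
    # a file encrypted without --vault-id gets a 1.1 header and no label
    "files/prd/mycert.cer.enc": "$ANSIBLE_VAULT;1.1;AES256\n3232323232323232\n",
}


if __name__ == "__main__":
    for path, label in labels_needed(SAMPLE_FILES).items():
        print(f"{path}: needs vault-id {label or '<unlabeled, any password tried>'}")
    print("missing with --vault-id dev@... only:",
          missing_labels(SAMPLE_FILES, {"dev"}))
```

Running the script prints one line per file; in the sample tree the prd file is unlabeled, which is the 1.1 case where Ansible simply tries every supplied password in turn. Label collisions matter too: if two prd applications both encrypted files with `--vault-id prd@...` but different passwords, the headers would look identical and only a decryption attempt tells them apart, which is one reason to pick one label per distinct password.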