[Feature/ansible] - Introduced ansible-vault with gpg (#103)
* fix: rename bin/ to scripts/

* feat(ansible-vault): added gpg_vault_pass script for encryption

* feat(ansible-vault): added default vault_password_file to ansible.cfg

* feat(docs): added ansible-vault section to readme

* feat(docs): added more ansible-vault commands

* feat(ansible-vault): added encrypted_example.txt

* fix: fixed typos
piyoki authored Apr 22, 2022
1 parent 6a7c2be commit 8a66ee4
Showing 7 changed files with 105 additions and 4 deletions.
98 changes: 94 additions & 4 deletions ansible-playbooks/README.md
@@ -73,7 +73,7 @@

- All the playbooks are stored under `./playbooks/`
- All the playable roles are stored under `./roles/`
- Sample inverntory definition can be found under `./inventory/`
- Sample inventory definition can be found under `./inventory/`

## Automation and Orchestration

@@ -157,7 +157,7 @@ How to pass the password as a parameter. ansible-playbook gives you to two optio
ansible-playbook -K [playbook path]
```

Alternative way to run playbook with `-e ansible_become_pass=$ANSIBLE_PASSWORD` but without the need to explicitly type `become` password
An alternative way to run playbook with `-e ansible_become_pass=$ANSIBLE_PASSWORD` but without the need to explicitly type `become` password

```bash
export $ANSIBLE_PASSOWRD=<become password goes here>
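Review bot: the unchanged context line `export $ANSIBLE_PASSOWRD=<become password goes here>` in this hunk has two defects the typo pass missed: the leading `$` makes the shell expand an (unset) variable before `export` runs, so no variable named `ANSIBLE_PASSWORD` is ever set, and the name is misspelled, so the later `-e ansible_become_pass=$ANSIBLE_PASSWORD` passes an empty value. Suggest `export ANSIBLE_PASSWORD='<become password goes here>'`. Since this documents a become password, it is also worth saying that an `export` typed interactively lands in shell history and in the environment of every child process; in bash, `read -rs ANSIBLE_PASSWORD` followed by `export ANSIBLE_PASSWORD` avoids the history entry. While touching the changed sentence, `run playbook` reads better as `run the playbook`.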
@@ -168,7 +168,7 @@ ansible-playbook \

#### Enable verbose mode while running the playbook

To understand what is happening when you run the playbook, you can run it with the verbose `-v` option. Every extra v will provide the end user with more debug output.
To understand what is happening when you run the playbook, you can run it with the verbose `-v` option. Every extra v will provide the end-user with more debug output.

`-v` or `--verbose`

@@ -188,7 +188,7 @@ changed_when: yes
#### Ensure all tasks must complete one one server before proceeding to the next server
Set the `serial` paramter to `1` as the following:
Set the `serial` parameter to `1` as the following:

```yaml
serial: 1
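Review bot: the heading at the top of this hunk, `Ensure all tasks must complete one one server before proceeding to the next server`, still carries a doubled `one` and the redundant `must`; since the hunk already fixes `paramter` one line below, fix the heading in the same pass (`Ensure all tasks complete on one server before proceeding to the next`).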
@@ -236,3 +236,93 @@ ansible-lint --version
# linting
ansible-lint .
```

---

### Ansible Vault

#### Encryption/Decryption utility for Ansible data files

```bash
# prepare a secret key and write it to ~/.vault_key
echo "<your secret string>" > ~/.vault_key
# ecrypt a file with vault_key
ansible-vault encrypt --vault-password-file ~/.vault_key <target file>
# decrypt a file with vault_key
ansible-vault decrypt --vault-password-file ~/.vault_key <target file>
# edit an encrypted file without decryting it
ansible-vault edit --vault-password-file ~/.vault_key <target file>
# view an encrypted file without decryting it
ansible-vault view --vault-password-file ~/.vault_key <target file>
```

Notes: you may omit the `--vault-password-file` flag if you specify the location of the `vault_key` in `ansible.cfg`

```yaml
[defaults]
vault_password_file=~/.vault_key
```

#### Advanced encryption option with `GPG`

Reference: https://disjoint.ca/til/2016/12/14/encrypting-the-ansible-vault-passphrase-using-gpg/

One of the neat things you can do with `GPG` is encrypt your ansible-vault passphrase file. This works very nicely with hardware security keys such as `Yubikey`.

To start off, you will probably want to generate a new Vault passphrase and re-key all your already-encrypted Vault files.

##### Generate a complicated passphrase with `pwgen`

```bash
pwgen -n -s -y -c 32 -C | head -n1 | gpg --armor --recipient <your email identity> --encrypt --output ~/.vault_key.gpg
```

The above command will generate a `32` length of passphrase including numerical numbers, characters, and symbols. It will feed the `stdout` to gpg and output the encrypted passphrase to `~/.vault_key.gpg` using your `GPG private key` (stored in Yubikey)

To view that actual vault passphrase:

```bash
gpg --batch --use-agent --decrypt ~/.vault_key.gpg
```

Now that you have the new passphrase ready to go, re-key all your already-encrypted Vault files.

```bash
grep -rl '^$ANSIBLE_VAULT.*' . | xargs -t ansible-vault rekey
```

This command will ask you for the `old` and `new` vault passphrases and then attempt to re-key all the files that begin with the string `$ANSIBLE_VAULT` (usually indicative of an Ansible Vault encrypted file).

##### Create an executable file to make use of gpg decryption with your gpg private key

gpg_vault_pass.sh

```bash
#!/bin/sh
gpg --batch --use-agent --decrypt ~/.vault_key.gpg
```

Grant executable permission

```bash
chmod +x gpg_vault_pass.sh
```

##### Invoke ansible-vault manually and make sure that the re-keying worked as expected

```bash
ansible-vault --vault-password-file=gpg_vault_pass.sh view <target file>
```

Alternatively (recommended):

You could also make your life slightly easier by adding this to your `ansible.cfg`, in which case you could omit the `--vault-password-file` argument

```yaml
[defaults]
vault_password_file=gpg_vault_pass.sh
```
2 changes: 2 additions & 0 deletions ansible-playbooks/ansible.cfg
@@ -1,4 +1,6 @@
[defaults]
# comment out this line if you dont need ansible-vault
vault_password_file=./scripts/gpg_vault_pass.sh
deprecation_warnings = False
command_warnings = False
# use the YAML callback plugin
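Review bot: `vault_password_file=./scripts/gpg_vault_pass.sh` depends on the script having its executable bit set: Ansible executes a vault password file that is executable and otherwise reads its contents as the literal passphrase, so if the bit is lost (a checkout on a filesystem that drops modes, or a contributor who skips the README's `chmod +x`), every vault operation would silently try the script's source text as the key and fail to decrypt. Make sure the mode is committed with the file and say so in the comment. Also `dont` → `don't`, and since every run that loads this config will execute `gpg`, the comment should tell users without the GPG key (or without a running agent) to comment the line out, which is presumably what the `if you dont need ansible-vault` remark is meant to cover.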
6 changes: 6 additions & 0 deletions ansible-playbooks/examples/encrypted_example.txt
@@ -0,0 +1,6 @@
$ANSIBLE_VAULT;1.1;AES256
36633036333631623838353436386532663764613031613230366231656634306161623266326630
3030396364626335643131653063306234303661333064390a383933303164303962386138386438
36376433613232393839616632363163303833393031313234653539343339636133333932303739
3763393765366430340a336564636632383734626262323964333132633766353730313535336162
6135
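Review bot: nothing in this commit says what `encrypted_example.txt` is for or which passphrase it was encrypted with; the README hunk only ever refers to `<target file>`. Add a README line that exercises it, e.g. `ansible-vault view examples/encrypted_example.txt`, and state which vault passphrase decrypts it, so contributors can use the file to confirm that their GPG/YubiKey setup and `gpg_vault_pass.sh` work before touching real vaulted data.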
File renamed without changes.
File renamed without changes.
File renamed without changes.
3 changes: 3 additions & 0 deletions ansible-playbooks/scripts/gpg_vault_pass.sh
@@ -0,0 +1,3 @@
#!/bin/sh

gpg --batch --use-agent --decrypt ~/.vault_key.gpg
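Review bot: `gpg --batch --use-agent --decrypt ~/.vault_key.gpg` hard-codes the key location and passes `--use-agent`, which GnuPG 2.1 and later accept only as a dummy option (the agent is always used), so it can be dropped. Suggest `gpg --batch --quiet --decrypt "${VAULT_KEY_FILE:-$HOME/.vault_key.gpg}"` (the variable name is a suggestion, not an existing convention): `--quiet` keeps gpg's informational messages out of the output Ansible sees when it runs the script, and the variable lets users keep the encrypted passphrase outside `$HOME` without editing a committed file. The script also needs to be committed with its executable bit set, since the `ansible.cfg` change in this commit relies on Ansible executing it rather than reading it as a plain-text passphrase.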

0 comments on commit 8a66ee4