Tags: ansible, hashicorp-vault, ansible-vault

Ansible Vault - Same Git repo for Prod & Test


Apologies for the lengthy post. I am a relative newbie to Ansible and Vault (<2 months).

Environment:

  • CentOS & Win2019 (90% Linux systems)
  • Ansible 2.10.7 (master Ansible controller)
  • AWX 17.0.1 (embedded ansible 2.9.17)

Ultimate goals:

  • Use the same code from Git for both environments (Prod & Test)
  • Ability to separate the 'secrets' values based on which environment

Basic Setup (currently):

  • Ansible master controller is designed to be completely self-starting, meaning all the settings/configs are contained within playbooks. This means I can blow up the ANS controller and rebuild it within 3 min.
  • All secrets are encrypted strings within a variable file. Due to the fact that AWX cannot import a vaulted file, all secrets are inline (ansible-vault encrypt_string 'secret_data' --name 'my_secret').
  • The same user accounts exist in both environments but with different creds.

Current Issues:

  • If I were to import the Git repo into my Prod Ansible master controller, any plays requiring secrets would fail (since the secret variable holds the 'Test' values).

Thoughts to resolve:

  • I thought about using the ansible 'default' function for any secret combined with a 'when' conditional based on the Inventory file. Basically if the inventory file is a 'Test' based system, use 'Test' secrets. If not, then use 'Prod' secrets.

This is an ugly solution from my perspective and there must be a better solution.

  • Use Hashicorp Vault. It has the ability to use namespace trees to classify creds. I have not played with this idea yet and not sure how viable it is.

I wonder what others in the industry are doing for this same problem. This is not a unique issue and I am sure there are best practices for this situation.

Thanks


Solution

  • As you want different variables based on your environment (vault secrets are just other variables), you could use separate inventories for each environment, see https://docs.ansible.com/ansible/2.8/user_guide/playbooks_best_practices.html#alternative-directory-layout. Then, for example, inventories/prod/group_vars/all.yml would have prod vault secrets... You would explicitly specify each inventory with ansible -i inventories/prod ....

    In this inventories layout you could share a variable file between environments with symlinks, e.g. inventories/prod/group_vars/all/010_cross_env_vars.yml would be a symlink to ../../../010_cross_env_vars.yml, thus pointing to variable files located in the parent directory of the per-environment subdirectories, i.e. inventories/010_cross_env_vars.yml.
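The layout the answer describes, as an added example that is not part of the original answer or the Ansible project's own code: a shell script that scaffolds one inventories/<env>/ tree per environment, symlinks a shared non-secret variable file in from the parent directory, and writes a per-environment secrets file. The environment names prod and test, the host names, the variable names app_user/app_port/app_password and the idea of labelling each environment's secrets with its own ansible-vault vault-id are assumptions added here for illustration; the answer itself only describes the directory layout.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or answer. It scaffolds the
# per-environment inventory layout the answer describes: one inventories/<env>/
# tree per environment, a shared variable file symlinked in from the parent
# directory, and a per-environment secrets file. Environment names, host names,
# variable names and the vault-id labels are illustrative assumptions.
set -eu

ENVS="prod test"

# Build the layout under $1 (a scratch directory).
scaffold_inventories() {
  local root="$1" env
  mkdir -p "$root/inventories"

  # Shared, non-secret variables live once, one level above the environments.
  cat > "$root/inventories/010_cross_env_vars.yml" <<'EOF'
---
app_user: svc_app
app_port: 8443
EOF

  for env in $ENVS; do
    mkdir -p "$root/inventories/$env/group_vars/all"
    # Placeholder inventory; in practice this lists that environment's real hosts.
    printf '[app]\n%s-app-01\n' "$env" > "$root/inventories/$env/hosts"
    # Relative symlink, so the checkout works from any path on any controller.
    ln -s ../../../010_cross_env_vars.yml \
      "$root/inventories/$env/group_vars/all/010_cross_env_vars.yml"
    write_secrets "$root" "$env"
  done
}

# Write inventories/<env>/group_vars/all/020_secrets.yml. When ansible-vault and
# a per-environment password file exist, the value is stored as encrypt_string
# output under a vault-id labelled with the environment, so a controller that
# holds only the test password cannot decrypt the prod value even though both
# files sit in the same Git checkout. Otherwise a clearly marked placeholder is
# written so the layout can still be inspected offline.
write_secrets() {
  local root="$1" env="$2"
  local out="$root/inventories/$env/group_vars/all/020_secrets.yml"
  local passfile="$root/.vault_pass_$env"
  if command -v ansible-vault >/dev/null 2>&1 && [ -r "$passfile" ]; then
    {
      printf -- '---\n'
      ansible-vault encrypt_string --vault-id "$env@$passfile" \
        --name app_password "CHANGE-ME-$env"
    } > "$out"
  else
    printf -- '---\n# TODO: replace with: ansible-vault encrypt_string --vault-id %s@prompt --name app_password\napp_password: PLACEHOLDER_%s\n' \
      "$env" "$env" > "$out"
  fi
}

# Where the shared file actually resolves to for a given environment.
shared_vars_target() {
  readlink -f "$1/inventories/$2/group_vars/all/010_cross_env_vars.yml"
}

# Path of the secrets file a run with -i inventories/<env> will load.
secrets_file() {
  printf '%s/inventories/%s/group_vars/all/020_secrets.yml\n' "$1" "$2"
}

# Usage: ./layout.sh --demo  (builds the tree in a scratch directory and lists it)
if [ "${1:-}" = "--demo" ]; then
  d="$(mktemp -d)"
  scaffold_inventories "$d"
  find "$d/inventories" | sort
  echo "Run with: ansible-playbook -i $d/inventories/test site.yml --vault-id test@prompt"
fi
```

Two practical notes on this layout. Git stores the symlink itself (a mode 120000 entry), so it survives a clone on Linux controllers and AWX project syncs; on a Windows checkout without core.symlinks enabled it becomes a plain file containing the link path, which Ansible would then fail to parse as YAML. And because group_vars/all/ is a directory here, Ansible loads every file in it in lexical order, which is why the shared and secret files carry numeric prefixes: the order is explicit rather than accidental.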