Molecule: allow defining a vault password file

Created on 8 May 2018 · 9 comments · Source: ansible-community/molecule

Issue Type

  • Feature request

Molecule and Ansible details

ansible --version
2.5.2

molecule --version
2.13.1

Molecule installation method (one of):

  • pip

Ansible installation method (one of):

  • pip

Desired Behavior

I want to be able to define a file containing a vault password in the provisioner section.
This should also set the necessary entry in the ansible.cfg file that molecule generates, so it is possible to use ansible-vault inside plays.

Actual Behaviour (Bug report only)

#1061 states that it would be possible to pass this as a runtime parameter (it is also possible to pass an absolute path via config_options). This works a bit, but won't work when calling ansible-vault from within a play.

An alternative would be to copy the password file to the folder in /tmp too, so it is possible to refer to it by a relative path. This could be extended to allow putting any random file(s) there that should be referenced in plays.

Most helpful comment

For the record, here is how it should be done:

ANSIBLE_VAULT_PASSWORD_FILE=$HOME/.vault-file.txt molecule test

All 9 comments

This unfortunately doesn't work (the variable isn't used/expanded by molecule):

provisioner:
  name: ansible
  config_options:
    defaults:
      vault_password_file: ${MOLECULE_SCENARIO_DIRECTORY}/vault.pw
lint:
  name: ansible-lint

It would be great if the vault.pw file (or any other file I define) could end up in MOLECULE_EPHEMERAL_DIRECTORY or the above would work.

This should be configured via molecule.yml as:

provisioner:
  name: ansible
  options:
    'vault-id': '@$HOME/playground/vault-pw.txt'

The command will then become:

/Users/jodewey/.pyenv/versions/molecule2-env-2.7.13/bin/ansible-playbook --vault-id=@/Users/jodewey/playground/vault-pw.txt --skip-tags=molecule-notest,notest --inventory=/var/folders/_j/ncm1yw111bb771f6zsw1d3lc0000gn/T/molecule/docker/default/ansible_inventory.yml --diff /Users/jodewey/git/molecule_2/test/scenarios/driver/docker/molecule/default/playbook.yml -vvv

> It would be great if the vault.pw file (or any other file I define) could end up in MOLECULE_EPHEMERAL_DIRECTORY or the above would work.

I agree this would be a nice to have, but isn't trivial. It's a bit of a chicken and egg problem. Molecule needs to parse the config to then construct all the pathing for most of the env vars exported by Molecule. I'd like to do it at some point, but it's not something we will get to now.

Closing as can be fixed by #1287.

> I agree this would be a nice to have, but isn't trivial. It's a bit of a chicken and egg problem. Molecule needs to parse the config to then construct all the pathing for most of the env vars exported by Molecule. I'd like to do it at some point, but it's not something we will get to now.

FYI - #1296

For the record, here is how it should be done:

ANSIBLE_VAULT_PASSWORD_FILE=$HOME/.vault-file.txt molecule test

FYI for those who are bumping against this, I'm using molecule 2.22, there it's possible to specify it as a config option:

provisioner:
  name: ansible
  config_options:
    defaults:
      vault_password_file: ~/.ansible-vault-password-file.txt

I'm looking for the same for vault_identity_list, which works properly inside the local ansible.cfg.

In molecule.yml, I have:

```
provisioner:
  name: ansible
  options:
    vvv: true
  config_options:
    default:
      vault_identity_list: common@${MOLECULE_SCENARIO_DIRECTORY}/../../.vault-passwords/common, group1@${MOLECULE_SCENARIO_DIRECTORY}/../../.vault-passwords/group1, group2@${MOLECULE_SCENARIO_DIRECTORY}/../../.vault-passwords/group2
```

This yields:

```
$ cat ~/.cache/molecule/workstation/default/ansible.cfg
# Molecule managed

[defaults]
ansible_managed = Ansible managed: Do NOT edit this file manually!
display_failed_stderr = True
forks = 50
retry_files_enabled = False
host_key_checking = False
nocows = 1
interpreter_python = auto
[ssh_connection]
scp_if_ssh = True
control_path = %(directory)s/%%h-%%p-%%r
[default]
vault_identity_list = common@/home/larry.user/src/molecule/default/../../.vault-passwords/common, group1@/home/larry.user/src/molecule/default/../../.vault-passwords/group1, group2@/home/larry.user/src/molecule/default/../../.vault-passwords/group2
```

But I still get:

```
ERROR! Attempting to decrypt but no vault secrets found
ERROR:
```

Version info:

```
$ molecule --version
molecule 3.0.6
ansible==2.9.10 python==3.8
```

You just misspelled defaults in your molecule.yml.
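The thread ends on two recurring mistakes: a vault setting placed under a misspelled section (`default` instead of `defaults`), which Ansible silently ignores, and a `${MOLECULE_SCENARIO_DIRECTORY}` placeholder that an older Molecule never expanded, so the password file path was never resolved. The following preflight check is an added example written for this page; it is not code from Molecule or from anyone in the thread. It takes the config as the Python dict that `yaml.safe_load` would return for `molecule.yml` (so it runs without PyYAML), resolves `${VAR}`/`~` itself against an explicit environment dict, and then verifies that every referenced password file exists and is readable only by its owner. The `MISSPELLED_CONFIG` and `CORRECT_CONFIG` dicts and the temporary password file are constructed sample input.

```python
"""Preflight check for vault password settings in a molecule.yml (added example)."""
import os
import stat
import string
import tempfile

# Constructed sample: what yaml.safe_load returns for the provisioner block
# posted in the thread, including the "default" typo (should be "defaults").
MISSPELLED_CONFIG = {
    "provisioner": {
        "name": "ansible",
        "config_options": {
            "default": {
                "vault_identity_list": "common@${MOLECULE_SCENARIO_DIRECTORY}/../../.vault-passwords/common, "
                                       "group1@${MOLECULE_SCENARIO_DIRECTORY}/../../.vault-passwords/group1",
            },
        },
    },
}

# Constructed sample: the corrected layout, still using a placeholder path.
CORRECT_CONFIG = {
    "provisioner": {
        "name": "ansible",
        "config_options": {
            "defaults": {"vault_password_file": "${MOLECULE_SCENARIO_DIRECTORY}/vault.pw"},
        },
    },
}

VAULT_KEYS = ("vault_password_file", "vault_identity_list")


def vault_file_paths(config, env):
    """Return (label, resolved_path) pairs from provisioner.config_options.defaults.

    ${VAR} / $VAR placeholders are substituted from `env` (a plain dict, so the
    check is deterministic); a leading "~" is expanded from env["HOME"].
    vault_identity_list entries have the form "label@path"; a bare "@path" or
    "path" is accepted too and gets the label "default".
    """
    opts = config.get("provisioner", {}).get("config_options", {})
    defaults = opts.get("defaults", {})
    pairs = []
    for key in VAULT_KEYS:
        raw = defaults.get(key)
        if raw is None:
            continue
        entries = raw.split(",") if key == "vault_identity_list" else [raw]
        for entry in entries:
            entry = entry.strip()
            if "@" in entry:
                label, path = entry.split("@", 1)
            else:
                label, path = "", entry
            path = string.Template(path).safe_substitute(env)
            if path.startswith("~") and "HOME" in env:
                path = env["HOME"] + path[1:]
            pairs.append((label or "default", os.path.normpath(path)))
    return pairs


def check_vault_config(config, env):
    """Return a list of findings; an empty list means the vault setup looks sane."""
    findings = []
    opts = config.get("provisioner", {}).get("config_options", {})
    # 1. Vault keys outside [defaults] are ignored by Ansible: flag the typo.
    for section, values in opts.items():
        if section != "defaults" and isinstance(values, dict):
            for key in VAULT_KEYS:
                if key in values:
                    findings.append(f"{key} is under section '{section}'; Ansible only reads it from 'defaults'")
    # 2. Every referenced password file must resolve, exist, and be owner-only.
    for label, path in vault_file_paths(config, env):
        if "$" in path:
            findings.append(f"{label}: unresolved variable in '{path}'")
            continue
        if not os.path.isfile(path):
            findings.append(f"{label}: password file '{path}' does not exist")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{label}: '{path}' has mode {mode:04o}; expected owner-only (0600)")
    return findings


def demo():
    """Run the check against the typo'd config, then against the corrected one
    with a real (constructed) password file that is first too open, then 0600."""
    with tempfile.TemporaryDirectory() as scenario:
        env = {"MOLECULE_SCENARIO_DIRECTORY": scenario}
        pw = os.path.join(scenario, "vault.pw")
        with open(pw, "w") as fh:
            fh.write("constructed-sample-password\n")
        os.chmod(pw, 0o644)  # deliberately group/world readable
        too_open = check_vault_config(CORRECT_CONFIG, env)
        os.chmod(pw, 0o600)
        fixed = check_vault_config(CORRECT_CONFIG, env)
        return check_vault_config(MISSPELLED_CONFIG, env), too_open, fixed


if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```

Running it as a script prints the typo finding, then the permission finding, then `OK`. Passing an empty environment dict instead reproduces the other failure from the thread: the `${MOLECULE_SCENARIO_DIRECTORY}` placeholder survives substitution and is reported as unresolved rather than being handed to Ansible as a literal path.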
