ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Allow Vault Credentials for Project SCM Type Inventories to process inventory plugin parameters #14966

Open azrdev opened 5 months ago

azrdev commented 5 months ago

Feature type

Enhancement to Existing Feature

Feature Summary

"Inventory Source" objects can have a number of Credential types attached, but not "vault" ones. For custom inventory plugins which need secrets one does not want to record as plaintext into the plugin-config.yml (in git), this requires 1. support from the inventory plugin and 2. a Custom Credential Type -- This could be much easier if we could add the secrets to the plugin config as vaulted variables -- and have the "Vault Credential" attached to the inventory source to decode those upon inventory sync.

Steps to reproduce

The hoops an inventory currently has to jump through can be seen in this PR: https://github.com/stdevel/ansible-collection-uyuni/pull/41/ (diff and comment https://github.com/stdevel/ansible-collection-uyuni/pull/41/#issuecomment-1983166880 )

Current results

Cannot select vault Credentials on inventory source.

Suggested feature result

Can select vault Credentials on inventory source.

gendergap commented 5 months ago

Maybe this is the same as #14680.

PulsatingQuasar commented 2 months ago

Hi, we have run into this issue too.

I see a lot of people asking for this so why is this not implemented yet? Since this works in basic Ansible, why not in AWX? The vault credential should be allowed on an Inventory source.

BartOpitz commented 1 month ago

+1 from me - we need login/password in inventory plugin configuration and encrypt password with ansible vault. Normally, ansible-inventory can prompt for that vault secret, but there is no option in AWX to assign a vault credential with inventory sync job. This is weird, as ansible-inventory seems to use the exact same mechanism (and even command line parameters / environment variables) for vault handling as ansible-playbook does. In my opinion enabling the possibility to use vaults with ansible-inventory should not be a big deal.

And to clarify - I do not mean here that ansible-inventory decrypts inventory group_vars or host_vars - it is very OK that they are imported as encrypted and are decrypted when the actual job template runs and uses them. I just need to be able to decrypt inventory plugin configuration.

Currently I use a workaround described somewhere that uses environment variables and custom credentials, but this requires me to create 2 secrets for a vault that is used both in inventory and in playbooks... This is a bit cumbersome.
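
As an added example (not part of this thread and not AWX code), a pre-commit style check for the situation the issue describes: it scans an inventory plugin config kept in git for secret-like options stored as plaintext instead of as inline `!vault` values. The option-name pattern, the plugin name and the sample values are assumptions constructed for illustration.

```python
import re

# Option names treated as secret-bearing. This pattern is an assumption; extend it
# to match the options of the inventory plugin you actually use.
SECRET_KEY = re.compile(r"(passw(or)?d|secret|token|api_?key)$", re.IGNORECASE)
KEY_VALUE = re.compile(r"^\s*([\w.-]+)\s*:\s*(.*)$")
VAULT_HEADER = "$ANSIBLE_VAULT;"


def find_unvaulted_secrets(config_text):
    """Return (line_number, key, reason) for secret-like options that are not vaulted."""
    lines = config_text.splitlines()
    body = [l for l in lines if l.strip()]
    # A file encrypted as a whole with ansible-vault starts with the vault header.
    if body and body[0].startswith(VAULT_HEADER):
        return []
    findings = []
    for number, line in enumerate(lines, start=1):
        match = KEY_VALUE.match(line)
        if not match or not SECRET_KEY.search(match.group(1)):
            continue
        key, value = match.group(1), match.group(2).split(" #")[0].strip()
        if not value:
            continue  # empty value, nothing stored on this line
        if value.startswith("!vault"):
            # Inline vaulted value: the block scalar that follows must carry a payload.
            following = [l.strip() for l in lines[number:] if l.strip()]
            if not (following and following[0].startswith(VAULT_HEADER)):
                findings.append((number, key, "vault tag without payload"))
        elif "{{" in value:
            continue  # templated lookup, not a literal (assumes the plugin templates it)
        else:
            findings.append((number, key, "plaintext"))
    return findings


# Constructed sample plugin config; plugin name, options and ciphertext are placeholders.
SAMPLE = """\
plugin: example.namespace.inventory
host: manager.example.com
user: inventory-sync
password: hunter2
api_token: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  36316263646566676869303132333435
"""

if __name__ == "__main__":
    for number, key, reason in find_unvaulted_secrets(SAMPLE):
        print(f"line {number}: {key}: {reason}")
```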