ansible / terraform-provider-ansible

community terraform provider for ansible
https://registry.terraform.io/providers/ansible/ansible/latest
GNU General Public License v3.0

ansible_vault path handling issues #134

Open JasonGantner opened 2 months ago

JasonGantner commented 2 months ago

Versions

ansible [core 2.17.3] python version = 3.12.4

OpenTofu v1.7.3 on linux_amd64

  • provider registry.opentofu.org/ansible/ansible v1.3.0

Summary

The ansible_vault resource ignores the path given in vault_password_file and looks directly in $HOME for the password file.

Terraform code

terraform {
  required_providers {
    ansible = {
      source  = "ansible/ansible"
      version = "~>1.3.0"
    }
  }
}

resource "ansible_vault" "secrets" {
  vault_file          = "/path/to/secrets.yml"
  vault_password_file = "/home/jgantner/src/password_file"
}

Terraform example output

tf plan
│ Error: [WARNING]: Error getting vault password file (default): The vault password file
│ /home/jgantner/password_file was not found
│ ERROR! The vault password file /home/jgantner/password_file was not found

JasonGantner commented 2 months ago

Upon further analysis, it seems the issue comes from the path being saved in the state on apply even when wrong and then being reused in plan, which prevents any further plan/apply that could correct the issue.

Recovery from error

To recover from this, I had to tf state rm ansible_vault.secret and correct the path in my tf file. We should be able to recover from this error without manual alteration of the state.
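
An added example, not part of the issue or the provider's code: a check over a pulled state that lists every ansible_vault resource whose stored vault_password_file is missing on disk or no longer matches the configuration, the condition described in the comments above. It assumes the v4 state JSON layout and that the attribute is stored under the argument's name; `stale_vault_paths` and the `configured` mapping are hypothetical names, and the sample state is constructed.

```python
import os

# Constructed sample shaped like `tofu state pull` output (state format v4).
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "ansible_vault", "name": "secrets",
         "instances": [{"attributes": {
             "vault_file": "/path/to/secrets.yml",
             "vault_password_file": "/home/jgantner/password_file"}}]},
        {"mode": "managed", "type": "ansible_host", "name": "web",
         "instances": [{"attributes": {"name": "web01"}}]},
    ],
}


def stale_vault_paths(state, configured, exists=os.path.exists):
    """Return (address, path_in_state, reason) for each ansible_vault instance
    whose stored vault_password_file differs from the configured path or does
    not exist on disk.

    configured: {"ansible_vault.<name>": "<path from the .tf file>"}, supplied
    by the operator (this sketch does not parse HCL).
    """
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "ansible_vault":
            continue
        address = f'{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            stored = (inst.get("attributes") or {}).get("vault_password_file")
            if not stored:
                continue
            want = configured.get(address)
            if want is not None and \
                    os.path.normpath(stored) != os.path.normpath(want):
                findings.append((address, stored, "differs from configuration"))
            elif not exists(stored):
                findings.append((address, stored, "file not found"))
    return findings


if __name__ == "__main__":
    cfg = {"ansible_vault.secrets": "/home/jgantner/src/password_file"}
    for address, path, reason in stale_vault_paths(SAMPLE_STATE, cfg):
        print(f"{address}: {path} ({reason})")
```
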