Open nicleary opened 1 year ago
Hi, I've looked into your question and created an example to help you. It is possible to store your become password in a vault file and then use that become password without ever being prompted for it. Here's how.
```bash
ansible-vault create vault.yml
# or this, for a different editor
EDITOR=<your_editor> ansible-vault create vault.yml
```
After entering one of the above commands, you'll be prompted for a password to use for your vault. Next a text editor will open, where you'll write the content of your vault file. Here's an example:
```yaml
my_become_password: password
```
Note: If you're using an editor such as `nano`, save using `ctrl+s` and exit using `ctrl+x`.
Then, create your vault password file with your vault password as content.
```bash
echo my_vault_password > my_vault_password_file.txt
```
`my_playbook.yml`

```yaml
---
- hosts: all
  tasks:
    - ansible.builtin.command: whoami
      register: iam
    - name: Who am I
      ansible.builtin.debug:
        var: iam.stdout
    # Demo only: this prints the decrypted become password in the task output
    - name: My become password
      ansible.builtin.debug:
        msg: "My become password is: {{ ansible_become_pass }}"
```
Option A: (`main.tf`) If you're using the `ansible_playbook` resource:

```hcl
terraform {
  required_providers {
    ansible = {
      source  = "ansible/ansible"
      version = "~> 1.1.0"
    }
  }
}

resource "ansible_playbook" "my_playbook" {
  playbook = "my_playbook.yml"
  name     = "my_host"

  # Specify the vault file and its password file
  vault_files = [
    "./vault.yml"
  ]
  vault_password_file = "./my_vault_password_file.txt"

  extra_vars = {
    ansible_hostname = "my_host"
    # keep this line if your host is a docker container
    # if needed, change it according to ansible documentation
    ansible_connection = "docker"
    # Specify your become password.
    # my_become_password is a variable in the vault file
    # which stores your become password.
    ansible_become_user = "myuser"
    ansible_become      = true
    ansible_become_pass = "{{ my_become_password }}"
  }
}
```
Option B: If you're using `ansible-playbook` from your terminal (plain CLI `ansible-playbook`):

```bash
# The Jinja expression is quoted so the shell passes it as a single -e argument
ansible-playbook \
  -i my_inventory.ini -e hostname=my_host \
  -e @./vault.yml --vault-id @./my_vault_password_file.txt \
  -e 'ansible_become_pass={{ my_become_password }}' \
  -e ansible_become_user=myuser -e ansible_hostname=my_host \
  -e ansible_become=true \
  -e ansible_connection=docker my_playbook.yml
```
In `extra_vars` you can see a bunch of `ansible_something` variables. Those are magic variables, and you can find a list of them [here](https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.
Change up the variables from this example to your needs and that's it. Let me know if this helps. :)
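A preflight check for the two files this setup relies on, as an added example that is not part of the original comment or the provider's code: it confirms `vault.yml` carries the Ansible Vault header rather than plaintext, and that the vault password file grants nothing to group or others. The function names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Write the vault password from stdin into $1, readable by the owner only.
# Typing it on stdin keeps the password out of shell history.
write_password_file() {
    ( umask 077 && cat > "$1" && chmod 600 "$1" )
}

# True if $1 begins with the Ansible Vault envelope header.
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    first_line=$(head -n 1 "$1")
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# True if $1 grants no permission bits to group or others.
is_private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Check both files; report every problem and return non-zero if any.
preflight() {
    rc=0
    is_vault_encrypted "$1" || { echo "$1: not vault-encrypted" >&2; rc=1; }
    is_private_file "$2" || { echo "$2: accessible to group/others" >&2; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh vault.yml my_vault_password_file.txt
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Running it before `terraform apply` or `ansible-playbook` catches a vault file that was saved unencrypted or a password file created with a permissive umask.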
This looks great, and is exactly what I need. Is it possible to add this as an example in the docs? It seems like it would be a very common use case that isn't immediately obvious.
The documentation is not very clear on this--how do we run a playbook and supply a become password?
Specifically, I'm looking to store a become password in a vault file, and use that as the become password, without ever being prompted for it.