Support for ansible-vault when Ansible config is not in the workspace root

[Tina-otoge]

Problem

I'm editing an Ansible project that is in a subfolder of my VS Code workspace directory

My VS Code workspace looks like this

├── ansible-project1
│   ├── ansible.cfg
│   ├── docs
│   ├── files
│   ├── group_vars
│   ├── hosts
│   ├── molecule
│   ├── playbook_install.yml
│   ├── README.md
│   ├── requirements.txt
│   ├── roles
│   ├── tasks
│   ├── templates
│   └── .ansible_vault_key.txt
└── ansible-project2
    ├── ansible.cfg
    ├── group_vars
    ├── hosts
    ├── molecule
    ├── playbook_install.yml
    ├── README.md
    ├── requirements.txt
    ├── roles
    ├── tasks
    ├── templates
    └── .ansible_vault_key.txt

If I'm editing ansible-project1/group_vars/prod/vault.yml, and try to run the extension command Ansible Vault: Encrypt/decrypt via 'ansible vault' from VS Code, it fails with message:

no valid ansible vault config found, cannot de/-encrypt

Solution

I believe the extension could benefit from testing for any valid ansible config starting from the file we are trying to encrypt/decrypt, and escalate to the parent folder, until it reaches the workspace root.

Alternatives

Currently, the alternative is either running ansible-vault manually from the command line, or re-opening a new VS Code instance in one of the subfolders before using the Ansible Vault extension features.

Additional context

No response

[priyamsahoo]

Hey @Tina-otoge, I believe you might have opened the parent directory as the workspace's root. With the project structure you mentioned, if you open both the projects as two different workspaces, the extension would successfully pick the associated config files (which you can confirm with the status bar present below).

[Tina-otoge]

Indeed, as stated in the "Alternatives" section of my ticket, it works fine if I open the ansible directory directly as the workspace root.

I was hoping the extension could support working on projects that are made of multiple Ansible sub-projects, by looking for an ansible config starting from the file you are editing and its parents, instead of by looking at the project root only, which would improve my workflow in my use case a lot.

[sgreinerCNS]

The extension should also respect the .bashrc: export ANSIBLE_VAULT_PASSWORD_FILE=~/projects/ansible/.vault_pw setting to detect the vault pw. We manage our ansible projects in git and we also use AWX, therefore we do not commit the .vault_pw file or have the vault_password_file = ./.vault_pw setting in the ansible.cfg at all. setting it in the ansible.cfg breaks AWX. There the secret is configured in AWX itself.

[andrea-berling]

Also interested in this

[vrelk-net]

Yep. I'm having this issue too, but I do have ANSIBLE_VAULT_PASSWORD_FILE env variable set (using multiple methods), but I still have the problem. If I run it manually from the shell, it works fine and respects the env variable, but the VS code extension doesn't.

Note: I am using VS Code on Windows, but I am working in a Ubuntu WSL2 environment.

[karmicdude]

Its very relevant in a mono repo environment. If it will be possible to assign a path relative to which the extension should work, it will be great.

[karmicdude]

@Tina-otoge see also my workaround https://github.com/ansible/vscode-ansible/issues/115#issuecomment-1287869317 maybe that's the way to go in your case.

[jonas-moreonion]

The extension is ignoring any environmental variables, if I understood it correctly? I just tried to figure out what I was doing wrong for way too long. Is that the desired behaviour?

[sgreinerCNS]

@jonas-moreonion

The extension is ignoring the ENV var ANSIBLE_VAULT_PASSWORD_FILE. Yes. It would be desired, that the extension is using the ENV vars. Including version 24.5 we get this error message: "no valid ansible vault config found, cannot de/-encrypt" when using the command "extension.ansible.vault / Ansible Vault: Encrypt/decrypt via ansible-vault"