search

ansible / vscode-ansible

vscode/vscodium extension for providing Ansible auto-completion and integrating quality assurance tools like ansible-lint, ansible syntax check, yamllint, molecule and ansible-test.
https://ansible.readthedocs.io/projects/vscode-ansible/
MIT License
366 stars 92 forks source link

Support for ansible-vault when Ansible config is not in the workspace root #768

Open Tina-otoge opened 1 year ago

Tina-otoge commented 1 year ago

Problem

I'm editing an Ansible project that is in a subfolder of my VS Code workspace directory

My VS Code workspace looks like this

├── ansible-project1
│   ├── ansible.cfg
│   ├── docs
│   ├── files
│   ├── group_vars
│   ├── hosts
│   ├── molecule
│   ├── playbook_install.yml
│   ├── README.md
│   ├── requirements.txt
│   ├── roles
│   ├── tasks
│   ├── templates
│   └── .ansible_vault_key.txt
└── ansible-project2
    ├── ansible.cfg
    ├── group_vars
    ├── hosts
    ├── molecule
    ├── playbook_install.yml
    ├── README.md
    ├── requirements.txt
    ├── roles
    ├── tasks
    ├── templates
    └── .ansible_vault_key.txt

If I'm editing ansible-project1/group_vars/prod/vault.yml, and try to run the extension command Ansible Vault: Encrypt/decrypt via 'ansible vault' from VS Code, it fails with message:

no valid ansible vault config found, cannot de/-encrypt

Solution

I believe the extension could benefit from testing for any valid ansible config starting from the file we are trying to encrypt/decrypt, and escalate to the parent folder, until it reaches the workspace root.

Alternatives

Currently, the alternative is either running ansible-vault manually from the command line, or re-opening a new VS Code instance in one of the subfolders before using the Ansible Vault extension features.

Additional context

No response

priyamsahoo commented 1 year ago

Hey @Tina-otoge, I believe you might have opened the parent directory as the workspace's root. With the project structure you mentioned, if you open both the projects as two different workspaces, the extension would successfully pick the associated config files (which you can confirm with the status bar present below).

Tina-otoge commented 1 year ago

Indeed, as stated in the "Alternatives" section of my ticket, it works fine if I open the ansible directory directly as the workspace root.

I was hoping the extension could support working on projects that are made of multiple Ansible sub-projects, by looking for an ansible config starting from the file you are editing and its parents, instead of by looking at the project root only, which would improve my workflow in my use case a lot.

sgreinerCNS commented 1 year ago

The extension should also respect the .bashrc: export ANSIBLE_VAULT_PASSWORD_FILE=~/projects/ansible/.vault_pw setting to detect the vault pw. We manage our ansible projects in git and we also use AWX, therefore we do not commit the .vault_pw file or have the vault_password_file = ./.vault_pw setting in the ansible.cfg at all. setting it in the ansible.cfg breaks AWX. There the secret is configured in AWX itself.

andrea-berling commented 1 year ago

Also interested in this

vrelk-net commented 1 year ago

Yep. I'm having this issue too, but I do have ANSIBLE_VAULT_PASSWORD_FILE env variable set (using multiple methods), but I still have the problem. If I run it manually from the shell, it works fine and respects the env variable, but the VS code extension doesn't.

Note: I am using VS Code on Windows, but I am working in a Ubuntu WSL2 environment.

karmicdude commented 1 year ago

Its very relevant in a mono repo environment. If it will be possible to assign a path relative to which the extension should work, it will be great.

karmicdude commented 1 year ago

@Tina-otoge see also my workaround https://github.com/ansible/vscode-ansible/issues/115#issuecomment-1287869317 maybe that's the way to go in your case.

jonas-moreonion commented 10 months ago

The extension is ignoring any environmental variables, if I understood it correctly? I just tried to figure out what I was doing wrong for way too long. Is that the desired behaviour?

sgreinerCNS commented 7 months ago

@jonas-moreonion

The extension is ignoring the ENV var ANSIBLE_VAULT_PASSWORD_FILE. Yes. It would be desired, that the extension is using the ENV vars. Including version 24.5 we get this error message: "no valid ansible vault config found, cannot de/-encrypt" when using the command "extension.ansible.vault / Ansible Vault: Encrypt/decrypt via ansible-vault"

karpulix commented 1 month ago

I tried to create a global config of ansible in ~/.ansible.cfg:

[defaults]
vault_password_file=~/.ansible/.vault

When I use Encrypt/Decrypt command I get error:

/opt/homebrew/Cellar/python@3.12/3.12.6/Frameworks/Python.framework/Versions/3.12/lib/python3.12/getpass.py:91: GetPassWarning: Can not control echo on the terminal. passwd = fallback_getpass(prompt, stream) Warning: Password input may be echoed. New Vault password: Warning: Password input may be echoed. Confirm New Vault password: [WARNING]: Error in vault password prompt (default): EOFError (ctrl-d) on prompt for (default) ERROR! EOFError (ctrl-d) on prompt for (default)