drone-plugins / drone-ansible

Drone plugin to provision via Ansible
http://plugins.drone.io/drone-plugins/drone-ansible
Apache License 2.0

Syntax Check Fails Because Vault Password Not Specified #31

Closed wbh1 closed 4 years ago

wbh1 commented 4 years ago

When constructing the Ansible command(s) to run, this plugin returns prematurely if a syntax check is being run which leads to the vault password not being specified. This causes the syntax check to fail if one or more vars files is Ansible Vault-encrypted.

Line of code in question: https://github.com/drone-plugins/drone-ansible/blob/master/plugin.go#L252

I'll submit a PR to remedy, but still wanted to create an issue for tracking.

Our error:

$ ansible --version
ansible 2.8.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, May  6 2019, 19:28:45) [GCC 8.3.0]
$ ansible-playbook --inventory drone/inventory --syntax-check drone/run.yml
ERROR! Attempting to decrypt but no vault secrets found
exit status 1

Relevant portion of our .drone.yml:

---
kind: pipeline
name: syntax-check

steps:
  - name: check ansible syntax
    image: plugins/ansible:1
    settings:
      playbook: drone/run.yml
      syntax_check: true
      inventory: drone/inventory
      vault_password:
        from_secret: ansible_vault_key
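
The ordering wbh1 describes, reconstructed as an added Go example. This is not the plugin's own code from plugin.go; the Config fields, function names and the /tmp/vault-password path are assumptions made for the illustration. It builds the ansible-playbook command line both ways so the difference is visible: the buggy variant returns from the syntax-check branch before the vault option is appended, the fixed variant appends every load-time option first and only then decides between a syntax check and a real run.

```go
package main

import (
	"fmt"
	"strings"
)

// Config is a hypothetical subset of the plugin settings that matter here.
// Field names are assumptions for this example, not the plugin's own struct.
type Config struct {
	Playbook      string
	Inventory     string
	SyntaxCheck   bool
	VaultPassword string // path of the file the vault secret was written to (assumed)
}

// buildArgsBuggy reproduces the ordering the issue describes: the syntax-check
// branch returns before the vault option is ever appended, so a vault-encrypted
// vars file cannot be decrypted during the check.
func buildArgsBuggy(c Config) []string {
	args := []string{"ansible-playbook", "--inventory", c.Inventory}
	if c.SyntaxCheck {
		// early return: the vault option below never reaches the command
		return append(args, "--syntax-check", c.Playbook)
	}
	if c.VaultPassword != "" {
		args = append(args, "--vault-password-file", c.VaultPassword)
	}
	return append(args, c.Playbook)
}

// buildArgsFixed appends every option that influences how files are loaded
// (vault included) before choosing between a syntax check and a real run.
func buildArgsFixed(c Config) []string {
	args := []string{"ansible-playbook", "--inventory", c.Inventory}
	if c.VaultPassword != "" {
		args = append(args, "--vault-password-file", c.VaultPassword)
	}
	if c.SyntaxCheck {
		args = append(args, "--syntax-check")
	}
	return append(args, c.Playbook)
}

// hasFlag reports whether a built command line carries the given option.
func hasFlag(args []string, flag string) bool {
	for _, a := range args {
		if a == flag {
			return true
		}
	}
	return false
}

func main() {
	// Settings mirror the .drone.yml above; the password path is an assumption.
	cfg := Config{
		Playbook:      "drone/run.yml",
		Inventory:     "drone/inventory",
		SyntaxCheck:   true,
		VaultPassword: "/tmp/vault-password",
	}
	builders := map[string]func(Config) []string{"buggy": buildArgsBuggy, "fixed": buildArgsFixed}
	for _, name := range []string{"buggy", "fixed"} {
		args := builders[name](cfg)
		fmt.Printf("%-5s vault flag present=%v  %s\n", name,
			hasFlag(args, "--vault-password-file"), strings.Join(args, " "))
	}
}
```

The practical check for any wrapper that shells out to ansible-playbook is the same: options that change how inventory and vars files are loaded (vault secrets, extra vars, inventory) must be emitted on every code path, and the playbook argument goes last.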

tboerger commented 4 years ago

Maybe you are defining your encrypted values in a bad way? Even this example works without any issue without providing the vault secret:

- hosts: all
  vars:
    foobar: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      61326565656435373038396462323238313637396666343834316634393739326438613734656238
      3762306638643539636666656362373663326663363635320a363531306664353162343338396566
      31303035306130666333613337613538376563613036393436393631663466653363646539323332
      3437656166316164370a326462373861626234663237396333303663636338633739346637623061
      3936

  roles: []

wbh1 commented 4 years ago

Yes - that works fine. The issue arises when the entirety of a file is vault encrypted rather than just individually encrypting strings (i.e. file-level encryption rather than variable-level encryption).
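
The distinction wbh1 draws, as an added Go example that is not part of the thread or the plugin. A whole-file vault starts with the $ANSIBLE_VAULT header on its first line and must be decrypted before YAML parsing can even begin, whereas a file that only carries !vault tagged values parses fine and the values are decrypted only when used. The helper below classifies a set of vars files on that basis and lists the ones that will make a syntax check fail without a vault secret; the sample files are constructed here and their ciphertext lines are placeholder hex, not real vault payloads.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// VaultUsage summarises how a YAML vars file uses Ansible Vault.
type VaultUsage struct {
	WholeFile   bool // entire file is a vault payload; must be decrypted just to parse it
	InlineCount int  // number of !vault tagged values; decrypted only when referenced
}

// classifyVaultUsage inspects the raw file content. A file-level vault begins
// with the $ANSIBLE_VAULT header as its very first line; inline encryption is
// marked by the !vault YAML tag on individual values.
func classifyVaultUsage(content string) VaultUsage {
	lines := strings.Split(content, "\n")
	u := VaultUsage{}
	if len(lines) > 0 && strings.HasPrefix(strings.TrimSpace(lines[0]), "$ANSIBLE_VAULT;") {
		u.WholeFile = true
		return u
	}
	for _, l := range lines {
		if strings.Contains(l, "!vault") {
			u.InlineCount++
		}
	}
	return u
}

// needsVaultForSyntaxCheck returns the names of files that ansible-playbook
// --syntax-check cannot load without a vault secret: only whole-file vaults,
// since inline values are not decrypted during a syntax check.
func needsVaultForSyntaxCheck(files map[string]string) []string {
	var blocking []string
	for name, content := range files {
		if classifyVaultUsage(content).WholeFile {
			blocking = append(blocking, name)
		}
	}
	sort.Strings(blocking)
	return blocking
}

// sampleFiles are constructed for this example; the hex lines are placeholders.
var sampleFiles = map[string]string{
	"group_vars/all/plain.yml": "ntp_server: pool.ntp.org\n",
	"group_vars/all/inline.yml": "db_password: !vault |\n" +
		"  $ANSIBLE_VAULT;1.1;AES256\n" +
		"  6132656565643537303839646232323831\n" +
		"api_token: !vault |\n" +
		"  $ANSIBLE_VAULT;1.1;AES256\n" +
		"  3762306638643539636666656362373663\n",
	"group_vars/all/secrets.yml": "$ANSIBLE_VAULT;1.1;AES256\n" +
		"3130303530613066633361333761353837\n" +
		"3437656166316164370a32646237386162\n",
}

func main() {
	for _, name := range []string{"group_vars/all/plain.yml", "group_vars/all/inline.yml", "group_vars/all/secrets.yml"} {
		fmt.Printf("%-28s %+v\n", name, classifyVaultUsage(sampleFiles[name]))
	}
	fmt.Println("require vault_password for --syntax-check:", needsVaultForSyntaxCheck(sampleFiles))
}
```

Running a check like this in the pipeline before the ansible step gives a clearer failure than "Attempting to decrypt but no vault secrets found": it names the file-level vaults that require the vault_password setting to be wired through, whichever mode the playbook is invoked in.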

ispringle commented 4 years ago

I too am having this issue.