I'm new to Ansible vault so here goes:
As part of my company's CI/CD process we are using Jenkins to deploy our apps onto our various servers; there's already an Ansible playbook for that and it works well. Note that I can't change this part at all. If I encrypt a file in the source code and deploy it here then it won't be decrypted afterwards. As our apps have sensitive information in their configuration file (db usernames and passwords, for example) I need to take this information out from the source code and encrypt it via Ansible vault. Everything suggests I should use the 'copy' command:
So far I've tried:
Encoding the entire configuration file via ansible-vault encrypt_string and putting the resulting output into a separate file as part of the Jenkins project. Say it's called 'config.properties.encoded'
In an ansible playbook (copy_secure_files.yaml) I have:
```yaml
- hosts: remote_servers
  tasks:
    - name: Copy files to remote
      copy:
        src: 'config.properties.encoded'
        dest: 'config.properties'
        decrypt: yes
```
According to the docs: The copy module copies a file from the local or remote machine to a location on the remote machine. Except when I run this, all it does is copy the file on the jenkins build server. It isn't uploaded anywhere. And it is not decrypted.
dev.ini:
```ini
[remote_servers]
dev ansible_host=remoteDevServer ansible_user=devUser ansible_connection=local
```
jenkinsfile-deploy:
```groovy
ansiblePlaybook(
    installation: 'Ansible 2',
    inventory: 'dev.ini',
    playbook: "Copy_secure_files.yaml",
    colorized: true,
    vaultCredentialsId: '<Password used to encrypt file goes here>',
    extraVars: [
        ansible_user: ansible_user,
        ansible_password: ansible_password
    ]
)
```
What am I doing wrong? Why isn't my file being uploaded anywhere?
You use `ansible_connection=local` in your inventory, so yeah, Ansible doesn't go anywhere from your Ansible control machine (Jenkins in your case). You need to consider that you would typically either rely on the fact that the first parameter in your inventory definition is the actual hostname (resolvable by DNS or by /etc/hosts or present in SSH config...), in your obfuscated example that is `dev`, or that you use `ansible_host` and you put the actual hostname or IP address there.
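As an added illustration of the answer above (this is not code from the question or the answer), here is what the inventory and playbook look like once the `ansible_connection=local` setting is dropped so that Ansible actually connects to the target over SSH. The inventory is written in Ansible's YAML inventory format so both files can sit in one block; it is equivalent to the question's `dev.ini` with the `local` connection removed. The remote path `/opt/myapp/`, the `files/` source directory and the `0600` mode are assumptions for the example. The config file is encrypted as a whole with `ansible-vault encrypt`, which is the form the `copy` module's `decrypt` option handles; `encrypt_string` instead produces a `!vault` tagged scalar meant for embedding in YAML variables, not a standalone encrypted file. The vault password itself is supplied by the Jenkins `vaultCredentialsId` shown in the question, so it never lands in the repository.

```yaml
# --- dev.yml: YAML inventory, equivalent of the question's dev.ini ---
# (assumed layout; "remoteDevServer" stands for the real DNS name or IP)
all:
  children:
    remote_servers:
      hosts:
        dev:
          ansible_host: remoteDevServer   # the actual host Ansible should SSH to
          ansible_user: devUser
          # no "ansible_connection: local" here: the default (ssh) makes Ansible
          # leave the Jenkins control node and talk to remoteDevServer

# --- copy_secure_files.yaml: playbook run by the Jenkins ansiblePlaybook step ---
# files/config.properties was encrypted beforehand on the control side with:
#   ansible-vault encrypt files/config.properties
# so its first line reads "$ANSIBLE_VAULT;1.1;AES256" and copy can decrypt it.
---
- hosts: remote_servers
  tasks:
    - name: Copy vault-encrypted config to the remote host, decrypting in flight
      copy:
        src: files/config.properties      # encrypted on disk in the Jenkins workspace
        dest: /opt/myapp/config.properties  # assumed application config path
        owner: devUser
        mode: '0600'                      # plaintext secrets: readable by the app user only
        decrypt: yes                      # default value, shown explicitly for clarity
```

With `decrypt: yes` the file is decrypted on the control node and transferred over SSH in plaintext form only inside the encrypted session; the encrypted copy in the repository stays encrypted. Restricting the destination mode matters because, after this task, the secrets exist in clear on the target filesystem.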