Read vault password from bitwarden instead of filesystem

https://theorangeone.net/posts/ansible-vault-bitwarden/
2021-12-20 17:25:18 +00:00 · 2021-12-20 17:25:18 +00:00 · 9e473265a5
commit 9e473265a5
parent b50659ab5d
5 changed files with 6 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -112,7 +112,6 @@ dmypy.json

 # End of https://www.gitignore.io/api/python,ansible
 env/
-ansible/.vault_pass
 ansible/galaxy_roles
 ansible/galaxy_collections

--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@

 ### Private Settings

-The ansible vault password needs setting in `ansible/.vault_pass`.
+Ansible [integrates](https://theorangeone.net/posts/ansible-vault-bitwarden/) with Bitwarden through its [CLI](https://bitwarden.com/help/article/cli/).

 Terraform configuration needs to be placed in `terraform/secrets.auto.tfvars`.

--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@ -7,6 +7,7 @@ collections_path = $PWD/galaxy_collections
 inventory = ./hosts
 become_ask_pass = True
 interpreter_python = auto
+vault_password_file = ./vault-pass.sh

 [ssh_connection]
 pipelining = True
--- a/ansible/vault-pass.sh
+++ b/ansible/vault-pass.sh
@ -0,0 +1,3 @@
+#!/bin/sh
+
+bw get password infrastructure
--- a/scripts/ansible/deploy.sh
+++ b/scripts/ansible/deploy.sh
@ -4,4 +4,4 @@ set -ex

 cd ansible/

-time ansible-playbook main.yml -K --vault-password-file .vault_pass $@
+time ansible-playbook main.yml -K $@