From 9e473265a530807a5123c3f7f3d99736aca2e35a Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Mon, 20 Dec 2021 17:25:18 +0000
Subject: [PATCH] Read vault password from bitwarden instead of filesystem

https://theorangeone.net/posts/ansible-vault-bitwarden/
---
 .gitignore | 1 -
 README.md | 2 +-
 ansible/ansible.cfg | 1 +
 ansible/vault-pass.sh | 3 +++
 scripts/ansible/deploy.sh | 2 +-
 5 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100755 ansible/vault-pass.sh

diff --git a/.gitignore b/.gitignore
index d876c26..ddfdfa4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,7 +112,6 @@ dmypy.json
 # End of https://www.gitignore.io/api/python,ansible
 env/
-ansible/.vault_pass
 ansible/galaxy_roles
 ansible/galaxy_collections
diff --git a/README.md b/README.md
index 221d981..3f697fb 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ ### Private Settings
-The ansible vault password needs setting in `ansible/.vault_pass`.
+Ansible [integrates](https://theorangeone.net/posts/ansible-vault-bitwarden/) with Bitwarden through its [CLI](https://bitwarden.com/help/article/cli/).
 Terraform configuration needs to be placed in `terraform/secrets.auto.tfvars`.
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 6ab62d9..5eec73e 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -7,6 +7,7 @@ collections_path = $PWD/galaxy_collections
 inventory = ./hosts
 become_ask_pass = True
 interpreter_python = auto
+vault_password_file = ./vault-pass.sh
 [ssh_connection]
 pipelining = True
diff --git a/ansible/vault-pass.sh b/ansible/vault-pass.sh
new file mode 100755
index 0000000..8cbf3c9
--- /dev/null
+++ b/ansible/vault-pass.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+bw get password infrastructure
diff --git a/scripts/ansible/deploy.sh b/scripts/ansible/deploy.sh
index fed0067..9c7f847 100755
--- a/scripts/ansible/deploy.sh
+++ b/scripts/ansible/deploy.sh
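Review bot: The added `vault_password_file = ./vault-pass.sh` line is undocumented in a config file that otherwise has no comments, and it is not obvious to a reader that Ansible executes a vault password file whose execute bit is set (the script is created with mode 100755 in this commit) rather than reading its contents as the password. A one-line comment above it such as `# executable: Ansible runs it to fetch the vault password from Bitwarden (needs an unlocked bw session)` would explain why a .sh path sits in a password-file setting and what the operator must have set up first. Whether the relative `./vault-pass.sh` resolves against the config file's directory or the working directory, `scripts/ansible/deploy.sh` does `cd ansible/` before invoking ansible-playbook, so the two agree for that entry point; ad-hoc runs from elsewhere may not, which the comment could also mention.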
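Review bot: The new script has no guard for a locked or unauthenticated Bitwarden vault, so when `BW_SESSION` is not exported `bw` may try to prompt for the master password or fail with a generic error inside the non-interactive ansible-playbook run; failing fast with a clear message is better. I would add `set -eu` after the shebang, then `: "${BW_SESSION:?run 'bw unlock' and export BW_SESSION first}"`, and make the last line `exec bw get password infrastructure`, so a failed lookup exits non-zero with a readable reason (I believe Ansible reports a non-zero exit from a vault password script rather than continuing with an empty password, but that is worth confirming against the version in use). The item is also looked up by the name `infrastructure`; using the item id instead would be unambiguous if a second item with that name is ever created in the vault.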
@@ -4,4 +4,4 @@ set -ex
 cd ansible/
-time ansible-playbook main.yml -K --vault-password-file .vault_pass $@
+time ansible-playbook main.yml -K $@
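Review bot: `$@` on the rewritten ansible-playbook line is unquoted, so any extra argument containing whitespace (for example `-e "var=some value"`) is word-split before it reaches ansible-playbook; the new line should be `time ansible-playbook main.yml -K "$@"`. The quoting problem predates this commit, but since the line is being rewritten anyway this is the moment to fix it. The script's shebang and the start of the file are outside this hunk.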