
Add Ansible vault decryption

Open Bleizo opened this issue 2 years ago • 0 comments

Environment

  • Python version: 3.10.12
  • schema-enforcer version: 1.2.2

It would be great if schema-enforcer ansible could handle inventory files with vaulted variables in them. At the moment, part of the stack trace when doing so is:

__init__.py", line 640, in decrypt
    plaintext, vault_id, vault_secret = self.decrypt_and_get_vault_id(vaulttext, filename=filename, obj=obj)
  File "/home/bp/gitlab/framestore/systems/monitoring/fop/venv/lib/python3.10/site-packages/ansible/parsing/vault/__init__.py", line 678, in decrypt_and_get_vault_id
    raise AnsibleVaultError('Attempting to decrypt but no vault secrets found')

Proposed Functionality

I propose the command be extended to provide vault IDs in a similar way to what ansible-inventory provides. The invocation would look something like this:

schema-enforcer ansible --inventory inventory/ --vault-id testid@/tmp/vault_secret.txt

Use Case

This is useful when validating host/group vars that contain secrets. These can be anything from BGP peering passwords (8-character length limit) to validating that passwords adhere to certain requirements, or even validating YAML files that are completely encrypted.

Bleizo · Nov 01 '23 02:11
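The following is an added example, not code from the schema-enforcer project or from the issue author, showing the pieces a `--vault-id label@file` option like the one proposed above would need: parsing the option in Ansible's `label@source` form, reading the secret file, scanning an inventory vars file for `$ANSIBLE_VAULT` envelopes (inline `!vault |` values and files that are vaulted in their entirety), and reporting which vault ids have no secret before decryption is attempted, instead of surfacing the raw "no vault secrets found" trace. The sample vars files and the secret file are constructed; the hex bodies are placeholders, not real ciphertext. The actual decryption hands off to `ansible.parsing.vault.VaultLib`, imported lazily so everything else runs without Ansible installed. Note that this pre-check is stricter than Ansible's default, which also falls back to trying every loaded secret against a labelled envelope.

```python
"""Helpers a validation tool could use to honour --vault-id label@file options
when reading Ansible inventory vars that contain vault envelopes (added example)."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Vault envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault-id>]
# Format 1.1 carries no id label; format 1.2 records the label used at encryption time.
VAULT_HEADER = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>[^;\s]+))?$"
)

# Constructed sample host_vars file with one inline vaulted value (label "testid").
# The hex body is a placeholder, not a real ciphertext.
SAMPLE_HOST_VARS_LABELLED = """\
bgp_peer_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;testid
  30313233343536373839616263646566303132333435363738396162636465663031323334353637
ntp_server: 10.0.0.1
"""

# Constructed sample of a file vaulted in its entirety (format 1.1, no label).
SAMPLE_WHOLE_FILE_VAULTED = """\
$ANSIBLE_VAULT;1.1;AES256
30313233343536373839616263646566303132333435363738396162636465663031323334353637
"""


def parse_vault_id_option(value: str) -> Tuple[str, str]:
    """Split a --vault-id argument 'label@source' into (label, source).
    A bare source with no '@' gets the label 'default', as ansible does."""
    label, source = value.split("@", 1) if "@" in value else ("default", value)
    if not label or not source:
        raise ValueError(f"malformed --vault-id {value!r}; expected label@source")
    return label, source


def load_vault_secrets(vault_id_options: List[str]) -> Dict[str, bytes]:
    """Read each --vault-id label@file into {label: secret}. Only password files
    are handled here; prompt and script sources are out of scope for this example."""
    secrets: Dict[str, bytes] = {}
    for opt in vault_id_options:
        label, source = parse_vault_id_option(opt)
        secrets[label] = Path(source).read_bytes().strip()
    return secrets


def vault_ids_required(text: str) -> List[Optional[str]]:
    """Return the id label of every vault envelope in `text` (None for 1.1 envelopes)."""
    ids: List[Optional[str]] = []
    for line in text.splitlines():
        match = VAULT_HEADER.match(line.strip())
        if match:
            ids.append(match.group("vault_id"))
    return ids


def missing_secrets(text: str, secrets: Dict[str, bytes]) -> List[str]:
    """Names of envelopes in `text` that cannot be decrypted with `secrets`.
    A labelled (1.2) envelope needs a secret under that label; an unlabelled (1.1)
    envelope can be tried against any secret, so it is only missing when none exist."""
    missing: List[str] = []
    for vault_id in vault_ids_required(text):
        if vault_id is None:
            if not secrets:
                missing.append("<unlabelled 1.1 envelope>")
        elif vault_id not in secrets:
            missing.append(vault_id)
    return missing


def decrypt_vaulted_text(text: str, secrets: Dict[str, bytes]) -> bytes:
    """Decrypt one envelope with ansible's VaultLib after the pre-check (requires ansible)."""
    from ansible.parsing.vault import VaultLib, VaultSecret  # lazy: optional dependency

    missing = missing_secrets(text, secrets)
    if missing:
        raise LookupError(f"no vault secret for id(s): {', '.join(missing)}")
    lib = VaultLib([(label, VaultSecret(pw)) for label, pw in secrets.items()])
    return lib.decrypt(text)


def demo() -> Dict[str, List[str]]:
    """Write a constructed secret file, load it through a --vault-id string, and report
    which envelopes in the two samples would still lack a secret."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-test-password\n")  # constructed secret, not a real one
        secret_path = fh.name
    try:
        secrets = load_vault_secrets([f"testid@{secret_path}"])
    finally:
        Path(secret_path).unlink()
    return {
        "labelled_without_secrets": missing_secrets(SAMPLE_HOST_VARS_LABELLED, {}),
        "labelled_with_testid": missing_secrets(SAMPLE_HOST_VARS_LABELLED, secrets),
        "labelled_with_wrong_label": missing_secrets(SAMPLE_HOST_VARS_LABELLED, {"other": b"x"}),
        "whole_file_without_secrets": missing_secrets(SAMPLE_WHOLE_FILE_VAULTED, {}),
        "whole_file_with_any_secret": missing_secrets(SAMPLE_WHOLE_FILE_VAULTED, secrets),
    }


if __name__ == "__main__":
    for name, missing in demo().items():
        print(f"{name}: {missing or 'all secrets available'}")
```

Running the module prints which of the five scenarios would fail the pre-check; a tool wiring this in would call `missing_secrets` on each vars file before handing the text to `VaultLib`, so a missing or mislabelled `--vault-id` produces a one-line error naming the label rather than a traceback from inside ansible.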