trellis-cli
Deploy doesn't prompt for password and produces a "no vault secrets found" error.
Terms
- [X] I have read the guidelines for Contributing to Roots Projects
- [X] This request is not a duplicate of an existing issue
- [X] I have read the docs and followed them (if applicable)
- [X] I have searched the Roots Discourse for answers and followed them (if applicable)
- [X] This is not a personal support request that should be posted on the Roots Discourse community
Description
What's wrong?
I'm trying to use trellis-cli for everything, but trellis deploy isn't working and returns an error about missing Vault secrets. Prior to now I used the ./bin/deploy.sh script and could pass the --ask-vault-pass option so it would prompt me for the Vault password (I don't want to save it on disk). However https://github.com/roots/trellis/pull/1352 removed that script.
Possible solutions
From some quick googling it looks like vault_password_file could be pointed at a script inside ansible.cfg, which would then prompt me for the password (or maybe get it from 1Password or the Mac keychain... I like the flexibility of this idea.) I'm not sure though if this would solve the problem, or if ansible.cfg is "safe" to edit w/o breaking future Trellis updates.
Temporary workarounds
I can do trellis exec ansible-playbook deploy.yml -e env=<environment> -e site=<example.com> --ask-vault-pass, and it works fine, so I know all the files are in place and the password works in Vault.
Steps To Reproduce
- trellis init run - remote server config is in group_vars like usual - vault.yml files encrypted via Vault with a password
- no .vault_pass file
Expected Behavior
trellis deploy <environment> should prompt for the vault password.
Actual Behavior
When I run trellis deploy <environment>, it never prompts me for the password, and I get an "ERROR! Attempting to decrypt but no vault secrets found" message.
I tried passing --ask-vault-pass, but that returns a "too many arguments" error.
All the vault.yml files in group_vars are encrypted with the same password. I can do trellis vault view and it prompts me for the password, and decrypts the contents successfully.
Relevant Log Output
Running command => ansible-playbook deploy.yml -e env=<environment> -e site=<example.com> -vvvv
PLAY [Ensure necessary variables are defined] **********************************
[WARNING]: Failure using method (v2_playbook_on_play_start) in callback plugin
(<ansible.plugins.callback.vars.CallbackModule object at 0x10e5f3820>):
Attempting to decrypt but no vault secrets found
ERROR! Attempting to decrypt but no vault secrets found
exit status 4
Versions
trellis-cli 1.5.1, trellis 40b949a, macOS 12.2.1, Python 3.10.2 in trellis virtualenv, ansible 2.10.16
> I'm not sure though if this would solve the problem, or if ansible.cfg is "safe" to edit w/o breaking future Trellis updates.

It would likely fix it (as a workaround), and editing ansible.cfg is pretty safe as well. But I agree that trellis-cli should handle this better anyway since not saving a plain text password to disk is a good practice after all.
Any Ansible config value can be set with an env var too, so you could run:
ANSIBLE_VAULT_PASSWORD_FILE=some_script_file trellis deploy production
I also wonder if you can use the existing --extra-vars flag to set vault-password-file (or vault_password_file)?
Regardless of all of the above, maybe just adding first class support for --ask-vault-pass makes sense too. This would have to be added to all playbook commands (deploy, rollback, provision).
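The vault_password_file / ANSIBLE_VAULT_PASSWORD_FILE approach discussed above relies on Ansible running an executable password file and reading the password from its stdout. The script below is an added example (not part of the issue, trellis-cli, or Trellis): it looks the password up in the macOS keychain (the keychain item name trellis-vault and the file name vault-pass.sh are assumptions) and otherwise prompts on the terminal with echo off, so the password is never written to disk.

```shell
#!/bin/sh
# vault-pass.sh (assumed file name): executable vault password script.
# Ansible runs an executable vault_password_file and takes its stdout as
# the Vault password, so no plain-text .vault_pass file is needed.

# Keychain item holding the password (assumed name; create it with
# `security add-generic-password -s trellis-vault -a "$USER" -w`).
KEYCHAIN_SERVICE="${KEYCHAIN_SERVICE:-trellis-vault}"

# Read the password from the macOS keychain. Returns non-zero (and prints
# nothing) when `security` is unavailable or the item does not exist.
from_keychain() {
    command -v security >/dev/null 2>&1 || return 1
    security find-generic-password -w -s "$KEYCHAIN_SERVICE" 2>/dev/null
}

# Fall back to prompting on the controlling terminal with echo disabled,
# so the password is not shown on screen or kept in terminal scrollback.
from_tty() {
    [ -r /dev/tty ] || return 1
    stty -echo </dev/tty 2>/dev/null || return 1   # no usable tty
    trap 'stty echo </dev/tty 2>/dev/null' INT TERM # restore echo on Ctrl-C
    printf 'Vault password: ' >/dev/tty
    IFS= read -r pass </dev/tty
    stty echo </dev/tty 2>/dev/null
    printf '\n' >/dev/tty
    printf '%s\n' "$pass"
}

# Refuse to hand Ansible an empty password; fail loudly instead.
check_nonempty() {
    [ -n "$1" ] || { echo "vault-pass.sh: no password obtained" >&2; return 1; }
    printf '%s\n' "$1"
}

main() {
    pass="$(from_keychain)" || pass="$(from_tty)" || exit 1
    check_nonempty "$pass"
}

# Run only when executed under its own name; sourcing just defines functions.
case "${0##*/}" in vault-pass.sh) main ;; esac
```

Make it executable (chmod +x vault-pass.sh) and point Ansible at it, either with vault_password_file = ./vault-pass.sh in ansible.cfg or per invocation with ANSIBLE_VAULT_PASSWORD_FILE=./vault-pass.sh trellis deploy production.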
I was thinking about this again and there's two ways to work around this:
- modify ansible.cfg and remove the vault_password_file setting
- set the ANSIBLE_ASK_VAULT_PASS=true env var (you could even permanently export it). Setting this will override the ansible.cfg setting
After discovering that env var, I decided to add support for it in the CLI config file: https://github.com/roots/trellis-cli/pull/321
After the next release, you can set this in .trellis/cli.yml:
ask_vault_pass: true