
Improvement: Support multiple Ansible vault-id instead of just one

Open ccuz opened this issue 3 years ago • 3 comments

Given an ansible.cfg having vault_identity_list = [email protected], [email protected] and according to https://docs.ansible.com/ansible/latest/user_guide/vault.html#passing-multiple-vault-passwords, it should be possible to use ansible-playbook --vault-id [email protected] --vault-id [email protected] theplaybook.yml instead of just ansible-playbook --vault-password-file vaultfile theplaybook.yml.

As currently implemented, using the 'username' field of the Secret's Username&Password as the vault identifier (i.e. 'dev' or 'database') would allow creating the expected '--vault-id' for each. On the Task's Template, having a multi-select dropdown menu instead of a single entry would already do it. Also, selecting just one value should be equivalent to the existing behavior:

  today: ansible-playbook --vault-password-file vaultfile theplaybook.yml
  after: ansible-playbook --vault-id vaultfile theplaybook.yml

with the vaultfile name coming from the username from the Password form.

https://github.com/ansible-semaphore/semaphore/blob/develop/services/tasks/runner.go#L704

ccuz avatar Jul 28 '22 08:07 ccuz
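
The argument construction proposed in the issue above, as an added example (not Semaphore's own code and not from the issue author): one `--vault-id label@file` pair per selected secret, with the label taken from the secret's username field. `VaultSecret` and `VaultArgs` are hypothetical names; restricting the label characters, rejecting duplicate labels and writing password files with mode 0600 are choices of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// VaultSecret is a hypothetical stand-in for a login/password secret:
// Label is the username field, Password is the vault password.
type VaultSecret struct {
	Label    string
	Password string
}

// A label may not contain '@', whitespace or path separators, and may not
// start with '-', so it cannot alter the argument or the file path.
var labelRe = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]*$`)

// VaultArgs writes each password to a 0600 file under dir and returns the
// matching "--vault-id label@file" arguments in selection order.
func VaultArgs(dir string, secrets []VaultSecret) ([]string, error) {
	seen := map[string]bool{}
	var args []string
	for _, s := range secrets {
		// Duplicates are rejected because the file name derives from the label.
		if !labelRe.MatchString(s.Label) || seen[s.Label] {
			return nil, fmt.Errorf("invalid or duplicate vault id label %q", s.Label)
		}
		seen[s.Label] = true
		path := filepath.Join(dir, "vault-"+s.Label)
		if err := os.WriteFile(path, []byte(s.Password), 0o600); err != nil {
			return nil, err
		}
		args = append(args, "--vault-id", s.Label+"@"+path)
	}
	return args, nil
}

func main() {
	dir, err := os.MkdirTemp("", "vault") // private directory, removed after the run
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample secrets; the labels match the issue's 'dev' and 'database'.
	args, err := VaultArgs(dir, []VaultSecret{{"dev", "constructed-1"}, {"database", "constructed-2"}})
	fmt.Println(append(args, "theplaybook.yml"), err)
}
```

With a single selected secret the function returns one `--vault-id` pair, which corresponds to the "after" form in the issue.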

Hi :)

I need this feature too. Do you have a planned date?

Thanks

FlashModz avatar Feb 21 '24 12:02 FlashModz

+1 - I need this in order to run my Playbooks through Semaphore :innocent:

Aaron-von-Awesome avatar Mar 01 '24 19:03 Aaron-von-Awesome

Yes, vault-id can be assigned, but it seems to be once per run unless you were to find a method that could redefine the value of a specific Semaphore variable in the middle of a task template run.

This is not really covered anywhere in the documentation that I have seen, so I am sharing what I have learned. Let me start with a bit of history.

When I build an Ansible playbook, I have always designed them to use a single "--vault-id" per run.

  --vault-id development@prompt  - used for development
  --vault-id production@prompt - used for production deployment

I know it is possible to call multiple '--vault-id' identities in a single playbook run, but I have never designed my playbooks to use that ability.

When I started migrating playbooks into Semaphore, I was wondering how the different '--vault-id' identities would play out. My first playbook failed with an undefined variable error specifying the variable 'vault_id_target' was undefined. I added that variable into the 'Extra variables' area of the current 'Environment' assigned to the running task template and the playbook then ran as expected and completed successfully.

  {
    ...
    "vault_id_target":"development",
    ...
  }

I also had previously created an entry in the 'Key Store' for 'Vault-ID - development' which contains the correct password for that '--vault-id', and had assigned that value to the 'Vault Password' field of the running task template.

Hopefully this helps someone out in the future.

erioshi avatar May 04 '24 09:05 erioshi