ansible-review
Add support for decrypting vault file
Right now, trying to run ansible-review with the default standards when a group_vars or host_vars file is encrypted using ansible-vault results in the error:
ERROR: Standard "Inventory must be parseable" not met:
inventory/hosts:Inventory is broken: Decryption failed on inventory/group_vars/all/private.yml
The vault password file directive is used in the ansible.cfg file in the playbook directory.
ansible-review should either (1) add an option to supply a vault password file or (2) pull it from the ansible config via the ansible API (not sure how difficult this is).
I think ansible-review should use the standard ansible.cfg mechanism, so it might be that we're just not checking for the presence of that configuration parameter when decrypting vault files.
For now I'll have to mark this as a bug and hope someone can help solve it until I have some more time to dig into it.
Is this a bug on the latest 0.14.0rc2? I think I have hit this problem when the file is completely vaulted. For now I prefer encrypt_string instead of vaulted files anyway, so I believe this latest RC works with that.
As for the ansible.cfg reference, I don't agree with that because most often we are linting our ansible role repo, which does not include the ansible.cfg (since it's typically in the playbook repo). For now, I think ansible-review shouldn't raise an ERROR and prevent the commit when it hits a vaulted file. It should be a warning.
@ansiblejunky it shouldn't be now but I don't use vaulted files these days so I'm not sure I've tested it - like you, I find the encrypt_string makes for much more readable configuration and definitely more useful diffs!
@willthames Oh I totally agree with you and I haven't done vaulted files for a while either, however I thought you might want to know about a bug that a colleague hit when using vaulted files.
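The two cases discussed in this thread, a wholly vaulted vars file and inline encrypt_string values, can be told apart from the vault header alone, without the vault password. The sketch below is an added example, not ansible-review's code: the function names, the WARN/INFO messages, the main.yml path and the sample inputs are all constructed for illustration.

```python
import re

# Vault envelope header: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;(\d\.\d);(\w+)(?:;(\S+))?$")
# Inline value as written by `ansible-vault encrypt_string`: "key: !vault |"
INLINE_VAULT = re.compile(r"^\s*([\w.-]+):\s*!vault\s*\|")

# Constructed samples; the hex payloads are placeholders, not real ciphertext.
VAULTED_FILE = "$ANSIBLE_VAULT;1.1;AES256\n6162636465666768\n3031323334353637\n"
INLINE_FILE = (
    "db_user: app\n"
    "db_password: !vault |\n"
    "  $ANSIBLE_VAULT;1.1;AES256\n"
    "  6162636465666768\n"
)


def classify_vars_file(text):
    """Classify vars-file content without the vault password (hypothetical helper)."""
    lines = text.splitlines()
    header = VAULT_HEADER.match(lines[0].strip()) if lines else None
    if header:
        version, cipher, vault_id = header.groups()
        return "vaulted-file", {"version": version, "cipher": cipher, "vault_id": vault_id}
    keys = [m.group(1) for m in map(INLINE_VAULT.match, lines) if m]
    if keys:
        return "inline-vault", {"keys": keys}
    return "plain", {}


def review_message(path, text):
    """Return (level, message); a wholly vaulted file is a warning, not an error."""
    kind, detail = classify_vars_file(text)
    if kind == "vaulted-file":
        return "WARN", f"{path}: whole file is vault-encrypted ({detail['cipher']}), content not reviewed"
    if kind == "inline-vault":
        return "INFO", f"{path}: inline vault values for {', '.join(detail['keys'])}; other keys reviewed"
    return "INFO", f"{path}: plain YAML, reviewed in full"


if __name__ == "__main__":
    for name, sample in [("inventory/group_vars/all/private.yml", VAULTED_FILE),
                         ("inventory/group_vars/all/main.yml", INLINE_FILE)]:
        print(*review_message(name, sample))
```

Files with inline values remain parseable as YAML with the encrypted scalars left opaque, which is why only the wholly vaulted case needs to be skipped.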