Roll keys and re-encrypt secrets in any repo using Ansible Vault
ansible-vault-rekey
Free software: BSD license
Documentation: https://ansible-vault-rekey.readthedocs.io.
Usage
WARNING: Very few guardrails present. Running this without options will overwrite data by default.
Known issues / caveats:
Shows a callous disregard for whitespace and comments
Assumes it’s in a playbook directory if -r isn’t provided
Will casually write secrets to STDOUT in --debug mode
    $ ansible-vault-rekey --help
    Usage: ansible-vault-rekey [OPTIONS]

      (Re)keys Ansible Vault repos.

    Options:
      --debug
      --dry-run                 Skip any action that would overwrite an original
                                file.
      -k, --keep-backups        Keep unencrypted copies of files after a
                                successful rekey.
      -r, --code-path TEXT      Path to Ansible code.
      -p, --password-file TEXT  Path to password file. Default: vault-password.txt
      -v, --vars-file TEXT      Only operate on the file specified. Default is to
                                check every YAML file in Ansible role/play dirs
                                for encrypted assets.
      --help                    Show this message and exit.
You can confirm that your secrets were re-encrypted properly by running debug on an encrypted var or file, e.g.:
ansible --vault-password-file vault-password.txt -e "@group_vars/all.yml" -i localhost, -c local -m debug -a var=somesecurevar localhost
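A complementary check, added here and not part of ansible-vault-rekey: fingerprint every vault payload in the repo before and after the run and list the files whose ciphertext did not change, since those are still encrypted under the old password (for example, files outside the role/play dirs the tool scans by default). The function names are hypothetical and the payloads in demo() are constructed; payloads are compared instead of whole files so the whitespace changes listed under known issues do not hide an untouched secret.

```python
# Added example; function names are hypothetical and sample data is constructed.
import hashlib
import re
import tempfile
from pathlib import Path

HEADER = re.compile(r"\$ANSIBLE_VAULT;\d\.\d;AES256")
HEX_LINE = re.compile(r"\s*([0-9a-fA-F]+)\s*$")


def vault_blobs(text):
    """Yield each vault payload (whole-file or inline) as one joined hex string."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        i += 1
        if HEADER.search(lines[i - 1]):
            payload = []
            while i < len(lines) and (m := HEX_LINE.match(lines[i])):
                payload.append(m.group(1).lower())
                i += 1
            yield "".join(payload)


def fingerprints(root):
    """Map sha256(payload) -> relative path for every vault blob under root."""
    root, found = Path(root), {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and ".git" not in path.parts:
            for blob in vault_blobs(path.read_text(errors="ignore")):
                digest = hashlib.sha256(blob.encode()).hexdigest()
                found[digest] = str(path.relative_to(root))
    return found


def not_rekeyed(before, after):
    """Paths whose ciphertext is unchanged by the rekey (still on the old key)."""
    return sorted({after[d] for d in before.keys() & after.keys()})


def demo():
    """Constructed sample: an inline secret is rekeyed, a vault file is missed."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "all.yml").write_text("pw: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  6161\n  6262\nuser: app\n")
        (repo / "extra.vault").write_text("$ANSIBLE_VAULT;1.1;AES256\n63636464\n")
        before = fingerprints(repo)  # snapshot taken before the rekey
        # Stand-in for the rekey: new ciphertext, different indentation.
        (repo / "all.yml").write_text("pw: !vault |\n    $ANSIBLE_VAULT;1.1;AES256\n    65656666\nuser: app\n")
        return not_rekeyed(before, fingerprints(repo))
```

An empty result only shows that every payload was rewritten; it does not show which password now protects it, so pair it with the debug command above using the new password file.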
Installation
pip install ansible-vault-rekey
We have dependencies a couple of layers down which need to compile crypto libraries if you haven’t already got them. On most systems, you’ll need the following:
libffi-dev / libffi-devel
libssl-dev / openssl-devel
gcc
Features
TODO
Testing
With Docker (recommended):
docker build -t tmp . && docker run --rm -it -w /workspace -v $(pwd):/workspace tmp
Manually:
pip install -r requirements.txt pytest && python -m pytest tests/*.py
Credits
This package was created with Cookiecutter and the audreyr/cookiecutter-pypackage project template.
History
2.0.1 (2020-12-31)
Fix improper encryption of YAML files
2.0.0 (2020-12-31)
Fix dependency errors
Dropped support for Python2 and Python 3.5
Added support for Python 3.7, 3.8, 3.9
0.1.0 (2017-10-31)
First release on PyPI.