Skip to main content

Plugin to integrate Ansible with ploy.

Project description


The ploy_ansible plugin provides integration of Ansible with ploy. It automatically builds an inventory and provides a custom connection plugin.


ploy_ansible is best installed with easy_install, pip or with zc.recipe.egg in a buildout.


The plugin adds the following commands to ploy.


Configures an instance. There are three ways to specify how to configure an instance. Applying the roles given by the roles option of an instance, a playbook set by the playbook option or a playbook with the unique name of the instance found in the playbooks-directory. Using roles or a playbook is mutually exclusive. If you specify a playbook and there is also a playbook in the default location, you will get a warning.


Lists all known groups and their associated hosts, including regular default groups, such as all but also implicit, ploy_ansible groups such as instances of a particular master (i.e. all ez-instances of an ez-master)


Runs an Ansible command. This basically reflects the ansible script of Ansible.


Applies a playbook. This basically reflects the ansible-playbook script of Ansible.


Manages file encryption. This basically reflects the ansible-vault script of Ansible, but handles the encryption key source via ploy.conf.


Manages the vault key.




The playbooks-directory option of the ansible section allows you to specify the directory where playbooks, roles, host_vars etc are looked up. If you specify a relative path, then it’s always relative to the ploy.conf directory. If you have a structure like this:

|-- deployment
| |-- roles
| |-- host_vars
|-- etc
  |-- ploy.conf

Then you would put the following into your ploy.conf:

playbooks-directory = ../deployment

By default it is set to the parent directory of the directory the ploy.conf is located at like this:

|-- roles
|-- host_vars
|-- etc
  |-- ploy.conf


Using the keyring library, you can store the encryption key for the Ansible vault in your keychain.

The vault-password-source option is the id used in your keychain. The id must be unique among all people who have to use the feature, as it is used as an identifier in their keychain. If in doubt, use a speaking prefix and add a guid by running python -c "import uuid; print(uuid.uuid4().hex)".

If you want to rekey your files, you have to put the old id into the vault-password-old-source option and set a new id in vault-password-source. Just incrementing a number or appending a new guid is best.


vault-password-old-source = my-domain-deployment-0da2c8296f744c90a236721486dbd258
vault-password-source = my-domain-deployment-042a98b666ec4e4e8e06de7d42688f3b

You can manage your key with the vault-key command. For easy exchange with other developers, you can also export and import the key via gpg using the vault-key export and vault-key import commands.

Per instance


Whitespace separated list of Ansible group names this instance should be added to in addition to the default ones.


Used by the configure command. This allows you to configure an instance by applying the whitespace separated roles. This is like creating a playbook which only specifies a host and a list of roles names. If the sudo option is set, it’s also set for the generated playbook.


Allows you to explicitly specify a playbook to use for this instance. If you need sudo, then you have to add it yourself in that playbook.

Any option starting with ansible_ is passed through to Ansible as is. This can be used for settings like ansible_python_interpreter.

Any option starting with ansible- is stripped of the ansible- prefix and then passed through to Ansible. This is the main way to set Ansible variables for use in playbooks and roles.

All other options are prefixed with ploy_ and made available to Ansible.

Ansible inventory

All instances in ploy.conf are available to Ansible via their unique id.

The variables for each instance are gathered from group_vars, host_vars and the ploy.conf.

Ansible lookup plugins

The ploy_crypted lookup plugin can be used in playbooks to read the content of encrypted files. This is another way to access encrypted data where you don’t have to move that data into yml files. An added benefit is, that the file is only decrypted when it is actually accessed. If you run tasks filtered by tags and those tasks don’t access the encrypted data, then it’s not decrypted at all.

API usage

On the Python side, each ploy instance gains the following methods:

apply_playbook(self, playbook, *args, **kwargs)

Applies the playbook to the instance.


Return True if the instance has either of the roles or a playbook option set.

get_playbook(*args, **kwargs)

Returns an instance of the Ansible internal PlayBook class. This is either from a file (from playbook option or the playbook kwarg), or dynamically generated from the roles option.

configure(*args, **kwargs)

Configures the instance with the same semantics as the configure command.


Returns the Ansible variables from the inventory. This does not include facts, as it doesn’t connect to the instance. This is particularly useful in Fabric scripts.


Returns a readily usable Ansible VaultLib class. Use the encrypt and decrypt methods do encrypt/decrypt strings.

Known issues

On macOS when using a key stored in keyring, Ansible might hang with a message similar to the following: ` objc[81450]: +[__NSCFBoolean initialize] may have been in progress in another thread when fork() was called. objc[81450]: +[__NSCFBoolean initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug. ` This is caused by trying to access the secret from the keyring in a forked process.

To work around this you may have to add an encrypted host_vars yml for the affected host (or just one for the “all” group_vars) to trigger the key load early in Ansible.


2.0.0 - 2022-08-17

  • Dropped support for Python 3.6. [fschulze]

  • Added support for Python 3.10 using ansible-core. [fschulze]

  • Restore ploy_crypted compatibility for older Ansible versions. [fschulze]

2.0.0b8 - 2021-09-08

  • Never store python objects in inventory data to fix issues with ansible >= 2.8.x. [fschulze]

2.0.0b7 - 2021-07-16

  • Fix encoding issue with execnet connection on Python 3.x. [fschulze]

  • Fix hanging when using keyring in newer macOS with ansible 2.x. [fschulze]

2.0.0b6 - 2020-05-13

  • Support switch from vault cat to view command for ansible 2.x. [fschulze]

2.0.0b5 - 2019-06-09

  • This release works up to and including ansible 2.7.x. [fschulze]

  • Restored support for ansible 1.9.x. [fschulze]

  • Support Python >= 3.5 with ansible >= 2.4.x. [fschulze]

  • Make host lookup in InventoryManager lazy to prevent errors when unrelated hosts are not accessible. [fschulze]

2.0.0b4 - 2018-02-11

  • Fix become/sudo support for execnet_connection. [fschulze]

  • Fix playbook discovery. [fschulze]

2.0.0b3 - 2018-02-10

  • Fix ploy_crypted lookup plugin. [fschulze]

2.0.0b2 - 2018-02-07

  • Readded execnet_connection as plugin. [fschulze]

2.0.0b1 - 2018-02-07

  • Support ansible >= 2.4.0 and drop support for previous versions. [fschulze]

  • Support for ploy 2.0.0. [fschulze]

1.4.1 - 2018-02-11

  • Return with proper exit code on failure of configure command. [fschulze]

  • Fix playbook discovery. [fschulze]

1.4.0 - 2017-12-17

  • Look for [instance-name].yml in addition to [master-name]-[instance-name].yml. This allows using the same playbook for the same instance on multiple masters. [fschulze]

1.3.2 - 2016-06-02

  • Don’t add empty search path when no additional role or library paths are defined. This prevents the current working directory from being searched. [fschulze]

1.3.1 - 2015-09-03

  • Update Ansible requirement to < 2.dev0. The upcoming 2.0.0 has way too many internal changes to be supported. [fschulze]

  • Add hosts only once in Inventory. [fschulze]

1.3.0 - 2015-04-10

  • Added handling of groups option of instances to allow definition of additional Ansible groups. [fschulze]

  • Get host variables on demand instead of at startup. If you have many hosts with encrypted yml files, this speeds things up considerably in most cases. [fschulze]

  • Fixes for changes in ansible 1.9. [fschulze]

  • Added inventory command to list all known groups and their associated hosts. [fschulze]

1.2.4 - 2015-02-28

  • Pass on the sudo setting if the roles option is used. [fschulze]

1.2.3 - 2015-02-28

  • Fix sudo support for ansible > 1.6. [fschulze]

  • Print warning when using an untested version of ansible. [fschulze]

  • If ansible isn’t installed, then require >= 1.8 as that doesn’t violate the sandbox of buildout anymore. [fschulze]

1.2.2 - 2015-02-18

  • Test and fixes for changes in ansible 1.8. [fschulze]

1.2.1 - 2015-01-06

  • Limit Ansible to pre 1.8, as > 1.8 breaks stuff. [fschulze]

1.2.0 - 2014-10-27

  • Always set ansible_ssh_user in inventory. [fschulze]

  • Clear host and pattern cache after calling original Inventory.__init__ method. [fschulze]

  • Add --extra-vars option to configure command. [witsch (Andreas Zeidler)]

  • Provide ploy_crypted lookup plugin to load encrypted files into Ansible variables. Only ascii and utf8 encoded files will work. [fschulze]

  • Expand Ansible variables in get_ansible_variables method. [fschulze]

  • Support Ansible vault with safe key storage via keyring library, so you don’t have to type it in or have it in an unprotected file. [fschulze]

1.1.0 - 2014-08-13

  • Test and fixes for changes in ansible 1.7. [fschulze]

  • Add verbosity argument to configure command. [fschulze]

1.0.0 - 2014-07-19

  • Added documentation. [fschulze]

1.0b8 - 2014-07-15

  • Add ansible as dependency if it can’t be imported already. [fschulze]

1.0b7 - 2014-07-08

  • Packaging and test fixes. [fschulze]

1.0b6 - 2014-07-04

  • Use unique instance id to avoid issues. [fschulze]

  • Renamed mr.awsome to ploy and mr.awsome.ansible to ploy_ansible. [fschulze]

1.0b5 - 2014-06-16

  • Set user in playbook to the one from the config if it’s not set already. [fschulze]

  • Change default playbook directory from the aws.conf directory to it’s parent. [fschulze]

1.0b4 - 2014-06-11

  • Added playbook and roles config options for instances. [fschulze]

  • Added has_playbook and configure methods to instances. [fschulze]

  • Added before/after_ansible_configure hooks. [fschulze]

1.0b3 - 2014-06-09

  • Use execnet for connections. There is only one ssh connection per host and it’s reused for all commands. [fschulze]

  • Make sure the playbook directory is always absolute. [fschulze]

  • Prevent use of persistent ssh connections, as that easily results in connections to wrong jails because of the proxying. This makes ansible a lot slower at the moment. [fschulze]

  • Add support for su and vault (ansible 1.5) as well as --force-handlers (ansible 1.6). [fschulze]

  • Removed ansible from install requirements. It won’t install in a buildout so it needs to be installed in a virtualenv or via a system package. [fschulze]

1.0b2 - 2014-05-15

  • Add configure command which is a stripped down variant of the playbook command with assumptions about the location of the yml file. [fschulze]

  • Warn if a playbook is requested for a host that is not configured in the playbook hosts list. [fschulze]

  • Allow mr.awsome plugins to add ansible variables. [fschulze]

  • Inject the ansible paths sooner as they may not apply in some cases otherwise. [fschulze]

  • Moved setuptools-git from to .travis.yml, it’s only needed for releases and testing. [fschulze]

1.0b1 - 2014-03-24

  • Initial release [fschulze]

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ploy_ansible-2.0.0.tar.gz (33.3 kB view hashes)

Uploaded Source

Built Distribution

ploy_ansible-2.0.0-py2.py3-none-any.whl (31.2 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page