I am using the following structure to separate my host_vars into plaintext and encrypted
ansible
├── ansible.cfg
├── host_vars
│   ├── host1
│   │   ├── vars
│   │   └── vault
│   └── host2
│       ├── vars
│       └── vault
├── inventory
├── site.yaml
└── vars
    └── ansible_vars.yaml
Is there a way, using ansible-vault, to encrypt both files named vault, or do I have to do them one by one?
Just asking since there are more to come, e.g. in future directories of group_vars etc.
I know this works:
ansible-vault encrypt host_vars/host1/vault host_vars/host2/vault
Just asking whether there is a more elegant / quick solution.
CodePudding user response:
There are a lot of possibilities given by shell expansions.
Here are two that would be interesting in your case:
- The asterisk * expansion, that is used as a wildcard. Which means that host_vars/*/vault would match both host_vars/host1/vault and host_vars/host2/vault but any other in the future, too.
  - Mind that, if, in the future, you have a more complex folder hierarchy, host_vars/*/vault will only match one folder level (e.g. it won't match host_vars/level1/host1/vault), but multiple folder levels can be achieved with a double asterisk (actually named globstar): host_vars/**/vault will match host_vars/host1/vault as well as host_vars/level1/host1/vault
- The brace expansion, on the other hand, offers a more granular set of possibilities. For example, if I have hosts named after the distributions like RedHat[1..5], Ubuntu[1..5] and Debian[1..5], I could target only the Debian and RedHat ones via host_vars/{Ubuntu*,RedHat*}/vault.
  Or only target the three first of them both with host_vars/{Ubuntu{1..3},RedHat{1..3}}/vault, or the three first of them all via host_vars/*{1..3}/vault
As a more practical example, if you were to handle SE via Ansible and would like to encrypt the files for *.stackexchange.com and stackoverflow.com but not superuser.com or any other Q&A having a specific domain name, given that the hosts are named as their DNS name, you could do
ansible-vault encrypt host_vars/{stackoverflow.com,*.stackexchange.com}/vault
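An added example, not part of the answer above: a POSIX shell helper that lists the files named vault which are still plaintext, so that only those are handed to ansible-vault encrypt. It goes beyond the globs in the answer by using find, which reaches any folder depth without depending on the shell's globstar option. The function names are hypothetical, and it assumes encrypted files start with the `$ANSIBLE_VAULT;` header line that ansible-vault writes.

```shell
#!/bin/sh
# Added example: find files named "vault" that are still stored in plaintext.
# Assumption: an encrypted file starts with the "$ANSIBLE_VAULT;" header line
# written by ansible-vault. All function names here are hypothetical.

# is_encrypted FILE: succeeds if the first line of FILE is a vault header.
is_encrypted() {
    first_line=$(head -n 1 -- "$1" 2>/dev/null)
    case $first_line in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# plaintext_vaults DIR...: print, one per line, every file named "vault" at
# any depth below the given directories that lacks the header. Directories
# that do not exist (e.g. group_vars not created yet) are skipped.
plaintext_vaults() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name vault | sort | while IFS= read -r f; do
            is_encrypted "$f" || printf '%s\n' "$f"
        done
    done
}

# encrypt_pending DIR...: pass only the plaintext files to ansible-vault.
encrypt_pending() {
    pending=$(plaintext_vaults "$@")
    if [ -z "$pending" ]; then
        echo "no plaintext vault files found" >&2
        return 0
    fi
    # Split the list on newlines only, so each path is one argument.
    ( IFS='
'; set -f; ansible-vault encrypt $pending )
}

# With directory arguments, report what is still unencrypted.
[ "$#" -eq 0 ] || plaintext_vaults "$@"
```

Run from the ansible directory as a pre-commit or CI check: any output from `plaintext_vaults host_vars group_vars` means a secrets file would be committed unencrypted.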