Reputation: 93
Let's suppose I have some applications inside a repository. Sensitive data, like database username+password, are not stored inside the repository but are in a separate encrypted password database. Within the source code there are only placeholders like this: %%mysqlpassword%%.
I want to create an ansible-playbook to checkout the code and replace the user-credentials.
I have two ideas to do so:
Is there a best-practice way to accomplish this task?
---
- hosts: test
  vars_prompt:
    - name: "mysqlpassword"
      prompt: "Enter mysql password for app"
      private: yes
  tasks:
    - name: copy code from repo
      subversion: repo=https://repo.url.local/app dest=/srv/www/app
    - name: Replacement of sensitive data by templating
      template: src=mysqlconnect.php.j2 dest=/srv/www/app/inc/mysqlconnect.php
    - name: Replacement of sensitive data by replacement function
      replace: dest=/srv/www/app/inc/mysqlconnect.php regexp='%%mysqlpassword%%' replace='{{ mysqlpassword }}'
Upvotes: 1
Views: 1090
Reputation: 23801
The best answer to your question is to use ansible-vault.
1- Use mysqlpassword as the variable {{ mysqlpassword }} inside your template mysqlconnect.php.j2.
2- Create a separate file like my_very_secure.yml (whatever name you want) with all the values of your secure username and password:
---
mysqlpassword: very-secure-password-value
anothervariable: another-secure-value
After that you can encrypt this file with ansible-vault:
ansible-vault encrypt my_very_secure.yml
Then you can store this file in your source control server because it's encrypted, or leave it on the ansible master server; but once you are ready to run the playbook, just include the --ask-vault-pass option like this, together with the path to your secure file:
ansible-playbook -i yourhostfile yourplaybook.yml -e@/path-to-your-file/my_very_secure.yml --ask-vault-pass
Hope this will help you.
Upvotes: 1
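The steps from the answer above combined into one complete play, as an added example that is not part of the original question or answer. It assumes a host group named app, an encrypted vars file at vault/app.yml (the answer's my_very_secure.yml, with the variable renamed vault_mysqlpassword), a template at templates/mysqlconnect.php.j2 that references {{ mysqlpassword }}, and a vault password file kept outside the repository; the file ownership www-data and the mode 0640 are likewise assumptions for a typical web deployment.

```yaml
---
# deploy_app.yml (added example, not code from the original post)
#
# One-time setup on the control node, assuming these paths:
#   printf 'vault_mysqlpassword: very-secure-password-value\n' > vault/app.yml
#   ansible-vault encrypt vault/app.yml      # prompts for the vault password
#   ansible-vault view vault/app.yml         # decrypts to the terminal only, file stays encrypted
#
# Run without an interactive prompt (password file lives outside the repo, mode 0600):
#   ansible-playbook -i hosts deploy_app.yml --vault-password-file ~/.vault_pass.txt
# or interactively, exactly as the answer shows:
#   ansible-playbook -i hosts deploy_app.yml --ask-vault-pass
- hosts: app
  vars_files:
    - vault/app.yml          # the ansible-vault encrypted file; decrypted in memory at run time
  vars:
    # Indirection: templates keep using the plain name from the question
    # while the value itself only ever exists in the encrypted file.
    mysqlpassword: "{{ vault_mysqlpassword }}"
  tasks:
    - name: Check out application code (repository contains only the %%...%% placeholders)
      subversion:
        repo: https://repo.url.local/app
        dest: /srv/www/app

    - name: Render the DB config from the template instead of editing the checked-out file
      template:
        src: templates/mysqlconnect.php.j2
        dest: /srv/www/app/inc/mysqlconnect.php
        owner: www-data        # assumed web server account
        group: www-data
        mode: '0640'           # rendered file holds the plaintext password; keep it unreadable to others
      no_log: true             # keeps the rendered content, and thus the password, out of playbook output and logs
```

Two practical points. The template route is preferable to the replace module for this job: the replace module's replacement string is a regular-expression replacement, so a password containing a backslash is interpreted rather than copied literally, and the template should in any case quote the value as a PHP string and escape its delimiter. And no_log also hides the task's error output, so if the template fails to render, temporarily drop it while debugging rather than leaving it off permanently.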