ansible-vault notes

ansible-vault for encryption

Define the key

Adding the vault password file option to the Ansible configuration

cat /dev/urandom  | tr -dc A-Za-z0-9 | head -c32 > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass

~/.ansible.cfg

[defaults]
vault_password_file = $HOME/.ansible/.vault_pass

Change the secret

mv ~/.ansible/.vault_pass ~/.ansible/.vault_pass.old
cat /dev/urandom  | tr -dc A-Za-z0-9 | head -c32 > ~/.ansible/.vault_pass
chmod 600 ~/.ansible/.vault_pass*
ansible-vault rekey --vault-password-file=~/.ansible/.vault_pass.old --new-vault-password-file=~/.ansible/.vault_pass $(find . -type f -name "*.mdp.yml")

# once every vault file has been rekeyed, destroy the old key:
# shred -u ~/.ansible/.vault_pass.old

Examples

ansible-vault encrypt_string 'P@ssw0rd' --name 'mysql_pass_root'
mysql_pass_root: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31313332623736393962306239386565356536663533343665653565336265373265373166326565
          6166646561303163376336363834636633373538346632310a356166393237333865623863336133
          64343962336462356336303239663633316364393137633263366334376533303766393262653561
          6638303531626238630a613161663932376333633539656334336465383238623330393832666136
          6666
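As an added illustration (not part of these notes), a stdlib-only Python inspector for the vault 1.1 envelope shown above: it parses the double-hex layout (salt, HMAC-SHA256, AES-256-CTR ciphertext) and checks the HMAC under a vault password, which is a cheap sanity check for a corrupted blob or a wrong key file before a commit or a rekey. The password, salt and "ciphertext" bytes are constructed fixtures; no decryption is performed.

```python
import hashlib
import hmac
import os
from binascii import hexlify, unhexlify

HEADER = b"$ANSIBLE_VAULT;1.1;AES256"
ITERATIONS = 10000          # PBKDF2-HMAC-SHA256 rounds used by vault 1.1
KEY_LEN, IV_LEN = 32, 16    # AES-256 key size, AES block-size IV


def derive_keys(password: bytes, salt: bytes):
    """Vault 1.1 derives 80 bytes: AES key, HMAC key, CTR IV (in that order)."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, 2 * KEY_LEN + IV_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:2 * KEY_LEN], dk[2 * KEY_LEN:]


def parse_vaulttext(vaulttext: str):
    """Split a vault 1.1 blob into (salt, hmac_hex, ciphertext); ValueError on bad structure."""
    lines = [ln.strip() for ln in vaulttext.strip().splitlines() if ln.strip()]
    if not lines or lines[0].encode() != HEADER:
        raise ValueError("not an $ANSIBLE_VAULT;1.1;AES256 blob")
    outer = unhexlify("".join(lines[1:]))            # outer hex layer
    salt_hex, hmac_hex, ct_hex = outer.split(b"\n", 2)  # inner: three hex fields
    return unhexlify(salt_hex), hmac_hex, unhexlify(ct_hex)


def verify_vaulttext(vaulttext: str, password: bytes) -> bool:
    """True iff HMAC-SHA256 over the ciphertext checks out under this password.
    False means a wrong vault key, a corrupted/tampered blob, or a malformed envelope."""
    try:
        salt, hmac_hex, ciphertext = parse_vaulttext(vaulttext)
    except ValueError:          # binascii.Error is a ValueError too
        return False
    _, hmac_key, _ = derive_keys(password, salt)
    expected = hexlify(hmac.new(hmac_key, ciphertext, hashlib.sha256).digest())
    return hmac.compare_digest(expected, hmac_hex)


def build_vaulttext(password: bytes, ciphertext: bytes, salt: bytes) -> str:
    """Constructed fixture: wrap arbitrary bytes in the vault 1.1 envelope.
    Real vaults carry AES-256-CTR output; only envelope and HMAC are exercised here."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join([hexlify(salt), hexlify(mac), hexlify(ciphertext)])
    body = hexlify(inner).decode()
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]  # 80-char lines like ansible-vault
    return "\n".join([HEADER.decode()] + lines) + "\n"


if __name__ == "__main__":
    key = b"constructed-vault-pass"                  # stands in for ~/.ansible/.vault_pass
    blob = build_vaulttext(key, b"\x00" * 24, os.urandom(32))
    print(verify_vaulttext(blob, key), verify_vaulttext(blob, b"wrong"))
```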

Problem

secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode

In our example, mysecret is a string encrypted with ansible-vault

fatal: [remote]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ mysecret | password_hash('sha512') }}): secret must be unicode or bytes, not ansible.parsing.yaml.objects.AnsibleVaultEncryptedUnicode"}

Solution

Source: https://gist.github.com/douglasmiranda/f21a4481d372ae54fcf4a6ff32249949

- name: "Create main user"
  user:
    name: "myuser"
    password: "{{ '%s' | format(mysecret) | password_hash('sha512') }}"
    # ...
tech/notes_ansible-vault.txt · Last modified: by Jean-Baptiste