diff options
Diffstat (limited to '')
-rw-r--r-- | lib/ansible/plugins/filter/vault.yml | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/lib/ansible/plugins/filter/vault.yml b/lib/ansible/plugins/filter/vault.yml new file mode 100644 index 0000000..1ad541e --- /dev/null +++ b/lib/ansible/plugins/filter/vault.yml @@ -0,0 +1,48 @@ +DOCUMENTATION: + name: vault + author: Brian Coca (@bcoca) + version_added: "2.12" + short_description: vault your secrets + description: + - Put your information into an encrypted Ansible Vault. + positional: secret + options: + _input: + description: Data to vault. + type: string + required: true + secret: + description: Vault secret, the key that lets you open the vault. + type: string + required: true + salt: + description: + - Encryption salt, will be random if not provided. + - While providing one makes the resulting encrypted string reproducible, it can lower the security of the vault. + type: string + vault_id: + description: Secret identifier, used internally to try to best match a secret when multiple are provided. + type: string + default: 'filter_default' + wrap_object: + description: + - This toggle can force the return of an C(AnsibleVaultEncryptedUnicode) string object, when C(False), you get a simple string. + - Mostly useful when combining with the C(to_yaml) filter to output the 'inline vault' format. + type: bool + default: False + +EXAMPLES: | + # simply encrypt my key in a vault + vars: + myvaultedkey: "{{ keyrawdata|vault(passphrase) }} " + + - name: save templated vaulted data + template: src=dump_template_data.j2 dest=/some/key/vault.txt + vars: + mysalt: '{{2**256|random(seed=inventory_hostname)}}' + template_data: '{{ secretdata|vault(vaultsecret, salt=mysalt) }}' + +RETURN: + _value: + description: The vault string that contains the secret data (or C(AnsibleVaultEncryptedUnicode) string object). + type: string |