Best practices for managing files encrypted with Ansible Vault
Introduction
http://docs.ansible.com/ansible/playbooks_best_practices.html#variables-and-vaults
This is what is written under the "Variables and Vaults" heading of the official Ansible best-practices documentation linked above, plus a few extras of my own.
I'm assuming the people who find this by searching already know Ansible reasonably well, so I'll write it a bit roughly (lol)
The problem
Ansible Vault can encrypt a YAML file that contains sensitive information such as passwords and private keys, so it is an extremely handy feature, but encrypting YAML like this:

password1: himitsu_daaaaaaaa
password2: secret_daaaaaaaa

gives you the result below,

$ANSIBLE_VAULT;1.1;AES256
3333333333333333333333333333333333333333333333333333333333333333333333333333

and then you can no longer tell what the variable names were, which makes the file hard to manage.
Googling "ansible vault best practice"
So I Googled it and arrived at the official best practices.
A best practice approach for this is to start with a group_vars/ subdirectory named after the group. Inside of this subdirectory, create two files named vars and vault. Inside of the vars file, define all of the variables needed, including any sensitive ones. Next, copy all of the sensitive variables over to the vault file and prefix these variables with vault. You should adjust the variables in the vars file to point to the matching vault variables and ensure that the vault file is vault encrypted.
...which is a bit hard to follow...
After Googling a bit more, I came across an article like this...
In short:
Split group_vars/stg.yml into an encrypted part and an unencrypted part
Apparently variables defined in a file like group_vars/stg.yml are still loaded automatically even if you turn it into a group_vars/stg/ directory and split the contents into separate files (the vars.yml and vault.yml below).
Reference the values defined in the encrypted file from the unencrypted file
In the (unencrypted) vars.yml, write the following (the value has to be quoted, because a bare {{ at the start of a YAML value is read as the beginning of a flow mapping):

password1: "{{ vault_password1 }}"

and in the (to-be-encrypted) vault.yml, define:
vault_password1: himitsu_daaaaaaaa
This way, even when you grep, it is obvious at a glance which variables are encrypted.
Note: don't forget to run ansible-vault encrypt group_vars/stg/vault.yml at the end.
But roles/foo/vars/main.yml is...
So I tried the same recipe under roles/, with roles/foo/vars/main.yml and roles/foo/vars/vault.yml, and got stuck.
Why it didn't work
Nothing other than roles/foo/vars/main.yml is loaded automatically as variables, so the file couldn't be used until I explicitly included it with include_vars in roles/foo/tasks/main.yml, as below:

- include_vars: vault.yml
  no_log: true # ← probably worth adding this too
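It is easy to forget the final ansible-vault encrypt step, or to reference a vault_ variable that was never defined, in either the group_vars split or the roles include_vars variant described above. The script below is an added example, not code from this post or from Ansible; it checks that vault.yml really carries the $ANSIBLE_VAULT header (so plaintext secrets were not committed), that every {{ vault_* }} reference in vars.yml has a matching vault_* definition in the decrypted vault.yml (the decrypted text is assumed to be obtained separately, e.g. with ansible-vault view), and that each include_vars task in a roles/*/tasks/main.yml also sets no_log: true. All file contents are constructed samples embedded inline.

```python
import re

# Header written by `ansible-vault encrypt`: format 1.1 (no vault id)
# or 1.2 (vault id label appended after the cipher name).
VAULT_HEADER = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(?:;[^\s;]+)?$")
# "{{ vault_xxx }}" references inside the plaintext vars file.
VAULT_REF = re.compile(r"\{\{\s*(vault_\w+)\s*\}\}")
# Top-level "vault_xxx:" definitions inside the decrypted vault file.
VAULT_DEF = re.compile(r"^(vault_\w+)\s*:", re.MULTILINE)


def is_vault_encrypted(text):
    """True when the file starts with the $ANSIBLE_VAULT header, i.e. it was actually encrypted."""
    first_line = text.split("\n", 1)[0].rstrip("\r")
    return VAULT_HEADER.match(first_line) is not None


def check_pair(vars_text, vault_plaintext):
    """Compare vault_ references in vars.yml against definitions in the decrypted vault.yml.

    Returns (missing, unused): names referenced but never defined (these become
    undefined-variable errors at run time) and names defined but never referenced
    (stale secrets that should probably be removed).
    """
    refs = set(VAULT_REF.findall(vars_text))
    defs = set(VAULT_DEF.findall(vault_plaintext))
    return sorted(refs - defs), sorted(defs - refs)


def include_vars_without_no_log(tasks_text):
    """For a roles/*/tasks/main.yml, list include_vars targets whose task lacks no_log: true.

    Handles the short form `- include_vars: file.yml` used in the post; each
    top-level list item (a line starting with "- ") is treated as one task.
    """
    offenders = []
    for item in re.split(r"^- ", tasks_text, flags=re.MULTILINE):
        target = re.search(r"include_vars:\s*(\S+)", item)
        if target and not re.search(r"no_log:\s*(true|yes)\b", item, re.IGNORECASE):
            offenders.append(target.group(1))
    return offenders


# Constructed sample files (not taken from any real repository).
VARS_YML = """\
password1: "{{ vault_password1 }}"
password2: "{{ vault_password2 }}"
db_host: db.example.internal
"""

VAULT_YML_PLAINTEXT = """\
vault_password1: himitsu_daaaaaaaa
vault_password3: secret_daaaaaaaa
"""

VAULT_YML_ENCRYPTED = "$ANSIBLE_VAULT;1.1;AES256\n33333333333333333333333333333333\n"

TASKS_MAIN_YML = """\
- include_vars: vault.yml
  no_log: true
- include_vars: extra_secrets.yml
- debug:
    msg: "{{ db_host }}"
"""


def main():
    print("vault.yml encrypted:", is_vault_encrypted(VAULT_YML_ENCRYPTED))
    print("plaintext mistaken for vault:", is_vault_encrypted(VAULT_YML_PLAINTEXT))
    missing, unused = check_pair(VARS_YML, VAULT_YML_PLAINTEXT)
    print("referenced but undefined:", missing)
    print("defined but unreferenced:", unused)
    print("include_vars without no_log:", include_vars_without_no_log(TASKS_MAIN_YML))


if __name__ == "__main__":
    main()
```

In a pre-commit hook you would read the real files instead of the inline samples; is_vault_encrypted needs only the committed file, while check_pair needs the decrypted vault text and therefore the vault password, so it is better run locally than in CI that has no access to the vault.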
I solved this by reading this article (thank you!)
Summary
I'm sure there are others who have hit (or will hit) the same snag, so I hope this is of some help.
Bonus tips
Tip 1
I've seen a few examples (internally) where a variable such as a private key is deployed by putting a file like templates/id_rsa.j2 in place and using the template module, but you can also do it with the copy module's content parameter, like this:

- copy: >
    content="{{ foo_secret_key }}"
    dest=~/.ssh/id_rsa
    mode=0600
Tip 2
When setting a long string such as a private key as a variable, the YAML | (literal block) syntax is convenient (newlines are kept as part of the string value):

vault_secret_key: |
  -----BEGIN RSA PRIVATE KEY-----
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  -----END RSA PRIVATE KEY-----