Ansible vault can be used transparently with the copy module and with variable files (vars_files). IMHO that's bad architecture: "Explicit is better than implicit" (c) Python Zen. In our project we agreed to keep vault encrypted files with the extension .vault and vault encrypted variable files with .vault.yml.
To make git diffs human-readable, we can use git attributes (a .gitattributes file checked into the repository) to specify properties for different pathnames. For our two extensions the file contains:
*.vault diff=ansible-vault merge=binary
*.vault.yml diff=ansible-vault merge=binary
diff controls how git generates diffs for these files.
merge controls how the three versions of a file (base, ours, theirs) are merged.
binary is a built-in merge driver: it keeps the current branch's version of the file as the merge result but leaves the path in a conflicted state, so it has to be resolved by hand. We don't want ansible vault files to be merged automatically :) Then we just have to configure the diff driver we named in the attributes:
git config diff.ansible-vault.textconv 'PAGER=cat ansible-vault view'
git config diff.ansible-vault.cachetextconv false
textconv runs ansible-vault view on both sides of the diff and compares the decrypted output; PAGER=cat stops ansible-vault from opening a pager. cachetextconv is left off on purpose: when it is enabled, git stores the converted (that is, decrypted) text in notes under refs/notes/textconv/ inside the repository's object database, which is exactly where the plaintext should not be. ansible-vault view also needs the vault password, so point vault_password_file in ansible.cfg or the ANSIBLE_VAULT_PASSWORD_FILE environment variable at it, otherwise git diff will stop to ask for it or fail.
This also makes git blame show decrypted content for these files, but only if the files were encrypted throughout the repository history: textconv is applied to every revision, and ansible-vault view fails on a revision that is plaintext or was encrypted with a different password.
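As an added example (not from the original post or from ansible-vault-tools), the script below creates a throwaway repository, writes the two .gitattributes lines and the two git config settings described above, and then uses git check-attr to confirm which paths the drivers actually apply to. The repository path, the sample file names (secrets.vault, group_vars/all.vault.yml, group_vars/all.yml) and the helper names setup_vault_repo and attr_of are my own choices; only git is needed to run it, ansible-vault itself is never invoked.

```shell
#!/bin/sh
# Added example: reproduce the .gitattributes + diff-driver setup in a scratch
# repository and verify with `git check-attr` which paths pick up the drivers.
# Assumes only `git` on PATH; the helper names and sample paths are made up.
set -eu

# Create a git repo at $1 with the vault attributes and diff driver configured.
setup_vault_repo() {
  repo=$1
  mkdir -p "$repo"
  git -C "$repo" init -q
  # Two patterns are needed: "*.vault" does not match names ending in ".vault.yml".
  printf '%s\n' \
    '*.vault      diff=ansible-vault merge=binary' \
    '*.vault.yml  diff=ansible-vault merge=binary' \
    > "$repo/.gitattributes"
  # Diff driver: decrypt each side on the fly; never cache plaintext in git notes.
  git -C "$repo" config diff.ansible-vault.textconv 'PAGER=cat ansible-vault view'
  git -C "$repo" config diff.ansible-vault.cachetextconv false
}

# Print the value of attribute $2 for path $3 in repo $1, e.g. "ansible-vault",
# "binary" or "unspecified" (check-attr prints "<path>: <attr>: <value>").
attr_of() {
  git -C "$1" check-attr "$2" -- "$3" | sed 's/.*: //'
}

# Demo: build the repo in a temporary directory and show the result per path.
demo_dir=$(mktemp -d)
setup_vault_repo "$demo_dir"
for p in secrets.vault group_vars/all.vault.yml group_vars/all.yml; do
  printf '%-28s diff=%s merge=%s\n' "$p" \
    "$(attr_of "$demo_dir" diff "$p")" "$(attr_of "$demo_dir" merge "$p")"
done
rm -rf "$demo_dir"
```

The last line of the demo output is the important one: a plain group_vars/all.yml gets "unspecified" for both attributes, so only files that follow the agreed naming convention are ever passed to ansible-vault view, and a vars file that was accidentally committed in plaintext under the wrong name is still diffed and merged as ordinary text.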
I found this idea at github.com/building5/ansible-vault-tools. That repository also has scripts that make a human-readable merge possible for vault encrypted files, but that requires a slightly more complex setup.