Ansible: human readable git diff for vault encrypted files
Ansible vault can be used transparently with copy
module and variable files: include_vars
, vars_files
. IMHO that’s bad architecture. “Explicit is better than implicit” (c) Python Zen. In our project we agreed to keep vault encrypted files with extension .vault
and vault encrypted variable files with .vault.yml
.
To make git diffs human-readable, we can use git attributes to specify properties for different pathnames in git repository.
.gitattributes
:
*.vault diff=ansible-vault merge=binary
*.vault.yml diff=ansible-vault merge=binary
Attribute diff
controls how git generates diffs for this files. merge
controls how 3 versions of file are merged. binary
is built-in merge driver, that keeps file version from working tree, but leaves the path in conflicted state. We don’t want ansible vault files to be merged automatically :) And we just have to configure specified diff driver:
git config diff.ansible-vault.textconv 'PAGER=cat ansible-vault view'
git config diff.ansible-vault.cachetextconv false
This will also make git blame
work fine for this files, but only if they always were encrypted during repository history.
I found this idea here: github.com/building5/ansible-vault-tools. It also has scripts to make human-readable merge possible for vault encrypted files, but that requires little more complex setup.