-
Notifications
You must be signed in to change notification settings - Fork 11
/
ansible-password-file-from-ansible.cfg-wrapper
executable file
·81 lines (75 loc) · 2.78 KB
/
ansible-password-file-from-ansible.cfg-wrapper
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/bin/bash
help() {
echo 'usage: ANSIBLE_COMMAND_WITH_PASSWORD_FILE_FROM_ANSIBLE_CFG=[ansible-vault|ansible-playbook|ansible] ansible-password-file-from-ansible.cfg-wrapper [ansible_command_parameters]*'
echo ' ansible-password-file-from-ansible.cfg-wrapper --help'
echo ' ansible-password-file-from-ansible.cfg-wrapper --clear'
echo
echo ' This is a wrapper for ansible commands. It will get'
echo ' the vault_password_file from ansible.cfg if the'
echo ' latter exists and execute the ansible command with it.'
echo
echo ' ANSIBLE_COMMAND_WITH_PASSWORD_FILE_FROM_ANSIBLE_CFG contains the'
echo ' name of the ansible command to execute.'
echo
echo " More precisely it will check if there's a ansible.cfg"
echo ' in the same directory that the script has been called that'
echo ' contains a line:'
echo
echo ' #vault_password_file = ansible/vault/file'
echo
echo ' and if it does will:'
echo
echo ' * `export ANSIBLE_VAULT_PASSWORD_FILE=ansible/vault/file`'
echo ' * call the ansible command with all the parameters given on'
echo ' the command line'
echo
echo ' The idea of this script is to work with vault_password_files'
echo ' on a team, where not everybody has vault_password_files'
echo ' set up.'
echo
echo ' So those that *have* vault_password_files set up can'
echo ' add the respective comment line as shown above to the'
echo ' ansible.cfg file and have ansible-playbook use that'
echo ' automatically.'
echo
echo ' Note that:'
echo
echo ' * this way different vault_password_files can be set up'
echo ' per ansible repo'
echo ' * those in the team that do use vault_password_files need'
echo ' to have them located at the same place'
echo
echo ' --clear: will call the `vault_password_file` with a'
echo ' parameter `--clear` in orderr to clear a'
echo ' possible (wrong) password that is remembered/cached'
echo ' by the `vault_password_file`/pin entry program'
echo
exit 1
}
[ "$1" == "--help" ] && help
if [ "$1" == "--clear" ]; then
CLEAR=true
else
CLEAR=false
fi
if [ "$ANSIBLE_COMMAND_WITH_PASSWORD_FILE_FROM_ANSIBLE_CFG" == "" ]; then
echo "ERROR: You must set the ANSIBLE_COMMAND_WITH_PASSWORD_FILE_FROM_ANSIBLE_CFG environment variable" >&1
exit 1
fi
if [ -e ansible.cfg ]; then
pwd_file=$(
cat ansible.cfg \
| grep '#vault_password_file' \
| sed 's/#vault_password_file *= *//'
)
if [ "$pwd_file" != "" ]; then
export ANSIBLE_VAULT_PASSWORD_FILE="$pwd_file"
fi
fi
if [ "$CLEAR" == "true" ]; then
# expand '~'
pwd_file="${pwd_file/#\~/$HOME}"
"$pwd_file" --clear
else
"$ANSIBLE_COMMAND_WITH_PASSWORD_FILE_FROM_ANSIBLE_CFG" "$@"
fi