| --- |
| - hosts: localhost |
| gather_facts: false |
| tasks: |
| - name: Ensure the secrets file exists |
| ansible.builtin.file: |
| path: "{{ secrets_path }}" |
| state: touch |
| |
| - name: Load the current secrets into a variable |
| ansible.builtin.include_vars: |
| file: "{{ secrets_path }}" |
| name: secrets |
| |
| - name: Generate secrets for missing variables |
| ansible.builtin.set_fact: |
| secrets: "{{ secrets| default({}) | combine({item: lookup('password', '/dev/null chars=ascii_lowercase,ascii_uppercase,digits length=32')}) }}" |
| # NOTE(mnaser): We don't want to override existing secrets, so we generate |
| # a new one if and only if it doesn't exist |
| when: item not in secrets |
| # NOTE(mnaser): This is absolutely hideous but there's no clean way of |
| # doing this using `with_fileglob` or `with_filetree` |
| with_lines: > |
| ls {{ playbook_dir }}/../roles/*/defaults/main.yml | |
| xargs grep undef | |
| egrep -v '(_host|region_name)' | |
| cut -d':' -f2 |
| |
| - name: Write new secrets file to disk |
| ansible.builtin.copy: |
| content: "{{ secrets | to_nice_yaml }}" |
| dest: "{{ secrets_path }}" |
| |
| - name: Encrypt secrets file with Vault password |
| ansible.builtin.shell: |
| ansible-vault encrypt --vault-password-file {{ secrets_vault_password_file }} {{ secrets_path }} |
| when: |
| - secrets_vault_password_file is defined |