Tags: ansible, ansible-vault

How to determine if a SSH key file is encrypted with Ansible vault or not


I am trying to figure out how to determine if an SSH key file is encrypted or not. This is documented here. So I developed a simple Ansible playbook using the two examples in the document.

# site2.yml

- name: site playbook (dummy site)
  hosts: localhost
  gather_facts: no

  vars:
    thisisfalse: '{{ "any string" is ansible_vault }}'
    thisistrue: '{{ "$ANSIBLE_VAULT;1.2;AES256;dev...." is ansible_vault }}'

  tasks:

    - name:  show example1
      ansible.builtin.debug:
        var: thisisfalse

    - name:  show example2
      ansible.builtin.debug:
        var: thisistrue

# Results:
# 
# fatal: [localhost]: FAILED! => 
#   msg: 'An unhandled exception occurred while templating ''{{ "any string" is ansible_vault }}''. 
#   Error was a <class ''ansible.errors.AnsibleError''>, original message: template error while templating string: 
#   Could not load "ansible_vault": ''ansible_vault''. 
#   String: {{ "any string" is ansible_vault }}. 
#   Could not load "ansible_vault": ''ansible_vault'''

So, as you can see above, it doesn't seem to like ansible_vault. I thought it strange that the content was referring to ansible.builtin.vault_encrypted, but the examples were using ansible_vault. So I changed ansible_vault references to ansible.builtin.vault_encrypted and this is the new playbook.

# site3.yml

- name: site playbook (dummy site)
  hosts: localhost
  gather_facts: no

  vars:
    thisisfalse: '{{ "any string" is ansible.builtin.vault_encrypted }}'
    thisistrue: '{{ "$ANSIBLE_VAULT;1.2;AES256;dev...." is ansible.builtin.vault_encrypted }}'

  tasks:

    - name:  show example1
      ansible.builtin.debug:
        var: thisisfalse

    - name:  show example2
      ansible.builtin.debug:
        var: thisistrue

# Results:

# PLAYBOOK: site3.yml ***********************************************************************************************************************************************************************************************************************
# 1 plays in site3.yml

# PLAY [site playbook (dummy site)] *********************************************************************************************************************************************************************************************************

# TASK [show example1] **********************************************************************************************************************************************************************************************************************
# task path: /home/sjf/tick/site3.yml:13
# Tuesday 30 July 2024  18:42:47 +0000 (0:00:00.005)       0:00:00.005 ********** 
# ok: [localhost] => 
#   thisisfalse: false

# TASK [show example2] **********************************************************************************************************************************************************************************************************************
# task path: /home/sjf/tick/site3.yml:17
# Tuesday 30 July 2024  18:42:47 +0000 (0:00:00.019)       0:00:00.025 ********** 
# ok: [localhost] => 
#   thisistrue: false

As you can see in the results, it no longer errors out, but unfortunately both the thisisfalse and thisistrue variables are false. So it still isn't working.
Does anybody see what I am doing wrong?


Solution

  • $ANSIBLE_VAULT;1.2;AES256;dev.... is actually not a valid encrypted value; the ellipsis (....) at the end is the clue pointing at it.

    If we do take a valid vault encrypted value, like one from the Creating encrypted variables page, then the test reacts as you expected it to:

    - debug:
        msg: "{{ the_secret is ansible.builtin.vault_encrypted }}"
      vars:
        the_secret: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          623133653966623430613934643361633837643737646136336536343062313864336
          264366233616134333665353966363534333632666535333761666131620a66353764
          643664383961653164356163396265333966386166373632626539326166353965363
          2626330303336303133386463353036303438626666666137650a3536386434356666
          336339643663386330666232346164323732313333316564

    Yields:

    ok: [localhost] => 
      msg: true
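As an added example (not code from the question, the answer or the Ansible project), the following Python checker applies the same structural reading to plain text or to a file such as an SSH key: it parses the `$ANSIBLE_VAULT` header and verifies that the hex payload wraps a salt, an HMAC and a ciphertext of the sizes an AES256 vault produces, so the question's `dev....` placeholder is rejected while the docs value quoted in the answer passes. The function names `inspect_vault_text`, `is_vault_encrypted` and `is_vault_encrypted_file` are my own; unlike the Jinja `vault_encrypted` test, which only reports true for a value loaded with the `!vault` tag, this check works on raw text and does not decrypt anything.

```python
import binascii
import re

# Envelope header: $ANSIBLE_VAULT;<format version>;<cipher>[;<vault id>]
# (format 1.1 carries no vault id, format 1.2 always does).
HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>[^;\s]+))?$")
HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")

# Positive sample: the valid docs value quoted in the answer above, embedded
# here so the checker runs offline (the failing inputs come from the question).
DOCS_EXAMPLE = """$ANSIBLE_VAULT;1.1;AES256
623133653966623430613934643361633837643737646136336536343062313864336
264366233616134333665353966363534333632666535333761666131620a66353764
643664383961653164356163396265333966386166373632626539326166353965363
2626330303336303133386463353036303438626666666137650a3536386434356666
336339643663386330666232346164323732313333316564"""

def inspect_vault_text(text):
    """Header fields and field sizes when `text` is a structurally complete
    vault payload, else None. Envelope check only: nothing is decrypted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        return None
    if (header.group("version") == "1.2") != (header.group("vault_id") is not None):
        return None
    body = "".join(lines[1:]).encode("ascii", "replace")
    if not body or len(body) % 2 or not HEX_RE.match(body):
        return None  # covers the "dev...." placeholder: a header with no payload
    # The outer hex layer wraps three newline-separated inner hex fields.
    parts = binascii.unhexlify(body).split(b"\n")
    if len(parts) != 3 or not all(HEX_RE.match(p) and len(p) % 2 == 0 for p in parts):
        return None
    salt, hmac, ciphertext = (len(p) // 2 for p in parts)
    # AES256 vaults use a 32-byte salt, a SHA-256 HMAC and 16-byte AES blocks.
    if salt != 32 or hmac != 32 or ciphertext == 0 or ciphertext % 16:
        return None
    return {"version": header.group("version"), "cipher": header.group("cipher"),
            "vault_id": header.group("vault_id"), "salt_bytes": salt,
            "hmac_bytes": hmac, "ciphertext_bytes": ciphertext}

def is_vault_encrypted(text):
    """Plain-text counterpart of the structural part of the vault_encrypted test."""
    return inspect_vault_text(text) is not None

def is_vault_encrypted_file(path):
    """True when the file at `path` (for example an SSH private key) is a vault payload."""
    with open(path, "rb") as fh:
        return is_vault_encrypted(fh.read().decode("utf-8", "replace"))
```

Running `is_vault_encrypted` over `"any string"`, the `dev....` placeholder and `DOCS_EXAMPLE` gives False, False and True, matching what the answer describes.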