vaulted | nodejs based wrapper for HashiCorp 's Vault HTTP API | Identity Management library

I want to add the hyperlink of omdpratice into OdPratice's index.erb file so that when the admins open the OdPractice, they will be able to click the hyperlink and switch to omdpratice controller (omd endpoints). I have tried to lots of research and i am not able to find it . Can somebody point out the mistake or give me a resource how everything work ?

I'm currently using an Ansible playbook to extract and then transfer a configuration backup from some network devices (a basic text file) to an external storage.

I'd like to encrypt the configuration backups before sending them to their final storage. What would be the most adequate way to encrypt a file from inside an Ansible playbook task? To me, the obvious way would be to use the shell module to either call an external encryption tool (openssl) or an ansible-vault command to encrypt the backup in a format that ansible itself can read later in some other context; i.e. one of the two tasks below (simplified):

Apologies for the lengthy post. I am a relatively newbie to Ansible and Vault (<2 months).

Environment:

• CentOS & Win2019 (90% Linux systems)
• Ansible 2.10.7 (master Ansible controller)
• AWX 17.0.1 (embedded ansible 2.9.17)

Ultimate goals:

• Use the same code from Git for both environments (Prod & Test)
• Ability to separate the 'secrets' values based on which environment

Basic Setup (currently):

• Ansible master controller is designed to be completely self-starting. Meaning all the settings/configs are contained within playbooks. This means I can blow-up the ANS controller and rebuild with 3 min.
• All secrets are encrypted strings within a variable file. Due to the fact AWX cannot import an vaulted file, all secrets are in-line (ansible-vault encrypt_string 'secret_data' --name 'my_secret')
• Same user accounts exists in both environments but different creds

Current Issues:

• If was to import the Git repo into my Prod Ansible master controller, any plays requiring secrets would fail (due it has the secret variable with the 'Test' values)

Thoughts to resolve:

• I thought about using the ansible 'default' function for any secret combined with a 'when' conditional based on the Inventory file. Basically if the inventory file is a 'Test' based system, use 'Test' secrets. If not, then use 'Prod' secrets.

This is an ugly solution from my perspective and must be a better solution.

• Use Hashicorp Vault. It has the ability to use namespace trees to classify creds. I have not played with this idea yet and not sure how viable it is.

I wonder what others in the industry are doing for this same problem. This is not unique issue and sure there are best practices for this situation.

Thanks

I am studying for the RedHat Certified Specialist in Ansible Automation (EX407) and I'm playing around with the no_log module parameter. I have a sample playbook structured as so;

I have two array as :

I'm using ansible 2.7.16.

The ansible documentation says:

I have a public project on Github, it's an Ansible role. In this project, there is many files which are public, and 2 or 3 that are private (mainly private variable files).

I don't really want to push vaulted files, I'd like to maintain this role as clear for users as it can be (I provide cleared example for these files).

The solution I can think of is :

• 1st repo with only public files
• 2nd repo with public & private files

Git hook (or other solution) to push easily on both remote at same time.

What's the bests practices for this situation ?

I'm running into the issue (feature?) described in Ansible group vars priority , presumably because I've gone about structuring my inventory incorrectly.

The idea was to have two tasks, which apply to all 'routers' or 'firewalls' as defined in the inventory. This part works fine -- Ansible correctly parses the inventory and distinguishes between the two.

The problem is that due to the way the inventory is parsed, it's using the same ansible_user and ansible_password for every customer group. Which apparently makes sense based on the documentation:

When groups of the same parent/child level are merged, it is done alphabetically, and the last group loaded overwrites the previous groups. For example, an a_group will be merged with b_group and b_group vars that match will overwrite the ones in a_group.

Can anyone advise how I should correct this? If I change the 'routers' and 'firewalls' subgroups to be unique, e.g., custA_routers, custB_routers, then it behaves as expected. However then I think I have to write tasks scoped to each of those subgroups. Note that all hosts are unique IP addresses.

Playbook: