Allow skipping vault file check

[egvimo]

I have a playbook which contains vault variables. Locally I am decrypting it via a vault file. Now on CI I don't need this file because I am only verifying the playbook with ansible-lint. But I am getting this error:

internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check my_playbook.yml
Warning: tus.yml:0 [WARNING]: Error in vault password file loading (default): Invalid vault password was provided from file (/home/runner/work/my-repo/my-repo/vault_password_file)
ERROR! Invalid vault password was provided from file (/home/runner/work/my-repo/my-repo/vault_password_file)

Error: internal-error Unexpected error code 1 from execution of: ansible-playbook --syntax-check my_playbook.yml
You can skip specific rules or tags by adding them to your configuration file:
# .ansible-lint
warn_list:  # or 'skip_list' to silence them completely
  - internal-error  # Unexpected internal error
Finished with 2 failure(s), 0 warning(s) on 2 files.
Error: Process completed with exit code 2.

Is there a way to disable this check without disabling the whole "internal-error" check?

[staticf0x]

Check that you provide correct ANSIBLE_VAULT_PASSWORD_FILE and that vault_password_file really contains the password. In gitlab CI it would look like this:

script:
  - echo $ANSIBLE_VAULT_PASSWORD > .vault_password
  - ANSIBLE_VAULT_PASSWORD_FILE=.vault_password ansible-lint
variables:
  # By default the CI/CD variables are not propagated to the runner
  ANSIBLE_VAULT_PASSWORD: $ANSIBLE_VAULT_PASSWORD

[egvimo]

Thanks for the explanation and the example, but I know how to create and reference the vault file.

The point is, that I would like to ignore that for the linting, so that it's not necessary to provide that file at all.

In my opinion you don't have to decrypt the variables just to lint the playbook.

[loganmarchione]

Well @egvimo I'm now linting my Ansible playbooks in Drone CI and am running into the same issue as you. The ansible.cfg file references vault_password_file = ~/ansible_vault_pass, but that file is in my home directory and not checked into git. I agree with you when you say:

The point is, that I would like to ignore that for the linting, so that it's not necessary to provide that file at all.
In my opinion you don't have to decrypt the variables just to lint the playbook.

[loganmarchione]

Can't you just exclude the file?

# exclude_paths included in this file are parsed relative to this file's location
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option will be parsed relative to the CWD of execution.
exclude_paths:
- .cache/  # implicit unless exclude_paths is defined in config
- .github/

[egvimo]

Which file do you mean?

The vault file is not in the repository and should not be there. This is the reason for the lint error. If I exclude the variables file which contains the encrypted values, than the linter would complain about the playbook referencing these variables

[loganmarchione]

Ah sorry, I misunderstood.

[ghost]

This still seems to be an issue:

• ansible.cfg in version control (to ensure this file is version controlled)
• vault_password_file = ~/myveryimportantsecret.txt in ansible.cfg (for convenience so that this doesn't need to be specified when running Ansible)
• ~/myveryimportantsecret.txt exists only on very trusted deployment host and is not version controlled (because this file is extremely sensitive and therefore shouldn't be distributed off this host or in version control)

Result:

ansible-lint fails with Unexpected error code 1 from execution of: ansible-playbook -i localhost, --syntax-check build/xxx.yml

[JoeAlamo]

I was able to get around this issue for my circumstances, maybe the solution will be useful to other people.

The problem I had was when I was statically importing variables, in my case via vars_files, and any of those variables were vault variables (or files).

When I changed the playbook to dynamically importing variables, ansible-lint was happy again!

Of course, you need to check you are happy with the variable precedence and any edge cases.

For example, previous problematic playbook:

- name: Setup foo
  hosts: foo
  vars_files:
    - vars.vault.yml
    - vars.yml

Happy dynamic playbook:

- name: Setup foo variables
  hosts: foo
  tasks:
    - name: Include vault file
      ansible.builtin.include_vars:
        file: vars.vault.yml
      tags: [always]
    - name: Include var file
      ansible.builtin.include_vars:
        file: vars.yml
      tags: [always]

- name: Setup foo
  hosts: foo
  tasks: ...

[binaryDiv]

I had the same issue and found a workaround that doesn't require any changes in the Ansible code.

Apparently, Ansible Lint only checks that the path in vault_password_file exists and is a generally valid password file (so it can't be empty for example). But it doesn't check whether it can actually decrypt secrets with it, so you don't need the real password.

I've simply added a step to my CI pipeline to create a password file with the content "fake_password" and Ansible Lint properly lints everything without complaints.

(I've only tested this with inline vault-encrypted strings so far, not with entirely encrypted variable files. Those caused issues with Ansible Lint anyway, so we stopped using them. I'd generally recommend inline encryption by now, it's easier to maintain and to review in a pull request.)

I still think it would be a great addition to add a --ignore-vault-password option or similar to Ansible Lint for this purpose. Or at least add a section to the documentation that you can just use a placeholder password file.