Variables and Ansible Vault
Static playbooks are useful, but "Industrial Level" automation requires flexibility and security. In this guide, we will learn how to use Variables to handle different environments (Dev/Prod) and Ansible Vault to protect sensitive data.
- Variables allow you to write reusable playbooks that can adapt to different scenarios without changing the code.
- Ansible Vault ensures that sensitive information like passwords and API keys are encrypted and safe from prying eyes, even in version control.
1. Using Variables
Variables in Ansible allow you to write one playbook and use it for multiple purposes. Instead of hardcoding a version number or a username, you use a placeholder.
Where to Define Variables?
Ansible has a specific "Precedence" (priority) for variables, but these are the most common places:
- Playbook Level: Directly inside the `.yml` file.
- Inventory Level: Inside your `hosts.ini`.
- File Level: In a dedicated `group_vars` or `host_vars` folder.
```yaml
---
- name: Deploy CodeHarborHub App
  hosts: webservers
  vars:
    app_version: "v2.0.4"
    node_port: 3000
  tasks:
    - name: Start the application
      command: "node app.js --port {{ node_port }}"
```
Always wrap variables in double curly braces: `{{ var_name }}`. If a value begins with `{{`, you must quote the entire value, as in `"{{ var_name }}"`; otherwise YAML reads the opening brace as the start of a dictionary and the playbook fails to parse.
2. Ansible Vault (Securing Secrets)
At CodeHarborHub, we never push plain-text passwords, SSH keys, or SSL certificates to GitHub. Ansible Vault is a built-in feature that encrypts these files so they can be safely stored in version control.
Common Vault Operations
| Action | Command |
|---|---|
| Create | `ansible-vault create secrets.yml` |
| Edit | `ansible-vault edit secrets.yml` |
| Encrypt Existing | `ansible-vault encrypt my_passwords.txt` |
| Decrypt | `ansible-vault decrypt secrets.yml` |
How to use Vault in a Playbook
- Create an encrypted file `vars/secrets.yml`:

Example: Encrypted Vault File

```yaml
db_password: "SuperSecretPassword123"
```

- Reference it in your playbook:

Example: Using Vault in Playbook

```yaml
- name: Setup Database
  hosts: dbservers
  vars_files:
    - vars/secrets.yml
```

- Run the playbook by providing the password:

Running Playbook with Vault

```bash
ansible-playbook site.yml --ask-vault-pass
```
In this example, Ansible will prompt you for the vault password before it can read the encrypted variables. This way, you can safely store sensitive information in your repository without risking exposure.
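A layout that works well once a project grows is to keep the secret itself in a small encrypted file and reference it from a plaintext variable with a `vault_` prefix, so `grep db_password` still shows where the secret is used while the value stays encrypted. The following is an added example, not code from the original page or from CodeHarborHub; the paths, the `vault_db_password` name and the `/etc/codeharbor/db.env` target are constructed for illustration. File boundaries are marked with comments.

```yaml
# --- group_vars/dbservers/vars.yml  (plaintext, committed) ---
# Indirection: the readable name points at the vaulted one, so searching the
# repository for db_password still finds every place it is consumed.
db_user: codeharbor
db_password: "{{ vault_db_password }}"

# --- group_vars/dbservers/vault.yml  (encrypt with: ansible-vault encrypt group_vars/dbservers/vault.yml) ---
# Shown decrypted here; in the repository the file starts with the header
# "$ANSIBLE_VAULT;1.1;AES256" and contains only ciphertext.
vault_db_password: "REPLACE-WITH-REAL-SECRET"   # placeholder value

# --- playbook.yml ---
# Because group_vars/dbservers/ is a directory, Ansible loads every file in it
# for hosts in the dbservers group, the encrypted one included.
- name: Configure database credentials
  hosts: dbservers
  become: true
  tasks:
    - name: Stop early if the vault file was not decrypted or is incomplete
      assert:
        that:
          - vault_db_password is defined
          - vault_db_password | length > 0
        fail_msg: "vault_db_password is not set; run with --ask-vault-pass or --vault-password-file"

    - name: Write the credentials file readable only by the service account
      copy:
        content: |
          DB_USER={{ db_user }}
          DB_PASSWORD={{ db_password }}
        dest: /etc/codeharbor/db.env
        owner: "{{ db_user }}"
        group: "{{ db_user }}"
        mode: "0600"
      no_log: true   # keep the decrypted value out of stdout, log files and CI output
```

Run it with `ansible-playbook playbook.yml --ask-vault-pass` as in the section above, or non-interactively with `--vault-password-file <path>`; the password file must itself live outside the repository (for example in the CI secret store), otherwise the encryption protects nothing. `no_log: true` matters because Ansible otherwise prints module arguments, including the rendered password, whenever a task fails or runs in verbose mode.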
3. Facts: The Special Variables
Ansible automatically discovers information about the Managed Node before running any tasks. These are called Facts.
Example: Conditional Logic using Facts

```yaml
- name: Install Web Server
  apt:
    name: apache2
    state: present
  when: ansible_os_family == "Debian"
```
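Facts can do more than gate a single task: they can select which variable file to load, so one playbook handles several operating-system families without duplicated tasks. This added example is not from the original page; it assumes `vars/Debian.yml` and `vars/RedHat.yml` exist next to the playbook (the file names match the values `ansible_os_family` takes on those systems) and that fact gathering is left at its default of enabled.

```yaml
# --- vars/Debian.yml ---
web_package: apache2
web_service: apache2

# --- vars/RedHat.yml ---
web_package: httpd
web_service: httpd

# --- playbook.yml ---
- name: Install Web Server on any supported OS family
  hosts: webservers
  become: true
  tasks:
    - name: Refuse to continue on an OS family we have no variables for
      fail:
        msg: "Unsupported OS family {{ ansible_os_family }}; add vars/{{ ansible_os_family }}.yml"
      when: ansible_os_family not in ["Debian", "RedHat"]

    - name: Load variables matching the discovered OS family
      include_vars: "vars/{{ ansible_os_family }}.yml"

    - name: Install the web server package using the generic package module
      package:
        name: "{{ web_package }}"
        state: present

    - name: Ensure the service is running and starts on boot
      service:
        name: "{{ web_service }}"
        state: started
        enabled: true
```

The explicit `fail` task turns an unexpected platform into a clear error instead of a confusing "undefined variable" message later in the play.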
Comparison: Variables vs. Vault
| Feature | Variables | Ansible Vault |
|---|---|---|
| Visibility | Plain text / Human readable. | Encrypted / Block of gibberish. |
| Purpose | Configuration (Ports, Paths, Names). | Secrets (Passwords, Keys, Tokens). |
| Storage | Committed directly to Git. | Committed to Git (but encrypted). |
Industrial Best Practice: group_vars
Instead of cluttering your playbook, create a directory structure like this:
```
.
├── inventory.ini
├── playbook.yml
└── group_vars/
    ├── all.yml          # Variables for all servers
    ├── webservers.yml   # Specific for web group
    └── dbservers.yml    # Specific for DB group
```
Ansible will automatically load these variables based on the group names in your inventory! This keeps your playbooks clean and organized, making it easier to manage large infrastructures.
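To see the loading rule in action, here is a complete version of that layout, added as an example rather than taken from the original page. It uses a YAML inventory instead of `inventory.ini` so every file is YAML, and the hostnames, ports and `app_user` value are constructed for illustration. File boundaries are marked with comments.

```yaml
# --- inventory.yml ---
all:
  children:
    webservers:
      hosts:
        web1.example.internal:
        web2.example.internal:
    dbservers:
      hosts:
        db1.example.internal:

# --- group_vars/all.yml ---
# Defaults for every host in the inventory.
app_user: chh_app
log_level: info
node_port: 3000

# --- group_vars/webservers.yml ---
# Values for a named group take precedence over the "all" group, so web hosts
# get port 8080 and a quieter log level while dbservers keep the defaults.
node_port: 8080
log_level: warning

# --- group_vars/dbservers.yml ---
db_name: codeharbor

# --- playbook.yml ---
# No vars: section is needed; each host arrives with the variables of the
# groups it belongs to already resolved.
- name: Show the effective variables per host
  hosts: all
  gather_facts: false
  tasks:
    - name: Print the values this host received
      debug:
        msg: "{{ inventory_hostname }} runs as {{ app_user }} on port {{ node_port }} (log_level={{ log_level }})"
```

Running `ansible-playbook -i inventory.yml playbook.yml` prints port 8080 for the two web hosts and 3000 for `db1.example.internal`, which is the precedence order the page describes: the `all` group supplies defaults and a more specific group overrides them.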
Final Graduation Challenge
- Create a variable file named `user_config.yml`.
- Add a variable `username: chh_admin`.
- Create a playbook that creates a user on your local machine using `{{ username }}`.
- Now, encrypt `user_config.yml` using `ansible-vault`.
- Run the playbook and see how Ansible asks for the password before it can read the file!
Congratulations! You've just learned how to make your Ansible playbooks dynamic with variables and secure with Vault. This is a crucial step towards becoming an "Industrial Level" DevOps Engineer at CodeHarborHub!