12-28-2022 02:08 PM
Say we have three admins who would log in to the Linux server running Terraform and Ansible to see the source files and execute them. But I do not want any of them to see the networking device login credential.
For example, I want to automate configuration backup of a network built with 4 NXOS switches. I can get the Terraform or Ansible playbook written properly. But I'm kinda having a difficult time figuring out how to protect the Nexus login credential which would be fed into Terraform or Ansible during run time.
With Ansible, I could use Vault to encrypt the Nexus login credential, but I still need to supply the encryption key/password to perform decryption during the playbook run... Without anyone to enter the key, I could put the encryption key into a file, but how am I supposed to set the permissions of the file to prevent others from viewing the content while still maintaining the automation? If I set the owner of the file to be root or a special group, then the execution of `ansible-playbook` would need `sudo`...
With Terraform, no clue so far...
01-05-2023 10:46 AM
I'm not exactly sure how to implement this, as I haven't run into this yet, but here are some potential options:
HashiCorp Vault
DigitalOcean
https://www.digitalocean.com/community/tutorials/how-to-protect-sensitive-data-in-terraform
terraform-provider-ansiblevault
https://meilleursagents.github.io/terraform-provider-ansiblevault/
Sharing sensitive variables between ansible and terraform (Proof of Concept)
01-05-2023 10:55 AM
Thanks for the links. But they would still require minimal human input. For example, what if I want to schedule an Ansible play or Terraform apply @ 1am every Sunday to log in to all devices to perform configuration backup? I would not want to have someone manually type in the credential to kick-start the job while I still want to keep the credentials invisible...
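One pattern that addresses both the file-permission question in the first post and the unattended Sunday 1am run above, as an added example that is not from this thread: run the scheduled job as a dedicated, non-admin service account that owns the vault password file with mode 0400, so no sudo is needed and the admins who can read the playbooks still cannot read the key. The account name netbackup and the paths under /opt/netbackup are assumptions; the pre-flight check refuses to run if the password file is shared or mis-owned.

```shell
#!/bin/sh
# Added example: wrapper for an unattended Ansible run whose vault password file
# must stay unreadable to the human admins on the box. Assumed (hypothetical)
# layout, all owned by a dedicated service account "netbackup":
#   /opt/netbackup/vault.pass    the Ansible Vault password, mode 0400
#   /opt/netbackup/backup.yml    the playbook (may be world-readable)
#   /opt/netbackup/run-backup.sh this script
# Scheduled from that account's own crontab, so no sudo is involved:
#   0 1 * * 0 /opt/netbackup/run-backup.sh backup /opt/netbackup/vault.pass /opt/netbackup/backup.yml

# Return 0 when FILE is a regular file (not a symlink), owned by the calling
# user, with no group or other permission bits; otherwise explain and return 1.
vault_file_is_private() {
    file="$1"
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "refusing: $file is not a plain regular file" >&2
        return 1
    fi
    # GNU stat first, BSD stat as the fallback.
    owner=$(stat -c '%u' "$file" 2>/dev/null || stat -f '%u' "$file")
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$owner" != "$(id -u)" ]; then
        echo "refusing: $file is owned by uid $owner, not $(id -u)" >&2
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        *00) return 0 ;;
        *) echo "refusing: $file mode $mode is readable by group or other" >&2; return 1 ;;
    esac
}

# Run PLAYBOOK with the vault password taken from PASS_FILE, but only after the
# permission check passes. umask 077 keeps the saved device configs private too.
run_backup() {
    pass_file="$1"
    playbook="$2"
    vault_file_is_private "$pass_file" || return 1
    umask 077
    ansible-playbook --vault-password-file "$pass_file" "$playbook"
}

# Only act when invoked as "run-backup.sh backup PASS_FILE PLAYBOOK".
case "${1:-}" in
    backup) run_backup "$2" "$3" ;;
esac
```

The admins keep read access to the playbook and inventory in the repo; only the service account (and root) can read vault.pass, and the check catches the common mistake of a 0640/0644 file that a shared group could read.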
01-05-2023 11:03 AM
Using Ansible Tower or Ansible AWX you can inject an 'Approve/Deny' button for a workflow/playbook.
01-16-2023 11:21 AM
@JesseRussell08468 is correct, as AWX/Tower (AWX is the open-source version of Tower) provides role-based access control (RBAC). There has even been an effort to extend this capability for AWX to Terraform: https://github.com/mauromedda/terraform-provider-awx
Also, see 'awx Provider', which is an Ansible Tower Provider for handling Tower Projects with REST: https://registry.terraform.io/providers/nolte/awx/latest/docs