community.sops.load_vars (1.6.7) — module

Load sops-encrypted variables from files, dynamically within a task

Added in version 0.1.0 of community.sops

Authors: Felix Fontein (@felixfontein)

This plugin has a corresponding action plugin.

Install collection

Install with ansible-galaxy collection install community.sops:==1.6.7


Add to requirements.yml

  collections:
    - name: community.sops
      version: 1.6.7

Description

Loads sops-encrypted YAML/JSON variables dynamically from a file during task runtime.

To assign included variables to a different host than C(inventory_hostname), use C(delegate_to) and set C(delegate_facts=true).

Usage examples

- name: Include variables of stuff.sops.yaml into the 'stuff' variable
  community.sops.load_vars:
    file: stuff.sops.yaml
    name: stuff
    expressions: evaluate-on-load  # interpret Jinja2 expressions in stuff.sops.yaml at load time!
- name: Conditionally decide to load in variables into 'plans' when x is 0, otherwise do not
  community.sops.load_vars:
    file: contingency_plan.sops.yaml
    name: plans
    expressions: ignore  # do not interpret possible Jinja2 expressions
  when: x == 0
- name: Load variables into the global namespace
  community.sops.load_vars:
    file: contingency_plan.sops.yaml
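The following playbook is an added example, not one of the module's own usage examples. It shows the pattern from the description, loading variables for a host other than the one running the task by combining C(delegate_to) with C(delegate_facts=true), and it keeps the decrypted values namespaced under C(name) and out of the task log. The host name C(db_primary), the file C(secrets/db.sops.yaml), the key file path and the variable name C(db_secrets) are assumptions; the file must exist and be decryptable with the given age key for the play to run.

```yaml
# Added example (not part of the community.sops documentation).
# Assumed: inventory contains a host named db_primary, secrets/db.sops.yaml
# exists next to the playbook and is encrypted for the age key in the given
# key file. Nothing here is read from the real project.
- name: Load database secrets on the controller and attach them to db_primary
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Decrypt secrets/db.sops.yaml and store it as the db_secrets fact of db_primary
      community.sops.load_vars:
        file: secrets/db.sops.yaml        # relative: vars/ of a role, else relative to the playbook
        name: db_secrets                  # namespace instead of polluting the top-level vars
        expressions: ignore               # default; decrypted values are never run through Jinja2
        age_keyfile: /etc/sops/age/keys.txt   # assumed location; sets SOPS_AGE_KEY_FILE for sops
      delegate_to: db_primary
      delegate_facts: true                # facts land on db_primary, not on localhost
      no_log: true                        # returned ansible_facts contain the plaintext secrets

- name: Use the delegated facts on the host that owns them
  hosts: db_primary
  gather_facts: false
  tasks:
    - name: The decrypted keys are now ordinary facts of db_primary
      ansible.builtin.debug:
        msg: "db_secrets provides: {{ db_secrets.keys() | list }}"
```

Note that without C(delegate_facts=true) the facts would be set on C(localhost), the host executing the task, even though the task is delegated; and C(no_log) matters because the module returns the decrypted values in C(ansible_facts), which otherwise appear in verbose output.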

Inputs

    
file:
    description:
    - The file name from which variables should be loaded.
    - If the path is relative, the file is looked up in the C(vars/) subdirectory of a
      role, or relative to the playbook.
    type: path

name:
    description:
    - The name of a variable into which to assign the included vars.
    - If omitted (V(null)) they will be made top level vars.
    type: str

age_key:
    description:
    - One or more age private keys that can be used to decrypt encrypted files.
    - Will be set as the E(SOPS_AGE_KEY) environment variable when calling sops.
    type: str
    version_added: 1.4.0
    version_added_collection: community.sops

keyservice:
    description:
    - Specify key services to use in addition to the local one.
    - A key service must be specified in the form C(protocol://address), for example C(tcp://myserver.com:5000).
    - This corresponds to the sops C(--keyservice) option.
    elements: str
    type: list
    version_added: 1.0.0
    version_added_collection: community.sops

age_keyfile:
    description:
    - The file containing the age private keys that sops can use to decrypt encrypted
      files.
    - Will be set as the E(SOPS_AGE_KEY_FILE) environment variable when calling sops.
    - By default, sops looks for C(sops/age/keys.txt) inside your user configuration directory.
    type: path
    version_added: 1.4.0
    version_added_collection: community.sops

aws_profile:
    description:
    - The AWS profile to use for requests to AWS.
    - This corresponds to the sops C(--aws-profile) option.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

config_path:
    description:
    - Path to the sops configuration file.
    - If not set, sops will recursively search for the config file starting at the file
      that is encrypted or decrypted.
    - This corresponds to the sops C(--config) option.
    type: path
    version_added: 1.0.0
    version_added_collection: community.sops

expressions:
    choices:
    - ignore
    - evaluate-on-load
    default: ignore
    description:
    - This option controls how Jinja2 expressions in values in the loaded file are handled.
    - If set to V(ignore), expressions will not be evaluated, but treated as regular strings.
    - If set to V(evaluate-on-load), expressions will be evaluated on execution of this
      module, in other words, when the file is loaded.
    - Unfortunately, there is no way for non-core modules to handle expressions "unsafe",
      in other words, to evaluate them only on use. This can only be achieved by M(ansible.builtin.include_vars),
      which unfortunately cannot handle sops-encrypted files.
    - Note that V(evaluate-on-load) runs the decrypted values through Ansible's templating engine with the
      play's full context, including lookup plugins, so whoever can write to the encrypted file gains the
      same power as a playbook author. Keep the default V(ignore) unless the file is trusted as code.
    type: str
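The playbook below is an added example, not taken from the module documentation, that loads the same file twice to make the difference between the two C(expressions) settings visible. The file name C(endpoints.sops.yaml), its decrypted content (given in the comment) and the variable names C(raw), C(rendered) and C(api_host) are constructed for the illustration.

```yaml
# Added example (not from the community.sops documentation).
# Assumed: endpoints.sops.yaml is encrypted with sops and, once decrypted,
# contains exactly this constructed content:
#
#   api_url: "https://{{ api_host }}/v1"
#   api_token: "tok-constructed-value"
#
- name: Compare expressions=ignore with expressions=evaluate-on-load
  hosts: localhost
  gather_facts: false
  vars:
    api_host: api.internal.example   # referenced by api_url inside the encrypted file
  tasks:
    - name: Default behaviour, the braces in api_url stay literal text
      community.sops.load_vars:
        file: endpoints.sops.yaml
        name: raw
        expressions: ignore

    - name: Render expressions against the play's variables at load time
      community.sops.load_vars:
        file: endpoints.sops.yaml
        name: rendered
        expressions: evaluate-on-load   # api_host must be defined here, or the task fails

    - name: Show what each mode produced
      ansible.builtin.debug:
        msg:
          - "ignore:           {{ raw.api_url }}"        # the string as written in the file
          - "evaluate-on-load: {{ rendered.api_url }}"   # https://api.internal.example/v1
```

With C(ignore) the value is just the text stored in the file, which is what you want for secrets that legitimately contain C({{) or C(}}) (passwords, tokens). With C(evaluate-on-load) the expression is resolved once, at this task, against whatever variables are defined at that moment; a later change to C(api_host) does not change C(rendered.api_url).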

sops_binary:
    description:
    - Path to the sops binary.
    - By default uses C(sops).
    type: path
    version_added: 1.0.0
    version_added_collection: community.sops

aws_access_key_id:
    description:
    - The AWS access key ID to use for requests to AWS.
    - Sets the environment variable E(AWS_ACCESS_KEY_ID) for the sops call.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

aws_session_token:
    description:
    - The AWS session token to use for requests to AWS.
    - Sets the environment variable E(AWS_SESSION_TOKEN) for the sops call.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

aws_secret_access_key:
    description:
    - The AWS secret access key to use for requests to AWS.
    - Sets the environment variable E(AWS_SECRET_ACCESS_KEY) for the sops call.
    type: str
    version_added: 1.0.0
    version_added_collection: community.sops

enable_local_keyservice:
    default: false
    description:
    - Tell sops to use the local key service.
    - This corresponds to the sops C(--enable-local-keyservice) option.
    type: bool
    version_added: 1.0.0
    version_added_collection: community.sops

Outputs

ansible_facts:
  description: Variables that were included and their values.
  returned: success
  sample:
    variable: value
  type: dict
ansible_included_var_files:
  description: A list of files that were successfully included
  elements: str
  returned: success
  sample:
  - /path/to/file.sops.yaml
  type: list

See also