Try SpotterEncrypt data with sops
| "added in version" 0.1.0 of community.sops"
Authors: Felix Fontein (@felixfontein)
Install with ansible-galaxy collection install community.sops:==1.6.7
collections:
- name: community.sops
version: 1.6.7Allows to encrypt binary data (Base64 encoded), text data, JSON or YAML data with sops.
- name: Encrypt a secret text
community.sops.sops_encrypt:
path: text-data.sops
content_text: This is a secret text.
- name: Encrypt the contents of a file
community.sops.sops_encrypt:
path: binary-data.sops
content_binary: "{{ lookup('ansible.builtin.file', '/path/to/file', rstrip=false) | b64encode }}"
- name: Encrypt some datastructure as YAML
community.sops.sops_encrypt:
path: stuff.sops.yaml
content_yaml: "{{ result }}"
age:
description:
- Age fingerprints to use.
- This corresponds to the sops C(--age) option.
elements: str
type: list
version_added: 1.4.0
version_added_collection: community.sops
kms:
description:
- List of KMS ARNs to use.
- This corresponds to the sops C(--kms) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
pgp:
description:
- PGP fingerprints to use.
- This corresponds to the sops C(--pgp) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
mode:
description:
- The permissions the resulting filesystem object should have.
- For those used to I(/usr/bin/chmod) remember that modes are actually octal numbers.
You must give Ansible enough information to parse them correctly. For consistent
results, quote octal numbers (for example, V('644') or V('1777')) so Ansible receives
a string and can do its own conversion from string into number. Adding a leading
zero (for example, V(0755)) works sometimes, but can fail in loops and some other
circumstances.
- Giving Ansible a number without following either of these rules will end up with
a decimal number which will have unexpected results.
- As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, V(u+rwx)
or V(u=rw,g=r,o=r)).
- If O(mode) is not specified and the destination filesystem object B(does not) exist,
the default C(umask) on the system will be used when setting the mode for the newly
created filesystem object.
- If O(mode) is not specified and the destination filesystem object B(does) exist,
the mode of the existing filesystem object will be used.
- Specifying O(mode) is the best way to ensure filesystem objects are created with
the correct permissions. See CVE-2020-1736 for further details.
type: raw
path:
description:
- The sops encrypt file.
required: true
type: path
force:
default: false
description:
- Force rewriting the encrypted file.
type: bool
group:
description:
- Name of the group that should own the filesystem object, as would be fed to I(chown).
- When left unspecified, it uses the current group of the current user unless you
are root, in which case it can preserve the previous ownership.
type: str
owner:
description:
- Name of the user that should own the filesystem object, as would be fed to I(chown).
- When left unspecified, it uses the current user unless you are root, in which case
it can preserve the previous ownership.
- Specifying a numeric username will be assumed to be a user ID and not a username.
Avoid numeric usernames to avoid this confusion.
type: str
serole:
description:
- The role part of the SELinux filesystem object context.
- When set to V(_default), it will use the C(role) portion of the policy if available.
type: str
setype:
description:
- The type part of the SELinux filesystem object context.
- When set to V(_default), it will use the C(type) portion of the policy if available.
type: str
seuser:
description:
- The user part of the SELinux filesystem object context.
- By default it uses the V(system) policy, where applicable.
- When set to V(_default), it will use the C(user) portion of the policy if available.
type: str
age_key:
description:
- One or more age private keys that can be used to decrypt encrypted files.
- Will be set as the E(SOPS_AGE_KEY) environment variable when calling sops.
type: str
version_added: 1.4.0
version_added_collection: community.sops
gcp_kms:
description:
- GCP KMS resource IDs to use.
- This corresponds to the sops C(--gcp-kms) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
selevel:
description:
- The level part of the SELinux filesystem object context.
- This is the MLS/MCS attribute, sometimes known as the C(range).
- When set to V(_default), it will use the C(level) portion of the policy if available.
type: str
azure_kv:
description:
- Azure Key Vault URLs to use.
- This corresponds to the sops C(--azure-kv) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
attributes:
aliases:
- attr
description:
- The attributes the resulting filesystem object should have.
- To get supported flags look at the man page for I(chattr) on the target system.
- This string should contain the attributes in the same order as the one displayed
by I(lsattr).
- The C(=) operator is assumed as default, otherwise C(+) or C(-) operators need to
be included in the string.
type: str
version_added: '2.3'
version_added_collection: ansible.builtin
keyservice:
description:
- Specify key services to use next to the local one.
- A key service must be specified in the form C(protocol://address), for example C(tcp://myserver.com:5000).
- This corresponds to the sops C(--keyservice) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
age_keyfile:
description:
- The file containing the age private keys that sops can use to decrypt encrypted
files.
- Will be set as the E(SOPS_AGE_KEY_FILE) environment variable when calling sops.
- By default, sops looks for C(sops/age/keys.txt) inside your user configuration directory.
type: path
version_added: 1.4.0
version_added_collection: community.sops
aws_profile:
description:
- The AWS profile to use for requests to AWS.
- This corresponds to the sops C(--aws-profile) option.
type: str
version_added: 1.0.0
version_added_collection: community.sops
config_path:
description:
- Path to the sops configuration file.
- If not set, sops will recursively search for the config file starting at the file
that is encrypted or decrypted.
- This corresponds to the sops C(--config) option.
type: path
version_added: 1.0.0
version_added_collection: community.sops
sops_binary:
description:
- Path to the sops binary.
- By default uses C(sops).
type: path
version_added: 1.0.0
version_added_collection: community.sops
content_json:
description:
- The data to encrypt. Must be a JSON dictionary.
- Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml)
must be specified.
type: dict
content_text:
description:
- The data to encrypt. Must be a Unicode text.
- Please note that the module might not be idempotent if the text can be parsed as
JSON or YAML.
- Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml)
must be specified.
type: str
content_yaml:
description:
- The data to encrypt. Must be a YAML dictionary.
- Please note that Ansible only allows to pass data that can be represented as a JSON
dictionary.
- Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml)
must be specified.
type: dict
unsafe_writes:
default: false
description:
- Influence when to use atomic operation to prevent data corruption or inconsistent
reads from the target filesystem object.
- By default this module uses atomic operations to prevent data corruption or inconsistent
reads from the target filesystem objects, but sometimes systems are configured or
just broken in ways that prevent this. One example is docker mounted filesystem
objects, which cannot be updated atomically from inside the container and can only
be written in an unsafe manner.
- This option allows Ansible to fall back to unsafe methods of updating filesystem
objects when atomic operations fail (however, it doesn't force Ansible to perform
unsafe writes).
- IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption.
type: bool
version_added: '2.2'
version_added_collection: ansible.builtin
content_binary:
description:
- The data to encrypt. Must be L(Base64 encoded,https://en.wikipedia.org/wiki/Base64)
binary data.
- Please note that the module might not be idempotent if the data can be parsed as
JSON or YAML.
- Exactly one of O(content_text), O(content_binary), O(content_json), and O(content_yaml)
must be specified.
type: str
encrypted_regex:
description:
- Set the encrypted key suffix.
- When specified, only keys matching the regular expression will be encrypted.
- This corresponds to the sops C(--encrypted-regex) option.
type: str
version_added: 1.0.0
version_added_collection: community.sops
encrypted_suffix:
description:
- Override the encrypted key suffix.
- When set to an empty string, all keys will be encrypted that are not explicitly
marked by O(unencrypted_suffix).
- This corresponds to the sops C(--encrypted-suffix) option.
type: str
version_added: 1.0.0
version_added_collection: community.sops
hc_vault_transit:
description:
- HashiCorp Vault key URIs to use.
- For example, C(https://vault.example.org:8200/v1/transit/keys/dev).
- This corresponds to the sops C(--hc-vault-transit) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
aws_access_key_id:
description:
- The AWS access key ID to use for requests to AWS.
- Sets the environment variable E(AWS_ACCESS_KEY_ID) for the sops call.
type: str
version_added: 1.0.0
version_added_collection: community.sops
aws_session_token:
description:
- The AWS session token to use for requests to AWS.
- Sets the environment variable E(AWS_SESSION_TOKEN) for the sops call.
type: str
version_added: 1.0.0
version_added_collection: community.sops
unencrypted_regex:
description:
- Set the unencrypted key suffix.
- When specified, only keys matching the regular expression will be left unencrypted.
- This corresponds to the sops C(--unencrypted-regex) option.
type: str
version_added: 1.0.0
version_added_collection: community.sops
encryption_context:
description:
- List of KMS encryption context pairs of format C(key:value).
- This corresponds to the sops C(--encryption-context) option.
elements: str
type: list
version_added: 1.0.0
version_added_collection: community.sops
unencrypted_suffix:
description:
- Override the unencrypted key suffix.
- This corresponds to the sops C(--unencrypted-suffix) option.
type: str
version_added: 1.0.0
version_added_collection: community.sops
aws_secret_access_key:
description:
- The AWS secret access key to use for requests to AWS.
- Sets the environment variable E(AWS_SECRET_ACCESS_KEY) for the sops call.
type: str
version_added: 1.0.0
version_added_collection: community.sops
enable_local_keyservice:
default: false
description:
- Tell sops to use local key service.
- This corresponds to the sops C(--enable-local-keyservice) option.
type: bool
version_added: 1.0.0
version_added_collection: community.sops
shamir_secret_sharing_threshold:
description:
- The number of distinct keys required to retrieve the data key with L(Shamir's Secret
Sharing, https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
- If not set here and in the sops config file, will default to V(0).
- This corresponds to the sops C(--shamir-secret-sharing-threshold) option.
type: int
version_added: 1.0.0
version_added_collection: community.sops