Easy migration to Ansible Vault id

To keep all our tokens secure we encrypt them with Ansible Vault. Historically, all files containing secrets were encrypted with a single password rather than with a vault id and a password file. This week we decided to migrate to vault ids.

Every file encrypted with a plain password and no vault id starts with the header $ANSIBLE_VAULT;1.1;AES256. We can use grep to find all files with this header. To do that, run

grep "\$ANSIBLE_VAULT;1.1;AES256" group_vars/**/*.yml

Now we have a list of files that looks like this:

group_vars/staging/amazon.yml:$ANSIBLE_VAULT;1.1;AES256
group_vars/staging/db.yml:$ANSIBLE_VAULT;1.1;AES256
group_vars/staging/docker_registry.yml:$ANSIBLE_VAULT;1.1;AES256
....

Grep appends the matched string to every file name. Since we only need the file names, we can strip that part with the cut command: cut -d: -f1 keeps only the text before the first colon, which is the file name.

And finally, we can use xargs to pass the file list to the ansible-vault rekey command, which converts every password-encrypted file into one encrypted with the vault id.

The full command will look like this:

grep "\$ANSIBLE_VAULT;1.1;AES256" group_vars/**/*.yml | cut -d: -f1 | xargs ansible-vault rekey --new-vault-id vaultID@vaultfile
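The same procedure as one script, added here as an example (not code from the original post or from Ansible itself). It assumes the vault id label vaultID and the new password file vaultfile from the command above, plus a file holding the current password (OLD_PASS_FILE, an assumed name) because rekey has to decrypt each file before re-encrypting it, and it checks afterwards that every rekeyed file starts with the vault id header $ANSIBLE_VAULT;1.2;AES256;vaultID.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Finds every vault file that still
# uses the password-only 1.1 header, rekeys it to a vault id and verifies the
# result. Assumed: the label "vaultID" and the new password file "vaultfile"
# (both from the post) and OLD_PASS_FILE, a file holding the current password.
set -eu

LEGACY_HEADER='$ANSIBLE_VAULT;1.1;AES256'     # password only, no vault id
VAULT_ID_PREFIX='$ANSIBLE_VAULT;1.2;AES256;'  # followed by the vault id label

# Print the *.yml files under $1 whose header is the legacy 1.1 header, one per
# line. grep -l prints file names directly, so no cut is needed, and find
# replaces the ** glob, which only works when bash's globstar option is on.
find_legacy_vault_files() {
    # grep exits 1 when no file matches; that is not an error here.
    find "$1" -type f -name '*.yml' -exec grep -Fxl "$LEGACY_HEADER" {} + | sort || true
}

# Succeed (exit 0) only if the first line of $1 is the 1.2 header with label $2.
has_vault_id_header() {
    head -n 1 "$1" | grep -Fxq "${VAULT_ID_PREFIX}$2"
}

# Rekey every legacy file under $1 to vault id $2 whose password is in $3.
# ansible-vault still needs the old password to decrypt, so it is read from $4.
# Stops at the first file that does not carry the expected header afterwards.
migrate_to_vault_id() {
    local dir="$1" label="$2" new_pass_file="$3" old_pass_file="$4" f
    find_legacy_vault_files "$dir" | while IFS= read -r f; do
        ansible-vault rekey --vault-password-file "$old_pass_file" \
            --new-vault-id "${label}@${new_pass_file}" "$f"
        if ! has_vault_id_header "$f" "$label"; then
            echo "rekey check failed for $f" >&2
            exit 1   # leaves the loop's subshell, so the function returns 1
        fi
        echo "rekeyed: $f"
    done
}

# Typical use: migrate_to_vault_id group_vars vaultID vaultfile "$OLD_PASS_FILE"
```

Because find passes each path as a separate argument, the script also copes with file names containing spaces or colons, which the grep | cut | xargs pipeline does not.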