Sensitive Information in Version Control
Sensu is a distributed framework whose components communicate over the network, so they need to authenticate to one another. That can mean setting credentials to secure those communications.
You might have noticed, in this role's defaults/main.yml, that there are a few variables you can set for password properties.
If you're keeping your Ansible configuration in version control (as you really should be) - or anywhere for that matter - you most likely don't want such information to be expressed in plain text, readable to anyone/anything that may stumble upon it.
Ansible has an excellent feature called Vault - introduced in version 1.5. It offers a means of encrypting various pieces of data throughout your Ansible codebase.
As mentioned already throughout this documentation: Ansible really is quite versatile, so this can be approached in quite a few ways, but here's how I would suggest encrypting the sensitive variables necessary for use with this Sensu role.
Encrypting the various host_vars files
Let's say we want to set the Uchiwa username and password for the node we have acting as the dashboard for our Sensu setup.
If it were a host called uchiwa.cmacr.ae, we could set the following in host_vars/uchiwa.cmacr.ae.yml:

    sensu_uchiwa_users:
      - username: mordecai
        password: rigby

Then, using ansible-vault we can encrypt this file:

    $ ansible-vault encrypt host_vars/uchiwa.cmacr.ae.yml
Or, if we want to set the Sensu API credentials, in host_vars/sapi.cmacr.ae.yml:

    sensu_api_user_name: muscleman
    sensu_api_password: highfiveghost

Same deal with encrypting it:

    $ ansible-vault encrypt host_vars/sapi.cmacr.ae.yml
It'll prompt for a password to encrypt with, so make sure you remember this!
Encrypting some other vars file
You don't have to set these variables directly in a specific node's variables.
These could also be defined in, say, vars/sensitive.yml at the top of your Ansible codebase:

    sensu_uchiwa_users:
      - username: mordecai
        password: rigby
    sensu_api_user_name: muscleman
    sensu_api_password: highfiveghost

Next up:

    $ ansible-vault encrypt vars/sensitive.yml
Then, to ensure the variables are picked up during the play, you can add vars/sensitive.yml to the vars_files list directly in your playbook:

    - name: Apply the Sensu role to all nodes
      hosts: all
      vars_files:
        - /path/to/ansible_codebase/vars/sensitive.yml
Editing encrypted data
Editing encrypted data is as easy as:

    $ ansible-vault edit path/to/data.yml

See the Ansible Vault page for more information.
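
A guard against committing these files before they are encrypted, as an added example that is not part of this documentation or the role: a POSIX shell check, usable from a git pre-commit hook, that flags any file holding a readable password variable and lacking the `$ANSIBLE_VAULT;` header that ansible-vault writes as the first line of an encrypted file. The function names and the password-key pattern are assumptions chosen to match the variables shown on this page.

```shell
#!/bin/sh
# Added example (not part of the role): refuse plaintext Sensu credentials.
# Function names and the key pattern below are assumptions for illustration.

# is_vaulted FILE: true if the first line is the header ansible-vault writes.
is_vaulted() {
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_plain_secret FILE: true if a password key carries a literal value.
# Values that are Jinja references ({{ ... }}) or inline !vault data are ignored.
has_plain_secret() {
    grep -E '^[[:space:]-]*(sensu_[a-z_]*password|password)[[:space:]]*:' "$1" |
        grep -Evq ':[[:space:]]*("?[{][{]|!vault)'
}

# check_files FILE...: report each unencrypted file with readable credentials.
# Returns 1 if any were found, so a hook can abort the commit.
check_files() {
    status=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        if ! is_vaulted "$f" && has_plain_secret "$f"; then
            echo "plaintext credentials, run ansible-vault encrypt: $f" >&2
            status=1
        fi
    done
    return "$status"
}

# As .git/hooks/pre-commit, pass the staged files:
#   check_files $(git diff --cached --name-only --diff-filter=ACM)
[ "$#" -eq 0 ] || check_files "$@"
```

A file that only references a vaulted variable, such as `sensu_api_password: "{{ vault_sensu_api_password }}"`, passes the check, so the variable names can stay readable while the values live in an encrypted file.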