gbeke
Enthusiast
Enthusiast

vRA 8 and dynamic ansible-vault variable

Hi all,

I'm new to Ansible and use it to add servers deployed using vRA 8 to AD domain. When the user deploys a new server they select which domain the server belongs to. Based on the domain selected I need to select the correct ad credential to join the server to the domain.

I've created a vault that contains the passwords for the account with permission to add the server to the domain:
vault_domain1.com: password1
vault_domain2.com: password2

If I in the playbook specifies one of the vault secrets it works for that domain:
domain_admin_password: "{{ vault_domain1.com }}"

But I need that the vault secret used in the playbook is dependent on the domain the user selects. If the user selects domain2.com, the vault secret used in the playbook should be "vault_domain2.com".

In the vRA blueprint I've added a host variable that sets the vault secret based on the domain that the user selects:
domain_join_password: vault_${input.domain}

I've verified that the value for domain_join_password is vault_domain1.com or vault_domain2.com depending on what the user selects. The problem I've not been able to solve is how to get this in the playbook as a variable. I've tried the following that doesn't work.
domain_admin_password: "{{ domain_join_password }}"
domain_admin_password: "{{ {{ domain_join_password }} }}"

It was suggested to do this the host variable entry:
domain_join_password: "{{ lookup('vars', 'vault_' ~ ${input.domain}) }}".

I've tried many variations on how to write the line with and without quotes, single quotes, escape character before the single/double quotes but they all give this error.

Failed to run Ansible Ad hoc command - sudo ansible localhost -m lineinfile -a dest=/opt/ansible/vra/host_vars/sditest9/vra_user_host_vars_f6f19a39-6433-496f-93c0-85230e40ceb4.yml line='domain: domain1.com
dns1: 8.8.8.8
domain_ou: ou=servers,DC=domain1,DC=com
servername: sditest9
domain_join_password: "{{ lookup('vars', 'vault_' ~ domain1.com) }}"
ansible_user: Administrator
ansible_password: password
ansible_winrm_transport: ntlm
ansible_winrm_port: 5985
' create=yes insertafter=EOF state=present --connection=local. Refer to logs at var/tmp/vmware/provider/user_defined_script/f6f19a39-6433-496f-93c0-85230e40ceb4 on Ansible Control Machine for more details.

I've been able to workaround it by creating a vault file pr domain, but this means creating and maintaining 20-30 extra files. Not a big deal but it would be cleaner with just one vault file.

Hopefully I've explained what I'm trying to achieve. I'm hoping someone has done this and can point me in the right direction. Any help will be greatly appreciated.

Thansk.

Labels (2)
0 Kudos
0 Replies