Ansible vault: a framework for encrypting any playbook or var file.

lib/ansible/inventory/__init__.py

@@ -347,19 +347,19 @@ class Inventory(object):
             raise Exception("group not found: %s" % groupname)
         return group.get_variables()
 
-    def get_variables(self, hostname):
+    def get_variables(self, hostname, vault_password=None):
         if hostname not in self._vars_per_host:
-            self._vars_per_host[hostname] = self._get_variables(hostname)
+            self._vars_per_host[hostname] = self._get_variables(hostname, vault_password=vault_password)
         return self._vars_per_host[hostname]
 
-    def _get_variables(self, hostname):
+    def _get_variables(self, hostname, vault_password=None):
 
         host = self.get_host(hostname)
         if host is None:
             raise errors.AnsibleError("host not found: %s" % hostname)
 
         vars = {}
-        vars_results = [ plugin.run(host) for plugin in self._vars_plugins ] 
+        vars_results = [ plugin.run(host, vault_password=vault_password) for plugin in self._vars_plugins ] 
         for updated in vars_results:
             if updated is not None:
                 vars.update(updated)

lib/ansible/inventory/vars_plugins/group_vars.py

@@ -23,7 +23,7 @@ from ansible import errors
 from ansible import utils
 import ansible.constants as C
 
-def _load_vars(basepath, results):
+def _load_vars(basepath, results, vault_password=None):
     """
     Load variables from any potential yaml filename combinations of basepath,
     returning result.
@@ -35,7 +35,7 @@ def _load_vars(basepath, results):
     found_paths = []
 
     for path in paths_to_check:
-        found, results = _load_vars_from_path(path, results)
+        found, results = _load_vars_from_path(path, results, vault_password=vault_password)
         if found:
             found_paths.append(path)
 
@@ -49,7 +49,7 @@ def _load_vars(basepath, results):
 
     return results
 
-def _load_vars_from_path(path, results):
+def _load_vars_from_path(path, results, vault_password=None):
     """
     Robustly access the file at path and load variables, carefully reporting
     errors in a friendly/informative way.
@@ -90,7 +90,7 @@ def _load_vars_from_path(path, results):
 
     # regular file
     elif stat.S_ISREG(pathstat.st_mode):
-        data = utils.parse_yaml_from_file(path)
+        data = utils.parse_yaml_from_file(path, vault_password=vault_password)
         if type(data) != dict:
             raise errors.AnsibleError(
                 "%s must be stored as a dictionary/hash" % path)
@@ -143,7 +143,7 @@ class VarsModule(object):
 
         self.inventory = inventory
 
-    def run(self, host):
+    def run(self, host, vault_password=None):
 
         """ main body of the plugin, does actual loading """
 
@@ -183,11 +183,11 @@ class VarsModule(object):
             # load vars in dir/group_vars/name_of_group
             for group in groups:
                 base_path = os.path.join(basedir, "group_vars/%s" % group)
-                results = _load_vars(base_path, results)
+                results = _load_vars(base_path, results, vault_password=vault_password)
 
             # same for hostvars in dir/host_vars/name_of_host
             base_path = os.path.join(basedir, "host_vars/%s" % host.name)
-            results = _load_vars(base_path, results)
+            results = _load_vars(base_path, results, vault_password=vault_password)
 
         # all done, results is a dictionary of variables for this particular host.
         return results