Vault secrets default vault ids list (#28190)

* Add config option for a default list of vault-ids

This is the vault-id equilivent of ANSIBLE_DEFAULT_PASSWORD_FILE
except ANSIBLE_DEFAULT_VAULT_IDENTITY_LIST is a list.

lib/ansible/cli/__init__.py

@@ -214,6 +214,9 @@ class CLI(with_metaclass(ABCMeta, object)):
         # certain vault password prompt format, so 'promp_ask_vault_pass' vault_id gets the old format.
         prompt_formats = {}
 
+        # If there are configured default vault identities, they are considered 'first'
+        # so we prepend them to vault_ids (from cli) here
+
         vault_password_files = vault_password_files or []
         if C.DEFAULT_VAULT_PASSWORD_FILE:
             vault_password_files.append(C.DEFAULT_VAULT_PASSWORD_FILE)

lib/ansible/cli/console.py

@@ -415,8 +415,11 @@ class ConsoleCLI(CLI, cmd.Cmd):
 
         self.loader, self.inventory, self.variable_manager = self._play_prereqs(self.options)
 
+        default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
+        vault_ids = self.options.vault_ids
+        vault_ids = default_vault_ids + vault_ids
         vault_secrets = self.setup_vault_secrets(self.loader,
-                                                 vault_id=self.options.vault_ids,
+                                                 vault_ids=vault_ids,
                                                  vault_password_files=self.options.vault_password_files,
                                                  ask_vault_pass=self.options.ask_vault_pass)
         self.loader.set_vault_secrets(vault_secrets)

lib/ansible/cli/vault.py

@@ -23,6 +23,7 @@ import os
 import sys
 
 from ansible.cli import CLI
+from ansible import constants as C
 from ansible.errors import AnsibleOptionsError
 from ansible.module_utils._text import to_text, to_bytes
 from ansible.parsing.dataloader import DataLoader
@@ -156,6 +157,9 @@ class VaultCLI(CLI):
         # ask for a new password and confirm it, and 'read/write (rekey) that asks for the
         # old password, then asks for a new one and confirms it.
 
+        default_vault_ids = C.DEFAULT_VAULT_IDENTITY_LIST
+        vault_ids = default_vault_ids + vault_ids
+
         # TODO: instead of prompting for these before, we could let VaultEditor
         #       call a callback when it needs it.
         if self.action in ['decrypt', 'view', 'rekey']:
@@ -163,7 +167,6 @@ class VaultCLI(CLI):
                                                      vault_ids=vault_ids,
                                                      vault_password_files=self.options.vault_password_files,
                                                      ask_vault_pass=self.options.ask_vault_pass)
-
             if not vault_secrets:
                 raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
 
@@ -178,7 +181,6 @@ class VaultCLI(CLI):
                                          vault_password_files=self.options.vault_password_files,
                                          ask_vault_pass=self.options.ask_vault_pass,
                                          create_new_password=True)
-
             if not vault_secrets:
                 raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")
 

lib/ansible/config/data/config.yml

@@ -1088,6 +1088,15 @@ DEFAULT_VAULT_IDENTITY:
   - {key: vault_identity, section: defaults}
   vars: []
   yaml: {key: defaults.vault_identity}
+DEFAULT_VAULT_IDENTITY_LIST:
+  default: []
+  desc: 'A list of vault-ids to use by default. Equivalent to multiple --vault-id args. Vault-ids are tried in order.'
+  env: [{name: ANSIBLE_VAULT_IDENTITY_LIST}]
+  ini:
+  - {key: vault_identity_list, section: defaults}
+  value_type: list
+  vars: []
+  yaml: {key: defaults.vault_identity_list}
 DEFAULT_VAULT_PASSWORD_FILE:
   default:
   desc: 'TODO: write it'