How to diff ansible vault changes?

Question

I\'d like to see the actual git commit changes in the ansible vault file.

Is there an easy way how to achieve this?

Answer 1

So after some digging I constructed the non-trivial solution.

First of all store your vault password into the (.gitignored) .vault_password file.

In the following example a HEAD and HEAD~2 versions of the file inventory/group_vars/xyz/vault.yml are vimdiff-ed:

vimdiff \
  <(ansible-vault view --vault-password-file=.vault_password \
    <(git show HEAD:inventory/group_vars/xyz/vault.yml)) \
  <(ansible-vault view --vault-password-file=.vault_password \
    <(git show HEAD~2:inventory/group_vars/xyz/vault.yml))