How to diff ansible vault changes?

清歌不尽 2020-12-07 18:08

I'd like to see the actual git commit changes in the ansible vault file.

Is there an easy way to achieve this?

4 answers
  •  小蘑菇 (OP)
    2020-12-07 18:23

    For completeness, it's worth mentioning how to configure the diff for ansible-vaulted files globally. For example, I work with really a lot of ansible repositories over here and almost all of them have some vaulted secrets. So what I want is my configuration to be global and portable from one machine to another.

    In your ~/.gitconfig add these sections:

    [core]
        # The following line defines a global .gitattributes file
        attributesfile = ~/.gitattributes
    
    [diff "ansible-vault"]
        textconv = "ansible-vault view"
    

    For this to work, you need some naming pattern for ansible-vaulted files, which is something good that you should do anyways. In my case, I like to name them with the extension .vault.yml. So my ~/.gitattributes file looks like this:

    *.vault.yml diff=ansible-vault merge=binary
    

    Finally, to avoid typing the password all the time, make sure you have a file in a convenient place in each repository (normally something like .vault, placed at the root). This file must contain the password in plain text (properly .gitignored, of course) or an executable script that produces such a password.

    Having that in place, go ahead and tell ansible to use the .vault file, by adding the following line to the global or local ansible.cfg:

    vault_password_file = .vault
    

    Done. Now running git diff will produce the readable diff that you would expect from non-vaulted files :)
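
Added example, not part of the answer above: a shell function that audits a repository for the setup the answer describes, using only git. It checks that `.vault` is covered by an ignore rule, that it was not added to the index before the rule existed, and that vaulted files resolve to the `ansible-vault` diff driver. The function name `check_vault_setup` and the sample path `group_vars/all.vault.yml` are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the answer's conventions: password file ./.vault,
# vaulted files named *.vault.yml, diff driver called "ansible-vault".
# Usage (after sourcing): check_vault_setup <repo-dir> [path-of-a-vaulted-file]
# Returns the number of problems found (0 = setup is consistent).
check_vault_setup() {
    repo=$1
    sample=${2:-group_vars/all.vault.yml}   # hypothetical path, need not exist
    problems=0

    # 1. The plain-text password file must match an ignore rule.
    #    --no-index evaluates the rules even if the file is already tracked.
    if ! git -C "$repo" check-ignore -q --no-index .vault; then
        echo "FAIL: .vault is not matched by any ignore rule"
        problems=$((problems + 1))
    fi

    # 2. An ignore rule does not untrack a file that was added earlier.
    if git -C "$repo" ls-files --error-unmatch .vault >/dev/null 2>&1; then
        echo "FAIL: .vault is tracked; untrack it with 'git rm --cached .vault'"
        problems=$((problems + 1))
    fi

    # 3. Vaulted files must resolve to diff=ansible-vault and merge=binary,
    #    whether the rule comes from core.attributesfile or the repository.
    attrs=$(git -C "$repo" check-attr diff merge -- "$sample")
    case $attrs in
        *"diff: ansible-vault"*) ;;
        *) echo "FAIL: $sample does not use diff=ansible-vault"
           problems=$((problems + 1)) ;;
    esac
    case $attrs in
        *"merge: binary"*) ;;
        *) echo "FAIL: $sample does not use merge=binary"
           problems=$((problems + 1)) ;;
    esac

    # 4. The driver named in the attributes must define a textconv command.
    if [ -z "$(git -C "$repo" config --get diff.ansible-vault.textconv)" ]; then
        echo "FAIL: diff.ansible-vault.textconv is not configured"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: vault diff setup is consistent"
    return "$problems"
}
```

The second check matters because a `.vault` file committed before the ignore rule was written stays in the index and in history even though `git status` no longer lists it as untracked.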
