gthieleb/convert-and-test.sh

## convert-and-test.sh
#!/bin/bash

#Vault password is 1
echo "Converting vault to yaml format:"
ansible-vault decrypt --output - vault | python ./convert_vault.py > new-vault.yml

echo "Decrypting a variable from the converted vault"
ansible localhost -i localhost, -e @new-vault.yml -m debug -a 'var=secret' --ask-vault-pas

## convert_vault.py
import sys
import re
import yaml
import argparse
from ansible.parsing.vault import VaultLib
from ansible.cli import CLI
from ansible import constants as C
from ansible.parsing.dataloader import DataLoader
from ansible.parsing.yaml.dumper import AnsibleDumper
from ansible.parsing.yaml.loader import AnsibleLoader
from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode

"""
This script reads a yaml file and dumps it back while encrypting
the values but keeping the keys plaintext. To convert an ansible
vault file format into yaml you can do:
    ansible-vault decrypt --output - vault | \
        python ./convert_vault.py > new-vault
"""

def encrypt_string(decrypted_secret, vault_id=None):
    """
    Encrypts string
    """
    loader = DataLoader()
    vault_secret = CLI.setup_vault_secrets(
        loader=loader,
        vault_ids=C.DEFAULT_VAULT_IDENTITY_LIST
    )
    vault = VaultLib(vault_secret)
    return AnsibleVaultEncryptedUnicode(
            vault.encrypt(decrypted_secret,
                          vault_id=vault_id))


def encrypt_dict(d, vault_id=None, pattern=None):
    for key in d:
        value = d[key]
        if isinstance(value, str):
            if not re.search(pattern, key):
                continue
            d[key] = encrypt_string(value, vault_id)
        elif isinstance(value, list):
            for item in value:
                encrypt_dict(item, vault_id=vault_id, pattern=pattern)
        elif isinstance(value, dict):
            encrypt_dict(value, vault_id=vault_id, pattern=pattern)


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('--input-file',
                        help='File to read from',
                        default='-')
    parser.add_argument('--vault-id',
                        help='Vault id used for the encryption')
    parser.add_argument('--pattern',
                        default=r'password',
                        help='Pattern of key that should be encrypted')

    args = parser.parse_args()
    in_file = sys.stdin if args.input_file == '-' else open(args.input_file)
    data = yaml.load(in_file, Loader=AnsibleLoader)

    encrypt_dict(data, vault_id=args.vault_id, pattern=args.pattern)

    print(yaml.dump(data, Dumper=AnsibleDumper))


if __name__ == "__main__":
    main()

## vault
$ANSIBLE_VAULT;1.1;AES256
32656465316437646133376138393234386439303536343631343763396661386339366431346263
3036313832303437623834633363396333343338643930640a343266336434383434646530386664
61623665363935373738366634613363626132613861666432396630396436306534303265303430
3637306164666265380a386431363364636666626263653864613866323235366638386261353433
30643765623033353435313230663933353931616530663735303437393138663738
	#!/bin/bash

	#Vault password is 1
	echo "Converting vault to yaml format:"
	ansible-vault decrypt --output - vault \| python ./convert_vault.py > new-vault.yml

	echo "Decrypting a variable from the converted vault"
	ansible localhost -i localhost, -e @new-vault.yml -m debug -a 'var=secret' --ask-vault-pas
	import sys
	import re
	import yaml
	import argparse
	from ansible.parsing.vault import VaultLib
	from ansible.cli import CLI
	from ansible import constants as C
	from ansible.parsing.dataloader import DataLoader
	from ansible.parsing.yaml.dumper import AnsibleDumper
	from ansible.parsing.yaml.loader import AnsibleLoader
	from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode

	"""
	This script reads a yaml file and dumps it back while encrypting
	the values but keeping the keys plaintext. To convert an ansible
	vault file format into yaml you can do:
	ansible-vault decrypt --output - vault \| \
	python ./convert_vault.py > new-vault
	"""

	def encrypt_string(decrypted_secret, vault_id=None):
	"""
	Encrypts string
	"""
	loader = DataLoader()
	vault_secret = CLI.setup_vault_secrets(
	loader=loader,
	vault_ids=C.DEFAULT_VAULT_IDENTITY_LIST
	)
	vault = VaultLib(vault_secret)
	return AnsibleVaultEncryptedUnicode(
	vault.encrypt(decrypted_secret,
	vault_id=vault_id))


	def encrypt_dict(d, vault_id=None, pattern=None):
	for key in d:
	value = d[key]
	if isinstance(value, str):
	if not re.search(pattern, key):
	continue
	d[key] = encrypt_string(value, vault_id)
	elif isinstance(value, list):
	for item in value:
	encrypt_dict(item, vault_id=vault_id, pattern=pattern)
	elif isinstance(value, dict):
	encrypt_dict(value, vault_id=vault_id, pattern=pattern)


	def main():
	parser = argparse.ArgumentParser()
	parser.add_argument('--input-file',
	help='File to read from',
	default='-')
	parser.add_argument('--vault-id',
	help='Vault id used for the encryption')
	parser.add_argument('--pattern',
	default=r'password',
	help='Pattern of key that should be encrypted')

	args = parser.parse_args()
	in_file = sys.stdin if args.input_file == '-' else open(args.input_file)
	data = yaml.load(in_file, Loader=AnsibleLoader)

	encrypt_dict(data, vault_id=args.vault_id, pattern=args.pattern)

	print(yaml.dump(data, Dumper=AnsibleDumper))


	if __name__ == "__main__":
	main()
	$ANSIBLE_VAULT;1.1;AES256
	32656465316437646133376138393234386439303536343631343763396661386339366431346263
	3036313832303437623834633363396333343338643930640a343266336434383434646530386664
	61623665363935373738366634613363626132613861666432396630396436306534303265303430
	3637306164666265380a386431363364636666626263653864613866323235366638386261353433
	30643765623033353435313230663933353931616530663735303437393138663738