@jerm
Created November 16, 2017 21:57
Make ansible vault files greppable
### Ansible vault grepping
# Cache of vault file paths, written in $VAULTSCANBASE (or the current directory).
# It holds paths only, never decrypted content, but add it to .gitignore anyway.
export VAULTS_LIST_FILE='.vaults.txt'

# Walk the tree and record every file whose first line is a whole-file
# ansible-vault header ($ANSIBLE_VAULT;1.1;AES256 or $ANSIBLE_VAULT;1.2;AES256;<vault-id>).
# YAML files that only contain inline "!vault" values are not whole-file vaults,
# so they are not found here and "ansible-vault view" would reject them anyway.
vaultscan()
{
    [ -n "${VAULTSCANBASE:-}" ] && pushd "$VAULTSCANBASE" >/dev/null
    echo "Scanning `pwd` for ansible-vault files"
    true > "$VAULTS_LIST_FILE"
    # Split find output on newlines only and disable globbing while iterating;
    # both settings are restored afterwards.
    local oldifs="$IFS"
    IFS=$'\n'
    set -f
    for i in $(find . -type f)
    do
        # Single quotes are intentional: grep for the literal header token,
        # not the value of a shell variable.
        if head -1 "$i" | grep -q '^\$ANSIBLE_VAULT;'; then
            echo "Found vault $i"
            echo "$i" >> "$VAULTS_LIST_FILE"
        fi
    done
    set +f
    IFS="$oldifs"
    [ -n "${VAULTSCANBASE:-}" ] && popd >/dev/null
}

# Decrypt one vault to stdout and grep it. The decrypted text only ever lives in
# the pipe and in $OUTPUT; nothing is written to disk. Without a configured
# vault password (for example ANSIBLE_VAULT_PASSWORD_FILE) ansible-vault prompts
# for it once per file.
_vaultgrep(){
    _searchfor="$1"
    _vaultfile="$2"
    OUTPUT=$(ansible-vault view "$_vaultfile" | grep -e "$_searchfor")
    if [ -n "$OUTPUT" ]; then
        echo
        echo "$_vaultfile:$OUTPUT"
    else
        echo -n '.'
    fi
}

# vaultgrep PATTERN [VAULTFILE]
# With one argument, grep every vault listed in $VAULTS_LIST_FILE (running
# vaultscan first if the list does not exist yet); with two, grep only that file.
vaultgrep()
{
    [ -z "$1" ] && echo "# ERROR: Need a search string!" && return 1
    searchfor="$1"
    if [ -z "$2" ]; then
        [ -n "${VAULTSCANBASE:-}" ] && pushd "$VAULTSCANBASE" >/dev/null
        [ -f "$VAULTS_LIST_FILE" ] || vaultscan
        while read -r vaultfile
        do
            _vaultgrep "$searchfor" "$vaultfile"
        done < "$VAULTS_LIST_FILE"
        [ -n "${VAULTSCANBASE:-}" ] && popd >/dev/null
    else
        vaultfile="$2"
        _vaultgrep "$searchfor" "$vaultfile"
    fi
}
@packetfairy

Thank you for this. I was using it for a while, when I discovered that git has a built in method for handling vaulted files, using textconv. Someone smarter than me noted the procedure for git diff here.

Apparently, git grep has a similar ability, but the option to use it is disabled by default... you have to enable it with a runtime option, --textconv. Although you will note there is a corresponding --no-textconv option available, I found no obvious way to override the default (clever, eh?), so I worked around it by using an alias. Here are my config values, for easy reference:

from ~/.gitconfig or /.../.git/config (per-project):

[diff "ansible-vault"]
	textconv = ansible-vault view
	cachetextconv = true
[alias]
	g = grep --textconv
[grep "ansible-vault"]
	textconv = ansible-vault view
	cachetextconv = true

and from ~/.gitattributes or /.../.gitattributes (per-project):

vault.yml diff=ansible-vault grep=ansible-vault

All my vaulted yaml files are stored as /.../vault.yml, so this works just fine for me. You can also define it as *.vault.yml, or *-vault.yml, or whatever convention you use for vaults.

Pro-tip: if you're not currently doing anything to differentiate vaulted files, it's super easy to update things to do that. For example, I had group_vars/all vaulted at that exact path, but I had to make no changes to my playbooks after moving it to group_vars/all/vault.yml like this:

cd group_vars
git mv all vault.yml
mkdir all
git mv vault.yml all

Similar for roles/rolename/defaults/main.yml files:

cd roles/rolename/defaults
git mv main.yml vault.yml
mkdir main
git mv vault.yml main

Done that way, git even just saw all the changes as file renames. <3!

Now I can just use git diff and git g to diff and search my vaulted yaml files.

I hope this helps you (and others) as much as your script helped me for a good while!!
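Both approaches above rest on two assumptions worth checking: the gist's scan only looks at the first line, so a YAML file whose secrets are inline `!vault` values (a header indented under a key rather than on line 1) is never listed, and `ansible-vault view` rejects such a file because it is not vault data as a whole; and the `vault.yml` naming convention from the comment only helps if every file named that way is actually encrypted. The script below is an added example, not code from the gist or from either commenter. It parses the vault header (format version, cipher, and the vault-id label that 1.2 headers carry), tells whole-file vaults apart from inline vaults and from plaintext files that merely follow the naming convention, and exits non-zero when it finds the latter so it can gate a commit or CI job. The naming pattern `VAULT_NAME_RE` and the sample files created by `make_sample_repo` are assumptions made for the example; the hex payloads are made up and are not real ciphertext.

```shell
#!/usr/bin/env bash
# Added example: classify files by how they use Ansible Vault.
# Not part of the gist; the naming convention and sample data are assumptions.

# Files that are *supposed* to be encrypted (assumption: vault.yml,
# *.vault.yml or *-vault.yml, as in the comment above). Adjust to taste.
VAULT_NAME_RE='(^|/|[.-])vault\.ya?ml$'

# vault_header_info FILE
# Prints "VERSION CIPHER [VAULT_ID]" parsed from a whole-file vault header
# such as "$ANSIBLE_VAULT;1.2;AES256;prod"; returns 1 if line 1 is not a header.
# Format 1.1 headers carry no vault-id label, 1.2 headers do.
vault_header_info() {
    local first=''
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) ;;
        *) return 1 ;;
    esac
    local IFS=';'
    set -- $first      # $1=$ANSIBLE_VAULT  $2=version  $3=cipher  $4=vault-id (1.2 only)
    printf '%s %s%s\n' "$2" "$3" "${4:+ $4}"
}

# vault_kind FILE
# Prints one of: vault, inline-vault, plaintext-vault, plaintext.
vault_kind() {
    local f=$1
    if vault_header_info "$f" >/dev/null; then
        echo vault
    elif grep -q '!vault' "$f" && grep -q '\$ANSIBLE_VAULT;' "$f"; then
        # Vaulted values inside otherwise plain YAML: a first-line scan
        # never sees them and "ansible-vault view" refuses the file.
        echo inline-vault
    elif printf '%s\n' "$f" | grep -Eq "$VAULT_NAME_RE"; then
        # Named like a vault but committed in the clear: the case a
        # pre-commit hook should refuse.
        echo plaintext-vault
    else
        echo plaintext
    fi
}

# scan_vaults DIR
# Prints "KIND<TAB>PATH[<TAB>HEADER]" for every vault of either kind and for
# every plaintext file named like a vault; returns 1 if any of the latter exist.
scan_vaults() {
    local dir=$1 f kind list rc=0
    list=$(mktemp)
    find "$dir" -type f > "$list"
    while IFS= read -r f; do
        kind=$(vault_kind "$f")
        case "$kind" in
            vault)           printf '%s\t%s\t%s\n' "$kind" "$f" "$(vault_header_info "$f")" ;;
            inline-vault)    printf '%s\t%s\n' "$kind" "$f" ;;
            plaintext-vault) printf '%s\t%s\n' "$kind" "$f"; rc=1 ;;
        esac
    done < "$list"
    rm -f "$list"
    return $rc
}

# make_sample_repo
# Creates a throwaway tree of constructed sample files and prints its path.
# Payload lines are invented hex, not output of ansible-vault.
make_sample_repo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/group_vars/all" "$d/roles/web/defaults/main" "$d/host_vars"
    # Whole-file vault, format 1.1 (no vault-id label).
    printf '$ANSIBLE_VAULT;1.1;AES256\n3334353637383930\n' > "$d/group_vars/all/vault.yml"
    # Whole-file vault, format 1.2 labelled with the vault-id "prod".
    printf '$ANSIBLE_VAULT;1.2;AES256;prod\n6162636465666768\n' > "$d/roles/web/defaults/main/vault.yml"
    # Plain YAML with one inline vaulted value; line 1 is not a header.
    printf 'db_host: db.example.internal\ndb_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  3031323334353637\n' > "$d/host_vars/db1.yml"
    # Named like a vault but not encrypted.
    printf 'api_token: not-actually-encrypted\n' > "$d/group_vars/all/staging-vault.yml"
    # Ordinary plaintext vars, not named like a vault.
    printf 'ntp_server: pool.ntp.org\n' > "$d/group_vars/all/main.yml"
    printf '%s\n' "$d"
}
```

Source the file and run `scan_vaults .` from the repository root; a `plaintext-vault` line in the output (and exit status 1) means a file that the naming convention, and therefore the git textconv setup above, treats as encrypted is actually in the clear. The `inline-vault` lines are the files neither `vaultgrep` nor `git grep --textconv` can search through, since both rely on `ansible-vault view` of the whole file.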
