Normally, when you diff an Ansible vault, all you see is gibberish.
$ git diff -- group_vars/all/vault.yml
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 245ccf4..90bf9ee 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,111 +1,111 @@
$ANSIBLE_VAULT;1.1;AES256
-34623631363535616466343837666562333766373666313637623534636632363736366631333739
...
With Git, there's an easy way to associate a textconv with files, so you can run the vaults through ansible-vault view prior to diffing.
Set up your textconv for vault files in either ~/.gitconfig (globally) or ./.git/config (per-project).
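[diff "ansible-vault"]
	# decrypt vault files before diffing
	textconv = ansible-vault view
	# keep the converted output as Git notes under refs/notes/textconv/ansible-vault
	cachetextconv = true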
Then, either in ~/.config/git/attributes (globally) or in ./.gitattributes (per-project), configure your vault files to use the ansible-vault type.
# or *.vault.yml, or *-vault.yml, or whatever convention you use for vaults
vault.yml diff=ansible-vault
Now, git diff has a lot less gibberish.
$ git diff -- group_vars/all/vault.yml
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 245ccf4..0b107ef 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,5 +1,6 @@
# -*- yaml -*-
---
+new_secret: foobar
old_secret: bubblegum
moar_secrets: my voice is my passport
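
An added example (not from the original post) showing a side effect of the cachetextconv = true setting above: Git keeps each converted blob as a note under refs/notes/textconv/<driver>, so decrypted vault text ends up stored inside .git. A ROT13 script stands in for ansible-vault view, and the function names and sample data are constructed for the demo.

```shell
#!/bin/sh
# Added example. Constructed stand-in: ROT13 plays the role of vault encryption
# and a tiny script plays `ansible-vault view`, so this runs without Ansible.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
NOTES_REF=refs/notes/textconv/ansible-vault   # refs/notes/textconv/<driver name>

# build_repo true|false: throwaway repo with two vault commits, diffed once.
# Prints the repo path on stdout.
build_repo() {
    repo=$(mktemp -d) || return 1
    git init -q "$repo" || return 1
    printf 'tr A-Za-z N-ZA-Mn-za-m < "$1"\n' > "$repo/.git/fake-view"
    git -C "$repo" config diff.ansible-vault.textconv "sh '$repo/.git/fake-view'"
    git -C "$repo" config diff.ansible-vault.cachetextconv "$1"
    echo 'vault.yml diff=ansible-vault' > "$repo/.gitattributes"
    echo 'byq_frperg: ohooyrthz' > "$repo/vault.yml"    # old_secret: bubblegum
    git -C "$repo" add -A && git -C "$repo" commit -qm one
    echo 'arj_frperg: sbbone' >> "$repo/vault.yml"      # new_secret: foobar
    git -C "$repo" commit -qam two
    git -C "$repo" diff HEAD~1 HEAD -- vault.yml > /dev/null
    echo "$repo"
}

# cached_plaintext REPO: print the cached converted text of HEAD:vault.yml.
# Fails (non-zero) when nothing is cached for that blob.
cached_plaintext() {
    blob=$(git -C "$1" rev-parse HEAD:vault.yml) || return 1
    git -C "$1" notes --ref="$NOTES_REF" show "$blob" 2>/dev/null
}

# purge_cache REPO: drop the cache ref, then prune the now-unreachable objects.
purge_cache() {
    git -C "$1" update-ref -d "$NOTES_REF" && git -C "$1" gc --quiet --prune=now
}

# Demo: the same diff with and without the cache.
for cache in true false; do
    r=$(build_repo "$cache")
    echo "cachetextconv=$cache:"; cached_plaintext "$r" || echo "  (nothing cached)"
    rm -rf "$r"
done
```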