Exemplo n.º 1
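def load_yaml(yaml_file, vault_secret=None):
    """
    Load a YAML file into a python dictionary.

    The file is first rendered as a template with ``env_var`` bound to
    ``os.environ``. If the rendered text is a fully Ansible-Vault encrypted
    file it is decrypted with the secret loaded from ``vault_secret``; in
    both cases the resulting text is parsed with ``yaml.Loader``.

    NOTE(review): inline Ansible-Vault values are no longer parsed by
    AnsibleLoader here, so whether they are decrypted depends on
    constructors registered elsewhere -- confirm before relying on it.

    Args:
        yaml_file: Path of the YAML file to load.
        vault_secret: Optional value passed as ``filename`` to
            ``get_file_vault_secret``; when falsy no vault secret is set.

    Returns:
        The parsed YAML data, or ``None`` when ``yaml_file`` is not a file.

    Raises:
        Exception: Wraps any ``yaml.YAMLError`` raised while parsing.
    """
    vault = VaultLib()

    if vault_secret:
        secret_file = get_file_vault_secret(filename=vault_secret, loader=DataLoader())
        secret_file.load()
        vault.secrets = [('default', secret_file)]

    # YAML ENV VAR
    # name: !ENV env_var('FOO')/bar
    # These registrations change PyYAML's loader classes for the whole
    # process, and they are repeated on every call.
    yaml.add_implicit_resolver("!ENV", ENV_VAR_PATTERN)
    yaml.add_constructor('!ENV', env_var_constructor)

    data = None
    if os.path.isfile(yaml_file):
        with open(yaml_file, 'r') as stream:
            contents = stream.read()

        # Render environment variables using jinja templates.
        # NOTE(review): the file content is itself the template and the whole
        # of os.environ is exposed to it (Template is presumably jinja2's
        # non-sandboxed class -- confirm). Only load files from a trusted
        # source.
        rendered = StringIO(Template(contents).render(env_var=os.environ))
        try:
            if is_encrypted_file(rendered):
                file_data = vault.decrypt(rendered.read(), None)
            else:
                file_data = rendered.read()

            # Both branches now share one parse call with an explicit Loader.
            # The encrypted branch used to call yaml.load() without one, which
            # PyYAML 6 rejects with a TypeError.
            # NOTE(review): yaml.Loader can construct arbitrary Python objects
            # from tagged input. It is kept because the '!ENV' constructor
            # above is not registered on SafeLoader; moving both to
            # yaml.SafeLoader would be the safer configuration.
            data = yaml.load(file_data, Loader=yaml.Loader)
        except yaml.YAMLError as exc:
            raise Exception(f'Error when loading YAML config at {yaml_file} {exc}') from exc
    else:
        LOGGER.debug('No file at %s', yaml_file)

    return data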
Exemplo n.º 2
def vault_encrypt(plaintext, secret):
    """
    Encrypt ``plaintext`` with Ansible Vault and return the result.

    ``secret`` is handed to ``get_file_vault_secret`` as ``filename`` and the
    loaded secret is registered under the ``'default'`` vault id.

    If any step raises ``AnsibleError`` the error is logged at CRITICAL level
    and the process exits with status 1, so callers never see that exception.
    """
    try:
        encryptor = VaultLib()
        key_source = get_file_vault_secret(filename=secret, loader=DataLoader())
        key_source.load()
        encryptor.secrets = [('default', key_source)]
        ciphertext = encryptor.encrypt(plaintext)
    except AnsibleError as err:
        LOGGER.critical('Cannot encrypt string: %s', err)
        sys.exit(1)
    return ciphertext
Exemplo n.º 3
def vault_encrypt(plaintext, secret):
    '''
    Return ``plaintext`` encrypted with Ansible Vault.

    The vault secret is obtained by passing ``secret`` as ``filename`` to
    ``get_file_vault_secret`` and is stored under the ``'default'`` vault id.

    An ``AnsibleError`` from any step is logged as critical and then
    terminates the process via ``sys.exit(1)``.
    '''
    try:
        vault_lib = VaultLib()
        loaded_secret = get_file_vault_secret(filename=secret, loader=DataLoader())
        loaded_secret.load()
        vault_lib.secrets = [('default', loaded_secret)]
        encrypted = vault_lib.encrypt(plaintext)
    except AnsibleError as e:
        logger.critical(f"Cannot encrypt string: {e}")
        sys.exit(1)
    return encrypted
Exemplo n.º 4
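def load_yaml(yaml_file, vault_secret=None):
    """
    Load a YAML file into a python dictionary.

    The YAML file can be fully encrypted by Ansible-Vault or can contain
    multiple inline Ansible-Vault encrypted values. Ansible Vault
    encryption is ideal to store passwords or encrypt the entire file
    with sensitive data if required.

    The file is rendered as a template (``env_var`` bound to ``os.environ``)
    before it is inspected. A fully encrypted file is decrypted and parsed
    with ``yaml.SafeLoader``; any other file is parsed with ``AnsibleLoader``,
    which is given the vault secrets.

    Args:
        yaml_file: Path of the YAML file to load.
        vault_secret: Optional value passed as ``filename`` to
            ``get_file_vault_secret``; when falsy no vault secret is set.

    Returns:
        The parsed data (an ``AnsibleMapping`` is converted to ``dict``), or
        ``None`` when ``yaml_file`` is not a file.

    Raises:
        Exception: Wraps any error raised while parsing the YAML.
    """
    vault = VaultLib()

    if vault_secret:
        secret_file = get_file_vault_secret(filename=vault_secret,
                                            loader=DataLoader())
        secret_file.load()
        vault.secrets = [('default', secret_file)]

    data = None
    if os.path.isfile(yaml_file):
        with open(yaml_file, 'r', encoding='utf-8') as stream:
            contents = stream.read()

        # Render environment variables using jinja templates.
        # NOTE(review): the file content is itself the template and the whole
        # of os.environ is exposed to it (Template is presumably jinja2's
        # non-sandboxed class -- confirm). Only load files from a trusted
        # source.
        rendered = StringIO(Template(contents).render(env_var=os.environ))
        try:
            if is_encrypted_file(rendered):
                file_data = rendered.read()
                # yaml.load() without a Loader raises TypeError on PyYAML 6.
                # SafeLoader is named explicitly so the decrypted text can
                # only produce plain YAML types, never arbitrary objects.
                data = yaml.load(vault.decrypt(file_data, None),
                                 Loader=yaml.SafeLoader)
            else:
                loader = AnsibleLoader(rendered, None, vault.secrets)
                try:
                    data = loader.get_single_data()
                except Exception as exc:
                    raise Exception(
                        f'Error when loading YAML config at {yaml_file} {exc}'
                    ) from exc
                finally:
                    # Always release the loader, including on parse failure.
                    loader.dispose()
        except yaml.YAMLError as exc:
            raise Exception(
                f'Error when loading YAML config at {yaml_file} {exc}'
            ) from exc
    else:
        LOGGER.debug('No file at %s', yaml_file)

    # Hand callers a plain dict rather than the Ansible mapping type.
    if isinstance(data, AnsibleMapping):
        data = dict(data)

    return data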
Exemplo n.º 5
def vault_encrypt(plaintext, secret):
    """
    Vault-encrypt ``plaintext`` and return the encrypted value.

    ``secret`` is passed as ``filename`` to ``get_file_vault_secret``; the
    loaded secret becomes the ``"default"`` entry of the vault's secrets.

    On ``AnsibleError`` the failure is logged as critical and the process
    exits with status 1 instead of raising to the caller.
    """
    try:
        vault_lib = VaultLib()
        file_secret = get_file_vault_secret(
            filename=secret,
            loader=DataLoader(),
        )
        file_secret.load()
        vault_lib.secrets = [("default", file_secret)]
        result = vault_lib.encrypt(plaintext)
    except AnsibleError as e:
        logger.critical("Cannot encrypt string: {}".format(e))
        sys.exit(1)
    return result
Exemplo n.º 6
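def load_yaml(yaml_file, vault_secret=None):
    '''
    Load a YAML file into a python dictionary.

    The YAML file can be fully encrypted by Ansible-Vault or can contain
    multiple inline Ansible-Vault encrypted values. Ansible Vault
    encryption is ideal to store passwords or encrypt the entire file
    with sensitive data if required.

    A fully encrypted file is decrypted and parsed with ``yaml.SafeLoader``;
    any other file is parsed with ``AnsibleLoader``, which is given the vault
    secrets.

    Args:
        yaml_file: Path of the YAML file to load.
        vault_secret: Optional value passed as ``filename`` to
            ``get_file_vault_secret``; when falsy no vault secret is set.

    Returns:
        The parsed data, or ``None`` when ``yaml_file`` is not a file.

    Raises:
        Exception: Wraps any error raised while parsing the YAML.
    '''
    vault = VaultLib()

    if vault_secret:
        secret_file = get_file_vault_secret(filename=vault_secret,
                                            loader=DataLoader())
        secret_file.load()
        vault.secrets = [('default', secret_file)]

    data = None
    if os.path.isfile(yaml_file):
        with open(yaml_file, 'r') as stream:
            try:
                if is_encrypted_file(stream):
                    file_data = stream.read()
                    # yaml.load() without a Loader raises TypeError on
                    # PyYAML 6. SafeLoader is named explicitly so the
                    # decrypted text can only produce plain YAML types.
                    data = yaml.load(vault.decrypt(file_data, None),
                                     Loader=yaml.SafeLoader)
                else:
                    loader = AnsibleLoader(stream, None, vault.secrets)
                    try:
                        data = loader.get_single_data()
                    except Exception as exc:
                        # Chain explicitly so the original error is recorded
                        # as the cause of the wrapper.
                        raise Exception(
                            "Error when loading YAML config at {} {}".format(
                                yaml_file, exc)) from exc
                    finally:
                        # Always release the loader, including on failure.
                        loader.dispose()
            except yaml.YAMLError as exc:
                raise Exception(
                    "Error when loading YAML config at {} {}".format(
                        yaml_file, exc)) from exc
    else:
        logger.debug("No file at {}".format(yaml_file))

    return data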