vault2vault/README.md

141 lines
5.8 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# vault2vault
Like
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey)
but works recursively on encrypted files and in-line variables
[![CI Status](https://github.com/enpaul/vault2vault/workflows/CI/badge.svg?event=push)](https://github.com/enpaul/vault2vault/actions)
[![PyPI Version](https://img.shields.io/pypi/v/vault2vault)](https://pypi.org/project/vault2vault/)
[![License](https://img.shields.io/pypi/l/vault2vault)](https://opensource.org/licenses/MIT)
[![Python Supported Versions](https://img.shields.io/pypi/pyversions/vault2vault)](https://www.python.org)
[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
⚠️ **This project is alpha software and is under active development** ⚠️
- [What is this?](#what-is-this)
- [Installing](#installing)
- [Using](#using)
- [Developing](#developer-documentation)
## What is this?
If you use [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html)
then you may have encountered the problem of needing to roll your vault password. Maybe
you found it written down on a sticky note, maybe a coworker who knows it left the
company, maybe you accidentally typed it into Slack when you thought the focus was on your
terminal. Whatever, these things happen.
The built-in tool Ansible provides,
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey),
suffers from two main drawbacks: first, it only works on vault encrypted files and not on
vault encrypted YAML data; and second, it only works on a single vault encrypted file at
a time. To rekey everything in a large project you'd need to write a script that
recursively goes through every file and rekeys every encrypted file and YAML variable all
at once.
This is that script.
## Installing
If you're using [Poetry](https://python-poetry.org/) or
[Pipenv](https://pipenv.pypa.io/en/latest/) to manage your Ansible runtime environment,
you can just add `vault2vault` to that same environment:
```
# using poetry
poetry add vault2vault --dev
# using pipenv
pipenv install vault2vault
```
If you're using Ansible from your system package manager, it's probably easier to just
install `vault2vault` using [PipX](https://pypa.github.io/pipx/) and the `ansible` extra:
```
pipx install vault2vault[ansible]
```
**Note: vault2vault requires an Ansible installation to function. If you are installing to a standalone virtual environment (like with PipX) then you must install it with the `ansible` extra to ensure a version of Ansible is available to the application.**
## Using
These docs are pretty sparse, largely because this project is still under active design
and redevelopment. Here are the command line options:
```
> vault2vault --help
usage: vault2vault [-h] [--version] [--interactive] [-v] [-b] [-i VAULT_ID] [--ignore-undecryptable]
[--old-pass-file OLD_PASS_FILE] [--new-pass-file NEW_PASS_FILE]
[paths ...]
Recursively rekey ansible-vault encrypted files and in-line variables
positional arguments:
paths Paths to search for Ansible Vault encrypted content
options:
-h, --help show this help message and exit
--version Show program version and exit
--interactive Step through files and variables interactively, prompting for confirmation before making
each change
-v, --verbose Increase verbosity; can be repeated
-b, --backup Write a backup of every file to be modified, suffixed with '.bak'
-i VAULT_ID, --vault-id VAULT_ID
Limit rekeying to encrypted secrets with the specified Vault ID
--ignore-undecryptable
Ignore any file or variable that is not decryptable with the provided vault secret instead
of raising an error
--old-pass-file OLD_PASS_FILE
Path to a file with the old vault password to decrypt secrets with
--new-pass-file NEW_PASS_FILE
Path to a file with the new vault password to rekey secrets with
```
Please report any bugs or issues you encounter on
[Github](https://github.com/enpaul/vault2vault/issues).
## Developer Documentation
All project contributors and participants are expected to adhere to the
[Contributor Covenant Code of Conduct, v2](CODE_OF_CONDUCT.md) ([external link](https://www.contributor-covenant.org/version/2/0/code_of_conduct/)).
The `devel` branch has the latest (and potentially unstable) changes. The stable releases
are tracked on [Github](https://github.com/enpaul/vault2vault/releases),
[PyPi](https://pypi.org/project/vault2vault/#history), and in the
[Changelog](CHANGELOG.md).
- To report a bug, request a feature, or ask for assistance, please
[open an issue on the Github repository](https://github.com/enpaul/vault2vault/issues/new).
- To report a security concern or code of conduct violation, please contact the project
author directly at **me \[at\] enp dot one**.
- To submit an update, please
[fork the repository](https://docs.github.com/en/enterprise/2.20/user/github/getting-started-with-github/fork-a-repo)
and [open a pull request](https://github.com/enpaul/vault2vault/compare).
Developing this project requires [Python 3.7+](https://www.python.org/downloads/) and
[Poetry 1.0](https://python-poetry.org/docs/#installation) or later. GNU Make can
optionally be used to quickly setup a local development environment, but this is not
required.
To setup a local development environment:
```bash
# Clone the repository...
# ...over HTTPS
git clone https://github.com/enpaul/vault2vault.git
# ...over SSH
git clone git@github.com:enpaul/vault2vault.git
cd vault2vault/
# Create and configure the local development environment...
make dev
# Run tests and CI locally...
make test
# See additional make targets
make help
```