
exception from JinjaRule and VariableNamingRule due to vault password #2443

Open

kaysond opened this issue Sep 19, 2022 · 6 comments

kaysond commented Sep 19, 2022

Summary

My ansible repo follows the collections directory structure. I have an ansible.cfg at the root containing a vault_password_file = entry. If I run any ansible-playbook --check <playbook>, it works just fine and decrypts the vault. If I run ansible-lint, however, I get a bunch of warnings.

I tried setting ANSIBLE_VAULT_PASSWORD_FILE as an env var too, but no luck.

Initially posted this as a discussion (#2404) but another user is seeing the same thing, and without a smoking gun as far as configuration goes, I'm guessing this is actually a bug.

Issue Type
  • Bug Report
Ansible and Ansible Lint details
ansible --version
ansible [core 2.13.3]
  config file = /home/aram/git/nublab/ansible.cfg
  configured module search path = ['/home/aram/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/aram/git/nublab/virtualenv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/aram/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/aram/git/nublab/virtualenv/bin/ansible
  python version = 3.10.4 (main, Jun 29 2022, 12:14:53) [GCC 11.2.0]
  jinja version = 3.1.2
  libyaml = True

ansible-lint --version
ansible-lint 6.5.2 using ansible 2.13.3
  • ansible installation method: pip
  • ansible-lint installation method: pip
OS / ENVIRONMENT

Debian 11

STEPS TO REPRODUCE

Create a playbook with a vault. Specify the vault password file via env var or ansible.cfg. Run ansible-lint.

Desired Behavior

Runs as expected

Actual Behavior
WARNING  Ignored exception from JinjaRule.<bound method JinjaRule.matchyaml of jinja: Rule that looks inside jinja2 templates.>: A vault password must be specified to decrypt data
WARNING  Ignored exception from VariableNamingRule.<bound method VariableNamingRule.matchyaml of var-naming: All variables should be named using only lowercase and underscores.>: A vault password must be specified to decrypt data
WARNING  Ignored exception from JinjaRule.<bound method JinjaRule.matchyaml of jinja: Rule that looks inside jinja2 templates.>: A vault password must be specified to decrypt data
WARNING  Ignored exception from VariableNamingRule.<bound method VariableNamingRule.matchyaml of var-naming: All variables should be named using only lowercase and underscores.>: A vault password must be specified to decrypt data

Running verbose doesn't show anything helpful, just that the errors are caused by my vault files.

DEBUG    Examining roles/nas/vars/main/vault.yml of type vars
WARNING  Ignored exception from JinjaRule.<bound method JinjaRule.matchyaml of jinja: Rule that looks inside jinja2 templates.>: A vault password must be specified to decrypt data
WARNING  Ignored exception from VariableNamingRule.<bound method VariableNamingRule.matchyaml of var-naming: All variables should be named using only lowercase and underscores.>: A vault password must be specified to decrypt data
kaysond added the bug and new Triage required labels on Sep 19, 2022

@hemberger (Contributor)

I noticed that the examples using ansible-vault (e.g. https://github.com/ansible/ansible-lint/blob/main/examples/playbooks/contains_secrets.yml) only encrypt individual variables; however, this bug report refers to vault.yml, which makes me wonder if the issue is with encrypted files.

I should note that I see the exact same issue, and I am using vault files as well.

@klaus-tux (Contributor)

I also encountered this behaviour.

I set up my inventory variables following the advice in the playbook best practices at https://docs.ansible.com/ansible/latest/user_guide/playbooks_best_practices.html#keep-vaulted-variables-safely-visible. I have a vars.yaml and a vault.yaml; the variables are defined in the first one and redirect to the latter using a Jinja template, as in the following example.

vars.yaml:
secret_variable: "{{ vault_secret_variable }}"
vault.yaml:
vault_secret_variable: "secret_string"

In order to facilitate the usage of command line tools like ansible-playbook and ansible-vault, I set the environment variable ANSIBLE_VAULT_PASSWORD_FILE (https://docs.ansible.com/ansible/latest/reference_appendices/config.html#envvar-ANSIBLE_VAULT_PASSWORD_FILE).

As I think I'm following a best practice approach here, I'm a bit puzzled that ansible-lint can not handle this setup but issues the warning.

$ ansible --version | grep -v "/"
ansible [core 2.13.4]
  python version = 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True

$ ansible-lint --version
ansible-lint 6.7.0 using ansible 2.13.4
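
The two comments above draw a distinction worth checking for in a tree: inline-encrypted variables (the `!vault` tagged scalars in the examples hemberger points at) versus whole-file vaults such as the vars.yaml/vault.yaml split klaus-tux describes. The following is an added illustration for this thread, not code from ansible-lint or Ansible. It classifies YAML files by vault usage without decrypting anything, and resolves the vault password file with the precedence ansible itself applies (ANSIBLE_VAULT_PASSWORD_FILE first, then vault_password_file under [defaults] in ansible.cfg). The sample tree and ansible.cfg are constructed, the hex bodies are placeholders rather than real ciphertext, and the function names are mine.

```python
"""Classify vault usage in an Ansible tree without decrypting anything, and
resolve the vault password file with ansible's own precedence.

Added illustration for this thread; not ansible-lint's or Ansible's code.
Only the Python standard library is used.
"""
import configparser
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# `ansible-vault encrypt vault.yml` writes this as the very first bytes of the
# file; ansible's own is_encrypted() check is a plain startswith() on it.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# `ansible-vault encrypt_string` output: a tagged block scalar inside valid YAML.
INLINE_VAULT = re.compile(r"!vault\s*\|")


def classify_vault_text(text: str) -> str:
    """Return 'whole-file', 'inline' or 'plain' for one YAML file's content.

    A whole-file vault is ciphertext, not YAML, until it is decrypted, so any
    rule that parses YAML needs the real password for it. An inline !vault
    value leaves the document parseable; only the tagged scalar is opaque.
    """
    if text.startswith(VAULT_HEADER):
        return "whole-file"
    if INLINE_VAULT.search(text):
        return "inline"
    return "plain"


def resolve_vault_password_file(env: Dict[str, str],
                                cfg_text: Optional[str]) -> Optional[str]:
    """ANSIBLE_VAULT_PASSWORD_FILE overrides [defaults] vault_password_file
    in ansible.cfg; returns None when neither is set."""
    value = env.get("ANSIBLE_VAULT_PASSWORD_FILE")
    if value:
        return value
    if cfg_text:
        parser = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
        parser.read_string(cfg_text)
        return parser.get("defaults", "vault_password_file", fallback=None)
    return None


def scan_tree(root: Path) -> Dict[str, str]:
    """Classify every .yml/.yaml file under root, keyed by relative path."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in (".yml", ".yaml"):
            report[path.relative_to(root).as_posix()] = classify_vault_text(
                path.read_text(errors="replace"))
    return report


# Constructed sample tree mirroring the vars/vault split described above.
# The hex bodies are placeholders, not real ciphertext.
SAMPLE_TREE = {
    "group_vars/site-test/vars.yaml": 'secret_variable: "{{ vault_secret_variable }}"\n',
    "group_vars/site-test/vault.yaml": "$ANSIBLE_VAULT;1.1;AES256\n"
                                       "3132333435363738393031323334353637383930\n",
    "host_vars/nas.yml": "db_password: !vault |\n"
                         "          $ANSIBLE_VAULT;1.1;AES256\n"
                         "          3132333435363738393031323334353637383930\n",
}
# Constructed ansible.cfg fragment (hypothetical path).
SAMPLE_CFG = "[defaults]\nvault_password_file = .vault-file  ; constructed\n"


def demo() -> Dict[str, str]:
    """Write the sample tree into a temporary directory and classify it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, content in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind in demo().items():
        print(f"{kind:10} {rel}")
    print("password file:", resolve_vault_password_file({}, SAMPLE_CFG))
```

Run against a checkout, the "whole-file" entries are the files that carry no YAML structure until decrypted, which is the category both comments above associate with the warnings; the "inline" entries stay parseable with the tagged value left opaque.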

ssbarnea added this to the 6.8.0 milestone on Sep 29, 2022
ssbarnea self-assigned this on Sep 29, 2022
ssbarnea removed the new Triage required label on Oct 1, 2022

@sgreiner

Problem still exists in ansible-lint v6.8.7 and the env var ANSIBLE_VAULT_PASSWORD_FILE is still ignored.

$ ansible --version | grep -v "/"
ansible [core 2.13.6]
  python version = 3.10.6 (main, Nov  2 2022, 18:53:38) [GCC 11.3.0]
  jinja version = 3.0.3
  libyaml = True
$ ansible-lint --version 
ansible-lint 6.8.7 using ansible 2.13.6

@mszumilak

This issue still exists in 6.18.0

@ReenigneArcher (Contributor)

Still present in v6.20.0

According to the source, it looks like it should pass a dummy value of x

# ansible-lint doesn't need/want to know about encrypted secrets, so we pass a
# string as the password to enable such yaml files to be opened and parsed
# successfully.
DEFAULT_VAULT_PASSWORD = "x" # noqa: S105

It seems that the issue is occurring when specifying the value in an ansible.cfg file or env variable.

Didn't have any issues using this action: https://github.com/ansible/ansible-lint-action

@EgerUS

EgerUS commented Jan 18, 2024

Still present in v6.22.2

I've specified the vault password file in ansible.cfg using vault_password_file=.vault-file
Ansible commands like ansible-playbook, ansible-vault, etc. work correctly.
When I try to check the encrypted file using ansible-lint, I get the WARNING "A vault password must be specified to decrypt data".

$ ansible-lint group_vars/site-test/vault.yml

WARNING  Ignored exception from JinjaRule.<bound method JinjaRule.matchyaml of jinja: Rule that looks inside jinja2 templates.> while processing group_vars/site-test/vault.yml (vars): A vault password must be specified to decrypt data in file group_vars/site-test/vault.yml
WARNING  Ignored exception from VariableNamingRule.<bound method VariableNamingRule.matchyaml of var-naming: All variables should be named using only lowercase and underscores.> while processing group_vars/site-test/vault.yml (vars): A vault password must be specified to decrypt data in file group_vars/site-test/vault.yml

Is there any solution?

Projects: Status: Roadmap
Development: No branches or pull requests
8 participants