I am using Ansible to handle endpoint differences for different environments. This is done through the use of variables and the ansible-xml extension.
For example, I have a task called "endpoints.yml" set up within a role called "myapp". This task sets a variety of configuration parameters within configuration files, substituting in variables.
/roles/myapp/tasks/endpoints.yml
—> set value in app config file to: {{ db_user }}
—> set value in app config file to: {{ db_password }}
Since my non-prod environments share a single endpoint, the values for these variables are set up in the role's defaults file:
/roles/myapp/defaults/main.yml
—> db_user: myuser_ro
—> db_password: some_password
For the prod environment, I am overwriting the default with a group_variable (since this takes precedence):
/environments/prod/group_vars/myapp_servers
—> db_user: produser_ro
—> db_password: some_other_password
This all works great and allows us to use a single playbook/role for all environments. However, I want to take advantage of ansible-vault to move the password values out of these files and into an encrypted file.
However, there will still be different values for prod and non-prod. I could create a new "vars" file in the role called "pass.yml", encrypt it with ansible-vault, and then reference it from the task with an "include_vars: pass.yml".
But this doesn't explain how I account for needing different (encrypted) variables for different environments.
Any suggestions?
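The layout described in the question, extended with one vault-encrypted file per environment, as an added example (not part of the original post). Paths and variable names follow the post; the `vault_db_password` indirection, the `environments/nonprod` inventory directory and the sample secret values are assumptions.

```yaml
# roles/myapp/defaults/main.yml
# Plain-text defaults stay greppable; the secret itself is only referenced,
# via a second variable that lives in an encrypted file.
db_user: myuser_ro
db_password: "{{ vault_db_password }}"

# environments/nonprod/group_vars/all/vault.yml   (assumed non-prod inventory dir)
# Encrypt once:  ansible-vault encrypt environments/nonprod/group_vars/all/vault.yml
# Ansible decrypts group_vars files automatically when the vault password is
# supplied (--ask-vault-pass or --vault-password-file), so no include_vars is needed.
vault_db_password: some_password          # constructed sample value

# environments/prod/group_vars/myapp_servers/vars.yml
# The single file group_vars/myapp_servers from the post becomes a directory;
# every *.yml inside it is loaded for the group, so the override still wins
# over the role defaults exactly as before.
db_user: produser_ro
db_password: "{{ vault_db_password }}"

# environments/prod/group_vars/myapp_servers/vault.yml
# Encrypt with:  ansible-vault encrypt environments/prod/group_vars/myapp_servers/vault.yml
# Because this file sits in the prod inventory's group_vars, vault_db_password
# resolves to the prod secret only when the prod inventory is used.
vault_db_password: some_other_password    # constructed sample value
```

Running `ansible-playbook -i environments/prod site.yml --ask-vault-pass` picks up the prod secret, while `-i environments/nonprod` picks up the non-prod one, with no change to the role or task.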