Metadata-Version: 2.1
Name: vault2vault
Version: 0.1.1
Summary: Recursively rekey ansible-vault encrypted files and in-line variables
Home-page: https://github.com/enpaul/vault2vault/
License: MIT
Keywords: ansible,vault,playbook,yaml,password
Author: Ethan Paul
Author-email: 24588726+enpaul@users.noreply.github.com
Requires-Python: >=3.6.1,<4.0.0
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Console
Classifier: Framework :: Ansible
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: Implementation :: CPython
Provides-Extra: ansible
Requires-Dist: ansible-core (>=2.11.5,<3.0.0); extra == "ansible"
Requires-Dist: ruamel.yaml (>=0.17.16,<0.18.0)
Project-URL: Repository, https://github.com/enpaul/vault2vault/
Description-Content-Type: text/markdown

# vault2vault

Like
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey)
but works recursively on encrypted files and in-line variables.

[![CI Status](https://github.com/enpaul/vault2vault/workflows/CI/badge.svg?event=push)](https://github.com/enpaul/vault2vault/actions)
[![PyPI Version](https://img.shields.io/pypi/v/vault2vault)](https://pypi.org/project/vault2vault/)
[![License](https://img.shields.io/pypi/l/vault2vault)](https://opensource.org/licenses/MIT)
[![Python Supported Versions](https://img.shields.io/pypi/pyversions/vault2vault)](https://www.python.org)
[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)

⚠️ **This project is alpha software and is under active development** ⚠️

- [What is this?](#what-is-this)
- [Installing](#installing)
- [Using](#using)
- [Developing](#developer-documentation)

## What is this?

If you use [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html)
then you may have encountered the problem of needing to roll your vault password. Maybe
you found it written down on a sticky note, maybe a coworker who knows it left the
company, maybe you accidentally typed it into Slack when you thought the focus was on your
terminal. Whatever, these things happen.

The built-in tool Ansible provides,
[`ansible-vault rekey`](https://docs.ansible.com/ansible/latest/cli/ansible-vault.html#rekey),
suffers from two main drawbacks:

1. It only works on vault-encrypted files and not on vault-encrypted YAML data.
2. It only works on a single vault-encrypted file at a time.

To rekey everything in a large project you'd need to write a script that goes through
every file and rekeys everything in every format it can find.

This is that script.

## Installing

If you're using [Poetry](https://python-poetry.org/) or
[Pipenv](https://pipenv.pypa.io/en/latest/) to manage your Ansible runtime environment,
you can just add `vault2vault` to that same environment:

```
# using poetry
poetry add vault2vault --dev

# using pipenv
pipenv install vault2vault
```

If you're using Ansible from your system package manager, it's probably easier to just
install `vault2vault` using [PipX](https://pypa.github.io/pipx/) and the `ansible` extra:

```
# quote the extra so shells such as zsh do not treat the brackets as a glob
pipx install 'vault2vault[ansible]'
```

**Note: vault2vault requires an Ansible installation to function. If you are installing to a standalone virtual environment (like with PipX) then you must install it with the `ansible` extra to ensure a version of Ansible is available to the application.**

## Using

These docs are pretty sparse, largely because this project is still under active design
and redevelopment. Here are the command line options:

```
> vault2vault --help
usage: vault2vault [-h] [--version] [--interactive] [-v] [-b] [-i VAULT_ID] [--ignore-undecryptable]
                   [--old-pass-file OLD_PASS_FILE] [--new-pass-file NEW_PASS_FILE]
                   [paths ...]

Recursively rekey ansible-vault encrypted files and in-line variables

positional arguments:
  paths                 Paths to search for Ansible Vault encrypted content

options:
  -h, --help            show this help message and exit
  --version             Show program version and exit
  --interactive         Step through files and variables interactively, prompting for confirmation before making
                        each change
  -v, --verbose         Increase verbosity; can be repeated
  -b, --backup          Write a backup of every file to be modified, suffixed with '.bak'
  -i VAULT_ID, --vault-id VAULT_ID
                        Limit rekeying to encrypted secrets with the specified Vault ID
  --ignore-undecryptable
                        Ignore any file or variable that is not decryptable with the provided vault secret instead
                        of raising an error
  --old-pass-file OLD_PASS_FILE
                        Path to a file with the old vault password to decrypt secrets with
  --new-pass-file NEW_PASS_FILE
                        Path to a file with the new vault password to rekey secrets with
```
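
Before choosing `paths` or a `--vault-id` filter, it helps to know what encrypted content a tree holds. The following is an added example, not vault2vault's own code: it inventories whole-file vault envelopes and in-line `!vault` variables together with the vault ID in each header. The function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Envelope header: $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]; INLINE_TAG matches "key: !vault |"
HEADER = re.compile(r"^\s*\$ANSIBLE_VAULT;(\d\.\d);(\w+)(?:;(\S+))?\s*$")
INLINE_TAG = re.compile(r"^\s*(?:-\s+)?([\w.-]+):\s*!vault\s*\|")


def find_vault_content(root):
    """Return (relative path, kind, variable name, vault id) tuples under root."""
    found = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            lines = path.read_text(encoding="utf-8").splitlines()
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable, so not vault text
        rel = path.relative_to(root).as_posix()
        first = HEADER.match(lines[0]) if lines else None
        if first:  # the whole file is one vault envelope
            found.append((rel, "file", None, first.group(3)))
            continue
        for i, line in enumerate(lines[:-1]):
            tag = INLINE_TAG.match(line)
            head = HEADER.match(lines[i + 1]) if tag else None
            if head:  # header on the line after "key: !vault |"
                found.append((rel, "inline", tag.group(1), head.group(3)))
    return found


def build_sample_tree(root):
    """Write a constructed sample project; the hex payloads are placeholders."""
    root = Path(root)
    (root / "group_vars").mkdir()
    (root / "secrets.yml").write_text("$ANSIBLE_VAULT;1.2;AES256;prod\n3661626364\n")
    inline = "db_user: app\ndb_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  6162636465\n"
    (root / "group_vars" / "all.yml").write_text(inline)
    (root / "site.yml").write_text("- hosts: all\n")
    return root


def scan_sample():
    with tempfile.TemporaryDirectory() as tmp:
        return find_vault_content(build_sample_tree(tmp))


if __name__ == "__main__":
    for entry in scan_sample():
        print(entry)
```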

Please report any bugs or issues you encounter on
[GitHub](https://github.com/enpaul/vault2vault/issues).

## Developer Documentation

All project contributors and participants are expected to adhere to the
[Contributor Covenant Code of Conduct, v2](CODE_OF_CONDUCT.md) ([external link](https://www.contributor-covenant.org/version/2/0/code_of_conduct/)).

The `devel` branch has the latest (and potentially unstable) changes. The stable releases
are tracked on [GitHub](https://github.com/enpaul/vault2vault/releases),
[PyPI](https://pypi.org/project/vault2vault/#history), and in the
[Changelog](CHANGELOG.md).

- To report a bug, request a feature, or ask for assistance, please
  [open an issue on the GitHub repository](https://github.com/enpaul/vault2vault/issues/new).
- To report a security concern or code of conduct violation, please contact the project
  author directly at **‌me \[at‌\] enp dot‎ ‌one**.
- To submit an update, please
  [fork the repository](https://docs.github.com/en/enterprise/2.20/user/github/getting-started-with-github/fork-a-repo)
  and [open a pull request](https://github.com/enpaul/vault2vault/compare).

Developing this project requires [Python 3.7+](https://www.python.org/downloads/) and
[Poetry 1.0](https://python-poetry.org/docs/#installation) or later. GNU Make can
optionally be used to quickly set up a local development environment, but this is not
required.

To set up a local development environment:

```bash
# Clone the repository...
# ...over HTTPS
git clone https://github.com/enpaul/vault2vault.git
# ...over SSH
git clone git@github.com:enpaul/vault2vault.git

cd vault2vault/

# Create and configure the local development environment...
make dev

# Run tests and CI locally...
make test

# See additional make targets
make help
```

