ansible/issues/001_fix_vault_security_issue.md
Tuan-Dat Tran 5a8c7f0248 feat(proxmox): add hosts config
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2026-02-28 11:30:58 +01:00


# Issue: Fix Vault Security Risk in Proxmox Role

- Status: Open
- Priority: High
- Component: proxmox/15_create_secret.yaml
- Assignee: Junior Dev

## Description

The current vault handling in roles/proxmox/tasks/15_create_secret.yaml shells out to `ansible-vault` to decrypt and then re-encrypt the vault file in place. Between those two tasks the secrets sit as plaintext on disk, and they stay there if the play aborts in between, which is a security risk.

## Current Problematic Code

```yaml
# Decrypts the vault file in place: the plaintext lands on disk here
- name: Decrypt vm vault file
  ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
  no_log: true

# ... and is only re-encrypted if the play reaches this task
- name: Encrypt vm vault file
  ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
  no_log: true
```

## Required Changes

### Step 1: Replace shell commands with Ansible vault module

Replace the shell-based decryption/encryption with ansible.builtin.ansible_vault module.

### Step 2: Remove temporary plaintext file operations

Eliminate the need for temporary plaintext files by using in-memory operations.

### Step 3: Add proper error handling

Include error handling for vault operations (missing files, decryption failures).

## Implementation Steps

1. Read the current vault file securely:

   ```yaml
   # include_vars decrypts a vault-encrypted file in memory, provided the
   # vault password is given to ansible-playbook (--vault-id / --vault-password-file)
   - name: Load vault content securely
     ansible.builtin.include_vars:
       file: "{{ proxmox_vault_file }}"
       name: vault_data
     no_log: true
   ```

2. Use ansible_vault module for operations:

   ```yaml
   # vm_name_secret, cipassword and variable_exists are set by earlier tasks
   - name: Update vault data securely
     ansible.builtin.set_fact:
       new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
     when: not variable_exists
     no_log: true
   ```

3. Write encrypted vault directly:

   ```yaml
   # The ansible.builtin.vault filter encrypts a string, so serialise the dict
   # first; vault_password is assumed to hold the vault secret (never a literal)
   - name: Write encrypted vault
     ansible.builtin.copy:
       content: "{{ new_vault_data | to_nice_yaml | ansible.builtin.vault(secret=vault_password) }}"
       dest: "{{ proxmox_vault_file }}"
       mode: "0600"
     when: not variable_exists
     no_log: true
   ```
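The three steps above combined into one task file, with the error handling Step 3 asks for (missing vault file, failed decrypt or write). This is an added example, not the repository's current 15_create_secret.yaml. It assumes `proxmox_vault_file` is a path relative to the playbook directory, `vault_password` holds the vault secret (for example from a lookup of the same password file passed to ansible-playbook), and `vm_name_secret` and `cipassword` are set by earlier tasks in the role.

```yaml
# roles/proxmox/tasks/15_create_secret.yaml (proposed rewrite, added example)
- name: Add VM secret to vault without writing plaintext to disk
  block:
    - name: Check that the vault file exists
      ansible.builtin.stat:
        path: "{{ proxmox_vault_file }}"
      register: vault_stat

    - name: Fail early when the vault file is missing
      ansible.builtin.fail:
        msg: "Vault file {{ proxmox_vault_file }} not found; refusing to continue."
      when: not vault_stat.stat.exists

    # include_vars decrypts in memory; a wrong or missing vault password
    # fails this task and drops into the rescue block below
    - name: Load vault content securely
      ansible.builtin.include_vars:
        file: "{{ proxmox_vault_file }}"
        name: vault_data
      no_log: true

    - name: Decide whether the secret already exists
      ansible.builtin.set_fact:
        variable_exists: "{{ vm_name_secret in vault_data }}"
      no_log: true

    - name: Merge the new secret into the loaded data
      ansible.builtin.set_fact:
        new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
      when: not variable_exists
      no_log: true

    # The vault filter produces the same $ANSIBLE_VAULT;1.1;AES256 envelope
    # as `ansible-vault encrypt`, so include_vars can read the file next run
    - name: Write the vault back, encrypting in memory
      ansible.builtin.copy:
        content: "{{ new_vault_data | to_nice_yaml | ansible.builtin.vault(secret=vault_password) }}"
        dest: "{{ proxmox_vault_file }}"
        mode: "0600"
      when: not variable_exists
      no_log: true

  rescue:
    # Report the failure without echoing vault contents
    - name: Abort on vault error
      ansible.builtin.fail:
        msg: "Vault update for {{ proxmox_vault_file }} failed: {{ ansible_failed_result.msg | default('unknown error') }}"
```

Two caveats to check during review: the `vault` filter uses a random salt, so the file's ciphertext changes on every write (the `when: not variable_exists` guard keeps the task from rewriting an unchanged vault), and `include_vars` only decrypts when ansible-playbook was started with the vault password, so the role still depends on `--vault-id` or `--vault-password-file` being supplied.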

## Testing Requirements

- Test with existing vault files
- Verify no plaintext files are created during operation
- Confirm vault can be decrypted properly after updates
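A small offline check for the second and third requirements, added here as an example and not part of the repository: it confirms the file on disk is still an ansible-vault envelope (header `$ANSIBLE_VAULT;1.1;AES256` or the 1.2 variant with a vault id, followed by hex-only payload lines) and lists any files that appeared in the playbook tree during a run or that contain the secret unencrypted. The directory layout, file names and secret value below are constructed for the demo; point `snapshot`/`plaintext_leaks` at the real playbook directory to use it.

```python
"""Post-run vault checks (added example, not repository code)."""
import string
import tempfile
from pathlib import Path

VAULT_MAGIC = "$ANSIBLE_VAULT;"


def is_vault_encrypted(text: str) -> bool:
    """True if text is an ansible-vault envelope: a header such as
    '$ANSIBLE_VAULT;1.1;AES256' followed by hex-only payload lines."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith(VAULT_MAGIC):
        return False
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[1] not in ("1.1", "1.2") or fields[2] != "AES256":
        return False
    body = "".join(lines[1:])
    return bool(body) and all(c in string.hexdigits for c in body)


def snapshot(root: Path) -> set:
    """Relative POSIX paths of every regular file under root."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def leftover_files(before: set, after: set) -> set:
    """Files present after the run that were not there before."""
    return after - before


def plaintext_leaks(root: Path, marker: str) -> list:
    """Files under root that contain the secret marker outside a vault envelope."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # binary file, cannot contain the plaintext marker as text
        if marker in text and not is_vault_encrypted(text):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Simulate a run in a temp dir with constructed content and return the checks.
    The 'vault' file is a fake envelope (header plus dummy hex), and a stray
    plaintext copy is planted to show what the old shell-based code would leave."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        vault = root / "playbooks" / "vault.yaml"
        vault.parent.mkdir()
        vault.write_text("$ANSIBLE_VAULT;1.1;AES256\n" + "ab" * 40 + "\n")
        before = snapshot(root)
        # constructed leak: plaintext left behind between decrypt and encrypt
        (root / "playbooks" / "vault.yaml.plain").write_text("vm1_secret: cipassword-value\n")
        after = snapshot(root)
        return {
            "vault_ok": is_vault_encrypted(vault.read_text()),
            "leftovers": sorted(leftover_files(before, after)),
            "leaks": plaintext_leaks(root, "cipassword-value"),
        }


if __name__ == "__main__":
    print(demo())
```

`is_vault_encrypted` only checks the envelope shape; confirming the file actually decrypts (the third requirement) still needs `ansible-vault view` with the real password.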

## Acceptance Criteria

- No shell commands used for vault operations
- No temporary plaintext files created
- All vault operations use Ansible built-in modules
- Existing functionality preserved
- Proper error handling implemented