ansible/roles/proxmox/tasks/10_create_secrets.yml

---
- name: Ensure Vault file exists
  ansible.builtin.file:
    path: "{{ proxmox_vault_file }}"
    state: touch
    mode: "0600"

- name: Decrypt vm vault file
  ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
  ignore_errors: true
  no_log: true

- name: Load existing vault content
  ansible.builtin.slurp:
    src: "{{ proxmox_vault_file }}"
  register: vault_content
  no_log: true

- name: Parse vault content as YAML
  ansible.builtin.set_fact:
    vault_data: "{{ (vault_content['content'] | b64decode | from_yaml) if (vault_content['content'] | length > 0) else {} }}"
  no_log: true

- name: Update Vault data
  ansible.builtin.include_tasks: 15_create_secret.yml
  loop: "{{ vms | map(attribute='name') }}"
  loop_control:
    loop_var: "vm_name"

- name: Encrypt vm vault file
  ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
  ignore_errors: true
  no_log: true