75 lines
2.3 KiB
Markdown
75 lines
2.3 KiB
Markdown
# Issue: Fix Vault Security Risk in Proxmox Role
|
|
|
|
**Status**: Open
|
|
**Priority**: High
|
|
**Component**: proxmox/15_create_secret.yaml
|
|
**Assignee**: Junior Dev
|
|
|
|
## Description
|
|
The current vault handling in `roles/proxmox/tasks/15_create_secret.yaml` uses insecure shell commands to decrypt/encrypt vault files, creating temporary plaintext files that pose a security risk.
|
|
|
|
## Current Problematic Code
|
|
```yaml
|
|
- name: Decrypt vm vault file
|
|
ansible.builtin.shell: cd ../; ansible-vault decrypt "./playbooks/{{ proxmox_vault_file }}"
|
|
no_log: true
|
|
|
|
- name: Encrypt vm vault file
|
|
ansible.builtin.shell: cd ../; ansible-vault encrypt "./playbooks/{{ proxmox_vault_file }}"
|
|
no_log: true
|
|
```
|
|
|
|
## Required Changes
|
|
|
|
### Step 1: Replace shell commands with Ansible vault module
|
|
Replace the shell-based decryption/encryption with `ansible.builtin.ansible_vault` module.
|
|
|
|
### Step 2: Remove temporary plaintext file operations
|
|
Eliminate the need for temporary plaintext files by using in-memory operations.
|
|
|
|
### Step 3: Add proper error handling
|
|
Include error handling for vault operations (missing files, decryption failures).
|
|
|
|
## Implementation Steps
|
|
|
|
1. **Read the current vault file securely**:
|
|
```yaml
|
|
- name: Load vault content securely
|
|
ansible.builtin.include_vars:
|
|
file: "{{ proxmox_vault_file }}"
|
|
name: vault_data
|
|
no_log: true
|
|
```
|
|
|
|
2. **Use ansible_vault module for operations**:
|
|
```yaml
|
|
- name: Update vault data securely
|
|
ansible.builtin.set_fact:
|
|
new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
|
|
when: not variable_exists
|
|
no_log: true
|
|
```
|
|
|
|
3. **Write encrypted vault directly**:
|
|
```yaml
|
|
- name: Write encrypted vault
|
|
ansible.builtin.copy:
|
|
content: "{{ new_vault_data | ansible.builtin.ansible_vault.encrypt('vault_password') }}"
|
|
dest: "{{ proxmox_vault_file }}"
|
|
mode: "0600"
|
|
when: not variable_exists
|
|
no_log: true
|
|
```
|
|
|
|
## Testing Requirements
|
|
- Test with existing vault files
|
|
- Verify no plaintext files are created during operation
|
|
- Confirm vault can be decrypted properly after updates
|
|
|
|
## Acceptance Criteria
|
|
- [ ] No shell commands used for vault operations
|
|
- [ ] No temporary plaintext files created
|
|
- [ ] All vault operations use Ansible built-in modules
|
|
- [ ] Existing functionality preserved
|
|
- [ ] Proper error handling implemented
|