surf-decrypt

#!/usr/bin/env python3
import sys
import os
import json
import yaml

import ansible.constants
import ansible.cli
from ansible.parsing.dataloader import DataLoader
from ansible.parsing.yaml.objects import AnsibleVaultEncryptedUnicode

import argparse


class AnsibleVaultEncoder(json.JSONEncoder):
    def default(self, obj):
        if isinstance(obj, AnsibleVaultEncryptedUnicode):
            # casting it to string will trigger the embedded decryption magicks in the AnsibleVaultEncryptedUnicode
            # object
            return str(obj)
        else:
            # Otherwise, use the default encoder
            return super().default(obj)


# parse arguments
parser = argparse.ArgumentParser(description='Decrypt an ansible yaml file with embedded vault secrets')
parser.add_argument('filename', help='filename to process')
parser.add_argument('variable', nargs='?', default=None, help='optional variable name to display')
args = parser.parse_args()
filename = args.filename
if filename in ('bhr','tst','acc','prd'):
    filename = f"environments/aws_{filename}/secrets/all.yml"

variable = args.variable
if not os.path.isfile(filename):
    print(f"Error: File '{filename}' does not exist.")
    parser.print_help()
    exit(1)

# input and set up vault secret
loader = DataLoader()
vault_pass = ansible.cli.CLI.setup_vault_secrets(
    loader=loader,
    vault_ids=ansible.constants.DEFAULT_VAULT_IDENTITY_LIST)
loader.set_vault_secrets(vault_pass)

# load data
data = loader.load_from_file(filename)

# and print
if variable is None:
    print(json.dumps(dict(data), indent=4, cls=AnsibleVaultEncoder))
elif isinstance(data[variable], dict):
    decoded_data = json.loads(json.dumps(data[variable], indent=4, cls=AnsibleVaultEncoder))
    print(yaml.dump(decoded_data, default_style='|'))
else:
    print(data[variable])

sys.exit(0)