Today, I am excited to share how to set up an Ansible execution environment for working with SOPS secrets. The execution environment image is a pre-built container that carries everything needed to decrypt SOPS secrets in Ansible playbooks.

Ansible Builder is the tool that builds the image from a definition file.

  • Let’s start by creating a new working directory

    mkdir custom-ansible-execution; cd custom-ansible-execution
  • Add an execution-environment.yml file. ansible-builder builds the container image from this definition file.

    version: 1
    build_arg_defaults:
      EE_BASE_IMAGE: ''
    dependencies:
      galaxy: requirements.yml
    additional_build_steps:
      prepend: |
        RUN pip3 install --upgrade pip setuptools
  • Create requirements.yml and add the SOPS collection to it

      collections:
        - name: community.sops
  • Generate the Containerfile

    ansible-builder create
    Complete! The build context can be found at: custom-ansible-execution/context
  • Update the Containerfile in the context directory to install the SOPS rpm into the container and create the directory where the key file will be mounted (the default location sops looks in for age keys)

    USER root
    RUN pip3 install --upgrade pip setuptools
    # the rpm path or URL is not shown in the post; sops -v confirms the install succeeded
    RUN rpm -i && \
        sops -v && \
        mkdir -p /home/runner/.config/sops/age
    COPY --from=galaxy /usr/share/ansible /usr/share/ansible
    COPY --from=builder /output/ /output/
    RUN /output/install-from-bindep && rm -rf /output/wheels
    LABEL ansible-execution-environment=true
  • Build the container image using Podman and push to a registry

    podman build -f context/Containerfile -t localhost/custom-ee:1.0 context
    podman push ...
  • Follow this guide to add an execution environment in Jobs

  • Mount the SOPS key directory from the controller into the execution environment (into /home/runner/.config/sops/age, created above) using the execution environment mount options in the Jobs settings

    (screenshot: Jobs Settings)

  • Finally, SSH into the Ansible controller, switch to the awx user and copy the key into the directory that gets mounted

    ssh aap-controller
    sudo su - awx
    # directory that is mounted into the execution environment
    sudo mkdir -p /var/lib/awx/.sops-key
    # keys.txt is the age private key; keep it readable by the awx user only
    sudo mv keys.txt /var/lib/awx/.sops-key
    sudo chmod 700 /var/lib/awx/.sops-key
    sudo chmod 600 /var/lib/awx/.sops-key/keys.txt
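To show what the finished execution environment is for, here is an added example playbook (not from the original post) that decrypts a SOPS file inside the image. It assumes the age key is mounted at /home/runner/.config/sops/age/keys.txt, the default path sops checks, and that secrets.sops.yaml and certs/tls.key.sops are files in the project encrypted for that key.

```yaml
---
# Added example, not part of the original post. Runs inside the custom EE,
# where the mounted age key sits at the default sops location.
- name: Use SOPS-encrypted secrets from the execution environment
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Check that the mounted age key is present before decrypting
      ansible.builtin.stat:
        path: /home/runner/.config/sops/age/keys.txt
      register: age_key

    - name: Fail early with a clear message if the key mount is missing
      ansible.builtin.assert:
        that: age_key.stat.exists
        fail_msg: "age key not found; check the EE mount in Jobs settings"

    - name: Load decrypted values as variables (no_log keeps them out of job output)
      community.sops.load_vars:
        file: secrets.sops.yaml   # assumed file, encrypted with the age recipient
      no_log: true

    - name: Confirm decryption produced the expected variable without printing it
      ansible.builtin.assert:
        that:
          - api_token is defined
          - api_token | length > 0
        quiet: true
      no_log: true

    - name: Write a decrypted private key to disk with restrictive permissions
      ansible.builtin.copy:
        content: "{{ lookup('community.sops.sops', 'certs/tls.key.sops') }}"
        dest: /tmp/tls.key          # placeholder destination
        mode: "0600"
      no_log: true
```

If the mount is wrong, the first assert fails with a readable message instead of an opaque sops decryption error later in the job.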

Thank you for taking the time to read my blog post. Until next time, take care!