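I have it this way (thanks splunk/ansible-splunk):

# Seed the Splunk admin account on first run: hash the configured password,
# then write the user name and hash into user-seed.conf.
- name: Set admin access via seed
  when: splunk_first_run | bool
  block:
    # Runs "<splunk.exec> hash-passwd <password>" and keeps the result in
    # hashed_pwd; the next task reads hashed_pwd.stdout.
    # The `quote` filter keeps a password containing spaces or quote characters
    # as one argument when the command module splits the string.
    # NOTE(review): the clear-text password is still an argument of the spawned
    # process for as long as it runs, so keep interactive access to the host
    # restricted while this play executes.
    - name: "Hash the password"
      command: "{{ splunk.exec }} hash-passwd {{ splunk.password | quote }}"
      register: hashed_pwd
      # Reported as "changed" whenever the command exits successfully.
      changed_when: hashed_pwd.rc == 0
      become: true
      become_user: "{{ splunk.user }}"
      # Setting hide_password to false puts the password and its hash into the
      # task output; default to hiding them when the variable is not defined.
      no_log: "{{ hide_password | default(true) }}"

    # Writes USERNAME and HASHED_PASSWORD into the [user_info] section, one
    # option per loop iteration.
    - name: "Generate user-seed.conf (Linux)"
      ini_file:
        owner: "{{ splunk.user }}"
        group: "{{ splunk.group }}"
        dest: "{{ splunk.home }}/etc/system/local/user-seed.conf"
        section: user_info
        option: "{{ item.opt }}"
        value: "{{ item.val }}"
        # The file holds the admin password hash, so it is readable by its
        # owner only (was 0644). Quoted so the mode is not re-typed as a number.
        mode: "0600"
      with_items:
        - opt: 'USERNAME'
          val: '{{ splunk.admin_user }}'
        - opt: 'HASHED_PASSWORD'
          val: '{{ hashed_pwd.stdout }}'
      loop_control:
        # Show only the option name per item, never the value.
        label: "{{ item.opt }}"
      when: ansible_system is match("Linux")
      become: true
      become_user: "{{ splunk.user }}"
      no_log: "{{ hide_password | default(true) }}"

The user and password information then lives in config files, which are kept per environment etc. in git. All those secrets are encrypted with ansible-vault, so there are no plain-text passwords in your repository/inventory. You can have as many config files as you need, usually one or more per environment and customer.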