You can do this very neatly, so that the normal git tools like `git log` and `git diff` can see inside the vaulted files, using a custom git diff driver and `.gitattributes`.
- Make sure that your vault password is in `.vault_password` and that the file is never committed: add it to `.gitignore`. `ansible-vault` must be able to read that file without prompting when git runs it, so either set `vault_password_file = .vault_password` in the repository's `ansible.cfg` or pass `--vault-password-file` explicitly when you configure the diff driver.
Add a `.gitattributes` file that matches every file in your repository that is encrypted with ansible-vault and gives it the attribute `diff=ansible-vault`. For example, I have:

```
env_vars/production.yml diff=ansible-vault merge=binary
env_vars/staging.yml diff=ansible-vault merge=binary
```

You can also use wildcard patterns: the first element of each line, the pattern, follows the same rules as `.gitignore` files, and when several lines match a path the last one wins for each attribute. The `merge=binary` option tells git not to attempt a three-way merge of these files, which would only splice two ciphertexts together; on a conflict git keeps your branch's version and leaves the path in the conflicted state, so you decrypt both sides, merge the plaintext and re-encrypt by hand.
Then you have to set the textconv command of the diff driver for files with attribute `diff=ansible-vault` to `ansible-vault view`:

```
git config --global diff.ansible-vault.textconv "ansible-vault view"
```

Git hands the driver a temporary file containing the blob, which is why the command takes no path argument. If your `ansible.cfg` does not name the password file, put it in the command instead, using an absolute path so it does not depend on the directory git runs the driver from:

```
git config --global diff.ansible-vault.textconv "ansible-vault view --vault-password-file /path/to/repo/.vault_password"
```

Drop `--global` if you want the driver defined only for this repository. And that should be it: when git calculates diffs of the files your pattern matches (`git diff`, `git log -p`, `git show`), it decrypts them first. Leave `diff.ansible-vault.cachetextconv` at its default of `false`; enabling it would cache the decrypted output in `refs/notes/textconv/ansible-vault`, that is, store your plaintext secrets inside the repository.
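As an added example (not code from the page, from git or from Ansible), here is a Python pre-flight checker for the setup above. It parses a `.gitattributes`, applies a simplified gitignore-style matcher to a set of repository paths, and reports vault-encrypted files that lack `diff=ansible-vault` or `merge=binary`, plus the opposite mistake: a path declared as a vault file that actually holds plaintext. The `.gitattributes` text and file contents in the block are constructed; the matcher handles `*`, `?`, `**` and root anchoring but not negation, character classes or trailing-slash directory rules.

```python
"""Audit a repository's ansible-vault / git diff-driver setup (added example).

Checks, with a simplified gitignore-style matcher:
  * every vault-encrypted file carries diff=ansible-vault,
  * every vault-encrypted file carries merge=binary,
  * nothing *declared* a vault file is sitting in plaintext.
"""
import posixpath
import re
from typing import Dict, List, Tuple

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of every ansible-vault file


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """gitignore glob -> regex: '*' and '?' do not cross '/', '**/' matches any
    directory prefix, '/**' any suffix. Negation and [] classes are not handled."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out, i = out + "(?:.*/)?", i + 3
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def pattern_matches(pattern: str, path: str) -> bool:
    """gitignore rule: a pattern without a slash matches the basename at any
    depth; a pattern containing (or starting with) a slash is anchored at the root."""
    anchored = pattern.startswith("/")
    pattern = pattern.lstrip("/")
    subject = path if ("/" in pattern or anchored) else posixpath.basename(path)
    return _glob_to_regex(pattern).match(subject) is not None


def parse_gitattributes(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (pattern, {attr: value}) pairs in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        parsed: Dict[str, str] = {}
        for attr in attrs:
            if "=" in attr:
                key, value = attr.split("=", 1)
                parsed[key] = value
            elif attr.startswith("-"):
                parsed[attr[1:]] = "unset"  # "-diff" style
            else:
                parsed[attr] = "set"
        rules.append((pattern, parsed))
    return rules


def effective_attributes(rules, path: str) -> Dict[str, str]:
    """Like git: for each attribute the last matching line wins."""
    attrs: Dict[str, str] = {}
    for pattern, parsed in rules:
        if pattern_matches(pattern, path):
            attrs.update(parsed)
    return attrs


def is_vault_file(content: str) -> bool:
    return content.startswith(VAULT_HEADER)


def audit(files: Dict[str, str], gitattributes: str) -> Dict[str, List[str]]:
    """files maps repo-relative path -> content. Returns lists of offending paths."""
    rules = parse_gitattributes(gitattributes)
    report: Dict[str, List[str]] = {
        "no_diff_driver": [], "no_merge_binary": [], "plaintext_with_vault_attribute": []}
    for path in sorted(files):
        attrs = effective_attributes(rules, path)
        encrypted = is_vault_file(files[path])
        declared = attrs.get("diff") == "ansible-vault"
        if encrypted and not declared:
            report["no_diff_driver"].append(path)        # git diff would show ciphertext
        if encrypted and attrs.get("merge") != "binary":
            report["no_merge_binary"].append(path)       # git would 3-way merge ciphertext
        if declared and not encrypted:
            report["plaintext_with_vault_attribute"].append(path)  # secret committed in clear
    return report


# Constructed sample: the page's two lines plus a wildcard rule.
SAMPLE_GITATTRIBUTES = """\
# vault files
env_vars/production.yml diff=ansible-vault merge=binary
env_vars/staging.yml    diff=ansible-vault merge=binary
group_vars/*/vault.yml  diff=ansible-vault
"""

# Constructed sample contents (vault bodies abbreviated).
SAMPLE_FILES = {
    "env_vars/production.yml": "$ANSIBLE_VAULT;1.1;AES256\n36623835...\n",
    "env_vars/staging.yml": "db_password: hunter2\n",            # forgot to encrypt
    "group_vars/web/vault.yml": "$ANSIBLE_VAULT;1.1;AES256\n...\n",  # no merge=binary
    "env_vars/development.yml": "$ANSIBLE_VAULT;1.1;AES256\n...\n",  # not in .gitattributes
    "README.md": "# infra\n",
}

if __name__ == "__main__":
    for problem, paths in audit(SAMPLE_FILES, SAMPLE_GITATTRIBUTES).items():
        for p in paths:
            print(f"{problem}: {p}")
```

In a real repository you would feed `audit()` the output of `git ls-files` together with each file's content, and fail the pre-commit hook or CI job when any list is non-empty; the `plaintext_with_vault_attribute` list is the one that catches an unencrypted secret before it is pushed.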