
I'm trying to use sed to find the ansible_password field in an inventory file and encrypt it with the ansible-vault command. But the ansible-vault command is failing, throwing a sed error, whereas a simple echo is working fine.

sed -n "s/\( *\)\(ansible_password\: *\)\"\(.*\)\"/$(echo \\3)/p" sample.yml

is outputting the attribute value without the double quotes.

The ansible-vault command:

sed -n "s/\( *\)\(ansible_password\: *\)\"\(.*\)\"/$(ansible-vault encrypt_string --vault-password-file ~/password.txt --name 'ansible_password' '\\3')/p" sample.yml

is throwing an error message: sed: -e expression #1, char 67: unterminated `s' command

Here's the line where the substitution is happening:

        ansible_password: "somepassword"
Zanna

2 Answers


This cannot work. The nested command will run first. echo works by accident because it will put \3 as the replacement pattern, which happens to be what you want in this case (= output the original value).

Not sure what exactly you want; maybe you can try grep and xargs:

grep -Po 'ansible_password: "\K[^"]*' sample.yml \
| xargs -n1 ansible-vault encrypt_string --vault-password-file ~/password.txt --name 'ansible_password'

However, you might want to use a proper YAML parser instead of grep or sed.

pLumo
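The same job done without nesting the vault call inside sed, as an added example that is not from the question or either answer: each line is read in turn, the quoted value is extracted with shell parameter expansion, and only then is it handed to ansible-vault, whose multi-line `!vault` block is re-indented to the key's original position. The ~/password.txt path comes from the question; the function names are assumptions.

```shell
#!/bin/sh
# Encrypt every `ansible_password: "..."` value in an inventory file with
# ansible-vault, one line at a time. The vault command runs only after the
# value has been pulled out of the line, so no command substitution is
# expanded before sed (the cause of the error in the question).

# Wrapper keeping the encryption command in one place (assumed helper).
# Prints the "ansible_password: !vault |" block for one plaintext value.
vault_encrypt() {
    # $1 = variable name, $2 = plaintext value
    ansible-vault encrypt_string --vault-password-file ~/password.txt \
        --name "$1" "$2"
}

# Rewrite FILE in place (assumed helper). Lines that do not hold a quoted
# ansible_password pass through untouched; the key's indentation is kept.
encrypt_inventory_passwords() {
    file=$1
    tmp=$(mktemp) || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *ansible_password:*\"*\")
                indent=${line%%ansible_password:*}   # leading whitespace
                value=${line#*ansible_password:*\"}  # text after opening quote
                value=${value%\"*}                   # text before closing quote
                # encrypt_string output is multi-line: prefix every line
                # with the original indent so the YAML block scalar stays valid
                vault_encrypt ansible_password "$value" | sed "s/^/$indent/"
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp" && mv "$tmp" "$file"
}
```

A password containing a double quote is not handled by this simple extraction; for such values a YAML-aware tool, as the answer above suggests, is the safer route.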

Use blockinfile if you can put the variables into the "# BEGIN ... # END" blocks, e.g.

shell> cat sample.yml
# BEGIN my_password1
my_password1: "somepassword1"
# END my_password1
# BEGIN my_password2
my_password2: "somepassword2"
# END my_password2
# BEGIN my_password3
my_password3: "somepassword3"
# END my_password3

Then the tasks below read the file and replace the blocks with encrypted variables, e.g.

    - include_vars:
        file: sample.yml
        name: my_pswd
    - blockinfile:
        dest: sample.yml
        marker: "# {mark} {{ item }}"
        block: "{{ _enc }}"
      loop: [my_password1, my_password2, my_password3]
      vars:
        vault_cmd: "ansible-vault encrypt_string --name '{{ item }}' "
        _enc: "{{ lookup('pipe', vault_cmd ~  my_pswd[item]) }}"

gives

shell> cat sample.yml
# BEGIN my_password1
my_password1: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30343161323861646333623332303663326438336462613165633766313130363961366633343764
          3335393837613638633565616366353139623063366131640a616233616534386663666263653432
          36376530653139666634323435313433346263643634303463643963343937316562326634313437
          6262613663313664630a343830636436376366656534366438613435366664656132643866353030
          3633
# END my_password1
# BEGIN my_password2
my_password2: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          36653034373863613531643535353361636565633463626465393065316561353661666564633762
          6139666336666433646633303664633261626135343865380a656464363430643563373264343234
          38303034653332626238326432333236333439383365623866656262343436386137353638663436
          3261363962373237300a646263396432646134313561366662326439303739303061303936353134
          6235
# END my_password2
# BEGIN my_password3
my_password3: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          31383764376166363733313065636264343863346334386230333739316337306535313866303164
          3465616663626565623438316364326532306538303134640a313564356135373931306236373833
          62383563386230633265396261363861393530653034613732333962643233316535646462656331
          6566383662323266310a343337303465613334336638316132636238343637646235646565653532
          6134
# END my_password3

When you repeat the tasks, the encryption of the variables will be renewed.

Vladimir Botka