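#!/bin/sh
#
# Git pre-commit hook: rejects the commit when a staged file whose path
# matches FILES_PATTERN does not begin with the ansible-vault header.
#
# Install as .git/hooks/pre-commit and make it executable.
#
# The check reads the staged blob (the content that will actually be
# committed), not the working-tree copy, so a file that was staged in
# plaintext and encrypted afterwards is still caught. Only whole-file
# encryption is recognised, because only the first line is inspected.
#
# This hook is local to one clone and is skipped by 'git commit --no-verify';
# repeat the same check in CI or a server-side hook if it must be enforced.

# Extended regex matched against staged paths. Note: '.yaml' is not covered.
FILES_PATTERN='.*vault.*\.yml$'
# Literal prefix expected on the first line; the dollar sign is part of the
# header, hence the single quotes.
REQUIRED='$ANSIBLE_VAULT;'
EXIT_STATUS=0
wipe='\033[1m\033[0m'
yellow='\033[1;33m'

# Added/copied/modified/renamed paths in the index. Deleted paths are left
# out: they have no staged content to inspect.
if ! staged=$(git diff --cached --name-only --diff-filter=ACMR); then
  echo '# COMMIT REJECTED'
  echo '# Could not list staged files; refusing to skip the ansible-vault check.'
  exit 1
fi

# The loop runs inside a command substitution, so its result is passed back
# on stdout (one offending path per line) instead of through a variable.
UNENCRYPTED_FILES=$(
  printf '%s\n' "$staged" | grep -E -- "$FILES_PATTERN" |
    while IFS= read -r f; do
      # ':<path>' names the blob in the index. If it cannot be read (for
      # example a path git printed in quoted form), first_line stays empty
      # and the file is reported: the check fails closed.
      first_line=$(git show ":$f" 2>/dev/null | head -n 1)
      case $first_line in
        "$REQUIRED"*) ;;
        *) printf '%s\n' "$f" ;;
      esac
    done
)

if [ -n "$UNENCRYPTED_FILES" ]; then
  EXIT_STATUS=1
  echo '# COMMIT REJECTED'
  echo '# Looks like unencrypted ansible-vault files are part of the commit:'
  echo '#'
  # The colour codes go through %b and the path through %s, so escape
  # sequences are interpreted only in the constants, never in file names.
  printf '%s\n' "$UNENCRYPTED_FILES" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '#\t%bunencrypted: %s%b\n' "$yellow" "$line" "$wipe"
    fi
  done
  echo '#'
  echo "# Please encrypt them with 'ansible-vault encrypt <file>'"
  echo "# (or force the commit with '--no-verify')."
fi

exit "$EXIT_STATUS"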