Ansible vs PCI
If you need to comply with PCI
Requirement 2: Maintain an inventory of system components in scope for PCI DSS
to support effective scoping practices.
You will find that using public-key authentication is sometimes
as it’s almost impossible to ensure employees are rotating the keys, keeping the
private key safe and with a strong password.
Using Ansible without ssh key based authentication is painful if you need to
run a playbook against hundreds of servers, as you will need to insert your
password ad nauseam.
Ansible Vault To The Rescue
“Vault” is a feature of ansible that allows keeping sensitive data such as
passwords or keys in encrypted files.
We can leverage Ansible Vault to keep the user password stored in a safe way:
mkdir group_vars ansible-vault create group_vars/all.yml
After providing a password (although I am not aware of a way to audit that the
password is good enough), insert all the need Ansible credentials:
ansible_user: <username> ansible_ssh_pass: <password> ansible_become_pass: <sudo password>
We can run any Ansible playbook easily:
ansible-playbook -i inventory.ini playbook.yml --ask-vault-pass
Using Ansible Vault we can follow PCI guidelines without jeopardising
productivity or security.