Ansible shell/command modules with Doppler

I was wondering if I could use Doppler with Ansible. I don’t see any native integrations with Ansible. I know that Ansible has a Hashicorp Vault plugin that uses secrets in Ansible playbooks…

https://docs.ansible.com/ansible/latest/collections/community/hashi_vault/hashi_vault_lookup.html#ansible-collections-community-hashi-vault-hashi-vault-lookup

Since there seems to be no native support for Ansible and Doppler, I was thinking I could just use the Doppler CLI with the Ansible shell or command module? Or maybe the raw module? The reason I ask is that I don’t want Ansible to accidentally leak any of my Doppler secrets.

Are there any planned integrations with Ansible in the future?

Thank You

Hi @Lily and welcome to the Doppler community!

From taking a quick look at the Ansible docs, you should be able to use Ansible’s built-in support for environment variables with the Doppler CLI by running:

# `DOPPLER_TOKEN` environment variable must be set 
doppler run -- ansible-playbook playbook.yml

If triggering the playbook using a GitHub Action, the step could look like:

- name: Ansible Playbook
  run: doppler run -- ansible-playbook playbook.yml
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

Then I believe inside your playbook, you can reference a Doppler injected environment variable using:

{{ lookup('env', 'SECRET_FROM_DOPPLER') }}

Let me know if that works as I’m not an Ansible user and need to get across it more.

We don’t yet have an Ansible integration, but I’ve added it to our engineering backlog and will let you know once it’s available (although I can’t offer an ETA at this stage).

Ryan’s answer above currently seems to be the main documentation available for using Doppler with Ansible, so I’m posting this just to update it a little.

To read a shell environment variable from within an Ansible script you would use

"{{ lookup('env', 'SECRET_FROM_DOPPLER') }}"

with a working example looking like

   vars:
      stored_value: "{{ lookup('env', 'SECRET_FROM_DOPPLER') }}"
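
A fuller playbook for the `lookup('env', ...)` pattern above, as an added example that is not from any poster in this thread or from Doppler: it stops when the variable was not injected and keeps the value out of Ansible's task output, which was the original concern about leaks. The target file path, the `example-app` command and the `APP_SECRET` name are assumptions.

```yaml
# Added example (hypothetical playbook). Run on the control node as:
#   doppler run -- ansible-playbook playbook.yml
# SECRET_FROM_DOPPLER is the variable name used in this thread; paths,
# the command and APP_SECRET below are placeholders.
- name: Consume a Doppler-injected secret without echoing it
  hosts: all
  become: true
  gather_facts: false
  vars:
    # The env lookup runs on the control node, where `doppler run`
    # exported the variable. It yields an empty string when unset.
    stored_value: "{{ lookup('env', 'SECRET_FROM_DOPPLER') }}"

  tasks:
    - name: Stop early if the secret was not injected
      ansible.builtin.assert:
        that:
          - stored_value | length > 0
        # Static message only; the value itself is never interpolated here.
        fail_msg: "SECRET_FROM_DOPPLER is empty; launch via 'doppler run --'"
        quiet: true
      run_once: true

    - name: Write the secret to a root-only file on the target
      ansible.builtin.copy:
        content: "{{ stored_value }}\n"
        dest: /etc/example-app.secret
        owner: root
        group: root
        mode: "0600"
      no_log: true   # hides module args and results in task output
      diff: false    # --diff would otherwise print the file content

    - name: Hand the secret to a command through its environment, not argv
      ansible.builtin.command: /usr/local/bin/example-app migrate
      environment:
        APP_SECRET: "{{ stored_value }}"
      no_log: true   # also suppresses stdout/stderr the command may echo
      changed_when: false
```

`no_log` does not cover Ansible's debugging output (`ANSIBLE_DEBUG`), so keep that off for runs that handle real secrets.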

But how do I select Doppler’s config depending on the Ansible target? I have prod and stage servers with different secrets. I’m using a Makefile, so the command looks like

$ make deploy server=stage

And the Makefile content is

deploy:
    wsl ansible-playbook --limit $(server) ansible/provision.yml

How can I switch between the prod and stage Doppler configs in this case?

@swasher You’d probably need to adjust your deploy command to something like this:

wsl doppler run -p YOUR_DOPPLER_PROJECT -c $(server) -- ansible-playbook --limit $(server) ansible/provision.yml

This would assume that your Doppler configs share the same name as what you’re passing in via your server. Note that I’m not super familiar with usage for that wsl command you’re using, so you may need to tweak the command slightly. The main point is passing in the -c flag to designate which config you want used.

Let me know if that works for you. If not, I’ll see what else I can come up with for you!

Regards,
-Joel