add checksum to prevent re-encryption

MaxBed4d · MaxBed4d · commit 8fc30a727d14 · 2024-07-22T17:08:15.000+01:00
diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -14,13 +14,45 @@
         path: "{{ wazuh_secrets_path | dirname }}"
         state: directory
 
+    - name: Check whether wazuh-secrets.yml exists
+      stat:
+        path: "{{ wazuh_secrets_path }}"
+      register: waz_exist_result
+
+    - name: Decrypt wazuh-secrets to checksum
+      no_log: True
+      copy:
+        content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+        dest: "{{ wazuh_secrets_path }}"
+        decrypt: true
+      vars:
+        ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+      when: waz_exist_result.stat.exists
+
+    - name: Template new secrets
+      no_log: True
+      template:
+        src: wazuh-secrets.yml.j2
+        dest: "/tmp/wazuh-secrets.yml"
+      when: waz_exist_result.stat.exists
+
+    - name: Copy for checksum
+      no_log: True
+      copy:
+        content: "{{ lookup('ansible.builtin.file', '/tmp/wazuh-secrets.yml') }}"
+        dest: "{{ wazuh_secrets_path }}"
+        checksum: yes
+      when: waz_exist_result.stat.exists
+
     - name: Template new secrets
       no_log: True
       template:
         src: wazuh-secrets.yml.j2
         dest: "{{ wazuh_secrets_path }}"
+      when: not waz_exist_result.stat.exists
 
     - name: In-place encrypt wazuh-secrets
+      no_log: True
       copy:
         content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
         dest: "{{ wazuh_secrets_path }}"
