fix: add check if file is already encrypted to prevent ansible vault from throwing an error

ludwig-mueller · ludwig-mueller · commit 5dfbb04fabed · 2025-09-25T12:43:17.000+02:00
diff --git a/solutions/standard-openshift/ansible/main.tf b/solutions/standard-openshift/ansible/main.tf
@@ -122,8 +122,8 @@ resource "terraform_data" "execute_playbooks" {
   # Decrypt ocp config if it already exists
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file; fi",
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file; fi"
+      "if [ -f \"/root/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file; fi",
+      "if [ -f \"/root/.powervs/config.json\" ]; then ansible-vault decrypt /root/.powervs/config.json --vault-password-file password_file; fi"
     ]
   }
 
@@ -145,8 +145,12 @@ resource "terraform_data" "execute_playbooks" {
   # Encrypt ocp config if it already exists
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file; fi",
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file; fi",
+      "if [ -f \"/root/.powervs/config.json\" ]; then",
+      "  if ! ( head -n 1 | grep -q '^\\$ANSIBLE_VAULT' ); then",
+      "    echo ${var.ansible_vault_password} > password_file",
+      "    ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file",
+      "  fi",
+      "fi",
       "rm -f password_file"
     ]
   }
@@ -226,7 +230,7 @@ resource "terraform_data" "execute_playbooks_with_vault" {
   # Decrypt ocp config if it already exists
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault decrypt ~/.powervs/config.json --vault-password-file password_file; fi"
+      "if [ -f \"/root/.powervs/config.json\" ]; then ansible-vault decrypt /root/.powervs/config.json --vault-password-file password_file; fi"
     ]
   }
 
@@ -241,8 +245,12 @@ resource "terraform_data" "execute_playbooks_with_vault" {
   # Encrypt ocp config if it already exists
   provisioner "remote-exec" {
     inline = [
-      "if [ -f \"~/.powervs/config.json\" ]; then echo ${var.ansible_vault_password} > password_file; fi",
-      "if [ -f \"~/.powervs/config.json\" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file; fi",
+      "if [ -f \"/root/.powervs/config.json\" ]; then",
+      "  if ! ( head -n 1 | grep -q '^\\$ANSIBLE_VAULT' ); then",
+      "    echo ${var.ansible_vault_password} > password_file",
+      "    ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file",
+      "  fi",
+      "fi",
       "rm -f password_file"
     ]
   }
diff --git a/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl b/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec.sh.tftpl
@@ -24,12 +24,12 @@ export IBMCLOUD_API_KEY=$${IBMCLOUD_API_KEY}
 unbuffer ansible-playbook -i $${ansible_inventory} $${ansible_playbook} --extra-vars "IBMCLOUD_API_KEY=$IBMCLOUD_API_KEY"
 ## On failure:
 if [ $? -ne 0 ]; then
-    if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+    if [ -f "/root/.powervs/config.json" ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
     rm -f password_file
     rm -rf $${ansible_private_key_file}
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
-if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+if [ -f "/root/.powervs/config.json" ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
 rm -f password_file
diff --git a/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl b/solutions/standard-openshift/ansible/templates-ansible/deploy-openshift-cluster/ansible_exec_vault.sh.tftpl
@@ -24,12 +24,12 @@ export IBMCLOUD_API_KEY=$${IBMCLOUD_API_KEY}
 unbuffer ansible-playbook -i $${ansible_inventory} $${ansible_playbook} --extra-vars "IBMCLOUD_API_KEY=$IBMCLOUD_API_KEY" --vault-password-file password_file
 ## On failure:
 if [ $? -ne 0 ]; then
-    if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+    if [ -f "/root/.powervs/config.json" ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
     rm -f password_file
     rm -rf $${ansible_private_key_file}
     exit 1
 fi
 echo \"Playbook command successful\"
 rm -rf $${ansible_private_key_file}
-if [ -f "~/.powervs/config.json" ]; then ansible-vault encrypt ~/.powervs/config.json --vault-password-file password_file
+if [ -f "/root/.powervs/config.json" ]; then ansible-vault encrypt /root/.powervs/config.json --vault-password-file password_file; fi
 rm -f password_file
