Merge pull request #1171 from stackhpc/Hide-Wazuh-Secrets

Encrypt wazuh-secrets.yml once templated

Author: dougszumski

etc/kayobe/ansible/wazuh-secrets.yml

@@ -15,13 +15,15 @@
         state: directory
 
     - name: Template new secrets
+      no_log: True
       template:
         src: wazuh-secrets.yml.j2
         dest: "{{ wazuh_secrets_path }}"
-      notify: Please encrypt keys
 
-  handlers:
-    - name: Please encrypt keys
-      debug:
-        msg: >-
-          Please encrypt the keys using Ansible Vault.
+    - name: In-place encrypt wazuh-secrets
+      copy:
+        content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+        dest: "{{ wazuh_secrets_path }}"
+        decrypt: false
+      vars:
+        ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"