Managing Sensitive Information in Version Control Service (VCS)

For added security, CFS enables native SOPS integration for hostvars and groupvars encryption as part of its security policy. Members of a tenancy, as defined by TAPMS, may choose to encrypt any configuration information they deem sensitive. When a new tenant is created, TAPMS enables and exposes a new endpoint and transit engine through HashiCorp Vault. Tenant administrators may select standard Ansible hostvars and groupvars files, convert them to an encrypted format, and check them into Version Control Service (VCS).

When Ansible runs, encrypted variables are decrypted automatically for use. Decryption does not by itself keep those values out of task output, so the standard good practice of setting no_log: True on any task that handles sensitive information should be followed in conjunction with this encryption.
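As an added example, not taken from CFS documentation or the CFS project, the following shows a SOPS creation rule that scopes encryption to group_vars and host_vars files using a Vault transit key, followed by an Ansible task that consumes a decrypted variable with no_log set. The Vault address, transit key path, variable name and file paths are assumed placeholders; the actual endpoint exposed by TAPMS is not given on this page.

```yaml
# .sops.yaml at the root of the VCS repository (added example; paths are placeholders).
# Only files under group_vars/ and host_vars/ match, so playbooks and roles stay plaintext.
creation_rules:
  - path_regex: (group_vars|host_vars)/.*\.ya?ml$
    # Transit key exposed for this tenant; replace with the URI provided by TAPMS/Vault.
    hc_vault_transit_uri: "https://vault.example.internal:8200/v1/transit/keys/tenant-example"
    # Encrypt only values whose keys look like credentials; other keys remain readable
    # in VCS diffs and reviews.
    encrypted_regex: "^(.*_password|.*_token)$"
# Encrypt a file in place before committing it:  sops --encrypt --in-place group_vars/all.yml
# A committed file then carries ENC[...] values plus a sops metadata block; plaintext
# credentials appearing in a diff indicate a file that was committed unencrypted.
---
# playbook.yml: write the decrypted credential to disk without echoing it anywhere.
- hosts: all
  become: true
  tasks:
    - name: Write the application credential file from the decrypted groupvar
      ansible.builtin.copy:
        content: "DB_PASSWORD={{ db_password }}\n"   # db_password decrypted by the SOPS integration
        dest: /etc/app/db.env
        owner: root
        group: root
        mode: "0600"
      # no_log keeps the rendered content out of task output, callback plugins and ansible.log,
      # including the diff that copy would otherwise print when the file changes.
      no_log: true
```

The encrypted_regex keeps non-sensitive keys reviewable in VCS while still passing the whole file through the Vault transit engine for the matched values.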