For added security, CFS enables native SOPS integration for hostvars and groupvars encryption as part of its security policy. Members of a tenancy, as defined by TAPMS, may choose to encrypt any configuration information deemed sensitive. When a new tenant is created, TAPMS enables and exposes a new endpoint and transit engine through HashiCorp Vault. Tenant administrators may select standard Ansible hostvars and groupvars files, convert them into an encrypted format, and check them into the Version Control Service (VCS).

When Ansible runs, encrypted variables are automatically decrypted for use. Standard good practice should still be followed: any task that handles sensitive information should set no_log: True so that the decrypted values are not echoed in task output.
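As an added example (not part of the CFS or TAPMS documentation, and not SOPS' own code), the following Python check scans an Ansible group_vars or host_vars file and reports any scalar value that is not SOPS ciphertext, then confirms the file carries SOPS metadata for a HashiCorp Vault transit key. It is the kind of gate a tenant administrator could run before checking a converted file into VCS. The sample file contents, the Vault address, the engine path transit-tenant-a and the key name are constructed placeholders; the ENC[AES256_GCM,...] value marker and the hc_vault metadata keys follow the layout SOPS writes when it encrypts with a Vault transit key.

```python
"""Pre-commit style gate for SOPS-encrypted Ansible hostvars/groupvars files.

Added example, not CFS/TAPMS code. Line-based scan so it needs no PyYAML:
every scalar value outside the 'sops:' metadata block must be SOPS ciphertext,
and the metadata must name a HashiCorp Vault transit key (hc_vault entry).
"""
import re
from typing import Iterator, List, Tuple

# Shape of a SOPS-encrypted scalar: ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(?:str|int|float|bool|comment)\]$"
)
# "key: value" line, optionally a list item; group 1 is the indentation.
KV_RE = re.compile(r"^(\s*)(?:- )?([A-Za-z0-9_.-]+):\s*(.*)$")


def _entries(text: str) -> Iterator[Tuple[str, str, str, bool]]:
    """Yield (indent, key, value, inside_sops_block) for each key/value line."""
    in_sops = False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KV_RE.match(raw)
        if not m:
            continue  # plain list items or block-scalar continuation lines
        indent, key, value = m.groups()
        if indent == "":
            in_sops = key == "sops"  # top-level key: entering or leaving metadata
        yield indent, key, value.strip(), in_sops


def plaintext_values(text: str) -> List[str]:
    """Keys whose scalar value is not SOPS ciphertext (metadata block excluded)."""
    findings = []
    for _indent, key, value, in_sops in _entries(text):
        if in_sops or value in ("", "|", ">"):
            continue  # metadata, nested mapping, or block-scalar header
        if not ENC_RE.match(value.strip("\"'")):
            findings.append(key)
    return findings


def has_vault_metadata(text: str) -> bool:
    """True when the 'sops:' block records a HashiCorp Vault transit key."""
    return any(in_sops and key == "hc_vault" for _i, key, _v, in_sops in _entries(text))


def is_safe_to_commit(text: str) -> bool:
    """Gate: no plaintext scalars and a Vault-backed SOPS metadata block present."""
    return not plaintext_values(text) and has_vault_metadata(text)


# Constructed sample: what group_vars/all.yaml looks like after SOPS encryption.
# Vault address, engine path and key name are placeholders.
ENCRYPTED_SAMPLE = """\
# group_vars/all.yaml after SOPS encryption (constructed sample)
db_password: ENC[AES256_GCM,data:Zm9vYmFy,iv:aXZpdml2aXZpdml2aXY=,tag:dGFndGFndGFndGFn,type:str]
api:
    token: ENC[AES256_GCM,data:YmF6,iv:aXZpdml2aXZpdml2aXY=,tag:dGFndGFndGFndGFn,type:str]
sops:
    hc_vault:
        - vault_address: https://vault.example.internal:8200
          engine_path: transit-tenant-a
          key_name: tenant-a-sops
          created_at: "2024-01-01T00:00:00Z"
          enc: vault:v1:PLACEHOLDER
    version: 3.8.1
"""

# Constructed sample: the same file before conversion, which must not reach VCS.
PLAINTEXT_SAMPLE = """\
db_password: hunter2
api:
    token: s3cret-token
"""

if __name__ == "__main__":
    for name, doc in (("encrypted", ENCRYPTED_SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)):
        print(f"{name}: plaintext keys={plaintext_values(doc)} "
              f"vault metadata={has_vault_metadata(doc)} safe={is_safe_to_commit(doc)}")
```

The scan is deliberately strict: every scalar outside the sops: block must be ciphertext. If a tenant encrypts only selected keys (for example with a SOPS encrypted_regex rule), the same regex should be applied in plaintext_values so that intentionally unencrypted keys are not reported.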