add existing file encryption check

MaxBed4d · MaxBed4d · commit ecac53042eb5 · 2024-11-19T14:16:21.000Z
diff --git a/etc/kayobe/ansible/wazuh-secrets.yml b/etc/kayobe/ansible/wazuh-secrets.yml
@@ -19,6 +19,22 @@
         path: "{{ wazuh_secrets_path }}"
       register: waz_exist_result
 
+    - name: Check if secret is encrypted
+      block:
+        - name: Try to decrypt secret
+          no_log: True
+          copy:
+            content: "{{ lookup('ansible.builtin.file', wazuh_secrets_path) | ansible.builtin.vault(ansible_vault_password) }}"
+            dest: "{{ wazuh_secrets_path }}"
+            decrypt: True
+          vars:
+            ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
+      rescue:
+        - name: Secrets already decrypted
+          ansible.builtin.debug:
+            msg: 'Secret was already decrypted'
+      when: waz_exist_result.stat.exists
+
     - name: Template new secrets
       no_log: True
       template:
@@ -34,4 +50,3 @@
         decrypt: false
       vars:
         ansible_vault_password: "{{ lookup('ansible.builtin.env', 'KAYOBE_VAULT_PASSWORD') }}"
-      when: not waz_exist_result.stat.exists
