Check number of vault secrets after setup. (#30520)

This is to catch vault secrets from config and cli. Previously vault_password_file in config was missed since it was added by setup_vault_secrets, so check after setup_vault_secrets. Related to #30514 (cherry picked from commit 174cb1f33c)
2017-09-20 11:15:42 -04:00 · 2017-09-20 11:15:42 -04:00 · a3d5b2f1ce
commit a3d5b2f1ce
parent f8ad9ca75d
2 changed files with 5 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -20,6 +20,7 @@ Ansible Changes By Release
 * Fix nxos terminal regex to parse username correctly.
 * Fix colors for selective callback
 * Fix for 'New password' prompt on 'ansible-vault edit' (https://github.com/ansible/ansible/issues/30491)
+* Fix for 'ansible-vault encrypt' with vault_password_file in config and --ask-vault-pass cli (https://github.com/ansible/ansible/pull/30514#pullrequestreview-63395903)

 <a id="2.4"></a>

--- a/lib/ansible/cli/vault.py
+++ b/lib/ansible/cli/vault.py
@ -184,6 +184,10 @@ class VaultCLI(CLI):
                                         vault_password_files=self.options.vault_password_files,
                                         ask_vault_pass=self.options.ask_vault_pass,
                                         create_new_password=True)
+
+            if len(vault_secrets) > 1:
+                raise AnsibleOptionsError("Only one --vault-id can be used for encryption. This includes passwords from configuration and cli.")
+
            if not vault_secrets:
                raise AnsibleOptionsError("A vault password is required to use Ansible's Vault")