Normally, when you diff an Ansible vault, all you see is gibberish.
$ git diff -- group_vars/all/vault.yml
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 245ccf4..90bf9ee 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,111 +1,111 @@
$ANSIBLE_VAULT;1.1;AES256
-34623631363535616466343837666562333766373666313637623534636632363736366631333739
...
Git lets you attach a textconv driver to files, so that git diff runs both versions of a vault through ansible-vault view and compares the decrypted text instead of the ciphertext.
Set up your textconv for vault files in either ~/.gitconfig (globally) or ./.git/config (per-project):
[diff "ansible-vault"]
textconv = ansible-vault view
cachetextconv = true
Git invokes the textconv command with one argument, the path of a file holding the version to convert, so ansible-vault view reads it like any other vault and writes the plaintext to stdout. One caveat: cachetextconv = true stores that decrypted output in git notes under refs/notes/textconv/ansible-vault, inside .git, so the plaintext of every vault version you have ever diffed ends up in the repository's object store. Leave it at false if that is not acceptable for your secrets.
Then, either in ~/.config/git/attributes (globally) or in ./.gitattributes (per-project), tell Git which files use the ansible-vault diff driver:
# or *.vault.yml, or *-vault.yml, or whatever convention you use for vaults
vault.yml diff=ansible-vault
Now, git diff has a lot less gibberish.
$ git diff -- group_vars/all/vault.yml
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
index 245ccf4..0b107ef 100644
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@@ -1,5 +1,6 @@
# -*- yaml -*-
---
+new_secret: foobar
old_secret: bubblegum
moar_secrets: my voice is my passport
git runs this ansible-vault command from the root directory of the repository (irrespective of where you run git diff from). Therefore you will need to have an ansible.cfg file there that defines where the vault password file is relative to that directory. If your existing ansible.cfg with vault_password_file is lower in your tree, you will need to make another one in the root of the repo for this diffing to work.
Once I got that sorted, this gist was very helpful in getting my vault diffing to work. Thanks muchly.
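The textconv line above leaves it to Ansible to find the vault password, which is why the comment about needing an ansible.cfg at the repository root matters. The wrapper below is an added example, not code from the original post or from the gist the comment refers to: a textconv script that resolves the password file itself, hands it to ansible-vault view explicitly, and passes files without a vault header through unchanged, so the driver can be mapped to a broad pattern like *vault*.yml without breaking the diff of a file that was committed in plaintext. The password file name .vault_pass at the repository root and the script name vault-textconv.sh are assumptions; ANSIBLE_VAULT_PASSWORD_FILE is Ansible's own environment variable.

```shell
#!/bin/sh
# vault-textconv.sh: git textconv driver for Ansible vault files.
# Added example, not the original post's code. Assumes the vault password
# lives in <repo root>/.vault_pass (assumed name) unless
# ANSIBLE_VAULT_PASSWORD_FILE (Ansible's own variable) points elsewhere.

vault_textconv() {
    file=$1

    # Files without the vault header (for example a vault.yml that was
    # committed unencrypted) are passed through as-is, so the diff still
    # shows something useful rather than an ansible-vault error.
    if ! head -n 1 "$file" | grep -q '^\$ANSIBLE_VAULT;'; then
        cat "$file"
        return 0
    fi

    # git runs textconv from the top of the working tree, but resolve the
    # root explicitly so the script also works when run by hand elsewhere.
    root=$(git rev-parse --show-toplevel 2>/dev/null) || root=$PWD
    passfile=${ANSIBLE_VAULT_PASSWORD_FILE:-$root/.vault_pass}

    if [ ! -r "$passfile" ]; then
        printf 'vault-textconv: no readable vault password file at %s\n' "$passfile" >&2
        return 1
    fi

    # Pass the password file explicitly so no ansible.cfg is needed at the
    # repository root. ansible-vault view writes the plaintext to stdout
    # (it only pages when stdout is a terminal), which is what git reads.
    ansible-vault view --vault-password-file "$passfile" "$file"
}

# When run as a script, git passes exactly one argument: the path to a
# temporary copy of the blob to convert.
if [ "$#" -eq 1 ]; then
    vault_textconv "$1"
fi
```

Install it with git config diff.ansible-vault.textconv "$PWD/vault-textconv.sh" (or point the textconv line in your config at the script), mark it executable, and keep .vault_pass out of the repository with .gitignore. The header check also means a non-vault file never triggers a decryption attempt, so a missing password file only fails the diff for files that actually need it.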