Ansible Vault support

Add the following options to the Ansible provisioner:
- ask_vault_pass
- vault_password_file

plugins/provisioners/ansible/config.rb

@@ -5,6 +5,8 @@ module VagrantPlugins
       attr_accessor :extra_vars
       attr_accessor :inventory_path
       attr_accessor :ask_sudo_pass
+      attr_accessor :ask_vault_pass
+      attr_accessor :vault_password_file
       attr_accessor :limit
       attr_accessor :sudo
       attr_accessor :sudo_user
@@ -21,39 +23,43 @@ module VagrantPlugins
       attr_accessor :raw_ssh_args
 
       def initialize
-        @playbook          = UNSET_VALUE
-        @extra_vars        = UNSET_VALUE
-        @inventory_path    = UNSET_VALUE
-        @ask_sudo_pass     = UNSET_VALUE
-        @limit             = UNSET_VALUE
-        @sudo              = UNSET_VALUE
-        @sudo_user         = UNSET_VALUE
-        @verbose           = UNSET_VALUE
-        @tags              = UNSET_VALUE
-        @skip_tags         = UNSET_VALUE
-        @start_at_task     = UNSET_VALUE
-        @groups            = UNSET_VALUE
-        @host_key_checking = UNSET_VALUE
-        @raw_arguments     = UNSET_VALUE
-        @raw_ssh_args      = UNSET_VALUE
+        @playbook            = UNSET_VALUE
+        @extra_vars          = UNSET_VALUE
+        @inventory_path      = UNSET_VALUE
+        @ask_sudo_pass       = UNSET_VALUE
+        @ask_vault_pass      = UNSET_VALUE
+        @vault_password_file = UNSET_VALUE
+        @limit               = UNSET_VALUE
+        @sudo                = UNSET_VALUE
+        @sudo_user           = UNSET_VALUE
+        @verbose             = UNSET_VALUE
+        @tags                = UNSET_VALUE
+        @skip_tags           = UNSET_VALUE
+        @start_at_task       = UNSET_VALUE
+        @groups              = UNSET_VALUE
+        @host_key_checking   = UNSET_VALUE
+        @raw_arguments       = UNSET_VALUE
+        @raw_ssh_args        = UNSET_VALUE
       end
 
       def finalize!
-        @playbook          = nil if @playbook == UNSET_VALUE
-        @extra_vars        = nil if @extra_vars == UNSET_VALUE
-        @inventory_path    = nil if @inventory_path == UNSET_VALUE
-        @ask_sudo_pass     = false unless @ask_sudo_pass == true
-        @limit             = nil if @limit == UNSET_VALUE
-        @sudo              = false unless @sudo == true
-        @sudo_user         = nil if @sudo_user == UNSET_VALUE
-        @verbose           = nil if @verbose == UNSET_VALUE
-        @tags              = nil if @tags == UNSET_VALUE
-        @skip_tags         = nil if @skip_tags == UNSET_VALUE
-        @start_at_task     = nil if @start_at_task == UNSET_VALUE
-        @groups            = {}  if @groups == UNSET_VALUE
-        @host_key_checking = false unless @host_key_checking == true
-        @raw_arguments     = nil if @raw_arguments == UNSET_VALUE
-        @raw_ssh_args      = nil if @raw_ssh_args == UNSET_VALUE
+        @playbook            = nil if @playbook == UNSET_VALUE
+        @extra_vars          = nil if @extra_vars == UNSET_VALUE
+        @inventory_path      = nil if @inventory_path == UNSET_VALUE
+        @ask_sudo_pass       = false unless @ask_sudo_pass == true
+        @ask_vault_pass      = false unless @ask_sudo_pass == true
+        @vault_password_file = nil if @vault_password_file == UNSET_VALUE
+        @limit               = nil if @limit == UNSET_VALUE
+        @sudo                = false unless @sudo == true
+        @sudo_user           = nil if @sudo_user == UNSET_VALUE
+        @verbose             = nil if @verbose == UNSET_VALUE
+        @tags                = nil if @tags == UNSET_VALUE
+        @skip_tags           = nil if @skip_tags == UNSET_VALUE
+        @start_at_task       = nil if @start_at_task == UNSET_VALUE
+        @groups              = {}  if @groups == UNSET_VALUE
+        @host_key_checking   = false unless @host_key_checking == true
+        @raw_arguments       = nil if @raw_arguments == UNSET_VALUE
+        @raw_ssh_args        = nil if @raw_ssh_args == UNSET_VALUE
       end
 
       def validate(machine)

plugins/provisioners/ansible/provisioner.rb

@@ -44,6 +44,8 @@ module VagrantPlugins
         options << "--sudo-user=#{config.sudo_user}" if config.sudo_user
         options << "#{self.get_verbosity_argument}" if config.verbose
         options << "--ask-sudo-pass" if config.ask_sudo_pass
+        options << "--ask-vault-pass" if config.ask_vault_pass
+        options << "--vault-password-file=#{config.vault_password_file}" if config.vault_password_file
         options << "--tags=#{as_list_argument(config.tags)}" if config.tags
         options << "--skip-tags=#{as_list_argument(config.skip_tags)}" if config.skip_tags
         options << "--limit=#{as_list_argument(config.limit)}" if config.limit

website/docs/source/v2/provisioning/ansible.html.md

@@ -178,6 +178,8 @@ all of which get passed to the `ansible-playbook` command that ships with Ansibl
 * `ansible.sudo_user` can be set to a string containing a username on the guest who should be used
 by the sudo command.
 * `ansible.ask_sudo_pass` can be set to `true` to require Ansible to prompt for a sudo password.
+* `ansible.ask_vault_pass` can be set to `true` to require Ansible to prompt for a vault password.
+* `ansible.vault_password_file` can be set to a string containing the path of a file containing the password used by Ansible Vault.
 * `ansible.limit` can be set to a string or an array of machines or groups from the inventory file to further control which hosts are affected. Note that:
   * As of Vagrant 1.5, the machine name (taken from Vagrantfile) is set as **default limit** to ensure that `vagrant provision` steps only affect the expected machine. Setting `ansible.limit` will override this default.
   * Setting `ansible.limit = 'all'` can be used to make Ansible connect to all machines from the inventory file.